Re: Managed Security Providers (Who do IDS & Firewall Monitoring and Blocking)

From: Mike Shaw (mshaw@wwisp.com)
Date: 01/30/02


Date: Wed, 30 Jan 2002 15:04:31 -0600
To: opiniontaker@hushmail.com, focus-ids@securityfocus.com
From: Mike Shaw <mshaw@wwisp.com>


>1. What are your thoughts concerning whether or not the MSSP is actually
>paying attention to the defense of a customer network 24/7/365?

It depends on what you consider defense. If all they do is plop a firewall
in and say "we're on it!" then don't trust them. There needs to be a more
holistic policy-based security approach. How are they going to ensure you
don't have a blank admin password?

It's not so much a question of timeframe but of thoroughness. Proper
firewall configuration, periodic vuln-scans, IDS implementation are a must
for any managed security service. But it has to be based on your policy,
otherwise they're just a router/firewall consultant that shows up when
changes are needed.

>2. What are your thoughts as to the MSSP's ability to defend my networks
>when they aren't really a part of my business, and, hence, have a very
>limited understanding of my individual organization's security threats,
>issues, and needs.

I'm constantly amazed by people who promise 5 minute intrusion notification
times, 24/7 monitoring, etc. Does that mean they are going to call me all
day for every freakin' Nimda false positive? If not, how are they going to
know what a real intrusion attempt is?

And if they do know, what are they going to do about it? Shut down that
connection? Ok, so now every AOL user is calling and complaining about not
being able to get into our web site. They'll beep me? 30 minutes of Perl
scripting and I can do that myself.

You've hit the nail on the head. A managed security company can't be
involved in the *process* of your security strategy unless they take the
time (and even recognize the need for a process for that matter).

>3. What are your thoughts on an MSSP to actually succeed in business when
>they are only charging me $3000-$6000 per month to secure my borders, AND
>they have to pay attention 24/7/365, AND they tell me they will know and
>understand my network, AND they tell me that they possess top notch,
>industry-leading talent (bearing in mind that they probably have to pay
>that talent very well)? How many top notch people can they afford to hire
>and spend on MY network at $3000-$6000/month... or do they mean that the
>top notch talent will spend part of its day on my networks and part of its
>day on X numbers of other customers.

For $6000/month you're getting close to being able to hire your own
competent security engineer depending on where you are. Someone with
hands-on job responsibility and a real stake in the security of your network.

>4. How many of you honestly feel that the technology in place today is
>of a caliber to protect my network the way they say it will (I'm sure
>there are all sorts of technical things to consider on this last one, so
>please list anything you feel is pertinent)?

Very basic security policy implementation will save you from about 95% of
the risk. IMHO it's not so much a matter of technology as having sound
policies/procedures and the wherewithal to implement them. Technology
comes out of the policy and makes up the remaining 5%.

This is a big problem with managed security providers, pen-tests,
certifications, etc. They are great and necessary tactically, but not
strategically. They should be part of a security process but not THE
security process.

-Mike


