Re: Managed Security Providers (Who do IDS & Firewall Monitoring and Blocking)

From: ktimm@server1.stingrey.com
Date: 01/31/02


Date: Thu, 31 Jan 2002 12:16:10 -0600 (CST)
From: <ktimm@server1.stingrey.com>
To: hmmmm <jp.kirk@erols.com>

It is possible for an MSSP to do near real time response with some risk /
threat analysis. A good MSSP can act as an extension to the company's
security management, doing only what the company is comfortable with and
integrating with the company's incident response policy. There are
several key factors that need to be involved with the real time analysis:
1. While an IDS does generate a lot of alerts, it is possible to
effectively tune out false alarms over a couple-week tuning period. This
must be done very carefully so as not to introduce any false negative
conditions.
2. The MSSP must have some intelligence / correlation built into the
automated systems. This correlation should allow the engineers a nearly
continuous event stream in which they can analyze and respond to these
events.
3. If the MSSP is enlisted as an extension of the company's staff, they
may have some knowledge of what services the customer is running. This
makes actually understanding each event and how it impacts the specific
network much easier.
4. The MSSP should be somewhat involved in periodic Vulnerability
Assessments. These could be performed by many of the MSSPs or outside
companies. The data generated from this helps the MSSP evaluate the
potential impact of certain events.

Really the MSSP should blend in as an extension of another company's
staff. Most companies do not have the budget or desire to enlist 24 by 7
security monitoring / management and response. An MSSP should be able to
effectively fulfill this as an extension of one's staff at a fraction of
the cost.

I personally see little value in daily / monthly batch style reporting in
comparison to near real time monitoring and response. The batch reporting
allows you to see historically what has happened, but real time response is
where you see a true ROI. BTW, the $3000-$6000 is for what? I have seen
some management in the $1000-$1500 area per device, which would get you
firewall and IDS for under $3000.

Kevin
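The four factors in Kevin's reply above (tuning out false alarms without creating false negatives, automated correlation, knowledge of which services the customer runs, and vulnerability-assessment data feeding the impact call) can be shown working together in a small triage routine. The following is an added example written for this page; it is not code from the original post or from any MSSP's tooling. The asset inventory, the VA finding identifiers, the signature names and the sample alerts are all constructed for the example, and the signature-to-service catalogue is an assumption about how an MSSP would annotate its rule set.

```python
"""Asset-aware IDS alert triage: a constructed, stand-alone illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory (factor 3): what each monitored host really runs.
ASSETS = {
    "10.0.1.10": {"services": {"http", "https"}},
    "10.0.1.20": {"services": {"smtp"}},
    "10.0.1.30": {"services": {"smb", "rpc"}},
}

# Constructed VA results (factor 4): host -> open finding IDs (hypothetical IDs).
VA_FINDINGS = {
    "10.0.1.10": {"apache-chunked"},
    "10.0.1.30": set(),
}

# Hypothetical signature catalogue: the service a signature targets and the
# VA finding it corresponds to, if any. Names are invented for the example.
SIGNATURES = {
    "WEB-APACHE chunked encoding overflow": {"service": "http", "finding": "apache-chunked"},
    "SMB null session attempt": {"service": "smb", "finding": None},
    "IIS unicode traversal": {"service": "http", "finding": "iis-unicode"},
    "ICMP PING NMAP": {"service": None, "finding": None},
}


@dataclass
class Alert:
    ts: int      # seconds since start of the sample window
    src: str
    dst: str
    sig: str


def classify(alert):
    """Return (priority, reason) for one alert.

    Factor 1: an alert is tuned out only on positive evidence that the
    targeted service is absent from the destination. An unknown host or an
    unknown signature is never silently dropped, so tuning cannot create a
    false negative by accident.
    """
    meta = SIGNATURES.get(alert.sig)
    asset = ASSETS.get(alert.dst)
    if meta is None or asset is None:
        return "review", "unknown signature or host: not tuned out"
    svc = meta["service"]
    if svc is not None and svc not in asset["services"]:
        return "suppressed", f"{alert.dst} does not run {svc}"
    if meta["finding"] and meta["finding"] in VA_FINDINGS.get(alert.dst, set()):
        return "critical", f"matches open VA finding {meta['finding']}"
    if svc is not None:
        return "high", f"{alert.dst} runs {svc}"
    return "low", "informational"


def correlate(alerts, window=300, threshold=3):
    """Factor 2: roll per-alert verdicts into a short incident list.

    A critical alert becomes a 'targeted' incident on its own. A source that
    hits `threshold` or more distinct hosts within `window` seconds becomes a
    single 'scan' incident instead of N separate low-priority alerts.
    """
    incidents = []
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.ts):
        prio, reason = classify(a)
        if prio == "suppressed":
            continue
        if prio == "critical":
            incidents.append({"type": "targeted", "src": a.src, "dst": a.dst,
                              "priority": "critical", "reason": reason})
        by_src[a.src].append(a)
    for src, seen in by_src.items():
        for i in range(len(seen)):  # sliding window anchored at alert i
            hosts = {b.dst for b in seen[i:] if b.ts - seen[i].ts <= window}
            if len(hosts) >= threshold:
                incidents.append({"type": "scan", "src": src, "hosts": sorted(hosts),
                                  "priority": "high",
                                  "reason": f"{len(hosts)} hosts in {window}s"})
                break
    return incidents


# Constructed sample alerts: a ping sweep, one mis-targeted IIS probe against
# an SMTP-only host, one Apache attack on a host with that VA finding open,
# and one SMB probe against a host that actually runs SMB.
SAMPLE_ALERTS = [
    Alert(0, "203.0.113.5", "10.0.1.10", "ICMP PING NMAP"),
    Alert(10, "203.0.113.5", "10.0.1.20", "ICMP PING NMAP"),
    Alert(20, "203.0.113.5", "10.0.1.30", "ICMP PING NMAP"),
    Alert(60, "198.51.100.7", "10.0.1.20", "IIS unicode traversal"),
    Alert(90, "198.51.100.7", "10.0.1.10", "WEB-APACHE chunked encoding overflow"),
    Alert(120, "198.51.100.9", "10.0.1.30", "SMB null session attempt"),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a.ts, a.src, "->", a.dst, a.sig, classify(a))
    for inc in correlate(SAMPLE_ALERTS):
        print(inc)
```

Running it, the six raw alerts collapse to two incidents: a critical targeted event against 10.0.1.10, because the signature lines up with an open VA finding on a host that really runs that service, and one scan incident for 203.0.113.5, while the IIS probe against the SMTP-only host is the only alert tuned out. The design point is that suppression keys on the customer's asset data, never on the signature alone, which is the caveat in factor 1.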

On Wed, 30 Jan 2002, hmmmm wrote:

> opiniontaker@hushmail.com wrote:
>
> >
> > 1. What are your thoughts concerning whether or not the MSSP is actually paying attention to the defense of a customer network 24/7/365?
>
> I would venture to say that it is rare for an MSSP to have a pair of
> eyes watching your net 24/7/365. That's why software is used to monitor
> and alert. Good MSSPs can provide you alert levels, including real
> time alerting, and will do a full analysis/correlation of IDS and
> firewall logs on a daily basis and provide mutually agreed upon
> reporting mechanisms. Really good ones have staff that can adapt
> rapidly to change. This includes rapid in-house development of IDS
> signatures, firewall adds and changes based on new threats, etc.
>
> >
> > 2. What are your thoughts as to the MSSP's ability to defend my networks when they aren't really a part of my business, and, hence, have a very limited understanding of my individual organization's security threats, issues, and needs.
>
> It is up to you, the client, to understand and communicate your issues
> and needs. You can accomplish this by having someone within your
> company do the analysis and develop a security policy based on your
> company's needs. If you want to contract it out, do NOT have the company
> providing managed services do it. Contract with company A to develop
> policy, contract with company B to provide managed services based on the
> policy, and have company A verify implementation. Bottom line is that
> security is a living process. You, the client, must take an active role
> in the process of protecting your assets.
>
> >
> > 3. What are your thoughts on an MSSP to actually succeed in business when they are only charging me $3000-$6000 per month to secure my borders, AND they have to pay attention 24/7/365, AND they tell me they will know and understand my network, AND they tell me that they possess top notch, industry-leading talent (bearing in mind that they probably have to pay that talent very well)? How many top notch people can they afford to hire and spend on MY network at $3000-$6000/month... or do they mean that the top notch talent will spend part of its day on my networks and part of its day on X numbers of other customers.
>
> Monitoring/analyst staff is not that expensive, they are not cheap but
> certainly not expensive. Then again I guess cost is a relative thing
> isn't it. It is highly unlikely that any MSSP parks an analyst in front
> of a system to monitor just your network. More likely, many networks
> are being monitored. If a critical alert is noted, then the incident
> response process begins and the issue is handed off to those responsible
> for managing the issue, leaving the analyst to go back to monitoring,
> walking logs and generating reports. Cost is typically dependent on the
> amount of traffic that traverses your net and how far your company hangs
> itself out there. If you have a fractional T1 and two or three systems
> on a DMZ with one or two NIDS, the cost to monitor would be much less
> than say a client with multiple access points with OC3's, high
> availability and failover, multiple DMZ's and a couple of hundred
> systems on the DMZ's and multiple NIDS/HIDS. You see my point? If
> someone said they could monitor the latter for $3000/month, I would run
> screaming into the night.
> >
> > 4. How many of you honestly feel that the technology in place today is of a caliber to protect my network the way they say it will (I'm sure there are all sorts of technical things to consider on this last one, so please list anything you feel is pertinent)?
> >
>
> Since I'm not sure what "they" are saying they can do, it is difficult to
> answer this question. I stand by what I said in my answer to question
> 1. I work for an MSSP. <soapbox on> We provide many services and I
> feel that we do a very good job. I personally think we are one of the
> best in the field. Monitoring is fairly generic across all MSSPs, but
> the reporting and incident response processes are where many fall down.
> We have all the same services that many other MSSPs have but, again, I
> feel that ours are a cut above. We go the extra mile to provide real
> information with solutions rather than canned reports. <soapbox off>
>
> So there it is. I would say that this is my $.02 but since we're a cut
> above I'll have to say it's my $.03.
>
>
> :)
>
> --
>
>
> --------------------------------------------------------------------------------
> James P Kirk | email:
> jp.kirk@erols.com
> MCSE, MCP+I, CCNA, CCSA and some other letters.
> --------------------------------------------------------------------------------
> error: found your .sig, thought it was stupid, did not append!
>
