Re: Managed Security Providers (Who do IDS & Firewall Monitoring and Blocking)
From: IDS Guy (ids_guy@yahoo.com) Date: 02/10/02
- Previous message: Andrew Plato: "Re: DoS Vulnerability found in ISS BlackICE Defender"
- In reply to: Matt Watchinski: "Re: Managed Security Providers (Who do IDS & Firewall Monitoring and Blocking)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 10 Feb 2002 08:15:08 -0800 (PST) From: IDS Guy <ids_guy@yahoo.com> To: focus-ids@securityfocus.com
Hi all,
Now that a nice discussion about MSSPs is going on, could you please list the names (and the IDS products they are using) of MSSPs that you know? Anyone who has been involved in such a business? Anyone who can confirm the quality of service of an MSSP that he has experienced?
Any comments will be appreciated.
--The IDS Guy
--- Matt Watchinski <matt@farm9.com> wrote:
> Comments In-line:
>
> Warning: I work for an MSSP
>
> opiniontaker@hushmail.com wrote:
> >
> > Hello All,
>
> > 1. What are your thoughts concerning whether or not the MSSP is actually paying attention to the defense of a customer network 24/7/365?
>
> Short Answer: Test them and test them often.
>
> To keep tabs on the people who are supposedly watching your network you should conduct vulnerability assessments against them at random intervals without informing them. This can be done either by your internal staff or a 3rd party vendor; either option should give you the desired results. Also remember to conduct tests internally if they are watching logs and traffic to machines that are protected inside your network. By conducting internal tests you can see if your MSSP understands your network enough to protect you from internal attacks or can detect an attacker who has compromised non-monitored hosts. If they alert you to the activity they are doing their jobs. Always remember to watch the watcher.
>
> > 2. What are your thoughts as to the MSSP's ability to defend my networks when they aren't really a part of my business, and, hence, have a very limited understanding of my individual organization's security threats, issues, and needs?
>
> A good MSSP will take the time to understand your network and your internal security policies. This information will be documented at the MSSP and available to the technicians, and in some situations it is integrated into the monitoring software. Additionally, any MSSP that is worth its salt will conduct network surveys and work with you to understand your network and your business. Some will even take the time to develop risk models for you. If an MSSP does not conduct an initial network assessment or work with you during the implementation stage of installing their equipment you should rethink your decision to purchase their service.
>
> > 3. What are your thoughts on an MSSP to actually succeed in business when they are only charging me $3000-$6000 per month to secure my borders, AND they have to pay attention 24/7/365, AND they tell me they will know and understand my network, AND they tell me that they possess top notch, industry-leading talent (bearing in mind that they probably have to pay that talent very well)? How many top notch people can they afford to hire and spend on MY network at $3000-$6000/month... or do they mean that the top notch talent will spend part of its day on my networks and part of its day on X numbers of other customers?
>
> Most network operation facilities have several levels of personnel. At the bottom are level 1 support techs that deal with monitoring the raw alerts and other information. These people should have some training but most of the time the MSSP's software does most of the work for them. After that there are usually two or more levels of people with increasing talent and experience. These people deal with incidents and alerts that the level 1 people forward on. In the shops I have seen, these level 2 and 3 people are assigned to a subsection of the MSSP's clients. These people should have a vast knowledge of your network and your policies or they are not doing their jobs.
>
> As for monthly fees, depending on how many customers, employees, and other internal constraints, 3000k-6000k/mo per client may be enough to support the company's business model. In other situations this may only purchase partial protection or partial service. Watch your costs and never pay more for an external service that you can support internally for less. Just remember to consider all your expenses; 24/7 monitoring usually takes 5 people and you have to build a solution to monitor all the hosts you want to monitor.
>
> > 4. How many of you honestly feel that the technology in place today is of a caliber to protect my network the way they say it will (I'm sure there are all sorts of technical things to consider on this last one, so please list anything you feel is pertinent)?
>
> The technology for managing and monitoring many different platforms and devices is definitely there. However, you may have to work with your MSSP if you have odd requirements or non-standard devices you want to monitor. Hopefully, your MSSP is not using off the shelf software for collecting logs, consolidating logs, and monitoring hosts. If they are, 9 out of 10 times they are just as confused as you are since the information is spread among several data stores that are not integrated.
>
> Some things to consider:
> 1. Make sure your MSSP has agents or will build agents to monitor the systems you want to protect. If they only monitor specific types of devices there will be many holes in your suit of armor.
> 2. Make sure you know how much log information you are currently generating and the number of hosts you want to monitor. If a company is charging by the amount of log traffic you will be unpleasantly surprised by how much information hosts can provide.
> 3. Make sure your MSSP can accept logs in many formats. Some devices have syslog or snmp but many devices have proprietary interfaces for gathering logs. Additionally some devices have no means for exporting log information and custom agents might have to be developed.
> 4. Make sure your MSSP provides you with your log information at regular intervals. This allows you to somewhat watch the watchers and gives you a way to review things your MSSP might have missed. You can then work with your MSSP to help them better understand your network.
> 5. Have the MSSP provide you with sample reports that they generate and ask them about how they alert their customers when problems are detected.
>
> It has been my experience that no solution is perfect and log consolidation with analysis is no exception. There are many things to consider when building an application to deal with the amount of data that is generated when monitoring hosts. However, it is possible and can add another layer of security to your network.
>
> -matt
> Security Engineer
> farm9, Inc.
> Managed Security Solutions
> http://www.farm9.com
>
> >
> > Thanks very much--your answers will mean a lot to a very conflicted IT manager!
=== message truncated ===
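As an added example (not from anyone in this thread), here is a small Python audit of the kind of periodic log export Matt's points 1, 2 and 4 ask for: it reports hosts you contracted to have monitored that never appear in the export, flags gaps between records longer than the agreed delivery interval, and projects per-host daily log volume for providers that bill by volume. The host inventory, the export line format and the sample lines are constructed assumptions.

```python
"""Audit an MSSP log export: coverage, delivery gaps, volume. Sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory: the hosts the contract says the MSSP watches.
MONITORED_HOSTS = {"fw-edge", "web01", "web02", "db01"}

# Constructed sample of a delivered export (ISO timestamp, host, message), two-hour window.
SAMPLE_EXPORT = """\
2002-02-10T00:00:05 fw-edge deny tcp 10.0.0.9 -> 192.0.2.10:445
2002-02-10T00:05:11 web01 sshd accepted publickey for admin
2002-02-10T00:10:02 fw-edge deny udp 10.0.0.9 -> 192.0.2.10:161
2002-02-10T01:40:30 web01 httpd 404 /cgi-bin/test
2002-02-10T01:45:00 fw-edge deny tcp 10.0.0.9 -> 192.0.2.11:22
"""
SAMPLE_WINDOW = timedelta(hours=2)

def parse_export(text):
    """Return (timestamp, host, message, bytes_on_wire) per well-formed line; skip junk."""
    records = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue
        records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2],
                        len(line.encode()) + 1))
    return records

def coverage_gaps(records, monitored=MONITORED_HOSTS):
    """Hosts you pay to have monitored that never show up in the export (point 1)."""
    return sorted(monitored - {h for _, h, _, _ in records})

def delivery_gaps(records, max_gap=timedelta(minutes=30)):
    """(start, end) pairs where consecutive records are further apart than agreed (point 4).
    A gap may also be a genuinely quiet period, so treat each one as a question for the MSSP."""
    ts = sorted(t for t, _, _, _ in records)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_gap]

def daily_bytes_per_host(records, window=SAMPLE_WINDOW):
    """Project per-host log bytes per day from the sample window, for volume billing (point 2)."""
    totals = defaultdict(int)
    for _, h, _, n in records:
        totals[h] += n
    scale = timedelta(days=1) / window
    return {h: int(b * scale) for h, b in totals.items()}

if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("never seen:", coverage_gaps(recs))
    print("delivery gaps:", delivery_gaps(recs))
    print("projected bytes/day:", daily_bytes_per_host(recs))
```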