Sunday, January 18, 2009

Reader Questions: Internal or External MSSP

Another reader asked the following:

As I am doing research for building a security operations center one of the things I am being asked to do is compare building things internally versus having an MSSP take on certain network monitoring functions. There is the suggestion that it is less expensive and more desirable to have a MSSP provide monitoring services for firewall and IDS devices. In addition the thinking is that the MSSP should provide log management services for other logs that are being sent to our log management platform (not sure what this service offering means).

I do not personally agree that this is the best approach. First of all they are planning on obtaining these services from a vendor we currently utilize that already is supposed to be providing some of these services and they don't appear to be providing anything useful. I've had discussions with a network security analyst that has been in this environment for quite some time and he said he routinely finds issues on his own that the vendor does not catch. (not surprisingly this is found with open source tools). I strongly believe in developing internal employees with business knowledge and relationships to do this type of work. If you asked me today who I would recommend to focus on network security monitoring I could easily pick individuals that have the mindset to do this type of work. I don't think an outside service provider could provide the same business value as a properly trained internal team.

Thoughts? [Obviously what I am describing is only one component of security operations, but it is the primary component that really doesn't exist here. I know from experience that ignorance is not bliss from my days at [company X] and the types of things we were finding on our network].


Last year I wrote Internal Security Staff Matters. I argued that, especially for large and complex organizations, the amount of business knowledge required for a security analyst to be successful makes internal security staff very important. In situations where no security monitoring happens at all, any assistance is welcome -- whether internal or external.

One could argue that certain functions are ripe for outsourcing. Device administration, usually for commercial gear, can often be done cheaply by outsiders. Certain triage and entry-level 24x7 functions can be done by outsiders, but I would argue that those jobs should not simply be tripwires. In other words, those workers should have clearly defined roles that do not result in every odd activity being escalated to the experts or ignored for reasons of insufficient experience.

For large organizations like mine I favor a small team of experts, each of whom brings a unique skill set to the group. For example, we have individuals specializing in NSM, advanced threats, live response, reverse engineering, logs, incident response planning and constituent relationship management, and so on. Beyond people we have high-fidelity NSM data, logs, and the growing ability to acquire live response and other host-centric evidence. I don't see an external provider being service-effective given the nature of our business. I also don't see an outsider being cost-effective, given the quotes we were given earlier in our planning process.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

10 comments:

Anonymous said...

Personnel knowledge is just one of the MANY factors that constitute a good RISK reducing MSSP service. Consider the problem of constantly retraining these people when they grow bored of doing their MSSP tasks (let's admit it's a pretty repetitive job) and move on to greener pastures. Also, will these people be available 24x7 to filter through all your logs once technology has done the first sweep? Another factor you might want to consider is placing your company in a situation where a small group of people have the power to demand pay increases as they realize how reliant you are on them. Many MSSPs support a wide range of products these days, open-source included.

locksmith mesa said...

I agree with you...

Anonymous said...

I think it's more likely that a MSSP would ... "demand pay increases as they realize how reliant you are on them" than for insiders to make such demands.

Davi Ottenheimer said...

The problem I have found time and time again when validating the work of MSSPs is that they are founded upon a reverse incentive system.

In other words, their margins are directly related to how small their workload is -- they have an incentive to turn down noise because that equals more profit for them. Will you know when they turn down the wrong noise?

Unless you have the resources to test and validate the work being done by the MSSP, you should worry about your security as much or even more than without an MSSP.

There is value in outsourcing the more constant aspects of controls (e.g. operations monitoring), but only if you also retain talent to frequently verify that the rules/changes are valid for your business.
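Davi's point about needing the resources to test and validate the MSSP's work can be made concrete. The script below is an added example; it is not part of the original post or of any commenter's words. It scores a provider against canary events you inject yourself (a scan, a beacon, a probe, each carrying a unique marker string) by matching those markers against the ticket text the provider sends back, and reports coverage, misses, late notices, escalations of benign controls, and median time to escalate. The canaries, tickets, marker scheme and 30-minute SLA are all assumptions constructed here for illustration.

```python
"""Score an MSSP's escalations against self-injected canary events.

Added example, not from the original post. A canary is a test event you
generate on your own network carrying a unique marker; the MSSP's tickets
should mention that marker if the event was caught. All data below is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Canary:
    marker: str             # unique token embedded in the injected event
    injected_at: datetime
    description: str
    should_escalate: bool   # False = benign control that must NOT be reported


@dataclass(frozen=True)
class Escalation:
    reported_at: datetime
    text: str               # MSSP ticket body as delivered to us


def score_mssp(canaries, escalations, sla=timedelta(minutes=30)):
    """Return coverage, misses, late notices, noise and median delay."""
    detected, missed, late, noise, delays = [], [], [], [], []
    for c in canaries:
        # Only tickets raised after injection can count as a detection.
        hits = [e for e in escalations
                if c.marker in e.text and e.reported_at >= c.injected_at]
        if not hits:
            if c.should_escalate:
                missed.append(c.marker)
            continue
        if not c.should_escalate:
            noise.append(c.marker)          # benign control got escalated
            continue
        first = min(hits, key=lambda e: e.reported_at)
        delay = first.reported_at - c.injected_at
        detected.append(c.marker)
        delays.append(delay)
        if delay > sla:
            late.append(c.marker)
    expected = sum(1 for c in canaries if c.should_escalate)
    return {
        "coverage": len(detected) / expected if expected else 0.0,
        "detected": detected,
        "missed": missed,
        "late": late,
        "noise": noise,
        "median_delay_min": (median(d.total_seconds() / 60 for d in delays)
                             if delays else None),
    }


# Constructed test data (hypothetical events and tickets, not real ones).
BASE = datetime(2009, 1, 18, 9, 0)
CANARIES = [
    Canary("canary-a1f3", BASE,
           "outbound connection to a known-bad port", True),
    Canary("canary-b7c2", BASE + timedelta(minutes=10),
           "SYN sweep of the server VLAN from an internal host", True),
    Canary("canary-c9d4", BASE + timedelta(minutes=20),
           "SQL injection probe against an intranet app over HTTPS", True),
    Canary("canary-d0e5", BASE + timedelta(minutes=30),
           "scheduled backup transfer (benign control)", False),
]
ESCALATIONS = [
    Escalation(BASE + timedelta(minutes=12),
               "Ticket 1: suspicious outbound connection, host tag canary-a1f3"),
    Escalation(BASE + timedelta(minutes=55),
               "Ticket 2: port scan observed, host tag canary-b7c2"),
    Escalation(BASE + timedelta(minutes=40),
               "Ticket 3: unusual transfer volume, host tag canary-d0e5"),
]

if __name__ == "__main__":
    for key, value in score_mssp(CANARIES, ESCALATIONS).items():
        print(f"{key}: {value}")
```

In the constructed data the HTTPS probe never surfaces (the kind of visibility gap a provider monitoring only border devices or unencrypted traffic will have), the port scan is reported but outside the SLA, and the benign backup draws a ticket, which is the over-escalation the post warns against. Run a batch like this on a schedule and trend coverage and delay over time; a provider that tunes down "noise" will show up as falling coverage long before a real incident does.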

Holliday said...

I believe that you are correct when you say that a large organization needs internal staff to manage its information security but for a small to medium organization it isn't always an option.

It seems that small organizations are often limited to a few IT positions and often times they don't have a dedicated person for security.

An MSSP can be a great resource for small to medium businesses that don't have the resources to support a team of individuals focused on security.

Anonymous said...

I've worked closely with several MSSPs in the past. While I would not outsource my entire security operation to them, I do see some distinct benefits in outsourcing certain functions:

Pros:

* Cost-effective 24x7 monitoring. If your security team is already providing true 24x7 analysis this may not be a big win. However, if you are not, an MSSP can provide an easy route for round-the-clock coverage. Three FTE analysts (the bare minimum for even attempting 24x7) looking at logs will cost more than paying an MSSP to monitor several devices.

* Outsource the log analysis heavy lifting. Let them deal with the large volume of routine (and not-so-routine) scans that come in. Depending on your MSSP's terms, you still may be able to access your logs to do your own targeted, fine-grained analysis.

* A best-of-breed MSSP should provide early warning for global/emerging threats. If they are monitoring a significant portion of the Internet, you can get value from what they've already seen and analyzed elsewhere.

Cons:

* MSSPs are going to miss some things. This can occur from:

-Device placement (e.g., your MSSP who only monitors border devices shouldn't be expected to detect an internal-only attack.)
-Device configuration (e.g., if your NIPS can't see decrypted SSL traffic, it will not detect HTTP attacks.)
-MSSP error

When they make an error (as with any service provider), swift corrective action is necessary.

* MSSPs provide a commodity service, which only lends itself to a set amount of customization.


An MSSP will not remove the need for local security staff. You will still need to provide onsite staff for escalation and remediation. However, using an MSSP will let you outsource first-line log analysis, etc. and let your staff focus on other security responsibilities.

inuk-x said...

This is an excellent question and ironic because I have been thinking about this for a while.

Anonymous has some valid points about the value of MSSPs, but ultimately I think that if an organization is capable and willing to invest in their own security department then that is the way to go.

Obviously this is not always realistic or possible, so that is where MSSPs can step in and provide a service.

PBRmeASAP said...

Having worked for a large MSSP in the past, and now working as the lone security guy in a mid-sized company I see both sides of the argument. My experience is that the really talented people at an MSSP move on as soon as possible, and you end up with IDS analysts who really don't understand what they are looking at, or people that know firewalls real well and no one really does log correlation. There are always a few sharp people to be resources, but expect them to only catch the really obvious stuff. In the end I see an MSSP as a check in the box so that management can feel secure.

Anonymous said...

One of the biggest problems with MSSPs is that they do not know the assets or resources they monitor. At every new job I took on I needed, on average, more than one year just to figure out the maze of systems and applications. At the other end of the story, at every new job I took on there were neither good analysts nor available resources to train them.

Anonymous said...

I just stumbled on this article and find the comments intriguing as they relate to size of company and also internal IP versus external IP. The key item when you leverage a vendor is to eliminate the redundant tasks and eke efficiencies from your own expertise. I believe that utilizing an MSSP for their knowledge and the intellectual property they bring to the table can benefit any organization regardless of size. But, they can only bring their core competency to the table, which then lends itself to leveraging the core IP of the business into the fold. The best MSSP solutions come from a co-sourced solution where you leverage the talents of each organization to achieve the maximum benefit of both organizations. You can't shed responsibility and when you are ring fenced within the corporate infrastructure with daily demands, it becomes harder to be as focused as your MSSP.

I would suggest that both threads are valid: how you leverage an MSSP to offset the mundane tasks that are repetitive and frankly not as interesting as when you get to find the real threat. Leverage the MSSP to align to your goals and requirements, offload the tasks that they can do at a lower cost (device tuning, signature updates, customization, vetting the incidents) and leverage the internal knowledge on the 'real incidents' that also keep your employees engaged.

In a co-sourced model, both organizations leverage on their strengths and take advantage of the intellectual property and efficiencies of their teams. The end result is a stronger overall security program.