Comments on TaoSecurity Blog: Reader Questions: Internal or External MSSP
Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)

Anonymous, 2009-08-27T14:15:27.729-04:00

I just stumbled on this article and find the comments intriguing as they relate to size of company and also internal IP versus external IP. The key item when you leverage a vendor is to eliminate the redundant tasks and eke efficiencies from your own expertise. I believe that utilizing a MSSP for their knowledge and the intellectual property they bring to the table can benefit any organization regardless of size. But, they can only bring their core competency to the table, which then lends itself to leveraging the core IP of the business into the fold. The best MSSP solutions come from a co-sourced solution where you leverage the talents of each organization to achieve the maximum benefit of both organizations. You can’t shed responsibility and when you are ring fenced within the corporate infrastructure with daily demands, it becomes harder to be as focused as your MSSP.

I would suggest that both threads are valid, how you leverage an MSSP to offset the mundane tasks that are repetitive and frankly not as interesting as when you get to find the real threat. Leverage the MSSP to align to your goals and requirements, offload the tasks that they can do at a lower cost (device tuning, signature updates, customization, vetting the incidents) and leverage the internal knowledge on the ‘real incidents’ that also keep your employees engaged.

In a co-sourced model, both organizations leverage on their strengths and take advantage of the intellectual property and efficiencies of their teams. The end result is a stronger overall security program.

Anonymous, 2009-01-27T14:20:00.000-05:00

One of the biggest problems with MSSPs is that they do not know the assets or resources they monitor. At every new job I took on I needed, on average, more than one year just to figure out the maze of systems and applications. At the other end of the story, at every new job I took on there were neither good analysts, nor available resources to train them.

Anonymous, 2009-01-22T12:33:00.000-05:00

Having worked for a large MSSP in the past, and now working as the lone security guy in a mid-sized company I see both sides of the argument. My experience is that the really talented people at an MSSP move on as soon as possible, and you end up with IDS analysts who really don't understand what they are looking at, or people that know firewalls real well and no one really does log correlation. There are always a few sharp people to be resources, but expect them to only catch the really obvious stuff. In the end I see an MSSP as a check in the box so that management can feel secure.

test (https://www.blogger.com/profile/17843773704349620940), 2009-01-19T22:56:00.000-05:00

This is an excellent question and ironic because I have been thinking about this for a while.

Anonymous has some valid points about the value of MSSPs, but ultimately I think that if an organization is capable and willing to invest in their own security department then that is the way to go.

Obviously this is not always realistic or possible, so that is where MSSPs can step in and provide a service.

Anonymous, 2009-01-19T21:46:00.000-05:00

I've worked closely with several MSSPs in the past. While I would not outsource my entire security operation to them, I do see some distinct benefits in outsourcing certain functions:

Pros:

* Cost-effective 24x7 monitoring. If your security team is already providing true 24x7 analysis this may not be a big win. However, if you are not, an MSSP can provide an easy route for round-the-clock coverage. Three FTE analysts (the bare minimum for even attempting 24x7) looking at logs will cost more than paying an MSSP to monitor several devices.

* Outsource the log analysis heavy lifting. Let them deal with the large volume of routine (and not-so-routine) scans that come in. Depending on your MSSP's terms, you still may be able to access your logs to do your own targeted, fine-grained analysis.

* A best-of-breed MSSP should provide early warning for global/emerging threats. If they are monitoring a significant portion of the Internet, you can get value from what they've already seen and analyzed elsewhere.

Cons:

* MSSPs are going to miss some things. This can occur from:

 - Device placement (e.g., your MSSP who only monitors border devices shouldn't be expected to detect an internal-only attack.)
 - Device configuration (e.g., if your NIPS can't see decrypted SSL traffic, it will not detect HTTP attacks.)
 - MSSP error

When they make an error (as with any service provider), swift corrective action is necessary.

* MSSPs provide a commodity service, which only lends itself to a set amount of customization.

An MSSP will not remove the need for local security staff. You will still need to provide onsite staff for escalation and remediation. However, using an MSSP will let you outsource first-line log analysis, etc. and let your staff focus on other security responsibilities.

Anonymous, 2009-01-19T16:09:00.000-05:00

I believe that you are correct when you say that a large organization needs internal staff to manage its information security but for a small to medium organization it isn't always an option.

It seems that small organizations are often limited to a few IT positions and often times they don't have a dedicated person for security.

An MSSP can be a great resource for small to medium businesses that don't have the resources to support a team of individuals focused on security.

Anonymous, 2009-01-19T14:31:00.000-05:00

The problem I have found time and time again when validating the work of MSSPs is that they are founded upon a reverse incentive system.

In other words, their margins are directly related to how small their workload is -- they have an incentive to turn down noise because that equals more profit for them. Will you know when they turn down the wrong noise?

Unless you have the resources to test and validate the work being done by the MSSP, you should worry about your security as much or even more than without an MSSP.

There is value in outsourcing the more constant aspects of controls (e.g. operations monitoring), but only if you also retain talent to frequently verify that the rules/changes are valid to your business.

Anonymous, 2009-01-19T07:49:00.000-05:00

I think it's more likely that a MSSP would ... "demand pay increases as they realize how reliant you are on them" than for insiders to make such demands.

Anonymous, 2009-01-19T03:46:00.000-05:00

I agree with you...

Anonymous, 2009-01-18T15:32:00.000-05:00

Personnel knowledge is just one of the MANY factors that constitute a good RISK reducing MSSP service. Consider the problem of constantly retraining these people when they grow bored of doing their MSSP tasks (let's admit it's a pretty repetitive job) and move onto greener pastures. Also, will these people be available 24x7 to filter through all your logs once technology has done the first sweep? Another factor you might want to consider is placing your company in a situation where a small group of people have the power to demand pay increases as they realize how reliant you are on them. Many MSSPs support a wide range of products these days, open-source included.