Reader Questions: Internal or External MSSP
Another reader asked the following:
As I am doing research for building a security operations center one of the things I am being asked to do is compare building things internally versus having an MSSP take on certain network monitoring functions. There is the suggestion that it is less expensive and more desirable to have an MSSP provide monitoring services for firewall and IDS devices. In addition the thinking is that the MSSP should provide log management services for other logs that are being sent to our log management platform (not sure what this service offering means).
I do not personally agree that this is the best approach. First of all they are planning on obtaining these services from a vendor we currently utilize that already is supposed to be providing some of these services and they don't appear to be providing anything useful. I've had discussions with a network security analyst that has been in this environment for quite some time and he said he routinely finds issues on his own that the vendor does not catch (not surprisingly, this is found with open source tools). I strongly believe in developing internal employees with business knowledge and relationships to do this type of work. If you asked me today who I would recommend to focus on network security monitoring I could easily pick individuals that have the mindset to do this type of work. I don't think an outside service provider could provide the same business value as a properly trained internal team.
Thoughts? [Obviously what I am describing is only one component of security operations, but it is the primary component that really doesn't exist here. I know from experience that ignorance is not bliss from my days at [company X] and the types of things we were finding on our network].
Last year I wrote Internal Security Staff Matters. I argued that, especially for large and complex organizations, the amount of business knowledge required for a security analyst to be successful makes internal security staff very important. In situations where no security monitoring happens, any assistance is welcome -- whether internal or external.
One could argue that certain functions are ripe for outsourcing. Device administration, usually for commercial gear, can often be done cheaply by outsiders. Certain triage and entry-level 24x7 functions can be done by outsiders, but I would argue that those jobs should not simply be tripwires. In other words, those workers should have clearly defined roles that do not result in every odd activity being escalated to the experts or ignored for reasons of insufficient experience.
For large organizations like mine I favor a small team of experts, each of whom brings a unique skill set to the group. For example, we have individuals specializing in NSM, advanced threats, live response, reverse engineering, logs, incident response planning and constituent relationship management, and so on. Beyond people we have high-fidelity NSM data, logs, and the growing ability to acquire live response and other host-centric evidence. I don't see an external provider being service-effective given the nature of our business. I also don't see an outsider being cost-effective, given the quotes we were cited earlier in our planning processes.
Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.
Comments
In other words, their margins are directly related to how small their workload is -- they have an incentive to turn down noise because that equals more profit for them. Will you know when they turn down the wrong noise?
Unless you have the resources to test and validate the work being done by the MSSP, you should worry about your security as much or even more than without an MSSP.
There is value in outsourcing the more constant aspects of controls (e.g. operations monitoring), but only if you also retain talent to frequently verify that the rules/changes are valid to your business.
It seems that small organizations are often limited to a few IT positions and often times they don't have a dedicated person for security.
An MSSP can be a great resource for small to medium businesses that don't have the resources to support a team of individuals focused on security.
Pros:
* Cost-effective 24x7 monitoring. If your security team is already providing true 24x7 analysis this may not be a big win. However, if you are not, an MSSP can provide an easy route for round-the-clock coverage. Three FTE analysts (the bare minimum for even attempting 24x7) looking at logs will cost more than paying an MSSP to monitor several devices.
* Outsource the log analysis heavy lifting. Let them deal with the large volume of routine (and not-so-routine) scans that come in. Depending on your MSSP's terms, you still may be able to access your logs to do your own targeted, fine-grained analysis.
* A best-of-breed MSSP should provide early warning for global/emerging threats. If they are monitoring a significant portion of the Internet, you can get value from what they've already seen and analyzed elsewhere.
Cons:
* MSSPs are going to miss some things. This can occur from:
- Device placement (e.g., your MSSP who only monitors border devices shouldn't be expected to detect an internal-only attack.)
- Device configuration (e.g., if your NIPS can't see decrypted SSL traffic, it will not detect HTTP attacks.)
- MSSP error
When they make an error (as with any service provider), swift corrective action is necessary.
* MSSPs provide a commodity service, which only lends itself to a set amount of customization.
An MSSP will not remove the need for local security staff. You will still need to provide onsite staff for escalation and remediation. However, using an MSSP will let you outsource first-line log analysis, etc. and let your staff focus on other security responsibilities.
Anonymous has some valid points about the value of MSSPs, but ultimately I think that if an organization is capable and willing to invest in their own security department then that is the way to go.
Obviously this is not always realistic or possible, so that is where MSSPs can step in and provide a service.
I would suggest that both threads are valid: how you leverage an MSSP to offset the mundane tasks that are repetitive and frankly not as interesting as when you get to find the real threat. Leverage the MSSP to align to your goals and requirements, offload the tasks that they can do at a lower cost (device tuning, signature updates, customization, vetting the incidents) and leverage the internal knowledge on the 'real incidents' that also keeps your employees engaged.
In a co-sourced model, both organizations leverage on their strengths and take advantage of the intellectual property and efficiencies of their teams. The end result is a stronger overall security program.