It's tempting for a small or medium-sized business (SMB) with limited IT staff to outsource its information security operation to a managed security service provider (MSSP). After all, it's one less headache for an already overworked and struggling IT department. Before taking the plunge, be sure it's right for your company. Understand the pros and cons of outsourcing security, and weigh the costs as well.
Here are some best practices to consider before you shop around for an MSSP.
There are two steps to the MSSP process for an SMB:
- Determine what functions, if any, should be sent off to the provider.
- Shop for a provider and calculate costs.
MSSPs offer a wide range of services. They can monitor firewalls, run intrusion detection systems (IDS), monitor logs and handle incident response. To your pager-toting IT staff members, bleary-eyed from long hours handling their already heavy daily routines, an MSSP can be a dream come true -- or, if not overseen properly, their worst nightmare.
Here are some of the services offered by MSSPs. Keep in mind that you can usually pick and choose what you need without having to buy a whole package:
- Virtual private network (VPN) setup and management.
- Firewall management and review, which may also include VPN management.
- Intrusion detection and prevention systems (IDS/IPS).
- Monitoring and log review.
- Vulnerability scanning.
Determine your needs
Take a close look at what you really need. Do a thorough review of how your IT department currently handles information security and what it should offload. Can your existing IT staff members manage your firewalls? This is a basic part of the job description for a network manager and something they may already be handling effectively. They may also already be handling your VPN, if you have one, another function wrapped in firewall management.
This is a textbook scenario in which you might want to keep firewall management in-house, but send IDS, log review and incident response out the door to an MSSP. Again, pick and choose the services carefully based on your needs. That's what an MSSP does. It can be a one-stop shop, but it doesn't have to be.
One advantage of an MSSP, particularly in monitoring, scanning, IDS and incident response, is that established players have their own secure operations centers (SOCs). SOCs are fully staffed round-the-clock with experienced information security personnel.
Larger MSSPs even have SOCs around the globe that can respond immediately to news of virus attacks, for example. They have their own intelligence networks monitoring reports of suspected phishing and other hacking activity. From this perspective, hiring an MSSP is like having a private FBI or CIA operation working for you. Most SMBs just don't have the staff to take on tracking vulnerabilities in real time at that level. Your IT staff might get a chance, at best, to sneak a peek at an online hacker bulletin board, and then not have the time or resources to respond to an attack.
When you've decided what functions to outsource, shop for a provider. Once the preserve of Internet service providers (ISPs), the field has shifted to more independent players, especially those with the capability to monitor large chunks of Internet traffic.
Mountain View, Calif.-based Counterpane Internet Security Inc. offers real-time monitoring of its customers' systems through 24x7 SOCs. It can manage customers' systems, handling security incidents as they occur, or provide security advice for customers still wanting to manage their own systems in-house during breaches.
Leuven, Belgium-based Ubizen N.V. has four SOCs around the world with customers in 50 countries. It has its own event analysis engine for tracking security events.
Other vendors with SOCs and device monitoring are RedSiren, Internet Security Systems Inc. and VeriSign Inc. Cybertrust offers a range of services from simple device monitoring of firewalls and routers to a full-blown SOC -- flexible for any size SMB.
Since these services are all under contract, prices are individually tailor-made and not publicly available. But expect to pay from $40,000 to $150,000 a year for a basic menu of MSSP services.
For an SMB, that's a lot of money. Is it worth it? That depends on your own evaluation of your systems and your particular needs.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP in security, specializing in Web and application security, and is the author of The Little Black Book of Computer Security available from Amazon.