Outsourcing Security Management
Download as PPT, PDF4 likes1,718 views
The document discusses outsourcing security management and selecting a managed security services provider (MSSP). It describes common drivers for outsourcing like high costs, lack of expertise, and resource constraints. An MSSP typically offers 24/7 monitoring, scanning, configuration, vulnerability prevention and incident response. The outsourcing decision process involves analyzing costs and benefits. Vendors are selected based on an RFP comparing their offerings, technical expertise, processes, capabilities, and costs.
Outsourcing Security Management
- 1. Outsourcing Security Management Vendor Selection Basics. Nick Krym, 03-20-2005
- 2. Common Drivers for Outsourcing High / prohibitive start up costs Establishing security infrastructure Establishing processes and procedures Hardware, networking, software licensing Complex and long ramp up Resource acquisition (hard to find expertise, complex certifications, etc.) Establishing security infrastructure Establishing processes and procedures High / prohibitive cost of operations 24x7 SOC staffing Resource retention R&D and staying current
- 3. Scope of Security Management Managed Security Services Providers (MSSP) also known as Managed Security Monitoring (MSM) Vendors typically offer the following services: 24x7 security monitoring through dedicated SOCs Monitoring security infrastructure covers variety of components such as firewalls, intrusion detection sensors and antivirus systems and analyzing the data they generate for indications of security problems Periodic scanning of various nature for the perimeter and internal components of data centers and corporate networks Ongoing configuration of the security infrastructure components Prevention and remediation of security vulnerabilities and recovery from incidents Consulting services that include various types of audits, ethical hacking, development of security audit remediation plans, disaster recovery and business continuity planning
- 4. Making Outsourcing Decision Outsourcing security is not appropriate for every organization. Making decision on outsourcing should be based on a typical “buy vs. build” analysis as it applies to products and services. For many small organizations do not need to go through buy vs. build analysis as the answer is quite obvious. As sheer expense of building SOC and staffing it on 24x7 is more than enough to move straight to vendor selection. For large companies as well as organizations with security being a core part of the business decision should be based on comprehensive research and Cost / ROI analysis.
- 5. Finding “Right” Vendor Develop the team and the process Information Security Committee Vendor selection team Vendor selection process Vendor selection process highlights Learn what Managed Security Services Providers (MSSP) have to offer (also consider Managed Security Monitoring (MSM) abbreviation for your Google search). Possibly issue an RFI to get additional insights Define drivers specific to your organization Define selection criteria Build RFP around your selection criteria Create a target list (use Gartner materials if available or just Google) Issue RFP to selected group of vendors Shortlist vendors to 2-3 prospective partner Negotiate Terms & Conditions Make final selection Tips for successful execution Define budgets upfront Secure organizational commitment Secure executive sponsorship Make process and selection criteria as transparent as possible Don’t burn the bridges with vendors as your final selection may not work out through the painful process of “integration”
- 7. Scope of MSSP Agreement The scope of a typical MSSP agreement includes Security and Availability monitoring and analysis for various security devices such as firewall and intrusion detection system (IDS) Security and Availability monitoring and analysis for other devices and components that are critical to business operations Firewall and IDS configuration and management. Periodic vulnerability scanning for multiple components of the monitored network Periodic application penetration testing / ethical hacking Zero day alerts and other information services Various consulting services, typically related to remediation of items discovered during scans and audits
- 8. Common Selection Criteria General business considerations Overall KPIs (number of customers, revenue, profitability, etc.) Company financial stability Company track record in multiple aspect of service Customer retention / customer satisfaction Company position vis-à-vis competition Technical Expertise / Technology Overall company expertise, thought leadership Company expertise in areas of security relevant to your needs Individual staff expertise and certification level Vendor Neutrality. Is the vendor business model tied to specific products? Low Install Impact. Network requirements for service deployment. Vendor Maturity Process maturity / SOC certification Exposure to various clientele with diverse needs Global Intelligence / View. Global customer base providing visibility into threats. Network visibility / Overall coverage (number of devices under management)
- 9. Common Selection Criteria, cont. Vendor Security Infrastructure Typical SLA. Infrastructure scalability guarantees SOC redundancy, business continuity and disaster recovery Vendor Service Capabilities Is Managed Security Monitoring a core competency? Is business model focused on services? Proven Systems / Processes. Time-to-market delivering new services and features and ticket Handling. Organizational Capabilities Staffing / recruiting capabilities and track record Process and cultural compatibility with your organization Account and project management capabilities Bottom Line Presales: Staff / Proposal Overall annualized cost of the solution Contract terms Customer references Brand recognition / Association impact