Intrusion Detection FAQ: What is MSSP (Managed Security Service Provider) and how can it help my organization?

Dennis Davis

Faced with the growing complexity of networks and a threat that is becoming increasingly real, an increasing number of businesses and organizations are opting for a different approach to intrusion detection by outsourcing the function to managed security service providers (MSSPs). What has led to this trend? MSSPs offer the small to medium-sized company or organization with access to resources that they could not otherwise afford to maintain internally. While many companies feel competent to handle a multitude of security issues, they lack the overall skill necessary to implement an enterprise-wide security strategy. Intrusion detection is but one of the many components that is necessary in developing this security strategy. When combined with the increasing salary demands of security professionals and the overall lack of skilled specialists, outsourcing seems to be an attractive alternative.

According to the Gartner Group, by the year 2004, a total of 40% of security expenditures will be influenced by MSSPs (0.7 probability). The technological shift will be toward transaction-level intrusion detection for business transactions. Intrusion detection at the perimeter will move to managed service providers. The Yankee Group, a technology consultant, forecasted that the overall spending for managed security by large enterprises would increase from $140 million in the year 2000 to $1.7 billion by the year 2005. This represents a significant shift in how security is implemented and maintained.

Traditionally, the local area network (LAN) was viewed as a trusted network. Perimeter protection came in the form of a corporate firewall that was viewed as the cornerstone of protection from a threat that was deemed to be largely external. Coupled with an ever-increasing web presence, many businesses have seen the need to implement some form of intrusion detection to protect vital information assets, as well as their reputation. The proliferation of virtual private networks or VPNs resulted in an easy method of bypassing this protection.

For a number of years, corporations and organizations have been reluctant to outsource security because it entailed placing trust in an outsider and letting others see the inner workings of their operation. A reluctance to give up control in an area that was so critical stalled a process that may have come about much sooner. While there has been substantial growth, setbacks have occurred that may ultimately change the course of managed intrusion detection.

Pilot Network Services, a company that has provided managed Internet access and security services for 6 years, recently shut down its operations. Operating in six data centers all over the world, the company specialized in intrusion detection, remote firewall management, VPN management, and scanning for computer viruses. This was preceded by an estimated net loss of $11.2 million on a revenue of $9.7 for the quarter ending December 31st.

Smaller could potentially feel the repercussions that include a loss of trust when it comes to outsourcing critical services such as security to smaller unproven companies.

Many factors need to be taken into consideration before the decision is made to outsource intrusion detection to an MISSP.
  • Is the service provider capable of writing custom signatures that can address "zero-day exploits" or are they limited to the signature that are provided by the manufacturer of the intrusion detection system. What assurance is there that the devices that are being maintained are continually updated with the latest signatures? An intrusion detection system that is not updated is comparable to virus protection software that is out of date. It can provide a false sense of security that can fail when it is needed the most.
  • Does the service provider offer an assortment of solutions that can readily address a variety of environments or do they specialize in a one size fits all solution? No service provider can be in expert in all possible solutions. They should, however, be able to offer a choice of products that can complement each other and provide a solution that offers an optimal amount of protection.
  • Do not overlook physical security. How secure is the facility from which the service is being provided? Does the service provider utilize proper access controls and is access to management consoles provided only to those who need it.
  • What provisions are in place with respect to fault tolerance? How often are the security devices being polled and what process is in place for notification should a problem occur? While a device may appear to be "up," any number of problems could arise. Is logging being checked periodically and how? Are critical processes that run on the sensor being monitored to determine if they are functioning properly? What about routine maintenance of the device such as checking for disk space? Is there a centralized log server in the event that the security device, itself, is compromised? How much activity is kept, that is, how far back is logging maintained? If a compromise is discovered well after the fact, can accurate data be pulled to help in the investigation?
  • Does the service provider have out-of-band access to managed devices? Is there built-in redundancy or is the provider "blinded" and unable to access devices and receive alarms? If you run a high-profile site this is a potential point of attack.
  • Does the company specialize in security or is it merely and add-on to an existing business?
  • How does the MSSP handle staff turnover? Are passwords routinely changed and do they utilize common passwords across multiple devices? Do they perform background checks on prospective employees and are they bonded?
  • What emphasis if any does the provider place on certifications? While certifications do not in and of themselves guarantee expertise, they do provide a means of determining the level of knowledge that the staff has regarding intrusion detection. Look for non-vendor specific certifications, as well as vendor-specific certifications.
  • To what extent does the service provider provide continuing education or training for staff members? Intrusion detection is a field that is rapidly advancing. The service provider should be able to readily address and provide information regarding new exploits. Part of the benefit of out-sourcing intrusion detection is that the service provider should be able to provide up-to-date information that would be beneficial in addressing new threats. By providing a proactive approach rather merely reactive, they can more readily determine "patterns of activity" that could pose a threat to an enterprise ahead of time.
Speak with those staff members that will actually be providing the service ahead of time to ensure that they are both knowledgeable and well trained. Look at sample reports. Do they provide an adequate level of analysis beyond merely reporting on what alarm was triggered on the device? Since many opt out of the "automated response" approach to intrusion detection, little can be derived from the service if one is merely seeing reports of port scans that should be blocked by the firewall. Is the service provider capable of providing event correlation of observed activity or are they merely providing reports of isolated incidents? The service provider should be able to pull reports that show an overall breakdown of activity from specific address blocks over time.

Keep in mind that in some instances the intrusion detection function is best handled internally. In situations where the risk is relatively low and where automated response is not an option, routine inspection of IDS logs can be handled by existing security staff. Despite the hype, not all businesses are being actively targeted by hackers. Keeping patches up-to-detail will prevent most security incidents.

Never underestimate the capabilities of your existing security staff. They are often more familiar with the peculiarities of your network environment and can more readily address the many false positives that you will be receive. A little training can go a long way and can in some situations lead to a more cost-effective situation. Remember, security is all about risk management. Don't spend more money addressing a threat that doesn't exist.

Existing operations staff can often be leveraged to address issues that may arise outside of normal work hours. Even if this is not an option, it is still necessary to develop CIRT and incident response plan that can readily address any threat that is identified by the MSSP. The weak link in many incident response plans is often the interface between the MSSP and the point of contact that is responsible for addressing any security incidents that may arise. Make certain that your service provider is not merely providing a warm body that will call you periodically when your network is port scanned.

Confidentiality agreements should be drafted with MSSPs. From the time that discussions are first initiated, the MSSP is privy to confidential information that should not be disclosed. Drafting such an agreement ensures that both parties will arrive at acceptable solutions to security concerns.

By utilizing existing security expertise whenever available, an optimal working relationship can be established. This should include all stages from the initial proposal to negotiations and eventually to the day-to-day operations of the network environment.

References

[1] Bartlett, Michael. "Security Worth $1.7 Bil By 2005 - Yankee Group." May 22, 2001.http://www.newsbytes.com/news/01/166005.html?&_ref=1745144517

[2] Dejesus, Edmund X. "Managing Managed Security" Jan 2001. http://www.infosecuritymag.com/articles/january01/cover.shtml

[3] Gaspar, Suzanne. "Security Concerns Dominate NW500 Survey." May 7, 2001. http://www.nwfusion.com/research/2001/0507feat2.html?&_ref=650835007

[4] Davidson, Stephanie and Friedman, Rich. "Special Report: Outsourcing Update."Feb 28, 2001. http://www.itworld.com/Career/1875/ITW0228outsourrcing/

[5] Gartner Group, “Information Security in an E-Business World: Coping With the Threats.”

[6] Messmer, Ellen and Pappalardo, Denise. “Demise of Pilot Seen As Blow To Outsourcing.” May 7, 2001. http://www.nwfusion.com/news/2001/0507pilotcrash.html

top^

SANS gives real world examples of tools and how to use them.
-Nichole Kennedy, OKDOC

Network Security 2013 - Las Vegas

Latest Whitepapers

Web Application Injection Vulnerabilities: A Web App's Security Nemesis?
By Erik Couture

Electronic Medical Records: Success Requires an Information Security Culture
By Thomas Roberts

Analyzing Polycom® Video Conference Traffic
By Chris Cain

Latest Tweets

#windowssecurity "Windows Security Course: Las Vegas in Sept [...]
June 7, 2013 - 5:47 AM

New Blog Post: Windows Memory Analysis In-Depth - Discount C [...]
June 7, 2013 - 12:37 AM

Save $500 through 6/12 on important cybersecurity courses at [...]
June 6, 2013 - 10:05 PM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"As a security professional, this info is foundational to do a competent job, let alone be successful."
- Michael Foster, Providence Health & Security

"Because of the use of real-world examples it's easier to apply what you learn."
- Danny Hill, Friedkin Companies, Inc.

"SANS is far more in-depth than other training I have attended."
- Frank Rajnai, Sears Canada Inc