This article was featured in an edition of CISO MAG.
Contributed by Chris Roberts, Chief Security Architect, Acalvio Technologies
So, let’s set the scene. The following are questions I find useful in guiding companies through a solid MSSP selection process. I have learned to ask many of these questions by working with clients through the horror of migrations-gone-bad.
- Have you conducted an extensive evaluation of your security requirements?
  - Garbage in, garbage out. No MSSP is going to be able to untangle your mess if you don’t even know what you have AND where it is. Get organized BEFORE you commit.
  - If it’s not being logged in your environment, the MSSP isn’t going to miraculously find and deal with it.
  - No, they are not going to work out that Gladys in accounting has a local XLS spreadsheet with all the credit card numbers on it. Find ALL your data before you say “I do.”
  - No, they won’t protect you from stupid. MSSPs are not a silver bullet; they are another pair of hands that WILL help you, but you must still help yourself, otherwise the relationship is doomed.
- Do you understand the security measures with which you must comply?
  - Handing over the controls does not mean “passing the buck” in the realm of compliance. At the end of the day, if the worst happens and you are breached, it is you, not the MSSP, who is on the stand giving testimony as to what went wrong.
  - Whatever you are required to have in place, your MSSP must also have in place, at a minimum. MSSPs really should have more, given that they are a consolidation of everyone’s data and therefore a much bigger target.
  - If your compliance attestation is due to an auditing or governing body in Q1 and your MSSP leaves it until March 31st to get you a letter of compliance (or something similar), it’s not going to work. Setting realistic goals and deadlines for how and when your MSSP reports compliance is crucial, especially if you have deadlines to adhere to. Remember, a lack of planning on your part will not constitute an emergency on theirs.
- Have you established a reliable governance model?
  - What happens when the MSSP finds something? Who is on point, who is on triage, who is going to get the call at 3 AM, and which one of you is going to call the lawyer, the compliance officer, and presumably the spin doctors?
  - How much does your MSSP have to declare? If you’ve got someone inside the organization breaking the law and they find the evidence, who calls law enforcement?
- Have you determined which security requirements you expect the MSSP to put in place?
  - Just because you managed to get rid of your logs, your alerts, and your local SOC/NOC, it doesn’t mean you are off the hook. How far does your MSSP take an issue? Are they simply first-line support, are they a full tier 1-2-3 SOC/NOC, and what are the limits of their capabilities?
  - Do they know who to wake up in the DBA team at 4 AM when root has just dumped the HIPAA database out to an FTP server in Brazil?
- What are your criteria for success? Although “a good night’s sleep” is actually a relevant criterion for success, it’s probably not the one you want to use as the board-level metric. Let’s take a quick look at some others.
  - Security maturity. Does having the MSSP in place advance your security maturity across any of the core criteria? (If you are looking at this and wondering what the heck a security maturity model is, then we probably need to talk.) If, by integrating an MSSP into your solution stack, you can increase the overall maturity from “repeatable/defined” to something like “managed,” then this is worth considering.
  - If you are looking at stability within the enterprise environment and consolidating the various logging and monitoring solutions, then again, this is something that should be considered. But, as we’ve pointed out earlier, an MSSP is not going to come in, wave the magic wand, and rid you of all your legacy logging gear overnight. The migration project and the integration of THEIR chosen solution will take time and effort, so make sure you plan, plan again, ask more questions, check the plan, and only then sign on the dotted line. The age-old saying “measure twice, cut once” is very relevant when it comes to any form of outsourcing.
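The “find ALL your data before you commit” point above is the one item in that list that is a concrete engineering task rather than a governance question. Here is an added example, not from the original article, of a minimal data-discovery scan for Gladys’s spreadsheet problem: it walks a directory tree, pulls out candidate 13-19 digit sequences, and keeps only those that pass the Luhn check, so that order numbers and other long digit runs are not reported as card numbers. The directory layout, file names and card numbers are all constructed for the demo (the PANs are the standard publicly documented test numbers, not real cards); the hypothetical `build_sample_tree` and `demo` helpers exist only to make the example run offline.

```python
import re
import tempfile
from pathlib import Path

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run (lookarounds stop partial matches).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep BIN (first 6) and last 4 so a report never re-creates the exposure."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked, Luhn-valid PANs found in a block of text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_tree(root, exts=(".csv", ".txt", ".log")) -> dict[str, list[str]]:
    """Map relative file path -> masked PANs for every text file under root.

    Only plain-text formats are read here; binary spreadsheets (.xls/.xlsx)
    would need a real parser such as openpyxl, which this example omits.
    """
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if not (path.is_file() and path.suffix.lower() in exts):
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue                      # unreadable file: skip, keep scanning
        pans = find_pans(text)
        if pans:
            results[path.relative_to(root).as_posix()] = pans
    return results


def build_sample_tree(root) -> None:
    """Write CONSTRUCTED sample files (hypothetical data) into root for the demo."""
    root = Path(root)
    (root / "accounting").mkdir(parents=True, exist_ok=True)
    (root / "accounting" / "gladys_cards.csv").write_text(
        "customer,card\n"
        "A. Smith,4111 1111 1111 1111\n"      # Luhn-valid public test number
        "B. Jones,5500-0000-0000-0004\n"      # Luhn-valid public test number
    )
    (root / "ops").mkdir(parents=True, exist_ok=True)
    (root / "ops" / "orders.txt").write_text(
        "order 1234567890123456 shipped\n"    # 16 digits, fails Luhn: not a PAN
        "ref 4111111111111112\n"              # one digit off, fails Luhn
    )
    (root / "readme.md").write_text("nothing to see here\n")  # extension not scanned


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, pans in demo().items():
        print(f"{path}: {', '.join(pans)}")
```

Run it before, not after, you sign: the report lists where card data lives without echoing full PANs, which is the inventory the MSSP will otherwise never build for you. The Luhn filter is what keeps the false-positive rate sane; a bare 16-digit regex flags every order number and tracking ID in the estate.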
Now we’ve established that you (hopefully) know what you are protecting and how you want it protected, and you have a plan in place for evaluating your future MSSP. Let’s go shopping with the corporate AmEx.
The Seven Ps of MSSP
- Broad portfolio of security services:
  - This might be one of those rare instances when you do want to put all your eggs in one basket. That sentence hurt to write, but it’s going to be essential to find an MSSP that can consolidate your mess into something cohesive and usable. What you don’t want to do is add another layer of detachment to an already complex environment. It goes without saying that having a different MSSP for different areas within the enterprise is not going to work well, so compromise on the things you can, select the MSSP that has the best overall architecture, solution, and services, and work with them across the entire spectrum.
- Highly respected security intelligence and research professionals:
  - Part of the logic for getting an MSSP to look after you is that they allow you to sleep at night, but the only way that happens is if they are one step ahead of things. “One step ahead” doesn’t mean one step ahead of the bad guys, because we have a long way to go before we get there. What they should be is your eyes, ears, and early warning system, and for that they need good people: not just in the NOC/SOC watching your stuff, but good people with their finger on the pulse of the digital world. So select your MSSP accordingly.
- Sophisticated back-end technology:
  - Your corporate AmEx is going to be hit for the proverbial “six”, so make sure you are getting your money’s worth. You want to make sure that your MSSP has not only the latest and greatest technology, but also a carefully selected balance of reactive and predictive, proactive, preventative technologies to ensure the integrity of your environment as best as possible. And for once, give open source tools a chance here. Just because your MSSP has Oracle or IBM on the back-end, it doesn’t mean they are any good. Heck, I’d go with MicroCentre H/W with Hadoop and HBase any day if the coding and algorithms for detection and analysis were better, their client services shone, and they cared about you. Choose carefully and involve someone to help you ask all the nasty questions. Oh, and find an MSSP that works with multiple vendors, suppliers, partners, and solutions. That way you have the best-of-breed mentality at all times. The bottom line is to remember that the answer is not always Cisco or Palo Alto.
- Excellent reputation:
  - This counts for a lot, but the focus here should be on satisfied clients. Don’t focus just on the ones they feed you, but on the ones you can go out and find on your own. Time to brush off the OSINT skills and see who’s using them! Hit the conferences, hit the shows, and do your research. Yes, there will be unhappy customers; there always are. Keep in mind that a lot of them are unhappy probably because they believed in the magic wand. But do your own validation. This covers another point: reference clients. Find not only the happy ones but the annoyed ones, and work out what is good, bad, and ugly before you do damage to the corporate budget.
- Broad security infrastructure expertise:
  - This one almost goes without saying, but it’s in here because some clients have not done all their homework: they get an MSSP to look after their log management, monitoring, and archiving, then work out that they need a different MSSP to do their compliance, oh, and a third MSSP to do vulnerability assessment and remediation work. That’s never going to work. Best case, you have so much stuff going in so many different directions that you sink into TPS-reporting hell. Worst case, the vendor blame game happens, with each of your MSSPs blaming the other for whatever the problem du jour is. Find an MSSP that can cover most or all of your requirements, simple as that.
- Robust, web-based management tool to improve visibility and intelligence:
  - Ok, so you’ve handed over all your data, your management, and basically given the front door keys to your chosen MSSP. How do you keep tabs on them, and how do you now gain visibility into their world? What management, access, and controls do you and your team have? How easy is it to interface with both the humans and the chosen technology that is now protecting you? And, above all, when leadership and the board ask you to “justify and provide metrics” for your money, how are you going to do that with your new MSSP?
- Financial stability:
  - Let’s keep this one simple. I don’t care if they are small up-and-coming or too-big-to-fail, everyone has a weakness when it comes to financial stability. Do your own risk analysis and go from there. You want your MSSP to be around longer than you are.
- Your data is in their hands. How safe are they?
  - This is your data, and it’s your a** on the line if it goes missing or ends up on a .RU website, so be aware of that when talking to your prospective MSSP. What PPCs do they have in place, what background checks, how often, what do they do with the people, the processes, the technology, and how do they respond when you ask them all the nasty questions about how they keep people like me out of their systems? These days, attackers increasingly focus on vendors, partners, and third parties, as they are often easier and softer than walking through your front door.
- Customer focused:
  - Nobody cares which restaurants or golf courses they took you to when the chips are down. The measure here is this: on a Sunday night over a holiday, when all the red blinky lights start flashing, will you be able to get hold of enough people to keep you functioning, will you be able to recover inside the SLA timeframe, and will your MSSP go above and beyond, not just because you have the biggest checkbook, but simply because to them you are more than just a number?
- Global coverage (for that nice 24/7/365, even-if-Yellowstone-goes-critical type of coverage):
  - I’ll never understand why companies choose to put all their trust in an MSSP that has one data center 100 miles or less from Yellowstone, or somewhere in California on a fault line, or in the Gulf of Mexico, etc. You get the idea. I told you to put everything in one place, but that one MSSP has to be distributed for your sake. Get out the map, brush off the geography and geo-political analysis tools, and work out where your data’s going to be when the zombie apocalypse hits.
So, now you have the criteria for analyzing what you want vs. need, what you can integrate vs. hand over, and who’s going to work best for you without relying on the magic 8-ball, i.e. Gartner. Good luck, may the force be with you, and reach out to me if you have questions!
One last thing, and this one’s a doozy. When you’ve read this, ignored all the bullet points, and chosen your MSSP based on which golf course they took you to, then 18 months later you want to exit them, I hope you previously worked out who owns “your” data when you leave.