Beyond Point Technology and The Managed Security Service Provider (MSSP) Co-management applied across the entire security environment

Transcription

1 Beyond Point Technology and The Managed Security Service Provider (MSSP) Co-management applied across the entire security environment Whitepaper May 2015

2 2 Table of Contents THE RISE OF CO-MANAGEMENT... 3 MSSPs DON'T SOLVE THE NEED... 3 MSSPs DON'T KNOW THE ENVIRONMENT... 3 WHY THE MSSP MODEL IS BROKEN... 4 DATA SWIMMING IN COMMUNITY POOLS... 4 THE PROBLEM WITH ONE-SIZE-FITS-ALL... 5 JUST DRIVE THE CAR, LET THEM WORRY ABOUT THE GAS AND TIRES... 5 WHAT CO-MANAGEMENT IS NOT... 6 SHORTSIGHTED DEFINITION OF CO-MANAGEMENT... 6 BUYER BEWARE, COMMON MYTHS OF CO-MANAGEMENT STEPS TO CHOOSING THE CO-MANAGED SERVICE PROVIDER... 7 FINAL NOTES... 9 "When we talk about co-management, it s not just a SIEM technology. It s not just and IDS/IPS. It s the vision of enabling our customers, by giving them the access to the people and processes they need in order to get the ROI they desire from existing technology investments, proactively stay secure and focus more on their core business." Brian Murphy President & CEO, ReliaQuest

3 3 The Rise of Co-Management When it comes to importance in building a successful security posture, technology still ranks a distant third behind people and process. Regardless of how automated and integrated a manufacturer touts its software or hardware to be, it will require someone to build, maintain, tune and operate the offering, and interpret the information generated by the technology. This should be an ongoing, continuous process. Now consider this: Securing environments of all sizes requires far more than just one technology. Since each needs the same maintenance as described above, you begin to realize the issues prevalent around people and process in an environment, regardless of a business size or sophistication. MSSPs DON'T SOLVE THE NEED Since the late 1990s the answer has been to try to outsource management, tuning, running, optimizing, and interpretation of these technologies to third-party managed security service providers (MSSPs), depending on their people and processes to protect valuable data. This model is no longer effective, and pales in comparison to the promise of co-managed security. We take this concept further, co-managing the entire environment, rather than just having a point product in the environment. There is much documented information on the shortcomings of MSSPs. Some of the challenges with these outsourced services include lack of knowledge of the client s environment, the standardization of services into a one-size-fits-all offering, lack of visibility into the provider s environment, data control issues, and the lack of clearly defined role-based security between the client and the provider. Let s explore some of these issues and look at how co-management solves for them. MSSPs DON'T KNOW THE ENVIRONMENT Organizations often seem alike but rarely operate in the same manner. Effective security not only controls and alerts users on access, but also understands the intent of the user in the security environment. Coupled with the dynamic of the organization s security posture and policy running alongside the organization s IT environment, and it becomes near impossible to send data to a third-party and wait for an iterative report on what is happening. What is deemed a concern in one environment might be a daily operating function in another. And while pooling data across a large subset of industries can be useful, it isn t beneficial to use a general assessment to determine the importance of a security event for a specific organization. Often, organizations that use an MSSP spend more time wading through false positives on a weekly report then they do responding to actionable security information from the MSSP. Over time, the MSSP service becomes something the organization can simply use to check a compliance box, yet the service adds no value in actively securing the environment. The issue is simple, the MSSP doesn t know the customer s environment as well as the customer, and can t be effective in analyzing what is most important because they aren t actively working in the environment. The

4 4 MSSP doesn t know the customer s environment as well as the customer, and can t be effective in analyzing what is most important because they aren t actively working in the environment. The threat landscape for each organization is different; if services are not customized the organization will miss key information. The truth within most services is that the MSSP only logs into the customer environment if a preset alert is triggered. Most often, important information is missed while waiting for logs to be sent and analyzed by an automated system. Many organizations distance themselves from their MSSP over the life of a contract because working with them presents more burden than benefit. Co-management strikes at the heart of this problem by integrating with the customer s existing security and IT operations teams. Co-management, when done correctly, uses a role based security model to outline the rules of engagement inside the customer s environment by being actively logged in and monitoring real time without the need to send customer data to a third-party. This model allows the customer s team to work directly with the service provider to understand the environment while tuning and optimizing the technology specific to that customer s organizational setup and operation. Comanagement removes the black box issues created by an MSSP trying to make judgments from afar, instead of working directly in the customer s environment. Why The MSSP Model Is Broken DATA SWIMMING IN COMMUNITY POOLS The MSSP model raises too many concerns around where data lives once it is sent to the third-party. To draw a parallel, consider how some doctors attempt to create two different waiting rooms during flu season a healthy waiting room, and an unhealthy waiting room to keep healthy patients from germ exposure while waiting for treatment. Now, apply this approach to the MSSP model. It isn t as simple of saying the healthy data will be here and all the unhealthy data will be there. Organizations can t assume MSSPs will treat the data the way its advertised. If there is an issue, all the MSSP loses is a customer. But the organization can be culpable for much worse in the event of a data breach or loss. Co-management solves these issues by not requiring the data to leave the customer s environment. When done

5 5 correctly the co-management provider connects directly to the customer s environment using a secure connection from the provider s secured operating center (SOC). A simple site visit, management of the connection, and verification of compliance audits gives the customer the same confidence in the service provider s security as they would have in their own. THE PROBLEM WITH ONE-SIZE-FITS-ALL In Back to the Future II Marty McFly travels 30 years into the future and is given pants and a jacket that automatically resize to fit him perfectly. Unfortunately, that just doesn t work in security. One size rarely, if ever, fits all. Pooling data and running the same standard protocols on the data doesn t offer customers the indepth information they need about their specific environments. Imagine if doctors couldn t give you a specific diagnosis, but instead give you a report on what might be happening based on a large pool of subjects. Frustrating, to be sure. But this is exactly how MSSP customers feel when they are given iterative, vague reports about their data. Scheduling meetings to discuss this overgeneralized information doesn t help, as the analysts can only give interpretations of general issues and events across a large subset. They aren t working in the customer s environment each day, and simply don t know the business. Co-management removes the one-size-fits-all issues while still offering the industry-, size-, and compliancespecific trend information customers find helpful. Because the co-managed provider is connected directly into the customer s environment, participates in weekly team calls, reports at the beginning and end of each shift, and is there to talk to the customer about their environment around the clock, it is truly an extension of the customer. JUST DRIVE THE CAR, LET THEM WORRY ABOUT THE GAS AND TIRES The MSSP model creates so many issues around connectivity, service level agreements, troubleshooting responsibilities, and deliverables because they are typically collecting data from one point technology that is interdependent on other factors in the customer s environment. When something goes wrong the MSSP often answers with the standard support answer of the problem must be on your side. Connections get lost, connectors fail, addresses change and infrastructure moves, often on a daily basis. The nature of the service offering makes troubleshooting normal infrastructure changes in an MSSP model extremely time-consuming for the customer, defeating the purpose of outsourcing. The customer becomes a broker between the MSSP, product manufacturers, and even the customer s own IT infrastructure team, when trying to resolve problems. Mid-size organizations (avg. 2,500 devices), customers found that they saved 20%-30% annually with a comanaged model in comparison to the average cost of a traditional MSSP

6 6 Organizations are facing more threats, more often, and are being asked to do it with less manpower. Comanagement solves these issues by offering robust field engineering teams that are there regardless of the technology, timeframe or location. What Co-Management Is Not SHORTSIGHTED DEFINITION OF CO-MANAGEMENT Security professionals, processes, and technologies don t work in a vacuum. Everything is interconnected and interdependent with regards to security and the IT environment. Often, security and IT are service providers to the business as a whole. When the concept of co-management is discussed the conversation must reach further than a solitary technology or process. Many of the software manufacturers are beginning to offer co-managed and managed services around their products. The issue with these services is they are only co-managing or managing one specific technology. Once the customer environment requires the service to take another process or technology into consideration, it falls outside the manufacturer s scope of services. Co-management and co-monitoring of a SIEM technology can save your security team on average up to mintutes per alert, or between hours a week, given alerts be week. A prime example of this need for a broader view is the security information event management (SIEM) technology space. There are plenty of manufacturers of SIEM technologies that will sell you the hardware and software, and then overlay a service offering to connect to the environment to monitor and manage the technology for the customer. The problem with this model is these companies only know how to use a specific SIEM technology. What good is co-management from a service provider or manufacturer if they only know how to use one point product? This is especially true in the case of SIEM, in which you must have expertise and experience working with a wide range of processes and technologies to be effective. Another major shift in thinking within the concept of co-management is that these services cannot be delivered remotely. Service providers must have robust field engineering teams capable of being onsite for regular meetings, issue response, upgrades, installations, enhancements, and training. The industry is pushing the definition of co-management to truly mean what is mine is yours, meaning available expertise is at your full disposal, regardless of the technology or location. This concept requires service providers to back up stated claims, and build complex lab and SOC environments in which customers can connect back into the provider environments to test new products, upgrades, patches, and custom scripts.

7 A true co-managed provider will have the ability to create custom, specific, meaningful content and applications to ensure they are both working together to light the dark corners of the entire environment. BUYER BEWARE, COMMON MYTHS OF CO-MANAGEMENT Organizations must be cautious to not buy into sales hype when considering co-management services. Many companies selling co-management services have very little experience as security service providers, and try to cut the costs of around-the-clock management by leveraging less capable offshore workforces. In addition to lack of experience, many manufacturers and providers operate in less-than-stellar security environments. Instead, these providers offer virtual SOC services, meaning an engineer can connect to a remote customer environment, with no controls on who has access. Similar to MSSPs, these environments often do not meet compliance requirements. Also similar is the lack of training and certification programs for a lot of the companies offering these services are limited or non-existent leaving the end user customer holding the bag for their inexperience. Co-management can t simply be the definition used by the service provider to explain their need to accommodate remote, work-fromhome workforce eliminating the need for the provider to make the substantial investment in infrastructure, process, procedure and people required to build, run, and constantly enhance complex lab and SOC environments. The good news with the above issues is they are easy to avoid by doing some simple due diligence on the provider. 7 8 STEPS TO CHOOSING THE CO-MANAGED SERVICE PROVIDER Step 1 Step 2 Step 3 Can they send you a current SAE 16 SOC 2 Type 2 (continuous) report? In some cases they may have an SAE 16 SOC 2 Type 1 (point in time) report but they should at the very least have the SOC 2 Type 2 scheduled with a letter from the third-party audit firm attesting to that fact. If they aren t investing in their own security how much will they invest in your organization s security? Do they have a US-based SOC and do they perform all shifts of their 24/7/365 co-managed services out of their US-based SOCs? Using overseas afterhours SOC infrastructure may not be an issue for all companies but companies must make sure those overseas facilities meet the proper compliance, training, and facility requirements required by US based auditing and compliance standards. Can they describe the roles in their security environment? Service providers should be able to detail the role based security plan for their own environment as well as the service offering including but not limited to detailing training plans, promotion tracks, retention strategies, etc. These companies are in the business of building people, if they can t describe to you the process by which they do that you may want to look elsewhere or you could face massive turnover and inexperience on your account.

8 8 Step 4 Do they have a proven field service infrastructure? Are they engineers? These are important points; there are many providers that have a field team or remote operations, and will offer simplistic assessments of high-level controls. It is important that the provider has security engineers that can turn the wrenches needed to fix the wide range of technology that exists in the customer environment. This can be accomplished with targeted reference checks. Step 5 Are they constantly logged in to their customer environments or are they relying on alerts to notify them when they might have an issue and should log in? The service offering should be an active offering allowing your organization s team to focus on other areas of security. Are their capabilities limited to one specific manufacturer or one specific point technology? A good co-management provider should be able to provide reference across multiple technologies and shouldn t be limited to one specific brand in a given technology category. Step 6 For example, if they are claiming to be able to co-manage SIEM, they should be able to give references for multiple SIEM technology that they are currently co-managing. The same goes for a service that claims to only manage SIEM. What good does that do you if your SIEM isn t the problem? If they only know SIEM how can they write the content and rules you need to properly bring in logs from all the different point products that exist in your environment. They shouldn t just be relying on the out-of-box connectors built by the manufacturer and should be able to show examples of customer content and rules built using their own expertise while tying in to the technologies API. Step 7 A service provider should be able to walk through a library of all the custom content they have built and should be able to explain to you how that is going to enhance your environment. They should also have a lab environment with the various technologies on which they ll be working with. Step 8 The easiest way an organization can get comfortable with this service provider is to go visit their SOC facilities. Take a tour and see it for yourself. Most legitimate providers will even pay to fly an organization in for a tour. If they are trying to pass off work-from-home employees as a service, they won t be able to show you what is not there at their location. Your organization is paying for the infrastructure, processes, and procedures to be built out by a service provider so your organization doesn t have to build it and run it for yourself, so it is always best to see it with your own eyes first.

9 9 Final Takeaways Co-management is a positive trend for the security industry and the scope of the definition of the term comanagement continues to expand in the right direction. Service providers and organizations of all sizes will continue to partner to expand the capability of these offerings in a way that can be customized by the customer. People and process will continue to be the priority and most important factor in achieving effective security with partnership leading the way in information and capability sharing. We hope this will help you in your search for the right co-managment service provider. If you are interested in learning more about co-managed cyber security, or would like to disucss how ReliaQuest can help you improve your existing security posture, visit us at W. Kennedy Boulevard, Suite 430, Tampa, FL