Managed Security Service Providers vs. SIEM Product Solutions

Transcription

1 White Paper The Business Case for Managed Security Services Managed Security Service Providers vs. SIEM Product Solutions (866)

2 The Business Case for Managed Security Services Contents Introduction The Need for Log Collection and Correlation Benefits of On-Premise SIEM Solutions Benefits of MSSP Solutions Comparing SIEM versus MSSP Financial, Operational and Organizational Costs of MSSP and SIEM Solutions Conclusions and Recommendations

3 Introduction For consumers and potential buyers the question of whether to have a Managed Security Service Provider (MSSP) manage your security, or purchase a Security Information and Event Management (SIEM) product and manage it yourself, can be difficult to determine on your own. The following paper identifies the benefits of on-premise SIEM products and an MSSP approach, as well as provides an overview of financial, operational and organizational considerations that purchasers of security solutions may wish to consider. Regardless of the motivation, security buyers are continually confronted with the decision of whether to bring event/log management in-house or employ a managed security service provider. The Need for Log Collection and Correlation In the current threat landscape, security buyers are often confronted with the need to identify an acceptable solution that can collect and correlate log information from disparate systems in a centralized manner, across the entire enterprise. This solution might be called upon to collect logs from servers and workstations, firewalls and VPN gateways, routers and switches, even down to the database and application level. Often, the requirement for logging may be rooted in a compliance requirement, such as the Payment Card Industry Data Security Standard (PCI DSS), or it may be driven organizationally through new people or processes. Other business drivers, such as mergers and acquisitions, may also play a role. Regardless of the motivation, security buyers are continually confronted with the decision of whether to bring event/log management in-house or employ a managed security service provider. Each approach has its advantages. Benefits of On-Premise SIEM Solutions There are numerous product vendors that provide offerings with features ranging from standard log collection with no analytics or intelligence, to full-blown SIEM solutions that integrate with disparate systems and provide indexed, comprehensive threat 3

4 measures for every device in the enterprise. SIEM solutions are often scoped, priced and sold with a great deal of customization, based on the buyer s specific needs and devices. This high level of customization makes SIEM solutions effective for organizations of all types and sizes, regardless of industry or infrastructure. Certain environments naturally serve as better places to deploy an on-premise, product-based SIEM solution, as opposed to sending logs and data to an external vendor like a MSSP. If an organization has systems with no Internet connectivity, as is often the case with government facilities and other sites with highly classified information, it would be an excellent candidate for an on-premise SIEM deployment, as no managed service working over the Internet can bridge the connectivity gap. Also, if an organization has systems that produce sensitive log data that cannot leave the network infrastructure (such as government systems with log data requiring specialized clearance or access) these are also ideally-suited for a product-based SIEM solution. MSSP Options There are numerous MSSPs, ranging from niche vendors who focus on only certain types of devices or certain types of logs, to more enterprise-scale vendors offering full management of the entire network infrastructure. Benefits of MSSP Solutions There are numerous MSSPs, ranging from niche vendors who focus on only certain types of devices or certain types of logs, to more enterprise-scale vendors offering full management of the entire network infrastructure. Regardless of the provider s size or scale of specific deployment, MSSP solutions can be separated in two ways: Monitoring only In this deployment, an MSSP takes in security logs and other device logs, only alerting and advising the client about changes they should make based on some level of service (e.g., 15 minute notice for High Priority Alerts, daily log reviews to minimally meet compliance, etc.). Monitoring and Management In this deployment, an MSSP monitors security logs, and additionally makes changes to the client s environment based on events collected and security intelligence. MSSPs bear the cost of keeping SOC personnel trained on the latest equipment from multiple vendors, and they have cross-platform experience, which is key for managing multi-vendor client environments. 4

5 Similar to on-premise SIEM products, MSSP solutions can also satisfy compliance requirements and increase security. Depending on the level of service, MSSPs will alert clients when security incidents occur. MSSPs can also store logs off-site, in a forensically-sound manner, helping meet regulatory requirements for log storage without the need for additional on-site hardware and storage. One of the biggest advantages of an MSSP solution is access to security expertise. Depending on the level of service chosen by the client, MSSPs will validate security events in the SOC before notifying the client. This helps to dramatically reduce the number of false positives to which clients must respond, reducing costs and increasing efficiency. Organizations may lack security expertise to monitor and/or manage devices from a wide variety of sources or vendors. Many times, business controls are in place that do not give the security group access to all of the devices (e.g., firewalls are solely accessed by a network group, VPN and single sign-on are part of identity management or user compliance). In addition to roles and responsibilities to monitor and manage devices effectively, organizations also require a way to input security intelligence into the organization and produce actionable output that is tailored to the organization s specific environment. Many large enterprises have dedicated security teams (and dedicated security researchers); however, it may not be cost-effective or aligned with business goals for organizations in every industry to have their dedicated security teams or even a dedicated security person. This makes MSSP solutions very attractive, as the highly-qualified security team at an MSSP becomes, in effect, an extension of in-house resources. Organizations are able to take advantage of the security expertise that the MSSP has acquired by working with numerous clients across a variety of industries. Typically, MSSPs will also have a security research function that identifies new security threats and incorporates the intelligence into the service. MSSPs can assist with tasks such as maintaining clear and consistent rule sets for firewalls and other network security devices. As an external vendor, an MSSP can also provide independent and over arching change control procedures to how, when and why the rules on these in-scope devices get addressed and updated. 5

6 Organizations may also seek out MSSP solutions to assist with staffing security teams on a 24/7 basis. Many companies do not have a dedicated Security Operations Center (SOC) or the ability to staff three shifts of engineers year-round. While a SIEM solution requires constant monitoring by in-house staff, MSSP solutions provide 24/7 monitoring without the need for additional head count. While a SIEM product is always running, there is always going to be a need for manual review of security events, or manual steps for event confirmation, correlation with other incidents or tickets and remediation of any issues identified. MSSPs do this for organizations, identifying the real security incidents and notifying clients in a timely manner. MSSP solutions have the advantage of scale. There are many companies that are already using the MSSP service, so the infrastructure for bringing on new organizations is already built. The MSSP can work with clients to customize rules and notifications, so that in-house resources are not over-burdened. Since MSSPs work with multiple clients and have documented, repeatable processes, they are able to provide workflow automation, often improving time to remediation, when issues arise. The lessons-learned from managing hundreds (if not thousands) of client environments gives MSSPs a much broader view than a single in-house security organization, allowing the MSSP to leverage that knowledge and experience across their entire client base. Many organizations that buy SIEM solutions are unpleasantly surprised by the amount of data that the solution produces. In-house resources are often overwhelmed by the number of security events, making it impossible to know which events are actual security incidents versus false positives. At that point, the SIEM solution becomes less effective at improving security. MSSPs (given their economies of scale, purpose-built technology and expertise) are able to filter these events, and then validate the actual security incidents. Comparing SIEM versus MSSP On-premise SIEM solutions provide some of the same benefits as MSSP services, but 6

7 at a higher cost to the organization. The following table outlines the similarities and differences between SIEM and MSSP solutions. Feature SIEM MSSP Monitors log events Helps attain regulatory compliance Flexible service delivery Provides 24/7 analysis by security analysts Stores logs off-site in forensically-sound facility Provides security intelligence and expertise as part of solution Built-in disaster recovery and business continuity planning (DR/BCP) Predictable, ongoing fixed cost Requires up front investment in new technology May demand upgrades and additional infrastructure (server, network devices, storage, etc.) Must be routinely updated, patches and upgraded Requires significant on-site, resources and training for management (rule changes, tuning, etc.) Table 1 Financial, Operational and Organizational Costs of MSSP and SIEM Solutions When deciding to purchase a product-based SIEM for internal deployment or using an external MSSP, there are several factors to consider. From a financial standpoint, it is important to note that a SIEM product is usually purchased and financed as a capital expense, where a service is typically purchased and financed as an operating expense. With an MSSP, the annual cost of maintenance for the next three years (at a minimum) are defined and known, whereas the maintenance on product purchases can adjust annually (unless a three-year maintenance term is negotiated at time of purchase). The initial training and personnel costs will be higher on any product purchase over a service since the product needs to be installed and configured (usually by a reseller or 7

8 consultant), as well as internal staff needing training and a plan for how to utilize the tool in the organization s security operations. Additional costs for consideration for an on-premise SIEM solution include datacenter costs such as rack space, power, network connectivity, database configuration and connectivity. The example below details an actual Solutionary enterprise client that recently evaluated the cost differences between the purchasing and ongoing maintenance of a SIEM tool versus adopting an MSSP approach. The cost breakdown is as follows: Cost Breakdown SIEM Solution MSSP Savings % Tools (Product Cost) SOC Infrastructure (to support product purchase) $400,000 MSSP Fees/Initial Charges $100,000 $30,600 TOTAL - Initial $500,000 $30,600 $469,400 94% Annual/Ongoing Expenses Resources (2FTE) $212,500 Management Costs $106,250 Security Engineering Costs $78,750 Training $11,250 Tools Maintenance $90,000 SOC Operating Expenses $9,200 Depreciation and Amortization $166,667 Consulting Services Ongoing $12,500 Network IDS/IPS $10,000 MSSP Fees/Charges $511,240 TOTAL - Recurring $697,117 $511,240 $185,877 27% Table 2 As shown above, the customer realized an immediate capital expense savings of $469,400, a 94% savings over the initial cash outlay required to buy a comparable SIEM solution. If the recurring costs required to support that same SIEM solution (extra 8

9 head count, training, consulting) are factored in, the client realized a year one savings of $185,877 (a 27% savings) by following a MSSP approach. While the numbers for the initial deployment are favorable for an MSSP solution, the question does the cost benefit hold up over time? remains. The table below shows a five year cost comparison of hard costs such as software licenses, SOC Infrastructure, computing resources, product maintenance fees, and professional consulting services as compared to MSSP fees: Time Frame SIEM Solution MSSP Savings % Year 1 Cost Comparison $921,250 $541,840 $379,410 41% 3 Year Total Cost Comparison $1,763,750 $1,564,320 $199,430 11% 5 Year Total Cost Comparison $3,106,250 $2,586,800 $519,450 17% Table 3 As Table 3 above shows, the cost benefit of an MSSP solution begins to decrease in the year 3-4 time frame, and then begins to favor the SIEM solution. However, another important factor to consider is that any SIEM product solution will likely have a usable life for 4-5 years before a SIEM vendor requires customers to purchase new hardware appliances, update software versions, or repurchase the solution altogether. Conclusion MSSPs can provide real value to organizations of all sizes, giving them the visibility they need into their environment and the ability to comply with regulations without the hassles of managing and maintaining an on-premise solution. Solutionary puts the service in managed security services, operating as an extension of the client s internal security team. At Solutionary, clients come first and each employee, from the management team to the analysts in the SOC, is dedicated to client satisfaction. 9

10 Flexible Service Delivery Understanding and addressing these individual client needs is key to the Solutionary client-first culture. By gaining a detailed understanding of individual client needs, Solutionary combines deep security expertise and proven operational processes with the patented ActiveGuard service platform to enhance security and address regulatory compliance. ActiveGuard Service Platform The cloud-based, patented ActiveGuard service platform provides powerful crosscorrelation and event-handling capabilities to recognize threats and reduce false positives, making security more operationally efficient. ActiveGuard is able to accurately collect and correlate vast amounts of data from virtually any device capable of producing a log file, including applications, databases, endpoints, firewalls and network devices. Solutionary combines the superior event-handling capabilities of ActiveGuard with security intelligence from the Security Engineering Research Team (SERT) and services provided by analysts in its SOCs. Purpose-Built for Big Data ActiveGuard was purpose-built to handle large amounts of disparate data. As the number of devices that require monitoring has increased, so has the ability of ActiveGuard to scale. The volume of log data produced by enterprises requires more scale and better analytics in order to provide intelligence about the information being gathered. The ability to handle big data of this type is a key component of ActiveGuard. All Solutionary managed security services clients receive Log Management that provides one year of log retention for all log received. 10

11 About Solutionary Solutionary is the leading pure-play managed security services provider. Solutionary reduces the information security and compliance burden, delivering flexible managed security services that align with client goals, enhancing organizations existing security program, infrastructure and personnel. The company s services are based on experienced security professionals, global threat intelligence from the Solutionary Security Engineering Research Team (SERT) and the patented ActiveGuard service platform. Solutionary works as an extension of clients internal teams, providing industry-leading customer service, patented technology, thought leadership, years of innovation and proprietary certifications that exceed industry standards. This client focus and dedication to customer service has enabled Solutionary to boast a client retention rate of over 98%. Solutionary provides 24/7 services to mid-market and global, enterprise clients through two security operations centers (SOCs) in North America. For more information, visit Contact Solutionary at: info@solutionary.com or ActiveGuard US Patent Numbers: 7,168,093; 7,424,743; 6,988,208; 7,370,359; 7,673,049. Solutionary, the Solutionary logo, ActiveGuard, the ActiveGuard logo, are registered trademarks or service marks of Solutionary, Inc. or its subsidiaries in the United States. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2012 Solutionary, Inc. 11 Solutionary.com Solutionary, Inc Underwood Ave., 3rd Floor Omaha, NE WP 04/12