Business Case Outsourcing Information Security: The Benefits of a Managed Security Service

Transcription

1 Business Case Outsourcing Information Security: The Benefits of a Managed Security Service seccuris.com (866)

2 Contents Introduction... 3 Full- Time Experts vs. a Part- Time In- House Staff... 3 Established, State- of- the- Art Infrastructure... 4 Full- Time Security and Accountability... 4 Specialized Forensics Services... 5 MSSP: A Cost- Effective Solution... 5 Extended Cost Structure... 6 The Right Solution for Managed Security Service Copyright 2014

3 Introduction Over the past decade, the level of attacks, breaches and potential dangers to vital data/information security have escalated to the point where organizations in every industry are taking measures to ensure their assets and technical infrastructures are safeguarded. A key part of that protection is knowing where your environment is vulnerable and the type of risks that may threaten it. While there are a multitude of threat and vulnerability monitoring solutions available, including a product- based Security Information and Event Management (SIEM) solution, the key is determining which option is the most effective and efficient for each organization. But no matter which solution your organization may choose, in most cases, it will cost you a considerable amount of time, money and effort to install, develop and maintain both the technology and personnel necessary to monitor your system 24 hours a day. Rather than installing an in- house monitoring system, a more cost- effective solution may be to outsource the responsibilities to a proven Managed Security Services Provider (MSSP) that will observe and preserve critical data on your organization's behalf. In order to determine if a product- based SIEM or an MSSP is the right choice for your organization's security, there are several factors to consider, including expertise, training, staff, technology, infrastructure and accountability, as well as initial and extended costs. Full- Time Experts vs. a Part- Time In- House Staff In most cases, organizations attempting to create an in- house security service are only able to dedicate a part- time staff due to cost constraints, or simply because there is not enough effort to justify adding additional personnel to monitor the service full time. As a result, it is difficult to expect part- time staffs to develop the same expertise as Information Security (IS) professionals at MSSPs who not only work exclusively in security, but also bring a broad, cross- industry perspective to the service. Typically, since MSSP analysts 3 Copyright 2014

4 possess years of experience providing information security to multiple customers, they have developed insight and expertise in a wide variety of security issues, solutions, and products. MSSP organizations also typically support capability teams across various security specialities, including threat and vulnerability management, audit and compliance, and more. Therefore, an MSSP can provide a higher- level of expertise and value to your organization than trying to hire, develop and maintain an in- house department and personnel. Established, State- of- the- Art Infrastructure Many MSSPs have established, dedicated security operations centers (SOCs) that are physically hardened sites with state- of- the- art infrastructure managed by trained personnel. MSSPs are also frequently government certified for secure data handling and controls. This certification requires regular audit and assessment of logical and physical security controls in place, as well as security clearance requirements for all staff working within the SOC. This provides a level of assurance and infrastructure resiliency that would be difficult or even impossible for organizations to replicate in- house. Full- Time Security and Accountability MSSPs offer expert near real- time security monitoring and services 24 hours a day, seven days a week. They can also be held accountable for the service standards they provide, including availability, response and escalation service level expectations. It is typically extremely difficult and costly to replicate this level of security service in- house because staff may be limited to monitoring during normal business hours. Even organizations that implement on- call services after hours do not have the full protection that 24- hour MSSP services offer. 4 Copyright 2014

5 Specialized Forensics Services Information security solutions and technologies such as firewalls, intrusion detection and prevention systems (IDS/IPS), virtual private networks (VPNs), and vulnerability assessment tools are far more effective when they are managed and monitored by dedicated and specialized security services professionals offered by MSSPs. These professionals are better able to determine the validity and true priority of every security threat and vulnerability. They focus on security response efforts so an organization's in- house staff can concentrate on other vital IT issues. MSSP s also provide an enhanced level of support for products both developed by the MSSP and trusted third- party provider products monitored by the MSSP. MSSP: A Cost- Effective Solution As indicated above, the cost for an organization to develop and maintain an in- house information security department is, in most cases, considerably more expensive than outsourcing to an MSSP. In order to provide the same level of 24- hour monitoring service as an MSSP, an organization needs to consider costs that include the price of an initial SIEM product hardware and software, as well as future upgrades and replacements; a minimum of four security analysts that require initial and ongoing training; and the supporting infrastructure to accommodate all of them. In contrast, outsourcing to an MSSP is a more affordable solution because MSSPs use a utility/shared services model that enables costs to be spread over multiple clients, which reduces the cost per client. 5 Copyright 2014

6 Here is an example cost breakdown of outsourcing an MSSP for a staff organization: One Time Cost In House SIEM OneStone Savings % SIEM Appliance & Storage $45,000 Included Internal Staff Implementation Effort Cost* $6,400 Included End User Training $3,000 Included Internal Staff Deployment Support $1,600 OneStone Fees $3,200 Total One Time $54,400 $4,800 $49,600 91% Annual Cost In House SIEM OneStone Savings % Security Analysts - 2; Primarily business hr coverage $140,000 Included Annual Training and Certification $6,000 Included Maintenance and Support Agreement $9,000 Included Depreciation - 4 year useful life $11,250 Included Internal Staff Remedation to Escalated Events $4,080 OneStone Fees $129,600 Total Annual $166,250 $129,600 $36,650 22% *SIEM pricing based on SC Magazine review of price and appliance recommended for organizational size. ** Based on two- person staff working two weeks. Comparison of total annual costs for the above and other size organizations: SIEM - In House OneStone $500,000 $400,000 $300,000 $200,000 $100,000 $0 Small Organization < 50 Staff Midsize Organization Staff Large Organization Staff Enterprise Organization Staff Extended Cost Structure It is the nature of capital expenses to prove more expensive in the year it is purchased with a tendency to lower the total cost of ownership over an 6 Copyright 2014

7 extended period. The table below shows a five- year comparison of the cost of an in- house SIEM vs. an MSSP. The SIEM includes the total costs of software licenses, SOC infrastructure, computing resources, product maintenance fees, and professional consulting services: Time Frame SIEM Solution MSSP Savings % Year 1 Cost Comparison $ 332,560 $ 225,860 $ 106,700 32% 3 Year Total Cost Comparison $ 840,880 $ 662,400 $ 178,480 21% 5 year Total Cost Comparison $ 1,427,600 $ 1,104,000 $ 323,600 23% The cost benefit of an MSSP decreases in around year three, beginning to favor the SIEM solution. But it is important to keep in mind that most SIEM solutions will likely need a hardware/software refresh within four to five years, which can cost.8 to 1.5 times the cost of the original solution. The Right Solution for Managed Security Service The OneStone Information Assurance Portal is a managed information security service that provides organizations 24x7 visibility into security issues and risks across the enterprise. Utilizing Seccuris advanced security information and event management technology, OneStone enables organizations to select various information security monitoring, vulnerability and threat assessment, and asset management services on demand. Threat Management: OneStone provides 24 7 monitoring and management of internal and external threats to an organization s network environment. Once a threat event, data loss or malicious activity is identified and validated, the OneStone Threat Management service delivers an alert and escalates the potential threat via the portal and e- mail enabling corrective action to be taken. Tailored event correlation, backed by Seccuris expert analysts, and integrated, automated incident handling workflow adapt to any organization s threat management requirements and processes. 7 Copyright 2014

8 Vulnerability Management: OneStone provides on- demand scanning and assessment of the technical and environmental vulnerabilities in an organization s computing infrastructure. Detailed dashboard screens and available reports identify, quantify, and prioritize the information security strengths and weaknesses of an organization s computing environment and provide a plan- of- action to mitigate the risk of serious consequences Asset Classification and Tracking: OneStone tightly couples organizational assets with threat and vulnerability data, enabling business risk to be more effectively measured. Information assets are identified and classified based on business criticality, function, and importance, allowing calculation of related threats and vulnerabilities to present a complete risk picture. Customers can generate reports dynamically for compliance, performance, and assurance issues via the OneStone interface. Knowing the value of your asset that is being threatened can help prioritize the alert and remediation activities. Log Management: OneStone extends the threat management capabilities by providing vital referential data via access to historical log information that has been collected and processed by OneStone. The capability provided by OneStone focuses on incidents actually impacting the business supporting effective risk- based decision making at all levels of the organization based on accurate real- time information about the organization s current security posture and exposure to the external environment. For Executives this means a top- down view of the organization s information security risk exposure and how it affects their business objectives and critical information assets. For Information Security Managers it provides an operational view of the status of security incidents and the organization s current security 8 Copyright 2014

9 posture. It also enables more effective decisions for planning security operations and executing day- to- day activities. For Information Security Analysts and IT Practitioners it provides an advanced tool- set (including state- of- the- art correlation algorithms, security information event management, and workflow applications) for identifying and correlating threat events, prioritizing and responding to incidents, managing vulnerabilities, and supporting daily security operations. 9 Copyright 2014

10 About Seccuris As the leader in Enterprise Security Architecture and Information Assurance Integration, Seccuris provides our clients with information security and risk management consulting services, managed security services, security solution integration, and education services. Seccuris also maintains an active research and development portfolio, working collaboratively with organizations across North America and Internationally. Through our commitment to quality, research, and knowledge transfer, Seccuris delivers innovative, comprehensive and proven information assurance services and solutions that provide value to our clients. To learn more about how Seccuris can address all aspects of your information risk management, visit seccuris.com or call 1 (866) Trademarks OneStone and the OneStone logo are registered trademarks of Seccuris Inc. Product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged Copyright 2014