White Paper

The Case for Managed Security Services for Log Monitoring and Management

www.solutionary.com (866) 333-2133
Contents

Introduction
Benefits of On-Premise SIEM Solutions: Security and Privacy
Benefits of an MSSP: Efficiency, Scalability and Intelligence
    Security experts dedicated to your enterprise
    Efficiency and workflow automation
    Cost savings and scalability
    Perspective and intelligence
SIEM or MSSP? Comparing Capabilities and Cost
    Cost analysis for MSSP and SIEM solutions
Barriers to Success: Operational Risk Factors for SIEMs and MSSPs
    Assigning resources for an on-premise SIEM
    Continuous security staffing challenges
    Risky staff allocation
    The Cost of Failure
Conclusion and Recommendations
About Solutionary
Appendix
    Flexible service delivery
    ActiveGuard service platform
    Purpose-built for big data
Introduction

When it comes to security log monitoring and management, enterprises can opt to purchase, install and manage an on-premise Security Information and Event Management (SIEM) product, or they can partner with a Managed Security Service Provider (MSSP). Log monitoring is an important part of an enterprise security program, enabling enterprises to detect and protect against threats. The need for a log monitoring solution may also be rooted in a compliance requirement, such as the Payment Card Industry Data Security Standard (PCI DSS); it may be driven by an internal audit process; or it may be required by the organization's customers. Merger and acquisition activity may also play a role.

This white paper compares the benefits of on-premise SIEM products with the advantages of an MSSP engagement. It also discusses the financial, operational and organizational considerations that may accompany a purchasing decision. For example, when legal requirements prevent an enterprise from exporting log data for analysis, a SIEM solution managed and maintained in-house may be needed. For many other organizations, unfettered by such legal and regulatory requirements, an MSSP can deliver greater cost efficiency and more effective security monitoring. By comparing and contrasting the strengths and weaknesses of both options for log monitoring and management, enterprises can make an informed choice about which solution is right for their business.

Benefits of On-Premise SIEM Solutions: Security and Privacy

There are numerous vendors that provide products ranging from standard log collection without analytics or intelligence to full-blown SIEM solutions that integrate with disparate systems and provide comprehensive threat detection. SIEM solutions are often scoped, priced and sold with a great deal of customization, based on the buyer's specific needs.
The primary benefits of on-premise SIEM solutions include:

- A highly secure log collection, correlation and analysis environment that can accommodate non-internet-facing systems.
- No external transfer of security log data, for organizations subject to stringent privacy requirements.
- The ability to customize the SIEM to the unique needs of each enterprise.

Certain environments are not well suited to an MSSP solution. If an organization has systems with no Internet connectivity, an on-premise SIEM deployment may be needed to provide security monitoring. Also, if an organization has systems that produce sensitive log data that cannot leave the network infrastructure (such as government systems that require specialized clearance or access), these may require an on-premise, product-based solution.

Benefits of an MSSP: Efficiency, Scalability and Intelligence

As with on-premise SIEM products, MSSP solutions for log monitoring and management can satisfy compliance mandates and increase security. These range from self-service solutions, in which clients view their own incident alerts in a portal, to full-service solutions that proactively alert clients when security incidents occur. Some MSSPs also provide forensically sound log storage to satisfy regulatory requirements without requiring the enterprise to acquire and maintain more on-site hardware.

The top benefits of partnering with an MSSP for log monitoring and management include:

- Access to security expertise, research and threat intelligence.
- Highly efficient processes and workflow automation that significantly improve time to remediation for security issues.
- Cost savings and scalability, achieved by outsourcing time-consuming manual correlation and analysis.
- Cross-device and cross-vendor correlation to improve security awareness and reduce risk.
MSSPs range from niche vendors with a narrow focus on only certain types of devices or logs, to enterprise-class providers offering a full suite of security management capabilities for the entire IT infrastructure. Regardless of the provider's size or the scale of specific deployments, MSSP solutions can be divided into two types of service:

- Monitoring only. The MSSP takes in security logs and other device logs and only alerts and advises the client about security events, according to an agreed level of service (e.g., 15-minute notice for high-priority alerts, daily log reviews to minimally meet compliance, etc.).
- Monitoring and management. The MSSP monitors security logs and additionally makes changes to the client's environment based on event analysis and security intelligence.

MSSPs bear the cost of keeping personnel trained on the latest equipment from multiple vendors, and they have cross-platform experience, which is key for managing multi-vendor client environments.

Security experts dedicated to your enterprise

One of the biggest advantages of working with an MSSP is access to a dedicated team of security experts. Organizations may lack the in-house security expertise needed to monitor and/or manage devices from a wide variety of sources or vendors. Some large enterprises have dedicated security teams and security researchers, but that is not typical. For many organizations, the highly qualified MSSP team becomes, in effect, an extension of in-house resources. Organizations are able to take advantage of the security expertise that the MSSP has acquired by working with numerous clients across a variety of industries. Typically, MSSPs also have a security research team that is consistently focused on threat intelligence.
Efficiency and workflow automation

In many cases it's not lack of knowledge, but business constraints, that prevent in-house security staff from having complete and efficient access to all device logs. For example, business controls may dictate that firewalls are only accessed by a networking group, or that VPN and single sign-on logs are only viewed by the identity management or user compliance team. Once an MSSP is set up to receive logs from all enterprise devices, or whatever portion is preferred, it can assist with tasks such as maintaining clear and consistent rule sets for firewalls and other network security devices. As an external vendor, an MSSP can also provide independent and overarching change control procedures for how, when and why the rules on these in-scope devices get updated.
Since MSSPs work with multiple clients and have documented, repeatable processes, they are able to provide workflow automation and to significantly improve time to remediation for security issues. MSSPs validate security events in the Security Operations Center (SOC) before notifying the client. This dramatically reduces the number of false-positive alerts clients must respond to, reducing costs and increasing efficiency.

Cost savings and scalability

MSSP solutions offer a cost-effective option for 24/7 log monitoring and management. Many organizations do not have a dedicated SOC or the ability to staff three shifts of analysts year-round. While a SIEM solution requires constant monitoring by in-house staff, MSSP solutions provide 24/7 monitoring without the need for additional headcount. With a SIEM product, there is a constant need for manual review and confirmation of security events, correlation with other incidents or tickets, and remediation of any issues identified. MSSPs can fill this need, identifying the real security incidents and notifying clients in a timely manner.

MSSP solutions also have the advantage of scale. Many organizations are already using the MSSP service, so the infrastructure and processes needed to support new organizations have already been built. The MSSP works with clients to customize rules and notifications, reducing the burden on in-house resources.

Perspective and intelligence

The lessons learned from managing hundreds or even thousands of client environments give MSSPs a much broader view than a single in-house security organization. MSSPs leverage that knowledge and experience across their entire client base. With a view of the threat landscape across their client base, MSSPs are also able to incorporate intelligence gleaned from all of their clients to improve threat detection and response.

Many organizations that purchase SIEM solutions are unpleasantly surprised by the amount of data the SIEM produces. Their in-house resources are often overwhelmed by the number of security events, making it impossible to identify actual security incidents among the many false positives. Given their economies of scale, purpose-built technology and expertise, MSSPs are able to filter the events and validate the actual security incidents for improved security intelligence.
SIEM or MSSP? Comparing Capabilities and Cost

On-premise SIEM solutions and managed security services can both solve log monitoring and management challenges. However, they work from very different approaches, with different advantages and disadvantages. The following table outlines the similarities and differences between SIEM and MSSP solutions, comparing the two on these features:

- Monitors log events
- Helps attain regulatory compliance
- Flexible service delivery
- Provides 24/7 analysis by security analysts
- Stores logs off-site in a forensically sound facility*
- Provides security intelligence and expertise as part of the solution
- Built-in disaster recovery and business continuity planning (DR/BCP)
- Predictable fixed cost
- May require additional infrastructure (servers, network devices, storage, etc.)
- Must be routinely updated, patched and upgraded

* Some MSSPs store raw log data on customers' premises, which may involve additional cost, and where it may not be protected against alteration or theft.
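The footnote above is the security-relevant point in the comparison: log data kept on premises as plain files is not, by itself, protected against alteration, and "forensically sound" storage has to make tampering detectable. The following is an added example (not code from the white paper or from Solutionary) showing the minimum mechanism that provides this: a hash chain over stored records, whose head digest is kept somewhere the log writer cannot reach (off-site, or with the MSSP). The log lines are constructed for the example, and the chain layout (record index, previous digest, record bytes) is an assumption, not any vendor's format.

```python
"""Tamper-evident log storage via a SHA-256 hash chain (added example).

Each stored record is bound to its position and to the digest of the
previous record. Editing, deleting, inserting or reordering any archived
record changes every later digest, so verification against a head digest
held outside the archive pinpoints the first bad record.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # digest that anchors the first record


def link_digest(index: int, prev: bytes, record: str) -> bytes:
    """Digest binding a record to its index and to the previous link."""
    h = hashlib.sha256()
    h.update(index.to_bytes(8, "big"))
    h.update(prev)
    h.update(record.encode("utf-8"))
    return h.digest()


def build_chain(records):
    """Return the archive as a list of (record, digest) links, in order."""
    chain = []
    prev = GENESIS
    for i, rec in enumerate(records):
        prev = link_digest(i, prev, rec)
        chain.append((rec, prev))
    return chain


def head_digest(chain):
    """The value to escrow off-site; it commits to the whole archive."""
    return chain[-1][1] if chain else GENESIS


def verify_chain(chain, expected_head):
    """Recompute every link.

    Returns -1 if the archive matches the escrowed head, the index of the
    first altered/misplaced record otherwise, or len(chain) when every
    stored link is internally consistent but the archive has been
    truncated (or extended) since the head was escrowed.
    """
    prev = GENESIS
    for i, (rec, stored) in enumerate(chain):
        prev = link_digest(i, prev, rec)
        if not hmac.compare_digest(prev, stored):
            return i
    if not hmac.compare_digest(prev, expected_head):
        return len(chain)
    return -1


# Constructed sample firewall lines (not real traffic), in syslog-like form.
SAMPLE_LOGS = [
    "2014-03-01T02:00:01 fw01 DENY TCP 198.51.100.7:51234 -> 10.0.0.5:22",
    "2014-03-01T02:00:02 fw01 DENY TCP 198.51.100.7:51235 -> 10.0.0.5:22",
    "2014-03-01T02:00:09 fw01 ALLOW TCP 198.51.100.7:51236 -> 10.0.0.5:22",
    "2014-03-01T02:01:40 fw01 ALLOW TCP 10.0.0.5:40123 -> 203.0.113.9:443",
]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LOGS)
    head = head_digest(chain)
    print("clean archive:", verify_chain(chain, head))
    # Simulate an attacker rewriting the successful connection as a denial.
    edited = list(chain)
    edited[2] = (edited[2][0].replace("ALLOW", "DENY"), edited[2][1])
    print("edited record detected at index:", verify_chain(edited, head))
    # Simulate the last record being deleted from the on-premises copy.
    print("truncation detected at index:", verify_chain(chain[:-1], head))
```

The chain alone does not help if the attacker can also recompute it and replace the head; that is why the head digest has to leave the premises (or be signed by a key the log host does not hold). The same construction extends to a signed head per retention period, which is what the "forensically sound" storage the table mentions amounts to in practice.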
Cost analysis for MSSP and SIEM solutions

Cost is an important factor when deciding whether to purchase a product-based SIEM for internal deployment or engage an MSSP. SIEM products are usually purchased and financed as a capital expense (CAPEX), while a service is typically purchased and financed as an operating expense (OPEX). With an MSSP, the annual cost over three years (the typical MSSP contract term) is defined and known, whereas the maintenance and other costs related to a product purchase can change annually. The initial training and personnel costs will be higher for any product purchase, since the product needs to be installed and configured (usually by a reseller or consultant) and internal staff will require training and planning for the tool's use in the security environment. On-premise SIEM solutions also incur operational costs such as rack space, power, network connectivity, and database configuration and connectivity.

The following example details an actual cost comparison recently performed by a Solutionary enterprise client. The client evaluated the cost differences between the purchase and ongoing maintenance of a SIEM tool versus an MSSP approach.

Note: In this analysis, the customer planned to staff the SIEM with one SIEM Engineer and one Security Analyst. As a result, there would be very little ability to provide off-hours support. In contrast, the MSSP service would provide full 24x7 monitoring support.
Cost Breakdown                                        SIEM        MSSP        Savings     %
Initial One-Time Costs
  SIEM Platform (including data storage)              $892,500    Included
  SIEM Implementation Labor Costs                     $20,000     Included
  Computers and Software for Additional Employees     $8,000      Included
  Initial SIEM Training                               $12,000     Included
  MSSP Fees/Charges                                   -           $20,000
  Total - Initial                                     $932,500    $20,000     $912,500    98%
Annual/Ongoing Expenses
  SIEM Engineer                                       $125,000    Included
  Security Analyst                                    $80,000     $8,000
  Personnel Management Cost                           $75,000     Included
  Security Engineering Costs                          $8,000      Included
  Maintenance and Support Contracts                   $44,625     Included
  Depreciation and Amortization                       $300,167    $6,667
  MSSP Fees/Charges                                   -           $550,000
  Total - Recurring                                   $632,792    $564,667    $68,125     11%

(The Depreciation and Amortization line is the initial platform and equipment cost spread over the three-year term: $900,500 / 3 for the SIEM and $20,000 / 3 for the MSSP.)
As shown in the table above, the client realized an immediate capital expense reduction of $912,500 by selecting an MSSP. When the recurring costs required to support a SIEM solution (extra headcount, training, consulting, equipment for added employees) and the first-year costs for the MSSP service are factored in, the client realizes a year-one cost reduction of $687,125 (a 54 percent savings). This year-one figure counts the initial purchase outright and therefore excludes the depreciation and amortization line: $932,500 + $332,625 for the SIEM against $20,000 + $558,000 for the MSSP.

While the cost analysis for initial deployment clearly favors an MSSP solution, the question remains: does the cost benefit hold up over time? The figure below shows a ten-year comparison between SIEM and MSSP costs. The nearly linear cost curve of the MSSP service contrasts with the three-year upgrade cycle of the SIEM product. Annual costs for the SIEM solution are lower in years two and three and in years five and six. However, when the initial purchase and installation cost of a SIEM and the periodic upgrade and re-initialization costs are factored in, the SIEM approach represents a higher accumulated cost throughout the ten-year projected analysis.

[Figure: annual cost, SIEM vs. MSSP, years 1 through 10; vertical axis $0 to $1,400,000.]
Barriers to Success: Operational Risk Factors for SIEMs and MSSPs

In-house SIEM projects and MSSP implementations also differ regarding the prospects for immediate and long-term success. For an MSSP engagement to succeed, the client must verify that the features and capabilities of the MSSP meet the project requirements. The client should monitor the implementation and ongoing service delivery to verify and ensure the provider's effectiveness.

Assigning resources for an on-premise SIEM

The barriers to success for an on-premise SIEM project are much more extensive. First, adequate staff resources must be assigned to the project. These resources also need the right expertise to deploy, configure and manage the SIEM. Unfortunately, many times the needed employees are not actually hired, or they are assigned additional duties that detract from their focus on the SIEM solution. It can also be difficult and cost-prohibitive to find new employees or contractors with the skills and experience required. Training can fill some gaps, but is unlikely to provide the depth of knowledge needed to meet project goals.

Several implementation tasks require in-depth knowledge of the SIEM tool and related systems, and may add unexpected time and cost to the SIEM project. These include:

- Configuring logging on standard and non-standard systems.
- Tuning complex devices, such as network IDS/IPS, web application firewalls and file integrity monitoring systems.
- Writing custom rules and tuning existing correlation rules in the SIEM.
- Configuring thresholds and advanced features in the SIEM.
- Customizing report data and formatting.
- Defining environment assets, subnets and zones.
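To make the last four items in that list concrete, here is an added example (not code from the white paper or from any SIEM product) of the kind of correlation rule, threshold and zone definition an in-house team has to write and then tune: a failed-login burst from one source inside a sliding window, downgraded when the source sits in a defined internal zone and escalated when a successful login from the same source follows the burst. The log format, the rule parameters (threshold, window, trusted zone) and the severity labels are assumptions chosen for the example, and the sample log lines are constructed.

```python
"""Worked SIEM correlation rule with threshold, window and zone tuning (added example).

Rule: N or more failed logins from one source within a sliding window raise
an alert; a source in a trusted zone gets a lower severity; an accepted
login from the same source shortly after the burst escalates the alert.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed rule parameters: the "thresholds" an analyst tunes after go-live.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=2)
# Assumed zone definition: the "assets, subnets and zones" step.
TRUSTED_ZONES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines, "<ISO time> <host> sshd: <Failed|Accepted> password for <user> from <ip>".
SAMPLE_LOGS = """\
2014-03-01T02:00:01 web01 sshd: Failed password for root from 198.51.100.7
2014-03-01T02:00:05 web01 sshd: Failed password for admin from 198.51.100.7
2014-03-01T02:00:09 web01 sshd: Failed password for admin from 198.51.100.7
2014-03-01T02:00:12 web01 sshd: Failed password for oracle from 198.51.100.7
2014-03-01T02:00:20 web01 sshd: Failed password for backup from 198.51.100.7
2014-03-01T02:00:31 web01 sshd: Accepted password for backup from 198.51.100.7
2014-03-01T02:05:00 db01 sshd: Failed password for dba from 10.20.30.40
2014-03-01T02:05:02 db01 sshd: Failed password for dba from 10.20.30.40
2014-03-01T02:05:04 db01 sshd: Failed password for dba from 10.20.30.40
2014-03-01T02:05:06 db01 sshd: Failed password for dba from 10.20.30.40
2014-03-01T02:05:08 db01 sshd: Failed password for dba from 10.20.30.40
2014-03-01T02:05:10 db01 sshd: Failed password for dba from 10.20.30.40
2014-03-01T03:00:00 web01 sshd: Failed password for root from 203.0.113.9
""".splitlines()


def parse(line):
    """Parse one constructed auth line into an event dict."""
    ts, host, _, result, _, _, user, _, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "src": src, "ok": result == "Accepted"}


def in_zone(src, zones):
    """True if the source address falls inside any defined trusted zone."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in zones)


def correlate(lines, threshold=FAIL_THRESHOLD, window=WINDOW, zones=TRUSTED_ZONES):
    """Run the rule over log lines; return one alert dict per offending source."""
    failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerts = {}                     # src -> alert raised for that source
    for ev in map(parse, lines):
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in alerts:
                alerts[ev["src"]] = {
                    "src": ev["src"], "host": ev["host"],
                    "severity": "low" if in_zone(ev["src"], zones) else "medium",
                    "failures": len(q), "first": q[0], "last": ev["ts"],
                }
        else:
            # A success right after a burst is the case worth waking someone for.
            alert = alerts.get(ev["src"])
            if alert and q and ev["ts"] - q[-1] <= window:
                alert["severity"] = "medium" if alert["severity"] == "low" else "high"
                alert["success_user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f'{a["severity"]:6} {a["src"]:15} -> {a["host"]} '
              f'{a["failures"]} failures, success as {a.get("success_user", "-")}')
```

Two sources cross the threshold in the sample: the external one is escalated to high because a login as "backup" follows the burst, and the internal one stays low because 10.0.0.0/8 is a trusted zone. Removing the zone (`correlate(SAMPLE_LOGS, zones=[])`) raises the internal alert to medium, which is exactly the tuning decision, and the volume of resulting alerts, that the text says in-house teams underestimate.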
Once the SIEM solution is up and running, its continued effectiveness relies on performing an additional set of tasks. Monitored devices and the SIEM tool must be frequently updated in order to:

- Reflect changes in the computing environment.
- Support version upgrades.
- Respond to changes in the threat landscape.

Continuous security staffing challenges

Ongoing internal monitoring efforts are subject to several challenges as well. One particular challenge is the limited view afforded to the security staff. Seeing only the events that hit their own organization makes it difficult to develop and maintain staff skills. Since serious security events are infrequent, it's also difficult for the staff to stay focused on the monitoring effort.

Review of and response to alerts is an ongoing responsibility. Even with rotation, the need for night, weekend and holiday coverage places a significant burden on security staff.

Another staffing challenge for in-house solutions is employee development. To stay motivated and focused, security staff need training and a career path. The small size of internal security departments limits the opportunity for advancement. These factors of limited view, off-hours support and lack of advancement opportunities combine to drive a high turnover rate for security staff. In addition to the time and cost involved in backfilling positions, the employees who leave take their knowledge of the environment with them. Organizations that cannot find a replacement before the previous employee leaves lose valuable knowledge transfer and suffer gaps in security monitoring.

Risky staff allocation

Enterprises commonly place a single staff member in charge of the SIEM solution, solely responsible for the configuration and operation of the tool. As a result, many of these organizations experience a systematic failure. The project of installing and configuring a SIEM tool is much more interesting and rewarding than the day-to-day operation of that system. After completing the installation, the employee has a significantly enhanced skill set and resume. At this point, the employee commonly makes a career change, taking their knowledge of the SIEM tool with them and leaving the enterprise without the resources needed for ongoing success with the SIEM.
In a different scenario, enterprises may staff their SIEM projects with employees who have other responsibilities. If another project needs additional resources, the enterprise may borrow the security analysts to help. While assigned to these other tasks, the security employees create an immediate, measurable business benefit. As long as no critical security event happens at the same time, this appears to have no downside. Unfortunately, it means that staff originally assigned to security monitoring often wind up permanently engaged in other work. Should a critical security event occur, it may go undetected. If the SIEM goes without administrative oversight for a significant period of time, whatever the reason, data overflows at the collection agents, consoles and databases can cause system failures and data corruption. This situation can even necessitate a complete re-installation of the SIEM.

The Cost of Failure

If an MSSP does not perform successfully, the client can terminate the contract. In this case, the organization has lost the time and effort of the project, some minor hardware and setup fees, and the service fees for the time the contract was in effect. At that point, another MSSP or a SIEM product could be implemented as an alternative.

If a SIEM project fails, it's much more serious. The initial costs of a SIEM project include licensing the product, purchasing the needed servers and storage infrastructure, hiring employees or contractors, training, and provisioning the equipment and software needed for the added staff. Typically, organizations plan to amortize these costs over a three-year period. However, project failure leaves no way to recoup these sunk costs. The organization is faced with the choice of investing significant additional funds into fixing or replacing the solution, or trying to limp along with the failed system until the end of the amortization period.
Conclusion and Recommendations

Organizations can meet their log monitoring requirements by using SIEM products or MSSP services. SIEM products are needed by organizations that have legal or other requirements that do not allow them to export log data for analysis, and by sites that do not have Internet connectivity. For organizations that have the option, however, MSSPs can provide lower-cost, more effective monitoring solutions. An MSSP can provide visibility into an organization's environment and the ability to comply with regulations without the hassles and costs of managing and maintaining an on-premise, product-based solution. In addition, the MSSP approach reduces both the likelihood and the cost of failing to meet project goals.

About Solutionary

Learn More: To learn more about Managed Security Services and find ways to implement them in your security plan, contact Solutionary today.

Solutionary, an NTT Group security company (NYSE: NTT), is the next generation managed security service provider (MSSP), focused on delivering managed security services and global threat intelligence. Comprehensive Solutionary security monitoring and security device management services protect traditional and virtual IT infrastructures, cloud environments and mobile data. Solutionary clients are able to optimize current security programs, make informed security decisions, achieve regulatory compliance and reduce costs. The patented, cloud-based ActiveGuard service platform uses multiple detection technologies and advanced analytics to protect against advanced threats. The Solutionary Security Engineering Research Team (SERT) researches the global threat landscape, providing actionable threat intelligence, enhanced threat detection and mitigating controls. Experienced, certified Solutionary security experts act as an extension of clients' internal teams, providing industry-leading client service to global enterprise and mid-market clients in a wide range of industries, including financial services, healthcare, retail and government. Services are delivered 24/7 through multiple state-of-the-art Security Operations Centers (SOCs). For more information, visit www.solutionary.com
Appendix

Flexible service delivery

Solutionary puts the service in managed security services, operating as an extension of the client's internal security team. At Solutionary, clients come first, and each employee, from the management team to the analysts in the SOC, is dedicated to client satisfaction. Understanding and addressing individual client needs is key to the Solutionary client-first culture. By gaining a detailed understanding of individual client needs, Solutionary combines deep security expertise and proven operational processes with the patented ActiveGuard service platform to enhance security and address regulatory compliance. All Solutionary managed security services clients receive Log Management services that provide one year of log retention for all logs collected and analyzed.

ActiveGuard service platform

The cloud-based, patented ActiveGuard service platform provides cross-correlation and event-handling capabilities to recognize threats and reduce false positives, making security more operationally efficient. ActiveGuard collects and correlates large amounts of data from virtually any device capable of producing a log file, including applications, databases, endpoints, firewalls and network devices. ActiveGuard uses multiple detection methods, including signatures, anomaly detection, statistical analysis, heuristics and global threat intelligence from the Solutionary Security Engineering Research Team (SERT), to detect advanced threats. Security experts in the Solutionary Security Operations Center (SOC) provide additional analysis, validation and response for security threats.

Purpose-built for big data

ActiveGuard was purpose-built to handle large amounts of disparate data. As the number of devices that require monitoring has increased, so has the ability of ActiveGuard to scale. The volume of log data produced by enterprises requires more scale and better analytics in order to provide intelligence about the information being gathered. The ability to handle big data of this type is a key component of ActiveGuard.

Contact Solutionary at SCSManagement@solutionary.com or 866-333-2133

Solutionary, an NTT Group security company, is the next generation managed security services provider (MSSP), focused on delivering managed security services and global threat intelligence.

ActiveGuard US Patent Numbers: 7,168,093; 7,424,743; 6,988,208; 7,370,359; 7,673,049; 7,954,159; 8,261,347. Solutionary, the Solutionary logo, ActiveGuard and the ActiveGuard logo are registered trademarks or service marks of Solutionary, Inc. in the United States. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only, are subject to change without notice, and are provided without warranty of any kind, express or implied.

Copyright 2014 Solutionary, Inc. Solutionary, Inc., 9420 Underwood Ave., Omaha, NE 68114. 1100WP 03/13