outsourcing security management
DESCRIPTION
Brief Intro on Outsourcing Security Management with focus on vendor selection
TRANSCRIPT
Outsourcing Security Management
Vendor Selection Basics. Nick Krym, 03-20-2005
Common Drivers for Outsourcing
• High / prohibitive start up costs
  – Establishing security infrastructure
  – Establishing processes and procedures
  – Hardware, networking, software licensing
• Complex and long ramp up
  – Resource acquisition (hard to find expertise, complex certifications, etc.)
  – Establishing security infrastructure
  – Establishing processes and procedures
• High / prohibitive cost of operations
  – 24x7 SOC staffing
  – Resource retention
  – R&D and staying current
Scope of Security Management
• Managed Security Services Providers (MSSP), also known as Managed Security Monitoring (MSM) vendors, typically offer the following services:
  – 24x7 security monitoring through dedicated SOCs
  – Monitoring of the security infrastructure, covering a variety of components such as firewalls, intrusion detection sensors and antivirus systems, and analyzing the data they generate for indications of security problems
  – Periodic scanning of various kinds for the perimeter and internal components of data centers and corporate networks
  – Ongoing configuration of the security infrastructure components
  – Prevention and remediation of security vulnerabilities and recovery from incidents
  – Consulting services that include various types of audits, ethical hacking, development of security audit remediation plans, disaster recovery and business continuity planning
Making Outsourcing Decision
• Outsourcing security is not appropriate for every organization. The decision to outsource should be based on a typical “buy vs. build” analysis as it applies to products and services.
• Many small organizations do not need to go through a buy vs. build analysis, as the answer is quite obvious: the sheer expense of building a SOC and staffing it 24x7 is more than enough to move straight to vendor selection.
• For large companies, as well as organizations where security is a core part of the business, the decision should be based on comprehensive research and Cost / ROI analysis.
Finding “Right” Vendor
• Develop the team and the process
  – Information Security Committee
  – Vendor selection team
  – Vendor selection process
• Vendor selection process highlights
  – Learn what Managed Security Services Providers (MSSP) have to offer (also consider the Managed Security Monitoring (MSM) abbreviation for your Google search)
  – Possibly issue an RFI to get additional insights
  – Define drivers specific to your organization
  – Define selection criteria
  – Build RFP around your selection criteria
  – Create a target list (use Gartner materials if available or just Google)
  – Issue RFP to selected group of vendors
  – Shortlist vendors to 2-3 prospective partners
  – Negotiate Terms & Conditions
  – Make final selection
• Tips for successful execution
  – Define budgets upfront
  – Secure organizational commitment
  – Secure executive sponsorship
  – Make process and selection criteria as transparent as possible
  – Don’t burn bridges with vendors, as your final selection may not work out through the painful process of “integration”
Gartner Magic Quadrants
Scope of MSSP Agreement
• The scope of a typical MSSP agreement includes
  – Security and Availability monitoring and analysis for various security devices such as firewall and intrusion detection system (IDS)
  – Security and Availability monitoring and analysis for other devices and components that are critical to business operations
  – Firewall and IDS configuration and management
  – Periodic vulnerability scanning for multiple components of the monitored network
  – Periodic application penetration testing / ethical hacking
  – Zero day alerts and other information services
  – Various consulting services, typically related to remediation of items discovered during scans and audits
Common Selection Criteria
• General business considerations
  – Overall KPIs (number of customers, revenue, profitability, etc.)
  – Company financial stability
  – Company track record in multiple aspects of service
  – Customer retention / customer satisfaction
  – Company position vis-à-vis competition
• Technical Expertise / Technology
  – Overall company expertise, thought leadership
  – Company expertise in areas of security relevant to your needs
  – Individual staff expertise and certification level
  – Vendor Neutrality. Is the vendor business model tied to specific products?
  – Low Install Impact. Network requirements for service deployment.
• Vendor Maturity
  – Process maturity / SOC certification
  – Exposure to various clientele with diverse needs
  – Global Intelligence / View. Global customer base providing visibility into threats.
  – Network visibility / Overall coverage (number of devices under management)
Common Selection Criteria, cont.
• Vendor Security Infrastructure
  – Typical SLA
  – Infrastructure scalability guarantees
  – SOC redundancy, business continuity and disaster recovery
• Vendor Service Capabilities
  – Is Managed Security Monitoring a core competency?
  – Is business model focused on services?
  – Proven Systems / Processes. Time-to-market delivering new services and features, and ticket handling.
• Organizational Capabilities
  – Staffing / recruiting capabilities and track record
  – Process and cultural compatibility with your organization
  – Account and project management capabilities
• Bottom Line
  – Presales: Staff / Proposal
  – Overall annualized cost of the solution
  – Contract terms
  – Customer references
  – Brand recognition / Association impact