Outsourcing Security Management: Vendor Selection Basics. Nick Krym, 03-20-2005

Uploaded by nick-krym, posted 12-Nov-2014.

Brief intro on outsourcing security management, with a focus on vendor selection.

Page 1: Outsourcing Security Management (title slide)

Page 2: Outsourcing Security Management

Common Drivers for Outsourcing

• High / prohibitive start-up costs
  – Establishing security infrastructure
  – Establishing processes and procedures
  – Hardware, networking, software licensing
• Complex and long ramp-up
  – Resource acquisition (hard to find expertise, complex certifications, etc.)
  – Establishing security infrastructure
  – Establishing processes and procedures
• High / prohibitive cost of operations
  – 24x7 SOC staffing
  – Resource retention
  – R&D and staying current

Page 3: Outsourcing Security Management

Scope of Security Management

• Managed Security Services Providers (MSSP), also known as Managed Security Monitoring (MSM) vendors, typically offer the following services:
  – 24x7 security monitoring through dedicated SOCs
  – Monitoring the security infrastructure, which covers a variety of components such as firewalls, intrusion detection sensors and antivirus systems, and analyzing the data they generate for indications of security problems
  – Periodic scanning of various kinds for the perimeter and internal components of data centers and corporate networks
  – Ongoing configuration of the security infrastructure components
  – Prevention and remediation of security vulnerabilities and recovery from incidents
  – Consulting services that include various types of audits, ethical hacking, development of security audit remediation plans, disaster recovery and business continuity planning

Page 4: Outsourcing Security Management

Making the Outsourcing Decision

• Outsourcing security is not appropriate for every organization. The outsourcing decision should be based on a typical “buy vs. build” analysis, as applied to products and services.
• Many small organizations do not need to go through a buy vs. build analysis, as the answer is quite obvious: the sheer expense of building a SOC and staffing it 24x7 is more than enough reason to move straight to vendor selection.
• For large companies, as well as organizations where security is a core part of the business, the decision should be based on comprehensive research and cost / ROI analysis.

Page 5: Outsourcing Security Management

Finding the “Right” Vendor

• Develop the team and the process
  – Information Security Committee
  – Vendor selection team
  – Vendor selection process
• Vendor selection process highlights
  – Learn what Managed Security Services Providers (MSSP) have to offer (also consider the Managed Security Monitoring (MSM) abbreviation for your Google search)
  – Possibly issue an RFI to get additional insights
  – Define drivers specific to your organization
  – Define selection criteria
  – Build the RFP around your selection criteria
  – Create a target list (use Gartner materials if available, or just Google)
  – Issue the RFP to the selected group of vendors
  – Shortlist 2-3 prospective partners
  – Negotiate Terms & Conditions
  – Make the final selection
• Tips for successful execution
  – Define budgets upfront
  – Secure organizational commitment
  – Secure executive sponsorship
  – Make the process and selection criteria as transparent as possible
  – Don’t burn bridges with vendors, as your final selection may not work out through the painful process of “integration”

Page 6: Outsourcing Security Management

Gartner Magic Quadrants (chart only; not reproduced in the transcript)

Page 7: Outsourcing Security Management

Scope of MSSP Agreement

• The scope of a typical MSSP agreement includes
  – Security and availability monitoring and analysis for various security devices such as firewalls and intrusion detection systems (IDS)
  – Security and availability monitoring and analysis for other devices and components that are critical to business operations
  – Firewall and IDS configuration and management
  – Periodic vulnerability scanning for multiple components of the monitored network
  – Periodic application penetration testing / ethical hacking
  – Zero-day alerts and other information services
  – Various consulting services, typically related to remediation of items discovered during scans and audits

Page 8: Outsourcing Security Management

Common Selection Criteria

• General business considerations
  – Overall KPIs (number of customers, revenue, profitability, etc.)
  – Company financial stability
  – Company track record in multiple aspects of service
  – Customer retention / customer satisfaction
  – Company position vis-à-vis competition
• Technical Expertise / Technology
  – Overall company expertise, thought leadership
  – Company expertise in areas of security relevant to your needs
  – Individual staff expertise and certification level
  – Vendor neutrality: is the vendor’s business model tied to specific products?
  – Low install impact: network requirements for service deployment
• Vendor Maturity
  – Process maturity / SOC certification
  – Exposure to various clientele with diverse needs
  – Global intelligence / view: a global customer base providing visibility into threats
  – Network visibility / overall coverage (number of devices under management)

Page 9: Outsourcing Security Management

Common Selection Criteria, cont.

• Vendor Security Infrastructure
  – Typical SLA
  – Infrastructure scalability guarantees
  – SOC redundancy, business continuity and disaster recovery
• Vendor Service Capabilities
  – Is Managed Security Monitoring a core competency?
  – Is the business model focused on services?
  – Proven systems / processes: time-to-market delivering new services and features, and ticket handling
• Organizational Capabilities
  – Staffing / recruiting capabilities and track record
  – Process and cultural compatibility with your organization
  – Account and project management capabilities
• Bottom Line
  – Presales: staff / proposal
  – Overall annualized cost of the solution
  – Contract terms
  – Customer references
  – Brand recognition / association impact