MSSP Couples Counseling“It’s Not You It’s Me”

Atif GhauriChief Technology Officer

The Odds Are…a) You’re currently using an Managed Security

Services Provider (MSSP)?

b) You’re looking for an Managed Security Services Provider (MSSP)?

c) And you may have even fired a Managed Security Services Provider (MSSP)?

Agenda

• Why engage a Managed Security Services Provider (MSSP)?

• Case Study – The Struggles of Bob and Alice

• MSSP Focus Areas1. Technical Capabilities2. Operational Readiness & Onboarding3. Alerts, Investigation, Response4. SLAs and Contract Terms

Why engage an MSSP?• I don’t have the bodies

– Painful to do 24x7x365– Brains onsite, muscles offsite– Cannot scale team with business

• I can’t find or retain the skills

• I want the Network Effects

• I need it now!

Come in and have a seat on the sofa…

The Struggles of Bob and Alice

Meet BobSnapshot

– Anxious Account Manager @ Global MSSP

– Personally manages dozens of customers

– Incented on SLA adherence and customer sat

– Competent but over-stretched

Bob’s Complaints– “I’m still waiting for XYZ requirements”– “You don’t show up to meetings”– “You only talk to me when it’s an

emergency”– “I need your attention”

Meet Alice• Snapshot

– Crafty CISO of Major Retailer– Small team of engineers– Budget increasing but no headcount– Multiple “strategic partners”– Has little influence over business units

• Alice’s Complaints– “You use to ask me how I’m doing”– “You don’t show me things anymore”– “Why do I have to ask for everything? You should know!”– “You use to give me more attention”

Bob and Alice’s Story (in 90 seconds)

http://www.jasonheadley.com/INATN.html

What’s the nail? (Blind Spots)

Bob the MSSP•Incented to ‘set and forget’•Wants to get paid quickly – rush onboarding•Demands requirements but isn’t proactive•Missing Alice’s business context•Meets SLA and that’s it

Alice the Client•Minimal organization influence•Outdated technology with default configs•Doesn’t have access to stuff herself•Doesn’t know what do to with an escalation

Let’s Talk Managed Services

Focus Area #1Technical Capabilities

What logs to collect (Initially)?Low Hanging Fruit

– Firewall– Active Directory– IPS– Critical Servers– Anti-Virus

Possible Added Value– Application Logs– DB Logs– Security Devices (URL, DLP, WAF, Endpoint)

What logs to collect (Eventually)?Core Security

•Access Control / Auth Server•Analysis•Anti Virus•Application Firewall•DLP•Firewall•IDS / IPS / Other Intrusion•Physical Security•VPN•Vulnerability / Asset Scanner

Host• Application Servers• Load Balancing• Mail• Mainframe• Midrange• Unix /Linux• Virtualization• Web Servers/Proxies• Windows / Apple

Network and Storage• Application Delivery• Configuration

Management• Messaging• Routers• Switches• Wireless Devices/Access

Points• Database• Document• Storage/File Server

Big Data Analytics Improving Context

Traditional SIEM•Rules based environment•Linear detection of logs for incident reporting

Big Data Analytics•Seeks anomalies to correlate•Examines entire environment for log relationships•Tracks unusual activity working backwards to context

Actively investigate anomalies and provide context around incident detection.

Anomaly DetectionProactively identify the unknown through machine based learning to identify data pattern changes. Alert Trending creates a visual context for the behavioural anomalies.

Threat Analytics

Dashboards vs Reports

Focus Area #2Operational Readiness &

Onboarding

Do you have your house in order?CSIRT Ready – Is Incident Response defined, documented, practiced?

Asset Classification and Owners – Defined and updated?

Ticket Pile-Up – How reactive are IT and Product teams to findings?

War Games – When was the last table-top IR exercise?

Response Procedures – What will we actually do when attacked?

What happens during onboarding?Onboarding is conducted using systematic processes with detailed operational readiness checklists

Operational Item Description Develop detailed project plan Define a comprehensive project plan including stakeholders, timelines, and key assumptions/risks Asset list Document the asset list of record including serial and version numbers Architecture documentation Define reference implementation architecture including security zones, network information, and

management interfaces Account creation for the operational team

Catalog the authorized users and account permission levels including the approved process to provision and manage system accounts

Run and Build Books Establish operational run books for managed technologies OS and application are up-to-date Validate the operating systems are updated and have the appropriate licensing defined Endpoint Catalog Documentation of valid end-points and procedures for adding and removing endpoints into

protection scheme Establish Health Monitoring Assure visibility into the system health of the managed devices to provide up/down reporting Provide appropriate ticket system access

Assure access to the system and appropriate permissions exist to manage tickets as defined in SLAs

Complete Escalation Process Document Document the end-to-end escalation tree for primary, secondary, and backup contacts for all levels of agreed upon service descriptions

Production Readiness Plan the cutover deployment timing and relevant stakeholders to approve transition rollback criteria

Six Onboarding Best Practices1. Define “notable event" vs "incident" based: Disruption,

Degradation, Nuisance

2. Build work products such as asset lists, critical applications, SEV priority

3. Vulnerability scoring definition

4. Defined ownership of process and escalation

5. Poor man’s owner lists: use top users, emp directory, last logon

6. Agreed upon operational readiness checklist

Sample Operational Readiness Checklist

• How many users on the network?• What is the make model of each appliance and the management

server?• Are any of the appliances near eol?• Any unresolved support issues with the manufacturer?• What policies are in place today? Fim? Ips? Firewall?• What new policies are required?• Are the devices strictly firewall only, or multi-purpose/next-gen?• Are there other features enabled? AV, IPS, email GW, web proxy/GW?  • How many physical appliances are in-scope for managed services?• What is the location of each appliance? Head office? Main data

center? • Any new physical or virtual interfaces on existing platforms to be

operationalized?

Focus Area #3Alerts, Investigation, Response

Fundamentals of SecOps• Detection• Evidence

Collection• Containment• Forensic Analysis• Remediation• Communication

Mr. Fundamental

It’s all about the use cases1. Identify and Analyze MVAs (Most Valuable

Assets) and HBIs devices (High Business Impact)

2. Model use-cases around your MVA and HBI devices

3. Use cases will tell you what logs you need (not the opposite)

4. Then pick the tech to implement use cases

Six Best Practices for Use Case Dev1. First Things First - Ensure critical conditions produce

notification

2. Environment Centric - Build alert rules specific to environment and requirements

3. Fluid Thresholds - Ensure appropriate thresholds are applied to reduce false alarms

4. What and Why - Know what event sources are logging to the SIEM and why

5. What’s most important - Categorize alerts according to severity levels

6. Track Them All - Ensure non-critical events are excluded from notification but reviewed

Sample Use Case References• What situations keep you up at night? • What alerts and reports do you expect to get from the SIEM? • Will the platform be managed internally or outsourced? • Is there a list of all devices/assets to be monitored by the SIEM? Which

are most critical?• Which devices are natively supported by the SIEM and which ones

require a custom parser?• Is the SIEM required to meet some form of compliance (e.g. HIPAA, PCI,

SOX)?• How are the monitored devices geographically dispersed? • How do asset owners (of the monitored devices) feel about an agent

versus agentless solution?• What devices need to send logs to the SIEM in order to get those alerts

and reports? • Is there a requirement to incorporate network data elements into the

SIEM? • If managed internally, what training options does the vendor provide

and who exactly will be managing/monitoring/maintaining the solution?

Sample Use Case ReferencesPopular SIEM Starter Use Cases AlienVault SIEM Use-Cases SANS Critical Security Controls ***NIST 800-53 ***

***Not purely use cases, but great source to help brainstorm

Focus Area #4SLAs and Contracts

Do’s and Don’ts• Don’t do a POC of MSSP

• Do unannounced VA scans and pen tests

• Don’t have 5 minute SLAs

• Do provision enforceable SLA penalties

• Don’t just default on a one-year contract

• Do define success with simple KPIs

In Closing, a bit about Herjavec Group

Information Security Is What We DoWe provide

Information Security Solutions for Enterprises globally.Our expertise includes:•Consulting & Compliance•Product and Service Delivery•Security Management•Incident Response

Recognized for our Flexible & Agile Managed Services practice which includes On Prem, Cloud and Hybrid models.

One of North America’s fastest growing technology companies. Successfully scaled to service enterprises globally with customers across NA, EMEA & APAC.

RANKED # 2 ON CYBERSECURITY 500 Global ranking of information technology providers, integrators and managed services companies.

We Manage 24.7.365.Herjavec Group can administer, maintain, support, and monitor your security technology 24.7.365.

• Designed for large, complex, multi technology

• enterprise environments• Relevant alerts & Regular reports • Big Data Analytics• Cloud Service

• 24/7/365 hot-hot, geo redundant site to site VPN access• Threat Intelligence & smart filters• Flexible ticketing systems• Minimize risk of false positives• SOC 2 Type 2 certified

Thank You

How did things go?(we really want to know!)

Did you enjoy this session? Is there anyway we could make it better? Let us know by filling out a speaker evaluation.

•Start by opening the IAPP Events App.

•Select this session and tap “Click the following link for speaker evaluations.”

•Once you’ve answered all three questions, tap “Done” and you’re all set.

•Thank you!