What You Need to Know When Choosing a Managed Security Services Provider (MSSP)
June 04, 2013
In my initial 6Labs post we covered, ‘How Managed Security Services (MSS) Can Be a “Win-Win-Win” for Small and Mid-Sized Businesses’. We know that many SMBs face challenges with regard to limited staffing, challenges meeting compliance, and cost control. This is where MSS can benefit you. Identifying the challenges is easy, but now comes the real task—selecting a Managed Security Services Provider (MSSP). If you are considering engaging an MSSP or have already begun evaluating providers, here are seven key considerations you should include in your decision-making process:
- MSS Offering Suite – One of the most critical factors in your process should be whether or not your MSSP is able to manage and monitor your specific technologies. For example, if you need your Security Information & Event Management (SIEM) deployment managed for log collection, confirm the MSSP supports the SIEM and all connecting technologies. This should be identified by any qualified MSSP during the scoping process. You do not want to commit to a multi-year term and come to the conclusion they are unable to manage and/or monitor key parts of your network.
- Staffing & Qualifications – As you speak to different MSSPs, you should qualify the engineers and staff behind the scenes. How accessible are they? Where are they based? How much do they really know? After all, you are putting your network in their hands. Do not hesitate to ask for all of these criteria. Any MSSP should be willing to give you statistics around response times, employee count, location and experience held by their engineers. If these employees are not subject matter experts in the technologies they are managing on your behalf, then perhaps there is a better option available. Also, you should have a designated Service Delivery Manager to be readily accessible to answer non-technical questions about general account handling.
- Data Center Locations, Disaster Recovery Sites & Redundancy – Following on the heels of staffing, it is just as important to understand where your data resides and from where it is being managed. Does the data reside in the US or outside the country? This becomes important with regard to maintaining privacy and compliance as it can often depend on the country’s regulations. For U.S.-based organizations, a priority should typically be placed on U.S.-based providers. You should also understand if and where the MSSP has a disaster recovery site. Your data should not reside in the same general geographic location as your primary data center in case of a natural disaster. At any time your MSSP should be able to operate out of a redundant Security Operations Center (SOC) to manage and monitor your devices and network.
- Company Reputation – As with any complex service offering, it is good to know and understand the reputation of your MSSP. Important aspects to consider would be experience in the industry, longevity in business and strong industry partnerships. Ideally your MSSP is an established company with years of information security experience with close ties to manufacturer partners. You want a trusted advisor behind the scenes always looking out for your best interests with a solid reputation in the industry. Get to know the managed services team and their reputation. It will benefit you greatly in the long run.
- Service Level Agreement (SLA) – Now that you have determined your MSSP has the right offerings, knowledge, redundancy and experience, it's time to confirm how quickly the team of engineers can identify and report an issue within your environment. First, you must determine how to gauge the criticality of an issue and who to contact in these emergency situations. Your MSSP should use a known standard, such as ITIL v3 (Information Technology Infrastructure Library) and SSAE 16 (Statement on Standards for Attestation Engagements) or other acceptable industry guidelines, to identify and gauge the severity of your incidents. You should also have the ability to customize your communication hierarchy as to whom your MSSP contacts with regard to alerts based on severity. For example, if the incident is a category six (highest critical level), then please call the Director of IT’s mobile number at any time. If the incident is a category two, then perhaps an email to the entire IT team is sufficient. A good MSSP will have a Service Level Agreement that requires notification within at least 15 minutes if an incident is identified. After all, this is why you have a third party monitor and/or manage your network 24/7/365.
- User Portal – A nice option your MSSP should be offering is a web portal to provide you with insight into your devices and logs. Even though you are paying an MSSP to manage these specified activities for you, it is important to have the ability to view dashboards, status of systems, submit tickets, access on-demand reporting, review changes or perform actual log queries. Many times a simple dashboard view is exactly what management wants to see, and the portal should be an instant place to get this type of data to make your life easier.
- Threat Intelligence – Ask your MSSP what you are gaining by using their service from a risk mitigation perspective. A good MSSP will correlate the data they have from all clients and other security sources (breaches, threats, government alerts, etc.) to help educate and inform you and your team. This includes vulnerabilities or attacks that are currently the most prevalent and widely seen, both on the whole and specific to your vertical industry. This is a value you as a client could never achieve on your own and thus a must-have benefit of using an MSSP. Just as an example, we at FishNet stress the use of proven frameworks that incorporate traditional all-source fusion intelligence in an intel/ops environment, ensuring that our threat intelligence function is actively feeding information to operations and the client via standard weekly reports.
In conclusion, identifying and selecting the best MSSP for your company is not always easy. Although there is no “one-size-fits-all” MSSP out there, hopefully this has given you some important aspects to consider and review as you move forward with this endeavor. Good luck, and please let me know if we can help!