For most companies, information security management is not part of their core business, and they cannot invest endlessly in a function that is not business-critical. A Managed Security Services Provider (MSSP) may be a solution worth considering.
Broadly defined, MSSP services cover many models, such as penetration testing, vulnerability scanning, equipment management, equipment maintenance, system tuning and configuration, log monitoring and analysis, and even the regular issuing of management reports, so that business users can analyze their own security weaknesses and strengthen them according to their actual needs with a combination of customized solutions.
In addition, external fluctuations as well as internal changes triggered by new equipment, new business types or new business processes all inevitably change an organization's information security management needs, and responding to and solving those problems quickly requires adequate protection tools, rich professional skills and sufficient management manpower. With a service window that can be relied on over the long term and professional staff to take care of all these things, a company can not only reduce its management burden and mitigate the risk of confidential leaks, but also turn large capital expenditures into regular rental fees, reduce maintenance costs and relieve financial pressure, which is a benefit on several fronts.
Currently, the financial industry, the retail industry, the manufacturing industry and government units show a high level of adoption of managed security services. The financial industry usually adopts information security services (such as vulnerability scanning) and equipment management services, while many small and medium-sized enterprises in the manufacturing industry and government units take MSSP services into consideration when purchasing IT installations, with the service content consisting mainly of regular inspections.
The question is that there are many MSSPs in the market with different backgrounds: some have strength in supplying one or a few areas of information security products, while others started out in the system integration business. Faced with such a variety of options, how can an enterprise choose the best MSSP?
The number of reference cases is a key evaluation factor. In fact, there are many evaluation factors that help identify a genuinely high-quality and suitable MSSP, among which the most critical is case references. The more experience providers have, the more mature and advanced they become.
The next important point to observe is professional strength, but this is difficult to determine through quantitative data.
If an MSSP is willing to invest in its SOC to improve its talent cultivation programs, and if its personnel are generally not short of experience, this indicates that the provider's technical capabilities are relatively comprehensive. Of course, the quality of talent today is not the same as the quality of talent over the long term, so companies should also check whether the provider's talent retention incentives are sufficient: benefits, working environment, staff turnover rate, staff training system, and so on. Also, as technologies and scams evolve over time, the MSSP you choose should be constantly keeping an eye on the latest technology trends and attacks.
The third key observation is the quality of service. Without it, a company that pays an MSSP to analyze logs may receive only a thick pile of raw data rather than the key information.
Finally, one should assess the security of the MSSP's own infrastructure. Take personal data protection law as an example: log data serves as evidence only if it is non-repudiable, so there must be no risk of it being tampered with in any way. To avoid this shortcoming, enterprises must define a strict checklist in advance and carefully audit the MSSP's management structure, and even if the physical structure is fine, they must also sign a strict confidentiality agreement with the provider.
Four evaluation factors for MSSPs:
- The number and industry of case references
- Professional strength inferred from SOC personnel's years of experience and retention incentives
- Quality of service
- Infrastructure security
Can the company just leave its IT security to the MSSP?
When an enterprise signs a service level agreement (SLA) with an outsourced vendor to assist in information security maintenance, it should consider the expected time for the vendor to notify and resolve an internal security incident or maintenance abnormality, as well as a reasonable penalty system. If a number of service standards are defined, consideration can be given to deducting or adding points for a single item, so that the overall agreement is not terminated or invalidated by a breach of one of the SLAs; as for penalties, it is recommended that they be planned as a percentage of the total project price.
However, some companies believe that after selecting a trustworthy MSSP and signing a service level agreement (SLA), they can focus on their core business, rest easy and ignore any matters related to information security management.
First, even if the enterprise assigns the MSSP to manage its equipment and logs, ownership of these things still belongs to the enterprise. If the enterprise is unaware of a network interruption that stops the logs from being sent out, or that prevents the SOC staff from remotely monitoring the status of the equipment, and the MSSP immediately notifies them but is ignored, who is right and who is wrong in this matter?
Since unexpected situations may make it difficult to clarify the division of rights and responsibilities between the two parties, it is better to spell everything out clearly in black and white in the contract beforehand, so as to avoid pointless disputes later.
Secondly, enterprises should turn passivity into initiative and maintain a cooperative relationship with MSSPs, instead of just waiting for reports or incident notifications to arrive.
If the enterprise's front-line staff notify the MSSP whenever they detect unusual activity and provide immediate feedback, it is more likely that risks will be nipped in the bud.
In addition, enterprises should take up the responsibility of supervising their outsourced vendors. Periodic audits are suggested: visit the vendor's information centers or maintenance operation sites to check whether its daily operations comply with standard operating procedures or regulations, and then set quantitative service standards based on the number of audit deficiencies or the length of the improvement period. When a certain number of points are accumulated, a fine, service termination or a change of vendor will be required.
It is inevitable that the marriage between the company and the MSSP will require a period of adjustment at the beginning, and it is up to both parties to strive for a high degree of consensus in order to make the SLA more reasonable and create a win-win relationship between the two parties.