Firewall Wizards mailing list archives
Re: Managed Security Metrics
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 5 Mar 2001 18:23:05 -0500 (EST)
On Mon, 5 Mar 2001, shawn . moyer wrote:

> Mike Smith wrote:
>
> > What security metrics should I be looking for in a service level agreement from a managed security service provider? Traditional service level agreements cover things like performance (throughput) and availability. If I have an outsourcer manage my firewall, what kinds of service targets should I insist on?
>
> Well, I think some of the standard SLA-type stuff still applies like uptime, response time to outages and change requests, etc. -- all of these are just as relevant if not more so when outsourcing FW / IDS / VPN management.
>
> I'd wager the biggest additional point of contention would be attack response... For example, what metric is used to determine if an attack is in progress? How is the response handled and how quickly? Who is notified, what countermeasures are taken, etc.? This gets pretty hairy to define. Offhand I'd consider any suspicious activity that hits more than some arbitrary number of IPs to be a warning shot; for example if I saw someone scanning my network for the rpc.statd vulnerability and saw more than, say, five IPs hit in sequence I'd consider this worthy of investigation, and if I were paying someone to manage my security I'd expect them to agree, although on a very busy network with a lot of suspicious traffic you have to pick your battles a bit. I'd want to verify that whoever I was going with as a Security MSP shared my own philosophy on what is worthy and what is not worthy of reporting and logging.
>
> Another service I'd expect from a Security MSP would be more advanced trend analysis -- I'd expect a monthly report of the overall percentage of anomalous traffic in relation to "good" traffic (again, a tough thing to define), and I'd want to know whether the trend was toward an increase or a decrease.
>
> I'd also expect a Security MSP to be able to track and locate "problem" IPs and networks -- this brings up the old problem of an attacker that might be profiling a network over a long period of time, generating only a few "low priority" alarms -- when viewed from a trend analysis standpoint this traffic is malicious, but from a "daily" or "monthly" standpoint this traffic might not be relevant. I'd expect my logs to be stored and added to a trending database for at least 12 months.
>
> I'd also look for a *wide* range of supported tools and platforms... No sense getting married to a dead-end platform if you can help it. I'd expect (without getting into firewall / IDS wars) at least Gauntlet, Raptor, Checkpoint, PIX, Netscreen, and IPF support from the firewall / VPN side, and NFR, Netranger, RealSecure, Dragon, and Snort support on the IDS side.

In such cases you are assuming that the client will allow you to take action; is this the case? I know one major provider did not think this would fly well and so side-stepped the issue by only giving out e-mail or pager flashes of the first sighting. This often left decision making in the hands of someone not wishing to know the gory details and unable to make proper decisions, but, then again, I do not recall us ever getting a point off in that area. Most often loss of connectivity was the factor that most consumed their minds for sure, nevermind the reason or rationale. So our SLAs merely gave a timeframe of when we would issue a warning upon a 'trouble ticket' surrounding an event.

Of course, we misplaced those IDS sensors out front, so they logged up all sorts of garbage that gave the mgt folks and clients tons of data to build nice little graphs and charts from, nevermind the true value of the data...

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
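The two measurable items Shawn proposes above, a "warning shot" when one source touches more than some number of hosts in sequence, and a monthly anomalous-versus-good traffic ratio with its trend, can both be stated as code an MSP and its client could agree on. The following is an added example written for this archive page; it is not from any list participant or product. It assumes a simple constructed firewall log layout (`timestamp action src -> dst:port`), treats denied connections as the "anomalous" class (one possible definition; the thread itself calls this hard to define), and uses Shawn's figure of five hosts as the threshold.

```python
"""Added example (not from the thread): the 'more than N hosts hit' warning-shot
heuristic and the monthly anomalous-traffic ratio + trend discussed on the list.
Log lines and field layout are constructed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: "<ISO timestamp> <ALLOW|DENY> <src_ip> -> <dst_ip>:<dst_port>"
# 10.9.9.9 sweeps six hosts on port 111 (rpc.statd's portmapper era) in seconds;
# 10.7.7.7 touches only two, which stays below the threshold.
SAMPLE_LOG = """\
2001-02-20T09:00:00 ALLOW 10.1.1.5 -> 192.0.2.1:80
2001-02-20T09:00:10 DENY 10.9.9.9 -> 192.0.2.1:111
2001-03-05T18:00:01 DENY 10.9.9.9 -> 192.0.2.1:111
2001-03-05T18:00:02 DENY 10.9.9.9 -> 192.0.2.2:111
2001-03-05T18:00:03 DENY 10.9.9.9 -> 192.0.2.3:111
2001-03-05T18:00:04 DENY 10.9.9.9 -> 192.0.2.4:111
2001-03-05T18:00:05 DENY 10.9.9.9 -> 192.0.2.5:111
2001-03-05T18:00:06 DENY 10.9.9.9 -> 192.0.2.6:111
2001-03-05T18:01:00 ALLOW 10.1.1.5 -> 192.0.2.1:80
2001-03-05T18:01:05 ALLOW 10.1.1.5 -> 192.0.2.1:80
2001-03-05T18:02:00 DENY 10.7.7.7 -> 192.0.2.9:111
2001-03-05T18:02:30 DENY 10.7.7.7 -> 192.0.2.10:111
2001-03-05T18:03:00 ALLOW 10.1.1.6 -> 192.0.2.2:443
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append({"ts": datetime.fromisoformat(ts), "action": action,
                       "src": src, "dst": dst, "dport": int(port)})
    return events


def find_scanners(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src: (dport, distinct_hosts)} for every source that hit more than
    `threshold` distinct destination hosts on one port inside a sliding `window`.
    This is the 'warning shot' rule: worth a ticket, not yet proof of compromise."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["dport"])].append(e)
    flagged = {}
    for (src, dport), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it is within `window` of the newest event.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            best = max(best, len(hosts))
        if best > threshold:
            flagged[src] = (dport, best)
    return flagged


def monthly_anomaly_ratio(events):
    """Fraction of events per (year, month) that were denied: the 'anomalous vs good'
    number an MSP could put in a monthly report (definition of anomalous is assumed)."""
    totals = defaultdict(lambda: [0, 0])  # (year, month) -> [denied, all]
    for e in events:
        key = (e["ts"].year, e["ts"].month)
        totals[key][1] += 1
        if e["action"] == "DENY":
            totals[key][0] += 1
    return {k: denied / total for k, (denied, total) in sorted(totals.items())}


def trend(ratios):
    """Compare the two most recent months: 'increasing', 'decreasing', 'flat',
    or 'insufficient data' when fewer than two months are available."""
    months = sorted(ratios)
    if len(months) < 2:
        return "insufficient data"
    prev, last = ratios[months[-2]], ratios[months[-1]]
    if last > prev:
        return "increasing"
    if last < prev:
        return "decreasing"
    return "flat"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("warning shots:", find_scanners(evs))
    ratios = monthly_anomaly_ratio(evs)
    for (year, month), r in ratios.items():
        print(f"{year}-{month:02d}: {r:.1%} anomalous")
    print("trend:", trend(ratios))
```

The sliding window matters for the long-slow profiling case Shawn raises: a source that touches one host a day never exceeds the threshold inside a five-minute window, so that pattern has to come out of the retained trending data (the 12 months he asks for) rather than from this rule. The ratio function is deliberately naive; an SLA would need to pin down what counts as anomalous before the percentage means anything.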