Re: How to choose an IDS/FW MSS provider

[<fuijdancer () yahoo com>]

In-Reply-To: <74399981AAC3AC4BAA836846471E76E6ED0E28 () atlmaiexcp02 iss.local>

Sorry Paul. I did not mean to say ISS does not do a good job. Their R&D is suprb and they are in the business for a 
long time. ISS is also one of the leaders to push new developments. You do earn credit for that. 

However (at least in my experience) when it comes to providing a dedicated MSS service, especialy on monitoring (IDS) 
and incident handling/response improvements are certainly possible. Larger service providers (and/or coming from a 
large IDS product vendor background) are often not capable enough to integrate with the business of their customer when 
advanced response techniques are called for. To solve this some are offering their services through local ICT 
compamnies, e.g. Counterpane is offering its services using Getronics. However the experience of the MSS team is than 
largly cancelled out by the local service delivery inexperience. Small highly dedicated MSS providers, focussing on 
detecting and reaction (thus not managing large numbers of firewalls, leave that to the IT departments) are capable of 
this highly integration with the customer.

Nevertheless, the industry needs your R&D and XForce talent to keep everyone on the edge of things!

regards,

Sky


> Received: (qmail 10218 invoked from network); 16 Mar 2005 21:30:54 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 16 Mar 2005 21:30:54 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id CD0E7144299; Wed, 16 Mar 2005 14:19:48 -0700 (MST)
> Mailing-List: contact focus-ids-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <focus-ids.list-id.securityfocus.com>
> List-Post: <mailto:focus-ids () securityfocus com>
> List-Help: <mailto:focus-ids-help () securityfocus com>
> List-Unsubscribe: <mailto:focus-ids-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:focus-ids-subscribe () securityfocus com>
> Delivered-To: mailing list focus-ids () securityfocus com
> Delivered-To: moderator for focus-ids () securityfocus com
> Received: (qmail 346 invoked from network); 15 Mar 2005 18:01:09 -0000
> X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0
> content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: text/plain;
>       charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> Subject: RE: How to choose an IDS/FW MSS provider
> Date: Tue, 15 Mar 2005 12:43:33 -0500
> Message-ID: <74399981AAC3AC4BAA836846471E76E6ED0E28 () atlmaiexcp02 iss.local>
> X-MS-Has-Attach: 
> X-MS-TNEF-Correlator: 
> Thread-Topic: How to choose an IDS/FW MSS provider
> Thread-Index: AcUpFueHzWQWyEfsT3efERe9drvleQAbvy/Q
> From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
> To: <fuijdancer () yahoo com>, <focus-ids () securityfocus com>
> X-OriginalArrivalTime: 15 Mar 2005 17:44:53.0381 (UTC) FILETIME=[B1B67B50:01C52986]
>
> > For example ISS is strong as a product vendor but is just moving to
> the market for delivering services.
>
> ISS has more experience in the MSS market than you give us credit for:
>
> "Internet Security Systems (ISS) has been setting the standard for
> accountability, reliability and protection in Managed Security Services
> since 1995."
>  -- http://www.iss.net/products_services/managed_services/
>
> -----Original Message-----
> From: fuijdancer () yahoo com [mailto:fuijdancer () yahoo com]=20
> Sent: Saturday, March 12, 2005 4:10 AM
> To: focus-ids () securityfocus com
> Subject: Re: How to choose an IDS/FW MSS provider
>
>
> In-Reply-To: <422C2FDB.5030404 () ecologie net>
>
> Appears that the discussion is more about selecting a right IDS/IPS
> solution rather then selecting a Managed Security Service provider,
> which was the question.
>
> When selecting a MSS provider (IDS/FW alike) of course you must be
> convinced that the use the right tools/products. Some providers use
> commercial ones like Netscreens, CP, ISS,...... others use there own
> spin-offs or open source. More importantly is almost how they provide
> there services, the SLA and operational procedure agreements, there
> incident handling capability and of course the security experience they
> bring to your company. For example ISS is strong as a product vendor but
> is just moving to the market for delivering services. When selecting a
> MSS also normal classic outsourcing aspects must be considered. Since
> you are outsourcing part of your security monitoring and incident
> handling process special care should be taken here. For example there
> are large companies or product vendors who "also do security services",
> but there are also dedicated MSS companies. Often small specialized
> companies but with a large insight in the issues that really matter.
> Remember, it's no  t just the product that you buy, it's about the
> service and quality of the monitoring and incident handling that
> protects your company assets. Everyone will sooner or later get (there
> own) products working, that's not the issue here. Smaller companies can
> also better control who is monitoring your networks and systems. Big MSS
> providers just have a pool of people monitoring, maybe even from
> different SOCs. However some customers require that they must be
> convinced that only a limited number of persons are involved providing
> the service. My company for example only works with top-level screened
> security staff. Therefore we are able to guarantee who is doing what,
> when and how.=20
>
> And what about incident handling and response? If something might happen
> is your MSS there for Protect & proceed or Pursue & prosecute? Product
> vendors or normal IT companies entering the MSS market often lack this
> experience.=20
>
> Global market presence is often only limited needed since MSS is only
> providing a small part of the total infrastructure. Therefore small MSS
> companies may just pickbag on already in place service structures. The
> MSS services themselves are completely independent of location.=20
>
> Author works at a highly specialized dedicated Forensic and MSS company
> providing services to global customers and law enforcement.
> =20
>
> ------------------------------------------------------------------------
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from=20
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>
> to learn more.
> ------------------------------------------------------------------------
> --
>
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from 
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> --------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------