Re: MSSP / IDS Selection

["Mike Coliton" <MCOLITON () twmi rr com>]

KJP

after being involved in MSSP  from back in 99, I did then and still have
today these thoughts.     Each organization should ask themselves these
questions before choosing a MSSP company:

1.   What is my enterprise and network topography?
2.   What Security products available today best suit my environment
(application level, OS level, and Network performance level)?
3.   What providers can manage those specific products well?
4.   Can these providers manage my legacy products effectively as well?
5.   Which providers will allow me to control the SLA?
6.   Which providers can effectively do this within my budget?
7.   What is my business reason for outsourcing mgmt?

Ask yourself these questions, then do the homework on the technology
(Neohapsis and NSS have neat whitepapers).
Get references from each MSSP, though mainly references with similar
environments as yours.

Best of luck

Mike



----- Original Message ----- 
From: "David W. Goodrum" <dgoodrum () nfr com>
To: "KJP" <kjp011975 () gmail com>
Cc: <focus-ids () securityfocus com>
Sent: Saturday, March 19, 2005 4:38 PM
Subject: Re: MSSP / IDS Selection


> If you're still trying to determine whether or not to go with an MSS vs
> building it inhouse, I think you need to look at a number of factors.
> We find ourselves often recommending our smaller installations to go
> with an MSS so that they can get the full benefits of an expert staff
> and the 24 x 7 operations.  Larger enterprises typically already have an
> "expert" staff and can leverage off that to implement their own
> systems.  But, as you've stated, the costs of going with an MSS
> sometimes seem a bit overwhelming.  But, potentially, the reason for the
> sticker shock is because of the vendors you've selected to evaluate as
> an MSP.  You picked the big names that everybody knows.  At NFR we have
> a number of providers that we recommend depending on the need of the
> customer.  Some customers don't care about 24 x7, and don't want to pay
> an MSS for that type of service.  For those customers we often recommend
> local shops that are often cheaper than some of the big names that you
> have chosen below.  Perhaps you are looking for the managed IDS without
> all the bells and whistles to save on cost.  Those providers do exist,
> but you usually won't find them unless you go through the IDS vendor for
> the recommendation.  I notice that NFR was not on your list, but you
> could easily contact the other IDS vendors you mentioned below and they
> could probably point you in the direction of some of the less expensive
> MSPs. You could take one vendor recommendation and then compare those
> "smaller" MSP's to see how they compare.
>
> On the other hand... if you have the staff, or just want the experience,
> you could always try doing it in house first.  Most MSPs will happily
> take over an existing install if you later decide to outsource the
> management of your system.
>
> -dave
>
> KJP wrote:
>
> > I have spent much time researching various MSSP's NetSec, Verisign,
> > Counterpane, and LURHQ for my company.  After much research we decided
> > to go with Verisign for numerous reasons.  After selecting Verisign we
> > began narrowing down pricing.  On a monthly level the pricing looks
> > ok, until you look at it at a yearly level the pricing starts to get
> > scary.
> >
> > We looked into doing the same service internally using Snort.  I
> > remembered the comercial implentation of Sourcefire and began
> > researching it.  It appears to offer services that Snort does not, RNA
> > and Defense Center offer the pieces missing from Snort, plus it
> > packages the support so I don't need to worry about hardware support,
> > OS support, etc.
> >
> > What are the opinions of Snort and Sourcefire versus ISS, Cisco,
> > Enterasys, Symantec?
> >
> > Thanks in advance.
>
> --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
>
> --------------------------------------------------------------------------
> >
>
> -- 
> David W. Goodrum
> Senior Systems Engineer
> NFR Security
> 703.731.3765
>
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------