Firewall Wizards mailing list archives

Re: Managed Security Metrics


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 5 Mar 2001 18:23:05 -0500 (EST)

On Mon, 5 Mar 2001, shawn . moyer wrote:

Mike Smith wrote:

What security metrics should I be looking for in a service level agreement
from a managed security service provider?  Traditional service level
agreements cover things like performance (throughput) and availability.  If
I have an outsourcer manage my firewall, what kinds of service targets
should I insist on?

Well, I think some of the standard SLA-type stuff still applies like
uptime, response time to outages and change requests, etc. -- all of
these are just as relevant if not more so when outsourcing FW / IDS /
VPN management. 

I'd wager the biggest additional point of contention would be attack
response... For example, what metric is used to determine if an attack
is in progress? How is the response handled and how quickly? Who is
notified, what countermeasures are taken, etc.? This gets pretty hairy
to define. 

Offhand I'd consider any suspicious activity that hits more than some
arbitrary number of IPs to be a warning shot; for example if I saw
someone scanning my network for the rpc.statd vulnerability and saw more
than, say, five IPs hit in sequence I'd consider this worthy of
investigation, and if I were paying someone to manage my security I'd
expect them to agree, although on a very busy network with a lot of
suspicious traffic you have to pick your battles a bit.

I'd want to verify that whoever I was going with a Security MSP shared
my own philosophy on what is worthy and what is not worthy of reporting
and logging. 

Another service I'd expect from a Security MSP would be more advanced
trend analysis -- I'd expect a monthly report of the overall percentage
of anomalous traffic in relation to "good" traffic (again, a tough thing
to define), and I'd want to know whether the trend was toward an
increase or a decrease. 

I'd also expect a Security MSP to be able to track and locate "problem"
IPs and networks -- this brings up the old problem of an attacker that
might be profiling a network over a long period of time, generating only
a few "low priority" alarms -- when viewed from a trend analysis
standpoint this traffic is malicious, but from a "daily" or "monthly"
standpoint this traffic might not be relevant. I'd expect my logs to be
stored and added to a trending database for at least 12 months.

I'd also look for a *wide* range of supported tools and platforms... No
sense getting married to a dead-end platform if you can help it. I'd
expect (without getting into firewall / IDS wars) at least Gauntlet,
Raptor, Checkpoint, PIX, Netscreen, and IPF support from the firewall /
VPN side, and NFR, Netranger, RealSecure, Dragon, and Snort support on
the IDS side.

In such cases you are assuming that the client will allow you to take
action; is this the case?  I know one major provider did not think this
would fly well and so side-stepped the issue by only giving out e-mail or
pager flashes of the first sighting.  This often left decision making in
the hands of someone not wishing to know the gory details and unable to
make proper decisions, but, then again, I do not recall us ever getting a
point off in that area.  Most often loss of connectivity was the factor
that most consumed their minds for sure, nevermind the reason or rationale.

So our SLAs merely gave a timeframe of when we would issue a warning upon
a 'trouble ticket' surrounding an event.  Of course, we misplaced those
IDS sensors out front, so they logged up all sorts of garbage that gave
the mgt folks and clients TONS of data to build nice little graphs and
charts from, nevermind the true value of the data...

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
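Shawn's "more than five IPs hit in sequence" rule, and his point that a slow profiler only shows up when the same rule is run over a trending database, as an added example that is not code from anyone in this thread. The alert format, addresses and thresholds are constructed assumptions; the point is the contrast between the per-day verdict and the whole-window verdict on the same data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample IDS alerts, not from the thread: "<ISO timestamp> <src> <dst>".
# 10.0.0.5 sweeps six hosts in seconds; 192.0.2.77 probes one host per day for six days.
SAMPLE_ALERTS = """\
2001-03-01T02:10:00 10.0.0.5 172.16.1.1
2001-03-01T02:10:01 10.0.0.5 172.16.1.2
2001-03-01T02:10:02 10.0.0.5 172.16.1.3
2001-03-01T02:10:03 10.0.0.5 172.16.1.4
2001-03-01T02:10:04 10.0.0.5 172.16.1.5
2001-03-01T02:10:05 10.0.0.5 172.16.1.6
2001-03-01T09:00:00 192.0.2.77 172.16.1.10
2001-03-02T09:00:00 192.0.2.77 172.16.1.11
2001-03-03T09:00:00 192.0.2.77 172.16.1.12
2001-03-04T09:00:00 192.0.2.77 172.16.1.13
2001-03-05T09:00:00 192.0.2.77 172.16.1.14
2001-03-06T09:00:00 192.0.2.77 172.16.1.15
2001-03-02T12:00:00 198.51.100.9 172.16.1.1
"""

def parse_alerts(text):
    """Parse one alert per line into (day, src, dst) tuples."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            alerts.append((datetime.fromisoformat(ts).date(), src, dst))
    return alerts

def scanning_sources(alerts, threshold=5):
    """Sources that hit more than `threshold` distinct destinations within the given alerts."""
    targets = defaultdict(set)
    for _day, src, dst in alerts:
        targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) > threshold)

def daily_verdicts(alerts, threshold=5):
    """The 'daily report' view: apply the rule to each calendar day on its own."""
    by_day = defaultdict(list)
    for alert in alerts:
        by_day[alert[0]].append(alert)
    return {day.isoformat(): scanning_sources(rows, threshold) for day, rows in sorted(by_day.items())}

def trend_verdict(alerts, threshold=5):
    """The trending-database view: the same rule over the whole retention window."""
    return scanning_sources(alerts, threshold)
```

Run per day, only the fast sweep from 10.0.0.5 crosses the threshold; run over the whole window, 192.0.2.77 crosses it too, which is the case a 12-month trending store is meant to catch.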