Firewall Wizards mailing list archives
Re: Managed Security Metrics
From: "Jack McCarthy" <Security.Info () jackmccarthy com>
Date: Tue, 6 Mar 2001 16:30:55 -0500
Hey Mike,

Here are some of my thoughts when I read your post. Some may be helpful and some are just that, thoughts.

This is a link to a product called WebTrends, it provides Firewall Security Report - now I'm not promoting their product but just using the report that product produces as a guideline to some of the metrics you may be looking for.
<http://www.webtrends.com/reports/reports.asp?reports=product&product=fire>

If you haven't done so already, you might want to throw this topic to a few other lists, like:
-Security How-to List
-E-Commerce Security List
Can be found at <http://www.ntsecurity.net/go/loader.asp?id=/security/subscribe-ntsd1.htm>. SecurityFocus.com has some good mailing lists, but you probably know about these too.

(now standing in your shoes)
As one of the customers of this outsourcing co. I want or would like:

-To know all statistics, everything from pings to scans to attempts. Anything that touches my border, I want to know about. Maybe in a weekly or monthly report, with exception of course for attacks and intrusions where immediate notification would be justified. <This may be asking too much, but a good place to begin if you have to start backing-off of a few things.>

-Accountability, checks and balances. I want to be able to check and make sure you're doing your job and doing it correctly. Some way of independently checking on you, your reports and findings. <I think self education on the material/technology and real-time access just like they have is the most accurate checks and balances.> A way to be able to check if the latest patches, service packs, upgrades are installed or exploits plugged. I want to be able to verify it myself, not just take your word for it. <A certain level of paranoia is a good thing when it comes to security.>

Some things that concern me, again being the customer and in your shoes:

-Relying 100% on a vendor to do business in my best interest and me not knowing enough of the material/technology to know that they're feeding me BS. There needs to be some way of checking up on them.

Questions/comments I might ask/say or just think about:

-How do I know you're not fudging your reports/findings to support my interests? I don't mean to be so blunt, but we're not here to play bingo.
-May I talk to some of your current clients? Can I have a list of current clients that I can talk to?
-Can I get something on-site that I can view the logs and reports in real-time?
-How do you guys keep up with the latest exploits, patches, service packs and upgrades?
-How quickly after an exploit has been made public (or known about) do you patch the hole?
-What happens if there is a breach of security, WHICH THERE WON'T BE but..? What do you do? How do you handle it?
-Do you have any experience in tracking down attackers and intruders?
-How successful have you been in finding the source of the attack or locating the intruder?

Again, these are just some of the thoughts that ran through my head after reading your post but, having these questions answered (with the answers you want) on paper and signed by them would be one of my highest priorities.

Hope this helps.

-Jack McCarthy

--- Mike Smith <msmith () infinity-its com> wrote:
What security metrics should I be looking for in a service level agreement from a managed security service provider? Traditional service level agreements cover things like performance (throughput) and availability. If I have an outsourcer manage my firewall, what kinds of service targets should I insist on?

I wouldn't think there'd be any point to counting blocked attacks (as a service metric). I certainly want to know how many attacks got through, but is that a metric for which I can usefully set a target (e.g., no more than 0 successful attacks per month)?

If the service provider manages my firewall plus other devices, like VPNs, IDSes, etc., can we or should we set different types of targets for each device/service? Or should there be some global security metrics that apply across the entire service?

I'd like to know how much of my bandwidth I'm giving up to the security provider's data streams, but that doesn't tell me how secure I am.

Related to this, I recently listened to a Meta audio briefing (http://www.metagroup.com/metaview/mv0314/mv0314.html) that suggested some useful security metrics (aimed more at internal security operations) included things like password reset requests, time to create or delete user accounts, etc. Would these work for measuring an external service provider?

J. Michael Smith
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards