Firewall Wizards mailing list archives

Re: Managed Security Metrics


From: Adam Shostack <adam () homeport org>
Date: Wed, 7 Mar 2001 11:44:44 -0500

On Tue, Mar 06, 2001 at 11:43:13AM -0500, Mike Smith wrote:
| I'm looking for a service provider that covers more than firewall
| management; it should offer internal IDS, anti-virus, content filtering
| (incoming and outgoing), etc.  Down the road, I may look for services like
| password management, PKI management, maybe even integrated physical
| security.

I think you need to break these down; what do you really expect from
each of them?  For example, what do you want the content filtering to
do?  How intrusive can it be?  What do you do about encrypted mail?
SSL traffic?  (I'm not a big fan of content filtering.)

For AV stuff, I would contract for a maximum response time, the vendor 
to fix the machines damaged by viruses in the lapse-time, etc.

For internal IDS, what do you expect to catch?  Is it password
guessing?  Portscanning?  Generally, IDS is still a fairly new
field--you may want to look at the kind of advances coming in
conferences like "Recent Advances in Intrusion Detection" to see what
people think of as cutting edge.

Adam


| My research tells me the SLA is the main way to tell what I'm getting for my
| money and to compare providers.  I expect the provider to have a service
| that implements my security policy (after we jointly review, and update if
| necessary, that policy to make sure it's appropriate and supportable with
| the provider's offering; I expect the provider to give advice in that area
| as part of the service).
| 
| The SLA is also my contract.  It defines "good" service, and ideally defines
| rebates (to me) or penalties (to the provider) if the service isn't "good."
| But "good" has to be objective and the provider has to be able to
| demonstrate that it was "good" during a given reporting period.
| 
| Mike Smith
| 
| -----Original Message-----
| From: Adam Shostack [mailto:adam () homeport org]
| Sent: Monday, March 05, 2001 6:01 PM
| 
| I think that there's a lot of process issues which are not easily
| quantified.  For example, I want to know that an account will be shut
| off within 5 minutes of a lost token report, but more than that I want
| them to go through a list of accounts quarterly to ensure that there
| is a known, employed user using the account.
| 
| I'd like to see log monitoring, a guaranteed response time to
| certain classes of events, e.g., any user not on a shortlist becoming
| root leads to a phone call that connects with my escalation tree
| inside of 15 minutes.
| 
| Perhaps you can make the question more specific: What are you trying
| to protect?  What is the service selling you?  Is it "firewall and in,
| end-to-end security?"  Is it firewall log monitoring?
| 
| 
| On Mon, Mar 05, 2001 at 01:37:10PM -0500, Mike Smith wrote:
| | So I'm back to asking, what are suitable, measurable criteria for judging
| | the quality of my security service provider's performance?
| |
| | Mike Smith
| 
| _______________________________________________
| firewall-wizards mailing list
| firewall-wizards () nfr com
| http://www.nfr.com/mailman/listinfo/firewall-wizards

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
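One way to turn the two figures quoted in this thread (account shut off within 5 minutes of a lost-token report; a call into the escalation tree within 15 minutes of a non-shortlisted user becoming root) into a per-period SLA check, as an added example that is not part of the thread or of any provider's tooling; the event records, user names and root shortlist are constructed:

```python
from datetime import datetime, timedelta

# SLA targets as stated in the thread: 5 min from lost-token report to account
# disable, 15 min from an unauthorised root escalation to an escalation call.
SLA = {"lost_token": timedelta(minutes=5),
       "root_escalation": timedelta(minutes=15)}

ROOT_SHORTLIST = {"alice", "bob"}  # assumed: users permitted to become root

# Constructed sample records (timestamp, event type, subject), not real logs.
EVENTS = [
    ("2001-03-05T18:00:00", "lost_token_report", "carol"),
    ("2001-03-05T18:03:30", "account_disabled", "carol"),   # 3.5 min: met
    ("2001-03-05T18:10:00", "lost_token_report", "dave"),
    ("2001-03-05T18:17:00", "account_disabled", "dave"),    # 7 min: missed
    ("2001-03-05T19:00:00", "became_root", "alice"),        # on shortlist
    ("2001-03-05T19:05:00", "became_root", "eve"),          # not on shortlist
    ("2001-03-05T19:12:00", "escalation_call", "eve"),      # 7 min: met
    ("2001-03-05T19:30:00", "became_root", "mallory"),      # never escalated
]

def measure_sla(events, shortlist=ROOT_SHORTLIST, sla=SLA):
    """Pair each triggering event with the first matching response at or after
    it. Returns (category, subject, minutes_to_response or None, met_sla)."""
    responses = {}  # (response_type, subject) -> sorted response timestamps
    for ts, kind, who in events:
        if kind in ("account_disabled", "escalation_call"):
            responses.setdefault((kind, who), []).append(datetime.fromisoformat(ts))
    results = []
    for ts, kind, who in events:
        if kind == "lost_token_report":
            cat, resp_kind = "lost_token", "account_disabled"
        elif kind == "became_root" and who not in shortlist:
            cat, resp_kind = "root_escalation", "escalation_call"
        else:
            continue  # shortlisted root use or a non-triggering event
        start = datetime.fromisoformat(ts)
        later = [r for r in responses.get((resp_kind, who), []) if r >= start]
        if not later:
            results.append((cat, who, None, False))  # no response: SLA missed
            continue
        delta = min(later) - start
        results.append((cat, who, delta.total_seconds() / 60, delta <= sla[cat]))
    return results

def compliance_rate(results):
    """Fraction of triggering events answered within SLA: the objective figure a
    provider reports per period and a rebate or penalty clause can key on."""
    return sum(1 for r in results if r[3]) / len(results) if results else 1.0
```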
