IDS mailing list archives

RE: How to choose an IDS/FW MSS provider


From: THolman () toplayer com
Date: Tue, 15 Mar 2005 06:14:42 -0500

A managed solution still presents the same problems that an IDS/IPS solution
would do in house, but also gives a scary amount of control to the MSS
vendor as to what they consider dangerous, or not.

Only with a full internal network audit and assessment of all nodes can the
accuracy of an IDS be improved, and this is where local knowledge is a must.
One would be crazy if you just thought you could buy an IDS/IPS black-box
solution, stick it on the perimeter of your network, and expect blanket
coverage.  

Although ISS have a great SOC, and world-renowned XForce team, they do not
have the resource to visit each and every customer to ensure the accuracy of
their managed solution, as is the same with most other large, multinational
MSS providers.

In fact, a lot of the time, an incident will occur, the MSS will flag it,
alert the client, the client will work out whether or not it's a false
positive, and maybe 12 hours or so later, the anomaly will be identified, by
which time if it was malicious then the damage would already have been done,
or if benign, time wasted, so I sometimes fail to see the value a managed
IDS service can provide (unless it's done PROPERLY, but the true cost of
this is often prohibitive).

This is where local expertise is a must - I would favour a small, local MSS
that could give me instant support during a crisis, rather than from someone
who only offers a SOC hundreds of miles away...

Regards,

Tim
   

-----Original Message-----
From: fuijdancer () yahoo com [mailto:fuijdancer () yahoo com] 
Sent: 12 March 2005 09:10
To: focus-ids () securityfocus com
Subject: Re: How to choose an IDS/FW MSS provider

In-Reply-To: <422C2FDB.5030404 () ecologie net>

Appears that the discussion is more about selecting a right IDS/IPS solution
rather than selecting a Managed Security Service provider, which was the
question.

When selecting a MSS provider (IDS/FW alike) of course you must be convinced
that they use the right tools/products. Some providers use commercial ones
like Netscreens, CP, ISS,...... others use their own spin-offs or open
source. More importantly is almost how they provide their services, the SLA
and operational procedure agreements, their incident handling capability and
of course the security experience they bring to your company. For example
ISS is strong as a product vendor but is just moving to the market for
delivering services. When selecting a MSS also normal classic outsourcing
aspects must be considered. Since you are outsourcing part of your security
monitoring and incident handling process special care should be taken here.
For example there are large companies or product vendors who "also do
security services", but there are also dedicated MSS companies. Often small
specialized companies but with a large insight in the issues that really
matter. Remember, it's not
just the product that you buy, it's about the service and quality of the
monitoring and incident handling that protects your company assets. Everyone
will sooner or later get (their own) products working, that's not the issue
here. Smaller companies can also better control who is monitoring your
networks and systems. Big MSS providers just have a pool of people
monitoring, maybe even from different SOCs. However some customers require
that they must be convinced that only a limited number of persons are
involved providing the service. My company for example only works with
top-level screened security staff. Therefore we are able to guarantee who is
doing what, when and how. 

And what about incident handling and response? If something might happen is
your MSS there for Protect & proceed or Pursue & prosecute? Product vendors
or normal IT companies entering the MSS market often lack this experience. 

Global market presence is often only limited needed since MSS is only
providing a small part of the total infrastructure. Therefore small MSS
companies may just piggyback on already in place service structures. The MSS
services themselves are completely independent of location. 

Author works at a highly specialized dedicated Forensic and MSS company
providing services to global customers and law enforcement.
 

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
