Cyber security has garnered substantial media coverage in recent weeks, and CIOs and CISOs (chief information-security officer), along with their bosses, are probably wondering if they are doing enough to protect their company’s mission-critical data/information.

If you want to know if you are doing enough, conducting a security assessment/audit is a great place to start. But the key to assurance is on the back end—taking prescriptive steps for mitigating risks the audit uncovers and considering the use of a Managed Security Services (MSS) provider.

The flow of a security assessment/audit looks like this:

> Discovery—During this phase, the auditor performs reconnaissance to identify the client’s infrastructure and obtain information, both public and private, about the target environment.

> Target Profiling—Using the information obtained during the discovery phase, the auditor further evaluates the client’s infrastructure in order to develop a targeted testing approach.

> Examination—This is the phase where the auditor conducts detailed vulnerability scans against the prioritized target groups. Usually the auditor will use a combination of commercial, open-source, and proprietary tools. The objective of this phase is to identify potential security vulnerabilities that affect the client’s overall security posture.

> Risk Validation—The auditor reviews the vulnerabilities to determine their impact on the client’s overall security posture and performs targeted penetration testing that focuses on the high-risk vulnerabilities. Exploitation of these vulnerabilities often yields access to critical systems and sensitive information vital to the client’s operations. The objective of this phase is to provide the client with a clear understanding of the risks associated with the identified vulnerabilities.

> Evaluation—The auditor evaluates the security impact of the identified vulnerabilities as well as the effectiveness of applicable remediation procedures. The auditor should prioritize vulnerabilities based on a combination of factors, including previous experience, ease of exploitation, impact to the client’s overall security posture, and the required remediation effort. The deliverable for this phase should be a roadmap for remediation that can be effectively executed. Most importantly, you should ensure that the auditor presents the findings in a clear and detailed manner.

Some vendors add an assurance phase consisting of ongoing assessments to ensure that the remediation and mitigation steps outlined in the evaluation phase have been properly implemented.

In summary, it is helpful to think of cyber-security audits as an end-to-end process which not only raises the level of awareness regarding risks/vulnerabilities, but is also prescriptive in what proactive steps are necessary to reduce risks.

“An ounce of prevention is worth a pound of cure.”

― American Remembrancer, 1795

From Audit to Implementation:

For companies ready to take the next steps towards implementing a means for keeping their sensitive and mission-critical company information secure, one option is to seek assistance from a Managed Security Services (MSS) provider. Gartner defines MSS as “the remote monitoring or management of IT security functions delivered via shared services from remote security operations centers, not through personnel on-site.”

We recommend selecting two top-tier providers, one to manage the environment and one to conduct the assessment and review and to oversee the deliverables promised.

A key benefit to outsourcing is fast deployment of functions of that do not fit into a company’s core competency, yet must be done well. Another benefit is reduced costs. MSS are available at a fraction of the cost (hardware, software, and staffing) of adding capabilities in-house.

SourcingFocus.com recently ran a story about outsourcing trends that pointed to “a growing appetite for managed security services” due to the rising complexity and volume of cyber threats. Keeping the enterprise secure is becoming a primary consideration over other business initiatives.

With the increased focus on security, it is important that business and IT leaders understand Managed Security Services (MSS)—what they are, when to use them, and how to maximize the outcomes of a company’s outsourced MSS efforts.

What are Managed Security Services?

Gartner defines managed security services as "the remote monitoring or management of IT security functions delivered via shared services from remote security operations centers, not through personnel on-site.”

MSS broadly includes:

• Monitored or managed firewalls or intrusion-prevention systems (IPS)
• Monitored or managed intrusion-detection systems (IDS)
• Distributed denial-of-service (DDoS) protection
• Managed secure messaging gateways
• Managed secure web gateways
• Security information and event management (SIEM)
• Managed vulnerability scanning of networks, servers, databases or applications
• Security vulnerability or threat notification services
• Log management and analysis
• Reporting associated with monitored/managed devices and incident response

Firewall/intrusion prevention, intrusion detection, and log collection form the core of most MSS engagements. The Fortinet survey referenced in the SourcingFocus.com piece confirms that, noting over three-quarters of IT leaders in large enterprises say “functions like firewall, IPS and email protection would be suitable to apply to an outsourcing strategy in their organization.”

Why Outsource Managed Security Services?

The primary reasons companies seek a MSS provider are:

• Improved visibility to threats: An experienced MSS provider has trained specialists with the tools and know-how needed to deal with potential issues/threats and can do so in a timely manner.
• Advanced security or compliance demands: In some industries, like financial services and healthcare, there are strict compliance requirements and specialized requirements. A MSS provider who has deep knowledge of those industries can quickly and efficiently ensure their client is operating by the book. Also, since cyber security is their area of expertise, these specialists will have access to innovations and leading-edge technologies that can be rapidly deployed.
• Accelerated Time to Market: A key benefit to outsourcing is fast deployment. The services mentioned above probably do not fit into a company’s core competency, yet they must be done well. Rather than climbing a time-consuming learning curve, hiring a seasoned MSS provider can ensure all the necessary security requirements are met quickly.
• Reduced Costs: MSS is available at a fraction of the cost (hardware, software, man-power) of adding capabilities in-house.

A recent study calculated that a large investment management firm achieved a return on investment of 109% and cost savings of $3.36 million, with a nearly immediate payback period, by partnering with an MSS provider.

The report concludes that the organization achieved comprehensive, enterprise-level security monitoring at a lower cost than the alternative of implementing and maintaining an in-house, 24x7 security operations center. The firm also achieved a lower risk of loss due to security breaches and were better able to track security performance for audits and reporting, thus building credibility for their security program within the organization and with customers.

Source: “The Total Economic Impact Of Dell SecureWorks’ Managed Security Services,” a commissioned study.

How to Use Managed Security Services:

When considering whether or not to bring an MSS provider on board, it is important to engage an advisor who can assist in the following areas:

• Conducting an MSS provider assessment to ascertain how ready your business is for outsourcing MSS and to determine which provider best fits your company’s needs, competencies, and culture.
• Communicating the cost/benefits at the executive level so management understands all relevant aspects of implementing proposed services.
• Determining and explaining what changes are needed in your environment for successful implementation of an MSS.
• Deployment, implementation, and integration; which includes provider selection, contracting, and implementation support of the provider offerings.

Also, make sure that your advisor, as well as the candidate service providers, are communicating in a concise, jargon-free manner. Business terms should be clearly spelled out: what am I getting, for how much, and what are the risks?

Selecting a Managed Security Services Provider:

We recommend that companies pick at least two top-tier providers:

• One for managing the environment
• One for assessments, testing, reviews etc. for ensuring services deployed are performing as promised.

______________

Keeping to the progressive, outcomes-based, SYNAPTIC thinking we use here at Capto, we highly recommend that the contracts with MSS providers structure incentives and payment schedules based on reviews, penetration tests, etc.

______________

Closing Thoughts:

It is no surprise that keeping sensitive and mission-critical company information secure has moved to the top priority among those managing enterprise IT functions.  By moving swiftly and proactively to outsource MSS that includes both crisp communication and checks and balances, you can better prepare for the threats that are increasingly part of doing business in today’s dynamic, global environment.