The danger of unmanaged security service providers

operations control centre at kim chuan depot61316

The job of keeping networks safe from attack is growing more complex by the day. At the same time, demand for trained and experienced information security analysts is exceeding the supply. This combination of factors is leading to an almost inevitable result -- the outsourcing of day-to-day security operations to outside companies. 

These companies, typically referred to as managed security service providers, or MSSPs, usually handle functions such as network monitoring, firewall management and incident response, freeing the customer from worrying about security so that they can focus on running their business. 

While the theory of security outsourcing is sound in principal, like many other sound principals, it can break down in the execution. As a result, some customers who are sleeping soundly in the knowledge that their MSSP has their back, may be in for an unfortunate awakening when they discover that their outsourcing company is not doing the job they expected. 

Nick Selby, in a blog written this week, reported on a financial institution that hired him to respond to an security incident in progress. He was told on arrival that the institution had signed a contract three years earlier with a well-known MSSP. They would quickly discover that the monitoring appliance installed for the MSSP had been placed on the wrong side of the firewall, meaning it could not see most of the relevant traffic. Once corrected, the process of getting the provider to look at the box and help them determine what was going on was almost comical. 

Initially, the financial institution was told that their contract only covered monthly reporting. When they attempted to look at the appliance themselves, they quickly found that it was not customer-accessible. When they persisted with the provider, they finally found someone who reluctantly agreed to help, but cut the conversation with his desperate customer off because he had to jump on a conference call. 

While there are many MSSPs that do a great job, the increased demand for such providers has brought in some that are not really equipped to do what they say they can. Many of the larger ones with the necessary resources cannot seem to live up to their commitments in some instances. 

I was personally exposed to such an issue in the past few weeks, when a well-known company (a household name in fact) failed to respond to a ransomware attack in accordance with their contract, thus exposing their customer to a greater potential loss of data. 

As they saying goes, I don't want to throw the baby out with the bath water. An MSSP can provide a tremendous value, providing services that companies often cannot handle themselves. Outsourcing this critical aspect of a company’s operation without the proper due diligence and oversight, however, can result in complete disaster. 

If you are considering an MSSP, I do not mean to discourage you. If you think you can do it easily however, I intend to burst your bubble. It will still take a large amount of time and effort, initially and thereafter, but if done right, can save you from a major security incident. Consider the following points when working with an MSSP: 

Choose carefully

Make sure the provider you consider really has the personnel and experience to do what they say. Review resumes for their key personnel, and talk to references from companies similar to yours. Do a Google search for articles mentioning them. Really get to know your MSSP prospect before you sign anything. 

Understand what the contract requires, and what it doesn't

Talk is cheap, so understand what your MSSP is committing to in writing, and just as important, what they require from you in return. In the case of Nick Selby’s financial customer mentioned above, a “monitoring” service that providers only a monthly report is close to useless. You will not find much value in knowing what went on in your network three weeks ago. 

Know who to call

Any contract should include provision for an account manager or key contact. If you run into a problem getting the support you need, you will need someone specific you can reach out to for help. Insist on having their cell phone number. 

Monitor their performance

Once you fully understand what the contract requires, you can more easily monitor your provider to ensure that they are doing what they say. Review their reports, and evaluate their response to any suspected incidents. If you go a month without them advising you about suspicious network traffic they discovered, something is likely wrong. 

Test them

Your MSSP strategy must involve some form of regular testing. This testing can take many forms, from a coordinated simulation, to a surprise generation of suspicious network traffic. Make sure your contract provides for such testing. Consider employing a consultant to help generate a realistic test. 

If it is not working, find someone else

If your MSSP is not performing, do not hesitate to dump them and find someone else. Make sure your contract allows you to get out if the provider does not perform. 

Bottom line -- MSSPs can provide a valuable service that can be of significant value to your business. You cannot, however, engage a provider and then ignore them and your organization’s security. They can help, but not replace, your own ongoing security program.  

The secret is in seeing them as a partner, not a utility.

This article is published as part of the IDG Contributor Network. Want to Join?

New! Download the State of Cybercrime 2017 report