Outsourcing Security Management Vendor Selection Basics. Nick Krym, 03-20-2005

Common Drivers for Outsourcing High / prohibitive start up costs Establishing security infrastructure Establishing processes and procedures Hardware, networking, software licensing Complex and long ramp up Resource acquisition (hard to find expertise, complex certifications, etc.) Establishing security infrastructure Establishing processes and procedures High / prohibitive cost of operations 24x7 SOC staffing Resource retention R&D and staying current

High / prohibitive start up costs

Establishing security infrastructure

Establishing processes and procedures

Hardware, networking, software licensing

Complex and long ramp up

Resource acquisition (hard to find expertise, complex certifications, etc.)

Establishing security infrastructure

Establishing processes and procedures

High / prohibitive cost of operations

24x7 SOC staffing

Resource retention

R&D and staying current

Scope of Security Management Managed Security Services Providers (MSSP) also known as Managed Security Monitoring (MSM) Vendors typically offer the following services: 24x7 security monitoring through dedicated SOCs Monitoring security infrastructure covers variety of components such as firewalls, intrusion detection sensors and antivirus systems and analyzing the data they generate for indications of security problems Periodic scanning of various nature for the perimeter and internal components of data centers and corporate networks Ongoing configuration of the security infrastructure components Prevention and remediation of security vulnerabilities and recovery from incidents Consulting services that include various types of audits, ethical hacking, development of security audit remediation plans, disaster recovery and business continuity planning

Managed Security Services Providers (MSSP) also known as Managed Security Monitoring (MSM) Vendors typically offer the following services:

24x7 security monitoring through dedicated SOCs

Monitoring security infrastructure covers variety of components such as firewalls, intrusion detection sensors and antivirus systems and analyzing the data they generate for indications of security problems

Periodic scanning of various nature for the perimeter and internal components of data centers and corporate networks

Ongoing configuration of the security infrastructure components

Prevention and remediation of security vulnerabilities and recovery from incidents

Consulting services that include various types of audits, ethical hacking, development of security audit remediation plans, disaster recovery and business continuity planning

Making Outsourcing Decision Outsourcing security is not appropriate for every organization. Making decision on outsourcing should be based on a typical “buy vs. build” analysis as it applies to products and services. For many small organizations do not need to go through buy vs. build analysis as the answer is quite obvious. As sheer expense of building SOC and staffing it on 24x7 is more than enough to move straight to vendor selection. For large companies as well as organizations with security being a core part of the business decision should be based on comprehensive research and Cost / ROI analysis.

Outsourcing security is not appropriate for every organization. Making decision on outsourcing should be based on a typical “buy vs. build” analysis as it applies to products and services.

For many small organizations do not need to go through buy vs. build analysis as the answer is quite obvious. As sheer expense of building SOC and staffing it on 24x7 is more than enough to move straight to vendor selection.

For large companies as well as organizations with security being a core part of the business decision should be based on comprehensive research and Cost / ROI analysis.

Finding “Right” Vendor Develop the team and the process Information Security Committee Vendor selection team Vendor selection process Vendor selection process highlights Learn what Managed Security Services Providers (MSSP) have to offer (also consider Managed Security Monitoring (MSM) abbreviation for your Google search). Possibly issue an RFI to get additional insights Define drivers specific to your organization Define selection criteria Build RFP around your selection criteria Create a target list (use Gartner materials if available or just Google) Issue RFP to selected group of vendors Shortlist vendors to 2-3 prospective partner Negotiate Terms & Conditions Make final selection Tips for successful execution Define budgets upfront Secure organizational commitment Secure executive sponsorship Make process and selection criteria as transparent as possible Don’t burn the bridges with vendors as your final selection may not work out through the painful process of “integration”

Develop the team and the process

Information Security Committee

Vendor selection team

Vendor selection process

Vendor selection process highlights

Learn what Managed Security Services Providers (MSSP) have to offer (also consider Managed Security Monitoring (MSM) abbreviation for your Google search).

Possibly issue an RFI to get additional insights

Define drivers specific to your organization

Define selection criteria

Build RFP around your selection criteria

Create a target list (use Gartner materials if available or just Google)

Issue RFP to selected group of vendors

Shortlist vendors to 2-3 prospective partner

Negotiate Terms & Conditions

Make final selection

Tips for successful execution

Define budgets upfront

Secure organizational commitment

Secure executive sponsorship

Make process and selection criteria as transparent as possible

Don’t burn the bridges with vendors as your final selection may not work out through the painful process of “integration”

Gartner Magic Quadrants

Scope of MSSP Agreement The scope of a typical MSSP agreement includes Security and Availability monitoring and analysis for various security devices such as firewall and intrusion detection system (IDS) Security and Availability monitoring and analysis for other devices and components that are critical to business operations Firewall and IDS configuration and management. Periodic vulnerability scanning for multiple components of the monitored network Periodic application penetration testing / ethical hacking Zero day alerts and other information services Various consulting services, typically related to remediation of items discovered during scans and audits

The scope of a typical MSSP agreement includes

Security and Availability monitoring and analysis for various security devices such as firewall and intrusion detection system (IDS)

Security and Availability monitoring and analysis for other devices and components that are critical to business operations

Firewall and IDS configuration and management.

Periodic vulnerability scanning for multiple components of the monitored network

Periodic application penetration testing / ethical hacking

Zero day alerts and other information services

Various consulting services, typically related to remediation of items discovered during scans and audits

Common Selection Criteria General business considerations Overall KPIs (number of customers, revenue, profitability, etc.) Company financial stability Company track record in multiple aspect of service Customer retention / customer satisfaction Company position vis-à-vis competition Technical Expertise / Technology Overall company expertise, thought leadership Company expertise in areas of security relevant to your needs Individual staff expertise and certification level Vendor Neutrality. Is the vendor business model tied to specific products? Low Install Impact. Network requirements for service deployment. Vendor Maturity Process maturity / SOC certification Exposure to various clientele with diverse needs Global Intelligence / View. Global customer base providing visibility into threats. Network visibility / Overall coverage (number of devices under management)

General business considerations

Overall KPIs (number of customers, revenue, profitability, etc.)

Company financial stability

Company track record in multiple aspect of service

Customer retention / customer satisfaction

Company position vis-à-vis competition

Technical Expertise / Technology

Overall company expertise, thought leadership

Company expertise in areas of security relevant to your needs

Individual staff expertise and certification level

Vendor Neutrality. Is the vendor business model tied to specific products?

Low Install Impact. Network requirements for service deployment.

Vendor Maturity

Process maturity / SOC certification

Exposure to various clientele with diverse needs

Global Intelligence / View. Global customer base providing visibility into threats.

Network visibility / Overall coverage (number of devices under management)

Common Selection Criteria, cont. Vendor Security Infrastructure Typical SLA. Infrastructure scalability guarantees SOC redundancy, business continuity and disaster recovery Vendor Service Capabilities Is Managed Security Monitoring a core competency? Is business model focused on services? Proven Systems / Processes. Time-to-market delivering new services and features and ticket Handling. Organizational Capabilities Staffing / recruiting capabilities and track record Process and cultural compatibility with your organization Account and project management capabilities Bottom Line Presales: Staff / Proposal Overall annualized cost of the solution Contract terms Customer references Brand recognition / Association impact

Vendor Security Infrastructure

Typical SLA.

Infrastructure scalability guarantees

SOC redundancy, business continuity and disaster recovery

Vendor Service Capabilities

Is Managed Security Monitoring a core competency?

Is business model focused on services?

Proven Systems / Processes. Time-to-market delivering new services and features and ticket Handling.

Organizational Capabilities

Staffing / recruiting capabilities and track record

Process and cultural compatibility with your organization

Account and project management capabilities

Bottom Line

Presales: Staff / Proposal

Overall annualized cost of the solution

Contract terms

Customer references

Brand recognition / Association impact