This document summarizes a presentation given by an executive from a managed security services provider (MSSP) about engaging an MSSP for security services. It begins with a poll asking about current and past MSSP usage. The presentation then discusses why organizations use MSSPs, focusing on lack of internal skills, resources, and scale. It uses a case study of "Bob and Alice" to illustrate common struggles between MSSPs and clients around communication and expectations. The rest of the presentation outlines key areas for MSSPs to focus on, including technical capabilities, onboarding process, managing alerts and investigations, and defining service level agreements and contract terms.

1. MSSP Couples Counseling
“It’s Not You It’s Me”
Atif Ghauri, CISSP, CISM
Senior Vice President at Herjavec Group

2. Live Survey – Show of Hands
a) Are you currently using an Managed Security Services Provider (MSSP)?
b) Are you looking for an Managed Security Services Provider (MSSP)?
c) Have you fired an Managed Security Services Provider (MSSP)?

3. Agenda
3
• Why engage a Managed Security Services Provider (MSSP)?
• Case Study – The Struggles of Bob and Alice
• MSSP Focus Areas
1. Technical Capabilities
2. Operational Readiness & Onboarding
3. Alerts, Investigation, Response
4. SLAs and Contract Terms

4. Why engage managed services?
• I don’t have the bodies
• Painful to do 24x7x365
• Brains onsite, muscles offsite
• Cannot scale team with business
• I can’t find or retain the skills
• I want the Network Effects
• I need it now!

5. Agenda
5
• Why engage a Managed Security Services Provider (MSSP)?
• Case Study – The Struggles of Bob and Alice
• MSSP Focus Areas
1. Technical Capabilities
2. Operational Readiness & Onboarding
3. Alerts, Investigation, Response
4. SLAs and Contract Terms

6. Case Study - Come in and have a seat on the sofa…
The Struggles of Bob and Alice

7. Meet Bob
Snapshot
• Anxious Account Manager @ Global MSSP
• Personally manages dozens of customers
• Incented on SLA adherence and customer sat
• Competent but over-stretched
Bob’s Complaints
• “I’m still waiting for XYZ requirements”
• “You don’t show up to meetings”
• “You only talk to me when it’s an emergency”
• “I need your attention”

8. Meet Alice
• Snapshot
• Crafty CISO of Major Retailer
• Small team of engineers
• Budget increasing but no headcount
• Multiple “strategic partners”
• Has little influence over business units
• Alice’s Complaints
• “You use to ask me how I’m doing”
• “You don’t show me things anymore”
• “Why do I have to ask for everything? You should know!”
• “You use to give me more attention”

9. Bob and Alice’s Story (in 90 seconds)
http://www.jasonheadley.com/INATN.html

10. What’s the nail? (Blind Spots)
Bob the MSSP
• Incented to ‘set and forget’
• Wants to get paid quickly – rush onboarding
• Demands requirements but isn’t proactive
• Missing Alice’s business context
• Meet SLA and that’s it
Alice the Client
• Minimal organization influence
• Outdated technology with default configs
• Doesn’t have access to stuff herself
• Doesn’t know what do to with an escalation

11. Agenda
11
• Why engage a Managed Security Services Provider (MSSP)?
• Case Study – The Struggles of Bob and Alice
• MSSP Focus Areas
1. Technical Capabilities
2. Operational Readiness & Onboarding
3. Alerts, Investigation, Response
4. SLAs and Contract Terms

12. Focus Area #1
Technical Capabilities

13. What logs to collect (Initially)?
Low Hanging Fruit
• Firewall
• Active Directory
• IPS
• Critical Servers
• Anti-Virus
Possible Added Value
• Application Logs
• DB Logs
• Security Devices (URL, DLP, WAF, Endpoint)

14. What logs to collect (Eventually)?
Core Security
• Access Control / Auth Server
• Analysis
• Anti Virus
• Application Firewall
• DLP
• Firewall
• IDS / IPS / Other Intrusion
• Physical Security
• VPN
• Vulnerability / Asset Scanner
Host
• Application Servers
• Load Balancing
• Mail
• Mainframe
• Midrange
• Unix /Linux
• Virtualization
• Web Servers/Proxies
• Windows / Apple
Network and Storage
• Application Delivery
• Configuration Management
• Messaging
• Routers
• Switches
• Wireless Devices/Access
Points
• Database
• Document
• Storage/File Server

15. Big Data Analytics Improving Context
Traditional SIEM
• Rules based environment
• Linear detection of logs for incident reporting
Big Data Analytics
• Seeks anomalies to correlate
• Examines entire environment for log
relationships
• Tracks unusual activity working backwards to
context
Actively investigate anomalies and provide context around incident detection.

16. Proactively identify the unknown through machine based learning to identify data
pattern changes. Alert Trending creates a visual context for the behavioural anomalies.
Anomaly Detection

17. Threat Analytics

18. Dashboards vs Reports

19. Focus Area #2
Operational Readiness & Onboarding

20. Do you have your house in order?
• CSIRT Ready – Is Incident Response defined, documented, practiced?
• Asset Classification and Owners – Defined and updated?
• Ticket Pile-Up – How reactive are IT and Product teams to findings?
• War Games – When was the last table-topIR exercise?
• Response Procedures – What will we actually do when attacked?

21. What happens during onboarding?
Onboarding is conducted using systematic processes with detailed operational readiness checklists
Operational Item Description
Develop detailed project plan Define a comprehensive project plan including stakeholders, timelines, and key assumptions/risks
Asset list Document the asset list of record including serial and version numbers
Architecture documentation Define reference implementation architecture including security zones, network information, and management
interfaces
Account creation for the operational team Catalog the authorized users and accountpermission levels including the approved process to provision and
manage system accounts
Run and Build Books Establish operational run books for managed technologies
OS and application are up-to-date Validate the operating systems are updated and have the appropriate licensing defined
Endpoint Catalog Documentation of valid end-points and proceduresfor adding and removing endpoints into protection scheme
Establish Health Monitoring Assure visibility into the system health of the managed devices to provide up/down reporting
Provide appropriate ticket system access Assure access to the system and appropriate permissions exist to manage tickets as defined in SLAs
Complete Escalation Process Document Document the end-to-end escalation tree for primary, secondary, and backup contacts for all levels of agreed
upon service descriptions
Production Readiness Plan the cutover deploymenttiming and relevant stakeholders to approve transition rollback criteria

24. Six Onboarding Best Practices
1. Define “notable event" vs "incident" based on triple ds (disruption,
degradation, nuisance)
2. Build work products such as asset lists, critical applications, SEV priority
3. Vulnerability scoring definition
4. Defined ownership of process and escalation
5. Poor man’s owner lists: use top users, emp directory, last logon
6. Agreed upon operational readiness checklist

25. Sample Operational Readiness Checklist
• How many users on the network?
• What is the make model of each appliance and the management server?
• Are any of the appliances near eol?
• Any unresolved support issues with the manufacturer?
• What policies are in place today? Fim? Ips? Firewall?
• What new policies are required?
• Are the devices strictly firewall only, or multi-purpose/next-gen?
• Are there other features enabled? AV, IPS, email GW, web proxy/GW?
• How many physical appliances are in-scope for managed services?
• What is the location of each appliance? Head office? Main data center?
• Any new physical or virtual interfaces on existing platforms to be operationalized?

26. Focus Area #3
Alerts, Investigation, Response

27. Fundamentals of SecOps
• Detection
• Evidence Collection
• Containment
• Forensic Analysis
• Remediation
• Communication
Mr. Fundamental

28. It’s all about the use cases
1. Identify and Analyze MVAs and HBIs devices (Most Valuable Assets) (High Business Impact)
2. Model use-cases around your MVA and HBI devices
3. Use cases will tell you what logs you need (not the opposite)
4. Then pick the tech to implement use cases

29. Six Best Practices for Use Case Dev
1. First Things First - Ensure critical conditions produce notification
2. Environment Centric - Build alert rules specific to environment and requirements
3. Fluid Thresholds - Ensure appropriate thresholds are appliedto reduce false alarms
4. What and Why - Know what event sources are logging to the SIEM and why
5. What’s most important - Categorize alerts according to severity levels
6. Track Them All - Ensure non-critical events are excluded from notification but reviewed

30. Sample Use Case References
• Popular SIEM Starter Use Cases
• AlienVault SIEM Use-Cases
• SANS Critical Security Controls ***
• NIST 800-53 ***
***Not purely use cases, but great source to help brainstorm

31. Sample Use Case Checklist
• What situations keep you up at night?
• What alerts and reports do you expect to get from the SIEM?
• Will the platform be managed internally or outsourced?
• Is there a list of all devices/assets to be monitored by the SIEM? Which are most critical?
• Which devices are natively supported by the SIEM and which ones require a custom parser?
• Is the SIEM required to meet some form of compliance (e.g. HIPAA, PCI, SOX)?
• How are the monitored devices geographically dispersed?
• How do asset owners (of the monitored devices) feel about an agent versus agentless solution?
• What devices need to send logs to the SIEM in order to get those alerts and reports?
• Is there a requirement to incorporate network data elements into the SIEM?
• If managed internally, what training options does the vendor provide and who exactly will be
managing/monitoring/maintainingthe solution?

32. Focus Area #4
SLAs and Contracts

33. Do’s and Don’ts
• Don’t do a POC of MSSP
• Do unannounced VA scans and pen tests
• Don’t have 5 minute SLAs
• Do provision enforceable SLA penalties
• Don’t just default on a one-year contract
• Do define success with simple KPIs

34. Thank You

35. We provide Information Security Solutions
for Enterprises globally.
Our expertise includes:
• Consulting & Compliance
• Product and Service Delivery
• Security Management
• Incident Response
Recognized for our Flexible & Agile Managed
Services practice which includes
On Prem, Cloud and Hybrid models.
Successfully scaled from 3 staff and $400K
in sales in Canada to a global brand with
250 team members and $140M in sales.
RANKED # 23 ON CYBERSECURITY 500
Global ranking of information technologyproviders,
integrators and managed services companies.
2015 MSSP RANKINGS –”MAJOR PLAYERS”
Information Security Is What We Do

36. DIY vs Outsource?
• Is your focus Strategic or Tactical?
• How important is scale?
• How important is control?
• Where’s the Data?
• Quality will cost millions
• Incur lengthy IT implementations

37. Can 8×5 monitoring be just as good as 24×7?
• YES – Of Course!
• Don’t need 24x7 until good at 8x5
• Focus on fundamentals of incident detection and response
• Prioritize key indicators and alerts to “page out” if fired
• Mature to a SOC for 24x7 to transform IR (NOT other way around)
• NO - Not a Chance!
• Bad guys don’t follow store hours à staff burn out
• Downward Spiral: Focus on tactical vs strategic
• Not enough security talent to retain