Keeping your organization secure is vital, but it's also time-consuming and requires a high level of skill. Instead of attempting to run all your IT security operations in-house, it could make sense to hand over some or all of them to a specialist managed security service provider (MSSP).


What does an MSSP offer? - An MSSP takes over responsibility for specific security functions for your organization. At one extreme this can involve taking over every aspect of your security including:


  • Installation, configuration, management and monitoring of security appliances and software such as firewalls, IDS/IPS systems and anti-malware scanners; and/or
  • Providing maintenance, upgrades, patches, service and support for security systems and vulnerable applications.

This level of service may be offered remotely or could involve regular site visits by MSSP staff. At the other extreme, an MSSP may simply take over responsibility for monitoring security system logs and alerting you when any security problems are detected.

What type of company can benefit from using an MSSP? - Small companies in particular can benefit from a relationship with an MSSP, according to Paula Livingstone, managing director of Scotland-based MSSP Rustyice Solutions.

"These companies often find that their scarcest resources are time and manpower, and they will certainly have little time to devote to analyzing their security logs. Typically, their IT department will be just one or two guys, and there is a danger that the elements of security that are not being taken care of won't be obvious until it is too late," he said.

But larger companies can benefit too, said Robbie Higgins, VP of Security Services at Glasshouse, a Massachusetts-based IT services company. That's because of the complexity of the security measures required to protect this type of organization.

"Even for large businesses, hiring and retaining good security people can be a challenge. And security goes from Layer 0 to Layer 7, but how many experts in each area are you really going to have? When you use an MSSP you get access to a deep pool of security experts in each one," he said.

What can you expect from an MSSP? - The first thing any MSSP will do is come in to your organization to carry out an audit of your existing security infrastructure and procedures. It should also spend some time gaining an understanding of your business processes and how your business works. "This is important," said Livingstone. "An MSSP needs to get to know a company's processes to understand the implications of an attack on the business."

They'll then use this information to carry out a gap analysis, looking at your existing security measures and identifying where the gaps in your security are. This will be followed by a set of recommendations to rectify any security problems, which could include purchasing new security hardware and software or changing existing security procedures. Then the MSSP will discuss which security measures (if any) it makes sense for you to continue to be responsible for, and which it would benefit you to hand over to be managed.

"If you are coming up against budget limits, we would then highlight which things were most important and which could be considered optional," said Livingstone.

For example, a service which provides log monitoring 24x7 may be preferable for security purposes, but if that proves too expensive then this could be reduced to monitoring within business hours.

Once the responsibilities of the MSSP have been agreed, the final stage is to formalize this with a service level agreement (SLA) defining those responsibilities, response times, and other details.

When the service is up and running, most MSSPs will have a monthly or quarterly review meeting with you to discuss if any changes need to be considered, perhaps to deal with emerging threats. Although it's easy to be cynical and suggest that these are just an opportunity for the MSSP to justify its fees, these are also an important way to build a relationship with your MSSP and ensure that it understands your business.

"You can imagine a situation where your MSSP needs to take steps to rectify some security problem which is not covered in your service agreement. If you can't be contacted but you have a strong relationship then the MSSP can do what it thinks is necessary, secure in the knowledge that it is the right thing to do for your business," said Livingstone.

Cost - MSSP fees are rarely straightforward, but are often based on a setup fee for new equipment and initial configuration, plus a monthly fee made up of charges for different services. These fees may be calculated on a per-appliance-under-management basis, with additional charges for 24x7 monitoring or guaranteed response times, for example.

MSSPs also commonly offer to cover any initial equipment purchasing costs themselves, rolling these costs into their monthly fees in return for an initial 12-, 18- or 24-month commitment.

Perhaps the most important thing to be clear about is that while an MSSP should increase your organization's security levels and reduce the chances of a costly security breach, it is unlikely to save you money directly.

"Companies often do the bare minimum, or even less than the minimum, when they do security internally, so it's very unlikely that we can provide solid security for less than that [amount of money]," said Higgins. "The driver for using an MSSP should not be to reduce costs, but to improve security."

Paul Rubens has written about business IT as a staff and freelance journalist for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.