Identifying and choosing a managed security service provider (MSSP) can be time consuming and difficult. At their core many are very similar, but how do you narrow down your selection and find the one that is right for you and your organization? Among the myriad of criteria you should evaluate, here are five key questions you should ask to help narrow things down and be sure the provider you select is your best option.
1. How do you collect, store, process, and analyze the huge amounts of data you bring in?
MSSPs are going to have hundreds to thousands of customers. That means they are going to be handling billions upon billions of log records per day. A good provider will have defined collection processes and provide both log management and security monitoring and detection. It is critical that they are able to process, analyze, and ask questions of the data and get a response back quickly. Most SIEMs – a tool for analyzing logs and identifying security threats – are able to generate real-time alerts, but struggle to return results quickly for even basic queries. In some cases it can take days to get an answer to a query. This is completely unacceptable. Ensure that the provider you engage can process and query data rapidly – ask them to get specific about ingestion rates, retention, and query response times.
2. What security technologies do you integrate with?
It is not critical that the MSSP integrate with all of your security technologies; in fact, it is likely that none will do so completely. But it is important that they integrate with enough of your appliances to provide adequate security from day one, and that the MSSP is willing to work with you to integrate your other devices. At a minimum, the MSSP must be compatible with your firewalls, IDS/IPS, and anti-virus (not to mention standard syslog). Ideally, the MSSP would already have an integration with your vulnerability management system, endpoint protection, data-loss prevention, and other devices. However, no one service will integrate with all your products, so be judicious in terms of what is a deal breaker and what is not. Just because they don’t integrate today with your endpoint protection product of choice does not mean they are not the right fit.
3. Do you have a customer portal where I can view my own data and see the alerts?
MSSPs should strive to be as transparent as possible; after all, it is your data. You should be able to view your logs and the alerts being generated. Essentially, you should be able to see all the information that the MSSP can see. Ideally, though not critically, the portal would also include dashboards that summarize your data and the threats being discovered.
The value such visibility provides is substantial. It allows you and your security team to access your data quickly during an incident response, to run your own internal threat hunting, or simply to ask questions of your data when you need to.
4. If I have an incident, what kind of support will I get from you?
Few MSSPs moonlight as incident responders, so you should not expect the one you select to be your IR team. However, you should expect that your MSSP will stand by your side and give you support as you need it. They should be there to pull historical logs, review past alerts, and provide needed information to your IR team. If your incident response kicks off late on a Friday night, you should expect them to have people available to provide support that night and through the weekend. There are no days off in security operations.
5. Will you show me the use cases you use for detection and alerting?
Effective security monitoring, detection, and alerting should rely heavily on use cases. Too often MSSPs detect primarily via reputation lists or standard signatures, but do not move much beyond that. Effective MSSPs employ use cases that can be built as simple detection signatures or as advanced behavioral analytics. Example use cases include malware beaconing, data exfiltration, privilege escalation, and many more. Essentially, they have built detection rules focused on behaviors and patterns, which in turn provides a higher level of confidence when an alert fires.
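As an added illustration (not part of the original article, and not Security On-Demand's own detection content), here is the malware-beaconing use case written as a behavioral rule over constructed proxy log lines: it keys on the regularity of a host's call-out cadence rather than on whether the destination appears on a reputation list, which is the distinction the paragraph above draws.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic): "<epoch> <src_ip> <dst_host> <bytes>".
# 10.0.0.5 calls out roughly every 60 s with small jitter; 10.0.0.7 browses irregularly.
SAMPLE_LOGS = """\
1700000000 10.0.0.5 updates.example.net 412
1700000060 10.0.0.5 updates.example.net 410
1700000121 10.0.0.5 updates.example.net 415
1700000180 10.0.0.5 updates.example.net 409
1700000241 10.0.0.5 updates.example.net 413
1700000300 10.0.0.5 updates.example.net 411
1700000005 10.0.0.7 news.example.org 5120
1700000900 10.0.0.7 news.example.org 70211
1700002200 10.0.0.7 news.example.org 31045
1700003100 10.0.0.7 news.example.org 8800
1700003900 10.0.0.7 news.example.org 1500
1700004000 10.0.0.7 news.example.org 9000
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_logs(text):
    """Group connection timestamps by (source, destination) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip anything that is not a well-formed record
            ts, src, dst, _size = m.groups()
            series[(src, dst)].append(int(ts))
    return series

def interval_stats(timestamps):
    """Return (mean gap, coefficient of variation of gaps) or None if too few events."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 4 or mean(gaps) <= 0:
        return None
    return mean(gaps), pstdev(gaps) / mean(gaps)

def find_beacons(text, min_events=5, max_cv=0.1):
    """Flag pairs whose call-out cadence is too regular to be human browsing."""
    hits = []
    for (src, dst), ts in parse_logs(text).items():
        stats = interval_stats(ts) if len(ts) >= min_events else None
        if stats and stats[1] <= max_cv:  # low variation = machine-like periodicity
            hits.append({"src": src, "dst": dst, "events": len(ts),
                         "period_s": round(stats[0]), "cv": round(stats[1], 3)})
    return hits
```

The thresholds (`min_events`, `max_cv`) are assumptions for the constructed data; a production rule would tune them per environment and suppress known schedulers such as patch and NTP clients.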
There are many other questions and criteria that you will want to consider when evaluating an MSSP; these are just a few of the critical ones. It is important that you find a service that is right for you and provides you the greatest level of security. The whole point of an MSSP, at its core, is to alleviate the direct burden on you and your organization by providing expert service for something that is very costly and difficult to do in house.
About Security On-Demand
At Security On-Demand, we are confident in and proud of our MSSP services. Having provided these services for over 10 years, we have experienced what is effective and what is not, and we continually refine our service to ensure that our customers receive the security they expect and deserve, along with the transparency and partnership that they need.