Making the Case for Managed Security

By Tom Schmidt

Effective security monitoring and management entails combining advanced technology with expert human analysis. And today's highly complex threat landscape requires IT teams to continuously monitor systems while remaining up-to-date on all potential vulnerabilities. Yet, many small and midsize financial institutions often lack the time, expertise, and technical resources to maintain effective security on a 24/7 basis. For these reasons, outsourcing security to a Managed Security Service Provider (MSSP) is becoming an increasingly attractive -- and cost-effective -- security solution for many institutions.

This article examines the key elements of managed security offerings and provides guidance on how to select a managed security service provider that will strengthen an institution's security posture.

Demystifying security management vs. monitoring
Given the complexity of today's threat landscape, the integration of security management and monitoring practices is necessary to enable a timely response to intrusions. A high- quality MSSP will supplement the management and maintenance of security devices, such as firewall, intrusion detection systems, servers, and routers, with real-time monitoring of all data generated by those devices. This human analysis is critical to anticipating and preventing attacks. And an MSSP that can offer the right combination of human expertise and technology will allow small and midsize financial institutions to focus on their core businesses while maintaining an effective security posture.

Specifically, security management should provide the following capabilities:

• Fault management This function provides regular checks of devices to detect potential problems, notification of failures, and guidance to remediate problems as well as status reports detailing the activity of security devices over specified periods of time.
• Configuration management This usually includes modification and upgrades of operating systems and security device applications, policy and signature changes to security devices, and periodic reports summarizing all upgrades and changes performed.
• Performance management Performance management requires collecting and presenting all statistics pertaining to an institution's security devices, such as the speed and efficiency of its network, identification of bottlenecks hindering performance, and consolidated reports featuring log data generated by the security devices.

In terms of comprehensive monitoring, services offered by an MSSP should include:

• Data collection and normalization This process ensures that data collected by an institution's security devices is translated into a standardized format, which enables MSSPs to isolate and analyze malicious activity regardless of the device's brand or type.
• Data mining Highly sophisticated data mining is necessary to provide cross-correlation of malicious activity. An MSSP must have the ability to scale its data mining abilities and to continuously refine existing queries to detect threats.
• Automated security event correlation This function enables MSSPs to group malicious activity by predefined criteria such as attack source, type, and destination. In the absence of automated correlation, security experts would have to piece together attack sequences by manually screening millions of lines of security data.
• Expert response to events In response to a security breach or threat, analysts must choose a course of action ranging from client notification to alerting the authorities.
• Event reporting This function entails establishing a reporting process to notify institutions about security events detected on their networks. This type of reporting can be handled through a variety of methods such as immediate communication, email, web portal updates, periodic reports, or any combination of the above.

Distinguishing security monitoring claims
It may be somewhat confusing for institutions to determine what specific services are included in an MSSP's offerings. The following are some common security monitoring claims made by MSSPs:

• Up-time monitoring This means that an MSSP will ensure that a security device is operating, but it doesn't go as far as identifying and preventing attacks. A high-end MSSP will provide this function as part of its security management.
• Log redirection Some MSSPs offer this capability as an alternative to data mining and correlation, thus putting the onus on the institution to review data and identify suspicious activity.
• Data consolidation This capability allows MSSPs to collect security data from disparate devices and consolidate it into a single view. However, without automated processes capable of connecting the pieces, this function alone cannot detect and respond to threats in a scalable fashion.
• Manual correlation MSSPs that lack the technology to automate correlation often offer to perform correlation by manually screening logs for signs of malicious activity. However, manual correlation is not as reliable as automated correlation in reconstructing network attacks.

The right MSSP can make a difference
Small and midsize institutions seeking to outsource their security management and monitoring should consider the following criteria when choosing an MSSP:

• Longevity Institutions will want to look for a vendor with a large customer base and a reputation for delivering high-quality services over a long period of time.
• Annual revenues MSSPs with yearly revenues of $10 million or more are best positioned to support growth and enhancement of services.
• Breadth of channel partners MSSPs that have solid partnerships in place are able to devote more funds to research and development while supplementing their offerings with those of their partners.
• Breadth of services Best of breed MSSPs will offer a complete security management and monitoring solution, including managed firewall, intrusion detection, antivirus, vulnerability assessment, and consulting services.
• Security management process Leading MSSPs will provide a variety of attack notification methods and incident response services enabling institutions to mitigate risks in real time.
• Auditing A reputable MSSP will have third-party auditor validate and certify its facilities, processes, and procedures.
• Technology and expertise Expert human analysts are necessary to distinguish between real and false threats and therefore should support the technology used to correlate individual signs of malicious activity.
• Reporting High-quality MSSPs will provide thorough reports, including detailed log data, recommended responses, information on any changes or upgrades made to the security devices, and updates on the latest threats.
• Security operation centers To remain abreast of the latest threats and to ensure business continuity, MSSPs need to operate multiple security operations centers, from which they can monitor and manage security issues for their customers.

Conclusion
The recent growth of online fraud and the spread of spyware and adware are constantly threatening the security posture of small and midsize institutions. Maintaining the necessary vigilance against these threats requires costly investments in staff, IT systems, and training. Leveraging the capabilities of a managed security service provider allows these institutions to focus on their revenue-generating core competencies while achieving a stronger security posture.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.