When does MSS make sense? Build vs. Buy

Published on

Over the past decade, the level of attacks, breaches, and potential dangers to vital data have escalated to the point where organizations in every industry need to take measures to ensure their assets and technical infrastructure are safeguarded. A key part of that protection is having the continuous knowledge of where your environment is vulnerable and the type of risks that may threaten it. The approach you take to continuously monitoring for threats and vulnerabilities can vary based on a number of factors, such as existing technology, staffing, and internal processes. Not to mention the financial impact based on your organization’s resources and maturity. This leaves you with several critical decisions your organization should consider when determining an in-house, or outsourced approach to security operations. Building a security operations capability, such as a security operations center (SOC), can provide you with the greatest advantage in ensuring that your IT security execution aligns with your organization’s risk requirements and strategy. However, this can also be very costly and time intensive, especially if your organization lacks the proper tools, appropriately skilled resources, and processes for investigating, containing, and remediating security incidents. Outsourcing your organization’s security operations requirements to a services provider, such as a Managed Security Services Provider (MSSP), may be a viable alternative to building it yourself. An MSSP may be well-suited to supplement your organization with the people, processes, and technology at a much lower total cost and faster time to value than building it yourself, as long as the choice is made with proper care. Bringing on an MSSP that has you replacing your existing technology investments, or completely redesigning your business processes, may have you spending the same amount of time, energy, and cost as if you were to build it yourself – and sometimes with nothing to show for it. In order to ensure that you are making an informed decision when evaluating an MSSP, here are a few things to consider:

  • Does the MSSP fit your environment? – Most MSSP`s have pre-built packages based on devices and/or event counts. Make sure you are buying what makes sense for your environment. Often the service you would build to align with your company’s risk profile is misaligned with a pre-packaged solution. Look for hours of support, technical coverage, and processes for escalation and incident response.
  • What technology does the MSSP bring? – In most cases the industry is well-past utilizing intrusion detection system (IDS) logs to provide threat management. These types of detection and response services no longer offer an enterprise-wide view of threats and vulnerabilities. Look for MSSPs that are utilizing security information and event management (SIEM) technologies, at minimum, for greater threat visibility.
  • How does the MSSP manage escalations? – Having automation is great, when appropriate. However, when dealing with threat data and alerts, use MSSPs that use human interaction along with the tools to provide the level of investigation required for proper threat triage to reduce your organization’s work. This also ensures that the technologies in place are behaving the way they were intended to and the health of the services is also part of the service level.
  • What does investigation mean to the MSSP? –From alert triage, to investigation, to case creation, live escalation, and hand-off to your team for critical incidents, the MSSP should be able to clearly define what is done upon receiving an alert.
  • Does the MSSP consider where your data is stored? – As we all move to adopt cloud services to take advantage of cost savings and flexible infrastructure, make sure the MSSP is clear as to where your data will be stored and backed up. Better yet, if you are not willing to host your security data in the cloud, why should you settle for less than an on-premise solution. Another consideration is how you and your MSSP access your environment and data. Two-factor authentication should be the minimum acceptable standard for access.
  • Does your MSSP offer flexible reporting capabilities? – Standard reports are usually sufficient for looking at past events and incident history. Be sure that the MSSP can address your reporting needs for management, executives, and regulators when necessary. You should be able to time these reports to suit your needs and easily access them from a security portal.

Choosing the proper solution for threat management in your organization goes far beyond choosing the right technology, it requires the integration of your organization with the team and processes of the MSSP. The right MSSP should be an alternative to building the capability in-house and not just a substitution in a vendor evaluation form comparing ‘canned’ service levels and proprietary technologies. At Online our Managed Security Services (MSS) are based on the business strategy, compliance requirements, and risk profile of our clients. Our SOC is staffed by qualified, experienced security professionals who work as an extension of our customer’s existing operations team. We provide mature escalation management processes designed to offer a seamless hand-off to our customers. We use a combination of open-source and industry leading technologies that can integrate seamlessly into our customer’s environment, eliminating the need to replace existing investments. This partnership approach ensures that our customers get just what they need, deployed how they need it, and supported by qualified security professionals.