Partnering with an MSSP has essentially become a foregone conclusion given today’s advanced cyberthreats and the growing shortage of adequately trained security professionals. Most companies simply cannot keep pace with the sophisticated and complex nature of attacks on their own, and industry analysts agree: Teaming up with an MSSP is now a must-have and a security best practice.
Partnering with an MSSP creates a number of ancillary benefits, including not only expanding security coverage to a full 24x7x365 format, but also removing pressure from your internal IT teams – ensuring that they can concentrate on performing core operations and enabling the business.
So, what key areas should you be thinking about when making this critical decision to ally with an MSSP?
True global MSSPs have unrivaled visibility into advanced threats and continuity of operations that no regional or smaller providers can match.
Global MSSPs have significant advantages over their competition and should be on your short list from an evaluation perspective. Because of the sheer volume of customers they serve, global MSSPs see more current, advanced threats on a recurring basis and are in a stronger position to respond quickly when your business is threatened. They are not only tracking the most current attack vectors and methods, but have likely already responded to them on behalf of another customer.
- Typically, global MSSPs have a large number of Security Operations Centers (SOCs) located worldwide and are better positioned to provide continuity of operations wherever and whenever you need them. The more cutting-edge MSSPs also have real-time operations and systems that link their SOCs so that the very latest threat intel which is generated in another part of the world is immediately shared with all of the other SOCs and then rapidly incorporated into monitoring operations at every customer location. These advanced SOC capabilities reduce the latency in both identifying threats and responding to them on the customer’s behalf.
- Global MSSPs are better equipped than other providers to securely integrate the latest business-enabling technologies. They can support companies running large, diverse operations, including newer cloud-based deployment models. Look for MSSPs that not only take care of your security operations, but can assist you in securely rolling out new business-enabling technologies and solutions.
With today’s worldwide shortage of security expertise, there is no substitute for MSSPs that employ the industry’s best and brightest security minds.
One of the key values and benefits to partnering with an MSSP is the round-the-clock access you have to certified, knowledgeable and highly experienced security professionals located throughout the world. When evaluating this area of an MSSP’s capabilities, examine the number of security analysts they employ and ask these questions:
- Do the security analysts hold advanced security certifications beyond the typical industry certifications in applications or networking technologies? (These should include certifications such as the CISSP, or SANS/GIAC credentials in specialty areas such as incident handling or business continuity.)
- Does the MSSP have in-house researchers and industry-recognized specialists and teams with presence at the major security shows and competitive events to showcase their advanced expertise and capabilities? Do members of the team blog or publish regularly on security topics, contribute to vulnerability advisory services, and/or explore the latest exploit tools and techniques?
- Do the MSSP’s employees have certifications and/or experience with specific compliance frameworks, such as PCI DSS, FFIEC, GLBA or HIPAA/HITECH, so that they can support you effectively in these areas?
Partnering with an MSSP that is effectively a “one-stop shop” for all of your security needs is absolutely critical in the selection process.
Trustwave firmly believes that with few exceptions, partnering with an MSSP that can cover all of your current and future needs is the way to go. With today’s advanced threats, you need a comprehensive, 360-degree view of your security operations, including correlating all of your security sources of information into a single pane of glass. Dividing security across multiple providers does not work here and shatters the single pane of glass you need for complete visibility into your security operations, status and outcomes.
- You do not need two providers pointing fingers over a missed indicator of a potential attack or offering opposing information over what is required to respond and effectively contain a breach. Truly effective security operations are best managed between your staff and one trusted provider with which you work closely when things go wrong and you need to respond quickly to terminate an attack, and contain and forensically investigate a breach.
- A few exceptions to the single-provider model, beyond the MSSP in charge of your day-to-day security operations, lie in the areas of penetration testing and compliance. In many cases, compliance requirements call for an independent third party to verify that the security controls implemented and monitored by your primary provider are effective. The ideal setup is a single MSSP in charge of your security operations, with whom you interact regularly, plus a specialist for functions such as penetration testing who also helps keep your MSSP honest.
Actionable Security Portal
Your single pane of glass: A robust security portal for interactions with the MSSP, as well as reporting and compliance support.
Security portals originally emerged as nothing more than glorified security dashboards centered around high-level reporting and status. Today’s security portals, however, are going through a rapid transformation which includes many more robust features, including shared tool sets, detailed status monitoring and alerting functionality, and more flexible reporting capabilities such as enhanced compliance support. Consider these key questions and capabilities in a security portal:
- What is the timeliness of security alerts or status reporting coming from the portal? Is it near real-time or updated only occasionally?
- Are there any shared tool sets which allow you to not only view security configurations and policies, but also potentially modify some of the settings? If modification is not supported, what is the timeliness and support procedure for change requests?
- Does the reporting functionality include enough flexibility to produce custom reports and/or data extracts to be used in other reporting mechanisms? Does the reporting include compliance-specific reports – or at least the capability to export compliance data to be used offline?
- Does portal access support two-factor authentication (for example, digital certificates), or is only basic user ID/password sign-on supported?
Advanced Threat Detection
Support for real-time visibility into endpoint operations is essential given the growing number of devices and workstations, and attackers’ preference for targeting these assets.
Cybercriminals have become much more effective at bypassing traditional perimeter security controls. As a result, a shift has occurred in security operations which places an increasing emphasis on detection technologies versus prevention technologies – in particular, detection technologies that focus on visibility and control of endpoints under constant attack by today’s modern cybercriminals. Considering this new paradigm, evaluate these questions and capabilities:
- What managed offerings does your MSSP support for endpoints? Are they limited to traditional technologies such as anti-virus, endpoint firewall and IPS solutions?
- How robust is the MSSP’s real-time monitoring of endpoints? Does it detect not only file changes, but registry and memory modifications as well? Does it employ more than just signature-based detection, adding heuristic and behavioral techniques?
- Does the MSSP include managed offerings for newer endpoint detection and response (EDR) solutions? Does support include the ability to terminate bad processes, remove files and/or quarantine infected endpoints?
- Does the MSSP offer technology choices among EDR solutions, or are you required to simply go with the technology choice the MSSP has made?
A top-tier MSSP should be highly qualified in all areas of security, but should also understand your business, your customers, and your business outcomes and concerns.
Good customer service has many definitions, but with managed security services it takes on a whole different meaning due to the importance data security has for all businesses today. The best MSSPs take that into account and offer you services that are structured for effective security, but also incorporate a degree of flexibility to accommodate some variances and the business environment in which your company operates. Some of the key questions to discuss with any MSSP are:
- Does the MSSP offer flexibility in customizing solutions and service-level agreements (SLAs) to your business needs, or are their services more of a one-size-fits-all mentality or approach? (Often MSSPs will have multiple tiers of service that allow you to retain responsibility for some aspects of the service, lessening your costs while possibly increasing some of your control.)
- Does the MSSP offer a detailed deployment plan, including customized notification and escalation procedures to get the right people in your organization involved at the right times?
- Are the SLAs and security policies documented in writing so that you know exactly what to expect from the MSSP under various operational scenarios? Do they closely listen to you and document any actions you want them to take on your behalf during a potential intrusion or breach scenario?
- Is the MSSP simple to do business with through straightforward contracts and service descriptions that include your ability to opt out of the contract early if service levels are not consistently met? Are service credits available as an interim measure if needed to penalize poor performance on their part?
Download this decision guide as a reference for selecting your MSSP partner.
During your selection process, you need to consider the specific security solutions that are must haves in today’s advanced threat environment. Let’s take a deeper dive into some of the key solutions you should consider in discussions with potential MSSPs.
Reducing your attack surface is important to any security program, as is prioritizing those efforts so you truly benefit from the greatest risk reductions.
Most providers offer some form of basic vulnerability management for discovering devices and remediating vulnerabilities. Basic vulnerability scanning and the subsequent remediation and patching cycles can feel endless – and in some ways, they are. When evaluating these services from MSSPs, look for true management systems that generate efficiencies in the scanning process and help you focus your remediation and patching activities in the areas where you have the highest exposure or risk. Consider these questions and capabilities:
- Does the MSSP’s platform perform fully automated scans and alerting, and include centrally managed scanners and agents (for larger, more distributed operations)?
- Are vulnerability severity levels clearly identified in dashboard displays and reports, and does the system allow you to create groups of devices based upon functional categories or criticality levels?
- Does the MSSP include options to scan both the network perimeter and internal networks?
- Does the MSSP generate custom reports, including those that meet auditing or compliance requirements?
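The prioritization the section asks for (focusing remediation where exposure and risk are highest, with devices grouped by function or criticality) can be illustrated with a small ranking routine. The following is an added example, not code from the original page or from any vendor’s platform; the weighting tables, the device groups, the host names and the finding IDs are all constructed assumptions chosen to make the ordering visible.

```python
from dataclasses import dataclass

# Assumed weighting tables (hypothetical; tune to your environment).
# Criticality: device group -> weight, as a portal's device groups might define it.
CRITICALITY = {"dev": 1, "corp": 2, "dmz": 3, "payment": 3}
# Exposure: which scan surfaced the finding; perimeter exposure doubles the weight.
EXPOSURE = {"internal": 1.0, "perimeter": 2.0}
# Extra weight when the vulnerability is known to be exploited in the wild.
EXPLOITED_BOOST = 1.5


@dataclass(frozen=True)
class Finding:
    host: str
    group: str        # device group the host belongs to (key of CRITICALITY)
    exposure: str     # "perimeter" or "internal" (key of EXPOSURE)
    finding_id: str   # scanner's finding identifier (constructed placeholders below)
    cvss: float       # CVSS base score, 0.0-10.0
    exploited: bool   # known exploited in the wild, per your threat intel feed


def severity_band(cvss: float) -> str:
    """Map a CVSS base score to the severity band a dashboard would display."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(f: Finding) -> float:
    """CVSS scaled by asset criticality and exposure, boosted if exploited."""
    score = f.cvss * CRITICALITY[f.group] * EXPOSURE[f.exposure]
    if f.exploited:
        score *= EXPLOITED_BOOST
    return round(score, 1)


def prioritize(findings):
    """Highest risk first; ties broken deterministically by host and finding id."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host, f.finding_id))


def band_counts(findings):
    """Counts per severity band, the summary view a portal would show."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[severity_band(f.cvss)] += 1
    return counts


# Constructed sample scan output (not real hosts or real vulnerabilities).
SAMPLE = [
    Finding("web01", "dmz", "perimeter", "finding-1", 7.5, False),
    Finding("db01", "payment", "internal", "finding-2", 9.8, False),
    Finding("dev03", "dev", "internal", "finding-2", 9.8, False),
    Finding("web01", "dmz", "perimeter", "finding-3", 5.3, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.host:6}  {f.finding_id}  {severity_band(f.cvss)}")
```

Note what the ordering shows: the same finding on a development box and on a payment database gets very different priorities, and a medium-severity but actively exploited issue on an internet-facing host outranks a critical one that is only reachable internally. That is the behaviour to look for in an MSSP’s platform rather than a flat list sorted by CVSS alone.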
Email & Web Security
Email and web services continue to be the attack vectors of choice among most cybercriminals, so finding an MSSP with advanced expertise and technology in helping secure these areas is important.
Managed services for secure email and web gateways should include all of the software and hardware required to deploy the solution regardless of deployment mode, whether an on-premises appliance, software-only or a cloud-based service. The MSSP should provide complete support and software maintenance for the solutions, and account for these considerations:
- Flexible deployment options: on premise, software or cloud
- Protection against blended threats that use multiple vulnerabilities and methods to spread
- Web gateways featuring real-time code analysis with dynamic URL categorization, and the ability to strip out malware and deliver the repaired page to end-users
- Multi-layered anti-spam approach that maximizes effectiveness and minimizes false positives
- Optional data loss prevention protection to help achieve regulatory compliance and protect your sensitive data, including intellectual property
Web Application Security
Because web application firewalls can be difficult to administer and maintain, a fully managed solution is often the best way for customers to gain the full benefit of the technology.
Web applications are mission critical for most organizations, but in-house teams generally are challenged to manage the security and compliance of these applications. A web application firewall (WAF) helps organizations mitigate risk, as well as assists in meeting certain compliance requirements. Key considerations include:
- Your MSSP should provide full deployment and continuous tuning of the WAF appliance, along with continuous systems health monitoring
- 24x7x365 event monitoring and alerting, and the option for periodic log reviews
- Tuning support for scheduled changes to protected web applications
- Customer access to events and reports through the security portal
- Advanced web application security detection and protection, including coverage of the OWASP Top 10 Web application attacks
Databases house the majority of sensitive and valuable information held by most companies.
The quality of a database security solution directly correlates with the quality of its checks and tests. And, a set of evaluations is only as good as the research team developing it and the services team that keeps it current. Your MSSP should:
- Offer broad support for the major database and data platforms, including Oracle, Microsoft SQL Server, IBM DB2, Sybase, MySQL and Hadoop
- Provide agentless implementation with no performance impact on the monitored database
- Include the ability to identify recently added, rogue or missing data store installations
- Provide visibility into not only vulnerabilities, but also misconfigurations, excessive security rights and policies
- Offer detailed reporting with actionable results
Endpoint security has become much more important with today’s advanced threats and the explosion of newly connected devices, and you need real-time visibility and control into endpoint activities to stay ahead of the curve.
Traditional endpoint security solutions still have their place in a preventive security context, but today the emphasis is moving rapidly towards Endpoint Detection and Response (EDR) solutions, which provide detailed visibility and real-time control over compromised endpoints. Key service considerations include:
- Is the MSSP’s offering based upon best-of-breed technologies or some form of homegrown capability? Are technology choices offered as part of the service?
- Does the service provide detailed visibility into not only file operations, but also registry changes and dynamic memory alterations/injection techniques?
- Once an attack is confirmed, does the service offer a wide range of response options, including process termination, file deletions and endpoint quarantine?
- Are there proactive options offered in the service to include scanning for indicators of compromise or threat hunting?
- What capabilities does the service have to assess the breadth of a compromise, including lateral movement? Can response operations be carried out automatically against all affected endpoints after detection?
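Assessing the breadth of a compromise means turning endpoint telemetry into a list of hosts the attacker could have reached, so that response actions (quarantine, process termination) cover all of them rather than only patient zero. The following is an added example of that scoping logic, not code from the original page or from any EDR product; the event fields, the host names and the timestamps are constructed for illustration, and the sorting-by-time approach is a simple time-respecting reachability search rather than any particular vendor’s algorithm.

```python
from collections import namedtuple

# One lateral-movement-relevant event as an endpoint sensor might report it.
# ts is an integer timestamp, src/dst are hostnames, how is the protocol or
# technique observed. The field names are assumptions for this example.
Event = namedtuple("Event", "ts src dst how")

# Constructed telemetry (not real hosts or an actual incident).
EVENTS = [
    Event(50,  "fs01",    "web01",    "smb"),     # inbound to patient zero before compromise
    Event(90,  "app02",   "db01",     "rdp"),     # app02 not yet compromised at t=90: ignored
    Event(100, "web01",   "app02",    "smb"),     # first hop from patient zero
    Event(150, "app02",   "db01",     "psexec"),  # second hop
    Event(200, "db01",    "backup01", "smb"),     # third hop
    Event(300, "hr-pc07", "app02",    "rdp"),     # from an uncompromised host: ignored
]


def affected_hosts(events, patient_zero, t0):
    """Time-respecting reachability from patient_zero, compromised at t0.

    Returns {host: earliest time it could have been reached}. An edge is only
    followed if its source was already compromised at or before the edge time,
    so a connection that predates the source's compromise does not count.
    """
    compromised = {patient_zero: t0}
    # Processing edges in time order makes a single pass sufficient: by the time
    # an edge is examined, every earlier compromise has already been recorded.
    for e in sorted(events, key=lambda e: e.ts):
        if e.src in compromised and e.ts >= compromised[e.src] and e.dst not in compromised:
            compromised[e.dst] = e.ts
    return compromised


def movement_path(events, patient_zero, t0):
    """The hops that were actually followed, for the incident timeline."""
    reached = affected_hosts(events, patient_zero, t0)
    return [e for e in sorted(events, key=lambda e: e.ts)
            if e.src in reached and e.dst in reached
            and reached[e.dst] == e.ts and reached[e.src] <= e.ts]


def quarantine_plan(events, patient_zero, t0):
    """Hosts to isolate, most recently reached first (most likely still active)."""
    reached = affected_hosts(events, patient_zero, t0)
    return sorted(reached, key=lambda h: (-reached[h], h))


if __name__ == "__main__":
    for e in movement_path(EVENTS, "web01", 100):
        print(f"t={e.ts:<4} {e.src} -> {e.dst} via {e.how}")
    print("quarantine:", quarantine_plan(EVENTS, "web01", 100))
```

The two ignored events are the point of the example: a connection from a host that was not yet compromised, or from a host that is never reached, must not inflate the scope, otherwise automated response would quarantine machines that were never touched. When evaluating an MSSP’s EDR service, ask whether its breadth assessment honours event ordering in this way and whether the resulting host list can drive the response actions directly.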
Incident Response Services
A quick and efficient response to an attack on your network can save an untold amount of time, money and staff hours during and after a breach. Having an existing relationship with an MSSP that can respond quickly is imperative.
Working with an MSSP to develop an incident response plan before an incident occurs is smart business and a security best practice. But what things do you need to account for as you develop your plan, and how can a knowledgeable MSSP really help? Key questions and considerations include:
- Has the MSSP developed repeatable response methodologies that can deliver consistent results and offer complete deliverables such as a tested computer security incident response plan (CSIRP)?
- Does the MSSP also offer services to help you train an in-house computer incident response team (CIRT) to support your plan?
- Does the MSSP offer services to provide immediate support to you in the event of a breach?
- What forensic capabilities and skills does the MSSP bring to the table? Do they include the ability to assess mobile devices and cloud environments?
To help you evaluate and compare MSSPs, download our MSSP Checklist with questions to pose to potential providers. Make sure you ask the right questions now to ensure your business is secure later.
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, we enable businesses to transform the way they manage their information security and compliance programs.
Smart Security On Demand
We deliver automated, sustainable and cost-effective data protection, risk management and threat intelligence to our customers—what we call SMART SECURITY ON DEMAND.
With more than three million enrollees, TrustKeeper, our intuitive and easy-to-use technology portal, is available in the cloud. We also offer industry-leading managed security services, award-winning technology products, as well as consulting, systems integration and other professional services. Many of our solutions are available across multiple delivery mechanisms, giving our customers flexibility as they design and implement their security infrastructure.
Our qualified security assessors, ethical hackers and other experts are some of the industry’s most trusted sources for risk assessments, threat research, forensic investigations, and security training. There’s no better place to acquire the knowledge needed to cut off criminals before they can commit serious harm than the 2018 Trustwave Global Security Report.
The most recent “Gartner Magic Quadrant for Managed Security Services, Worldwide” evaluates 17 global managed security services providers (MSSPs) on several criteria. Trustwave is now in the Leaders Quadrant, moving higher on the ability to execute and further on the completeness of vision axes in the quadrant.
Threat Intelligence Built-In
Our large, global client footprint gives us visibility into security threats – visibility enhanced by our SpiderLabs® teams' applied research and field testing.
Last year, we conducted more than two million network and vulnerability scans, examined more than five million malicious websites, researched more than nine million web application attacks, and evaluated more than 20 billion emails. Combined, this work fuels the threat intelligence we bake into all of our services and technologies, which help customers prepare proactively for threats, including zero-day attacks, and reduce their overall risk exposure.