Gartner describes managed security services (MSS) as “the remote monitoring or management of IT security functions delivered via shared services from remote security operations centres (SOCs), not through personnel on-site.”
Although ‘IT security functions’ is a broad term, the core functions of a managed security service will include monitored or managed firewalls and intrusion detection and prevention systems, together with log collection, analysis and reporting. Beyond this there is a range of additional functions that provide extra protection. Increasingly, the functions and services that make up a comprehensive managed security service are driven by data. In much the same way that an army bases its tactics and the allocation of its resources on the intelligence gathered by scouts, a managed security service that incorporates threat intelligence feeds enables a far more informed, efficient and effective security strategy.
In terms of the marketplace for these services, Managed Security Service Providers (MSSPs) range in size and scope. Some of the largest are Internet Service Providers that have diversified into the space and compete alongside pure-play security vendors and service providers.
Selecting the right provider can be a difficult process. No two managed service offerings will be the same, and some will be a lot more comprehensive than others. There are various components that should be considered when evaluating MSSPs, and certain capabilities that should be looked for in providers.
Security information and event management (SIEM)
SIEM is the cornerstone of MSS. A SIEM collects logs from firewalls, intrusion prevention systems (IPS), mail servers, web servers, network devices and general-purpose servers, then normalises and correlates them so that attempted security violations can be identified and acted on promptly.
What matters most is the initial configuration and the ongoing management. The right log sources must be monitored to avoid blind spots that could render all other security effort useless, and the correct events must be logged at the appropriate level. Often too much of the wrong log data is collected, creating ‘noise’ in which genuine incidents can be missed. In almost all cases noise equals cost, in storage and in analyst time, so it is important that your MSSP can guide you on logging best practice.
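The two SIEM concerns above, correlating events across log lines and checking that expected sources are actually reporting, can be shown in a few dozen lines. The following is an added example written for this article, not code from Nettitude or from any SIEM product: it parses constructed sshd and firewall syslog lines (host names and addresses are assumptions; the IP ranges are documentation ranges), raises an alert when a burst of failed logins from one source is followed by a successful login from the same source within a short window, and lists expected log sources that sent nothing in the batch, which is exactly the blind spot the text warns about.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines for this example (not real data): sshd
# authentication events from one web server plus one firewall line, in a
# syslog-like format with an ISO timestamp. Host names and addresses are
# assumptions; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:03 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:05 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:07 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51006 ssh2
2024-03-01T10:00:09 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51008 ssh2
2024-03-01T10:00:12 web01 sshd[1201]: Accepted password for deploy from 203.0.113.7 port 51010 ssh2
2024-03-01T10:01:00 web01 sshd[1202]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:01:30 web01 sshd[1202]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
2024-03-01T10:02:00 fw01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_events(text):
    """Return parsed sshd auth events; lines from other sources are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events

def detect_bruteforce_success(events, threshold=5, window_s=60):
    """Alert when >= threshold failures from one source against one host are
    followed, within window_s seconds, by a successful login from that source."""
    recent = defaultdict(deque)   # (host, src) -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        q = recent[(e["host"], e["src"])]
        while q and (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # forget failures outside the window
        if e["result"] == "Failed":
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({"host": e["host"], "src": e["src"], "user": e["user"],
                           "failures": len(q), "ts": e["ts"].isoformat()})
            q.clear()
    return alerts

def log_source_gaps(text, expected_hosts):
    """Blind-spot check: expected log sources that sent nothing in this batch."""
    seen = {line.split()[1] for line in text.splitlines() if line.strip()}
    return sorted(set(expected_hosts) - seen)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for a in detect_bruteforce_success(evs):
        print("ALERT: failures followed by success", a)
    print("silent log sources:", log_source_gaps(SAMPLE_LOGS, ["web01", "fw01", "db01"]))
```

In the sample, the single failed attempt by alice followed by a key-based login is ordinary user behaviour and produces nothing; the five failures from 203.0.113.7 followed by a password login as deploy do. The silent-source check reports db01, which is the kind of gap a provider should surface before an incident rather than after.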
Threat intelligence
Threat intelligence is an area of growing importance and can prove to be the most critical aspect of aligning security efforts with the specific threats an individual organisation should expect to face. This can, and should, be an involved process, starting with careful scoping of the environment to determine what data needs to be collected and monitored. A given exploit, for example, only poses a risk if the hardware or software it targets exists in the environment, which allows it to be included in, or ruled out of, the scope of ongoing intelligence gathering. The threat intelligence itself will come from a variety of feeds; some will be proprietary to the MSSP, others open source. The most sophisticated providers will work with your organisation to gather both technical and non-technical threat intelligence pertinent to it. This should then form the basis of SIEM use cases and incident readiness.
Honey pots and honey traps
Honey traps deployed in the customer's environment are incredibly useful, as they provide the most relevant and specific insight into incoming threats. They can be virtual systems, dedicated hardware or small purpose-built devices such as a Raspberry Pi running custom software. Because no legitimate user or process has any reason to touch them, any interaction with them is suspect by definition. Linked directly to a SOC, honey pots give early warning of a compromised environment and are a key source of first-hand intelligence and forensic evidence of malicious activity.
Creative integration of honey traps and honey pots provides a wide array of benefits, such as detection of compromised credentials, lateral movement and rogue devices.
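To make the honey trap idea concrete, here is an added example (written for this article, not Nettitude's own tooling): a minimal TCP honey trap that listens on a port no legitimate client should ever connect to, presents a plausible banner, records every connection as an alert with the first bytes the client sent as evidence, and escalates when the payload contains a planted decoy credential, which is how a honey token reveals compromised credentials. The banner, the decoy user name and the loopback address are assumptions for the demo; in practice the listener would sit on an internal segment and ship its events to the SOC.

```python
import socket
import threading
import time

# Added example: a minimal TCP "honey trap". Every connection is an alert, and
# the first bytes the client sends are kept as evidence. The banner, the decoy
# user name and the use of 127.0.0.1 are assumptions for this demo.
DECOY_USERS = {"svc_backup_old"}      # planted credential that nothing real uses
BANNER = b"220 legacy-ftp ready\r\n"  # looks like a service worth attacking

class Honeypot:
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)         # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.events = []                  # alerts that would be shipped to the SOC
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    conn.sendall(BANNER)
                    data = conn.recv(256)   # evidence: whatever the client sends first
                except (socket.timeout, OSError):
                    data = b""
            self._record(peer, data)

    def _record(self, peer, data):
        # A decoy credential in the payload means the attacker has read wherever
        # it was planted: escalate above a plain port-scan hit.
        decoy_used = any(u.encode() in data for u in DECOY_USERS)
        event = {"src": peer[0], "dst_port": self.port, "payload": data,
                 "severity": "high" if decoy_used else "medium"}
        with self._lock:
            self.events.append(event)

    def wait_for(self, count, timeout=2.0):
        """Block until `count` events have been recorded or the timeout elapses."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.02)
        return False

def probe(port, payload):
    """Play the attacker: connect, read the banner, send one line, disconnect."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(64)
        if payload:
            c.sendall(payload)
    return banner

def demo():
    """Run the trap, hit it twice (once with the decoy credential), return alerts."""
    hp = Honeypot()
    hp.start()
    try:
        probe(hp.port, b"USER svc_backup_old\r\n")   # stolen decoy credential tried
        probe(hp.port, b"")                          # bare connect, e.g. a port scan
        hp.wait_for(2)
    finally:
        hp.stop()
    return hp.events

if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

The source address on each event is what turns a hit into lateral-movement evidence: an internal workstation connecting to a decoy file server is a compromised host, and a source address that is not in the asset inventory at all is a rogue device. Both checks are a lookup against inventory at the SOC end and are left out of the block.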
File Integrity Monitoring (FIM)
FIM detects changes to files and configuration on servers and devices across an organisation's infrastructure in real time.
FIM solutions generate in-depth before-and-after views of file and configuration changes, assuring ongoing system integrity and helping to automate the detection, auditing and reconciliation of changes, including small or obscure changes that can reveal advanced intrusions. Out-of-the-box FIM deployments can be noisy or ineffective. MSSPs with experience in this area should have a wealth of knowledge of known attacker tools, tactics and procedures; that knowledge should drive the FIM rules and signatures and allow your security provider to identify suspicious endpoint activity in real time.
In addition, FIM solutions can aid audit preparation by providing instant visibility into compliance levels to satisfy auditors.
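The before-and-after view and the tuning problem described above can both be shown with a small file integrity monitor. The following is an added example for this article, not code from any FIM product: it baselines a directory tree as (SHA-256, permission bits) per file, compares a later snapshot against it, and reports added, removed, content-changed and permission-changed paths. The exclude rule for log files is the kind of tuning that separates a noisy default deployment from a useful one; the file names, contents and the simulated intruder changes are constructed for the demo.

```python
import fnmatch
import hashlib
import os
import tempfile
from pathlib import Path

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, exclude=()):
    """Baseline a tree: relative path -> (sha256, permission bits).
    Paths matching an exclude glob (e.g. 'var/*.log') are skipped; that is the
    tuning that turns a noisy out-of-the-box deployment into a usable one."""
    root = Path(root)
    state = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(fnmatch.fnmatch(rel, pat) for pat in exclude):
            continue
        state[rel] = (_sha256(p), os.stat(p).st_mode & 0o7777)
    return state

def diff(before, after):
    """Before-and-after view: added, removed, content or mode changes."""
    changes = []
    for rel in sorted(set(before) | set(after)):
        b, a = before.get(rel), after.get(rel)
        if b is None:
            changes.append({"path": rel, "change": "added", "after": a})
        elif a is None:
            changes.append({"path": rel, "change": "removed", "before": b})
        elif b != a:
            kind = "content" if b[0] != a[0] else "mode"
            changes.append({"path": rel, "change": kind, "before": b, "after": a})
    return changes

EXCLUDE = ("var/*.log",)   # assumed tuning rule: log growth is expected, not a finding

def demo():
    """Build a tiny constructed host tree, baseline it, simulate an intruder's
    changes plus normal log growth, and return what FIM would report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "var").mkdir()
        passwd, sudoers, log = root / "etc/passwd", root / "etc/sudoers", root / "var/app.log"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        sudoers.write_text("root ALL=(ALL) ALL\n")
        log.write_text("started\n")
        passwd.chmod(0o644)
        sudoers.chmod(0o440)
        baseline = snapshot(root, EXCLUDE)

        # Simulated intruder: loosen sudoers and grant a web account root,
        # drop a cron job, make passwd world-writable. The log keeps growing
        # as it would on any healthy host and must not produce a finding.
        sudoers.chmod(0o666)
        with open(sudoers, "a") as f:
            f.write("www-data ALL=(ALL) NOPASSWD: ALL\n")
        (root / "etc/cron.d").mkdir()
        (root / "etc/cron.d/backup").write_text("* * * * * root /tmp/.x\n")
        passwd.chmod(0o666)
        with open(log, "a") as f:
            f.write("request served\n")

        return diff(baseline, snapshot(root, EXCLUDE))

if __name__ == "__main__":
    for change in demo():
        print(change)
```

The report lists three findings (a new cron job, a permission change on passwd, and a content change on sudoers) and nothing for the log file. A real deployment would also record who made each change and when, which is what makes the same data useful as audit evidence.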
Network security appliances
The final part of a strong MSS offering is the deployment of sophisticated network security appliances that are controlled and monitored by the MSSP. These should provide enhanced insight into network activity and will typically help in gathering Data Loss Intelligence (DLI) and in detecting suspicious exfiltration of data from the network.
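One of the simplest signals such an appliance can produce is a per-host egress baseline. The following is an added example for this article, not code from any appliance vendor: it models the flow summaries a network appliance would export as (day, source, destination, port, bytes) tuples, learns each internal host's busiest previous day of traffic to external addresses, and flags any host whose external egress today is both above an absolute floor and several times its baseline. The flow records and the choice of 10.0.0.0/8 as the internal range are assumptions constructed for the demo.

```python
import ipaddress
from collections import defaultdict

# Added example, not from the article. Flow records (the kind of NetFlow/IPFIX
# summary a network appliance exports) are modelled as tuples of
# (day, src, dst, dst_port, bytes_out). Addresses are assumptions: 10.0.0.0/8
# is treated as internal, everything else as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SAMPLE_FLOWS = [  # constructed for this example
    ("d1", "10.0.0.5",  "203.0.113.10", 443,  2_000_000),    # workstation, normal web use
    ("d2", "10.0.0.5",  "203.0.113.10", 443,  2_200_000),
    ("d3", "10.0.0.5",  "203.0.113.11", 443,  1_900_000),
    ("d1", "10.0.0.20", "10.0.0.5",     5432, 900_000_000),  # database host, internal only
    ("d2", "10.0.0.20", "10.0.0.5",     5432, 950_000_000),
    ("d3", "10.0.0.20", "10.0.0.5",     5432, 920_000_000),
    ("d4", "10.0.0.5",  "203.0.113.10", 443,  2_100_000),    # today: still normal
    ("d4", "10.0.0.20", "10.0.0.5",     5432, 910_000_000),
    ("d4", "10.0.0.20", "198.51.100.9", 443,  600_000_000),  # today: 600 MB leaves the DB host
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def exfil_alerts(flows, today, ratio=5.0, min_bytes=50_000_000):
    """Flag hosts whose egress to external addresses today is at least
    min_bytes and more than `ratio` times their busiest previous day.
    A host with no external history is compared against zero, so any egress
    above the floor alerts: a database server that suddenly talks to the
    internet is the classic case."""
    history = defaultdict(lambda: defaultdict(int))    # src -> day -> bytes
    today_out = defaultdict(lambda: defaultdict(int))  # src -> dst -> bytes
    for day, src, dst, _port, nbytes in flows:
        if not is_external(dst):
            continue                     # internal traffic is not egress
        if day == today:
            today_out[src][dst] += nbytes
        else:
            history[src][day] += nbytes
    alerts = []
    for src, dsts in today_out.items():
        total = sum(dsts.values())
        if total < min_bytes:
            continue                     # absolute floor keeps small hosts quiet
        busiest = max(history[src].values(), default=0)
        if total > ratio * busiest:
            top_dst, top_bytes = max(dsts.items(), key=lambda kv: kv[1])
            alerts.append({"src": src, "bytes_today": total, "baseline_max": busiest,
                           "top_dst": top_dst, "top_dst_share": round(top_bytes / total, 2)})
    return alerts

if __name__ == "__main__":
    for a in exfil_alerts(SAMPLE_FLOWS, "d4"):
        print("EXFIL?", a)
```

The workstation's traffic never trips the rule because it stays within a few percent of its baseline and under the floor; the database host, which has no external history at all, does, and the report names the destination receiving almost all of the volume, which is the first thing an analyst will want to look up.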
With a growing pool of MSSPs to choose from, organisations really are in a buyers' market, and much of the detail outlined above is becoming the norm among providers. To choose the partner that suits your organisation best, look beyond the typical tick boxes and identify which MSSP will truly align with your own goals.
A critical question any CISO or CTO should be asking is, “What can the MSSP do to help enhance our security posture?”
MSSPs that deliver consultancy around business intelligence, learn about your organisation and invest in new technologies, processes and policies aligned with your own goals are the ones to watch. The objective for every provider should be to gather data that is useful and to enrich that data with threat intelligence and expertise.
In summary, there is a great deal to consider when evaluating managed security services, but some important principles apply. At the core of any effective solution will be accurate, relevant intelligence that relates precisely to your environment; this should be the primary factor in any assessment.
Contributed by Luke Ager, head of incident response, Nettitude