Availability of the monitoring infrastructure is obviously of critical importance. However, it is surprising how many providers do not have processes in place to detect failures in their own monitoring systems. Even fewer providers conduct trending and behavioral analyses to detect abnormal traffic patterns. Without conducting these types of analyses, a provider will not be able to catch a sudden drop-off in their security monitoring visibility. A typical example of this is when a client makes an improper switch configuration change on a network where an intrusion detection system resides. Most providers will not be alerted to a sudden reduction in visibility. To them it would look like a mere slow-down in events. Only providers that conduct continuous analysis on behavioral patterns will realize that something is not right with the monitoring infrastructure. It is obviously very important to seek out providers who conduct this type of analysis to ensure service availability.
The MSSP should have processes in place to feed information from one service to the next, in order to accurately identify threats and respond to them immediately. With an integrated delivery platform, the MSSP's services will work together to protect client organizations. With integrated services, threat research teams are able to supply intrusion analysts with emerging threat information. Analysts can then proactively update signatures and increase vigilance over vulnerable client networks. Without integrated services each team would operate as a silo of information, which causes service latency and increases the potential for threats to cause damage.
Technology is the foundation of a Managed Security Service Provider's ability to deliver quality service. Without the right technology solutions, it is difficult for the provider's analysts to properly investigate and respond to threats. One example is whether the MSSP decides to outsource core competencies by buying off-the-shelf solutions or to build these competencies in-house. Of particular importance is the security event monitoring platform and threat intelligence they use to deliver their services. If the platform they use was not developed in-house, then the provider is at the mercy of the software company they bought it from. Over time, this will inhibit their ability to improve analysis and response times since they will not be able to make the changes necessary to manage the ever-increasing amounts of security events. The bottom line is that by using off-the-shelf solutions for their underlying platform, a provider's ability to innovate, scale and deliver an exceptional service will be outside of their control. Organizations should consider using providers that have developed their core service foundations in-house to ensure they receive a high level of service over time.
Having an in-house team of researchers delivering threat intelligence is important because it improves the time it takes to deliver advanced warnings to emerging threats. Additionally, having an in-house team further protects an organization by enabling the intrusion analysts to use this valuable information to proactively update signatures and take other measures against the impending threat. Organizations will attain a higher-level of service from a provider that focuses on MSS and has developed the necessary infrastructure in-house.