11 Elements of a Successful Managed Security Partnership
by Steven Drew - Monday, 02 February 2003.
The second category is the Managed Security Service Provider's processes. Processes facilitate the effective delivery of the provider's services. An important but often neglected process is enabling real-time visibility into service delivery. An MSSP should adhere to an OPEN Service Delivery methodology. This methodology allows clients to see the status of their security and service delivery every second of every day. To adopt this methodology, the MSSP needs to have the proper processes in place to show clients real-time information through a portal. Many providers will only post incidents after they have been analyzed. When a provider does not present all security events, the client will not gain enterprise-wide security visibility and will never know the true level of threats facing their organization. Companies should seek providers that present them with all the events and their status in real time via the client portal.

Availability of the monitoring infrastructure is obviously of critical importance. However, it is surprising how many providers do not have processes in place to detect failures in their own monitoring systems. Even fewer providers conduct trending and behavioral analyses to detect abnormal traffic patterns. Without conducting these types of analyses, a provider will not be able to catch a sudden drop-off in their security monitoring visibility. A typical example of this is when a client makes an improper switch configuration change on a network where an intrusion detection system resides. Most providers will not be alerted to a sudden reduction in visibility. To them it would look like a mere slow-down in events. Only providers that conduct continuous analysis on behavioral patterns will realize that something is not right with the monitoring infrastructure. It is obviously very important to seek out providers who conduct this type of analysis to ensure service availability.
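The drop-off check described above can be sketched as follows. This is an added example, not code from the article or from any provider; the function names, the 24-interval window, the threshold, the three-interval persistence rule and the sample counts are all assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample: per-interval event counts from one IDS sensor.
# Indexes 0-29 normal, 30 a one-off dip, 31-33 normal, 34-37 sustained drop
# (the sensor still reports events, so it looks like a mere slow-down).
SAMPLE = ([1000 + (i * 37 % 120) - 60 for i in range(30)]
          + [600, 1003, 988, 1011]
          + [310, 290, 305, 300])


def low_score(baseline, current):
    """One-sided robust z-score: how far `current` sits below the baseline median."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    # MAD scaled to approximate a standard deviation; floored so a
    # perfectly flat baseline still produces a usable score.
    scale = 1.4826 * mad or max(1.0, 0.05 * med)
    return (med - current) / scale


def detect_visibility_loss(counts, window=24, threshold=4.0, sustain=3):
    """Return the index where a sustained drop in event volume begins, or None.

    counts: event counts per interval for one sensor, oldest first.
    A drop must persist for `sustain` intervals, so one quiet interval
    does not alert. The baseline is frozen while a drop is in progress
    so the low counts cannot pull the median down and hide the outage.
    """
    baseline = list(counts[:window])
    run_start, run_len = None, 0
    for i in range(window, len(counts)):
        if low_score(baseline, counts[i]) >= threshold:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len >= sustain:
                return run_start
        else:
            run_len = 0
            baseline = baseline[1:] + [counts[i]]
    return None


if __name__ == "__main__":
    print("visibility loss begins at interval", detect_visibility_loss(SAMPLE))
```

The check is one-sided on purpose: a surge in events is a detection matter, while a sustained fall below the sensor's own baseline points at the monitoring path itself.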

The MSSP should have processes in place to feed information from one service to the next, in order to accurately identify threats and respond to them immediately. With an integrated delivery platform, the MSSP's services will work together to protect client organizations. With integrated services, threat research teams are able to supply intrusion analysts with emerging threat information. Analysts can then proactively update signatures and increase vigilance over vulnerable client networks. Without integrated services, each team would operate as a silo of information, which causes service latency and increases the potential for threats to cause damage.


Technology is the foundation of a Managed Security Service Provider's ability to deliver quality service. Without the right technology solutions, it is difficult for the provider's analysts to properly investigate and respond to threats. One example is the decision whether to outsource core competencies by buying off-the-shelf solutions or to build these competencies in-house. Of particular importance are the security event monitoring platform and the threat intelligence the provider uses to deliver its services. If the platform was not developed in-house, then the provider is at the mercy of the software company it bought the platform from. Over time, this will inhibit its ability to improve analysis and response times, since it will not be able to make the changes necessary to manage the ever-increasing volume of security events. The bottom line is that by using off-the-shelf solutions for their underlying platform, a provider's ability to innovate, scale and deliver an exceptional service will be outside of their control. Organizations should consider using providers that have developed their core service foundations in-house to ensure they receive a high level of service over time.

Having an in-house team of researchers delivering threat intelligence is important because it shortens the time it takes to deliver advance warnings of emerging threats. Additionally, having an in-house team further protects an organization by enabling the intrusion analysts to use this valuable information to proactively update signatures and take other measures against the impending threat. Organizations will attain a higher level of service from a provider that focuses on MSS and has developed the necessary infrastructure in-house.

