11 Elements of a Successful Managed Security Partnership
by Steven Drew - Monday, 02 February 2003.
A key element of effective security monitoring is the ability to examine the packet decode from a network intrusion detection system. The packet decode provides you with the raw packet information. With this information a skilled analyst will be able to analyze the packet to reduce the likelihood of a false positive. Most MSSPs only look at an event as it is recorded in an SNMP trap or syslog. This hinders their ability to perform a thorough examination and may result in unnecessary calls to their customers. MSSPs that can collect the packet decode with the actual event in real time and deliver this information to the analysts in one integrated view will demonstrate a consistently higher level of accuracy in their analysis of a threat. Organizations should seek out providers that form tight relationships with network intrusion detection vendors to obtain and integrate real-time packet decodes for the events they produce.

Another critical analysis component is having technology capable of analyzing all events from monitored devices in real time. This should seem basic, but unfortunately many providers are not able to perform this function. Usually this is due to their inability to correlate real-time intrusion detection alerts with events generated by the firewall, which are sent to the SOC only periodically. Without all events aggregated in real time, correlation capabilities are greatly reduced, resulting in more false positives and false negatives. By finding a provider that is capable of analyzing all events in real time, an organization will attain a higher level of service.

One of the most important components of a provider's technology is the way they set up their event filters. These filters should be behavior-based, separating known bad from known benign and keeping all anomalous events for further analysis. Again, this sounds basic, but many MSSPs examine only known bad events in real time and analyze the anomalous events at their leisure. However, most new threats are typically discovered among the unknown events. MSSPs that do not analyze both known and unknown events in real time will not perform well for their clients.
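The two points above (real-time correlation of IDS alerts with firewall events, and behavior-based filters that keep anomalous events rather than deferring them) can be shown in a small triage loop. This is an added example, not code from the article or from any MSSP; the event feed, signature names and address ranges are constructed for illustration.

```python
# Added example (not from the article): a small real-time triage loop that
# aggregates IDS alerts and firewall events as they arrive, correlates them per
# flow, and applies behaviour-based filters that separate known bad from known
# benign while keeping every other event as "anomalous" for immediate review.
# All event data and signature names below are constructed for illustration.

# Constructed sample feed in arrival order, as a SOC would receive it.
EVENTS = [
    {"src": "ids", "sig": "WEB-IIS cmd.exe access", "ip": "203.0.113.5", "dst": "10.0.0.8"},
    {"src": "fw", "action": "allow", "ip": "203.0.113.5", "dst": "10.0.0.8", "port": 80},
    {"src": "fw", "action": "deny", "ip": "198.51.100.9", "dst": "10.0.0.8", "port": 445},
    {"src": "ids", "sig": "ICMP PING NMAP", "ip": "192.0.2.44", "dst": "10.0.0.8"},
    {"src": "fw", "action": "deny", "ip": "192.0.2.44", "dst": "10.0.0.8", "port": 22},
    {"src": "fw", "action": "allow", "ip": "10.0.0.20", "dst": "10.0.0.8", "port": 80},
    {"src": "ids", "sig": "WEB-IIS cmd.exe access", "ip": "198.51.100.9", "dst": "10.0.0.8"},
    {"src": "fw", "action": "deny", "ip": "198.51.100.9", "dst": "10.0.0.8", "port": 80},
]

KNOWN_BAD_SIGS = {"WEB-IIS cmd.exe access"}  # behaviour known to be malicious
INTERNAL_NET = "10.0.0."                      # constructed trusted address range


def triage(events):
    """Process events in arrival order; return buckets 'bad', 'benign', 'anomalous'."""
    buckets = {"bad": [], "benign": [], "anomalous": []}
    pending = {}  # (src ip, dst ip) -> known-bad IDS alert awaiting the firewall's verdict
    for ev in events:
        flow = (ev["ip"], ev["dst"])
        if ev["src"] == "ids":
            if ev["sig"] in KNOWN_BAD_SIGS:
                pending[flow] = ev  # hold briefly so the firewall event can confirm or refute it
            else:
                buckets["anomalous"].append(ev)  # unknown behaviour is analysed now, not later
        elif ev["action"] == "allow":
            if flow in pending:
                # The firewall let the attack reach the host: confirmed, highest priority.
                buckets["bad"].append({**pending.pop(flow), "fw": ev})
            elif ev["ip"].startswith(INTERNAL_NET):
                buckets["benign"].append(ev)  # routine internal traffic, safe to filter out
            else:
                buckets["anomalous"].append(ev)  # external access without a matching alert
        else:  # firewall deny
            if flow in pending:
                # Blocked at the firewall: not a false positive, but lower priority than 'bad'.
                buckets["anomalous"].append({**pending.pop(flow), "fw": ev})
            else:
                buckets["anomalous"].append(ev)  # denied probe with no IDS alert: keep it
    buckets["anomalous"].extend(pending.values())  # never confirmed: still reviewed, not dropped
    return buckets
```

Running `triage(EVENTS)` yields one confirmed bad event (the alert the firewall allowed through), one benign internal flow, and four anomalous events that stay in the analyst queue instead of being deferred.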

The last technology consideration is the monitoring platform's architecture. MSSPs that rely on site-to-SOC VPN connections will not be able to fail over seamlessly to redundant facilities when emergencies arise, because configuration changes must be made to the VPN at the client's site. The result is minutes, if not hours, of service unavailability. Organizations that require their provider to have robust disaster recovery plans should ensure that the provider they choose does not require VPN connections to the SOC.


With many Managed Security Service Providers to choose from, organizations need to conduct careful evaluations to find the right partner for them. An MSSP should have strong people, processes and technologies in place to ensure that the provider delivers the highest level of service available. This article has highlighted a few key points that organizations should take into consideration when they perform their evaluation. By using them as a guide, they will increase their chances of finding the best Managed Security Service Provider for their needs.

Steven Drew is Chief Operating Officer of LURHQ Corporation, a trusted provider of Managed Security Services. Founded in 1996, LURHQ protects the critical information assets of more than 400 customers by offering integrated Threat Management services. LURHQ's 24X7 Threat Management capabilities enable customers to enhance their security posture while reducing the costs of managing their security environments. LURHQ's OPEN Service Delivery methodology facilitates a true partnership with customers by providing a real-time enterprise security and service delivery view via the Sherlock Enterprise Security Portal.
