Another critical analysis component is having technology capable of analyzing all events from monitored devices in real time. This should seem basic, but unfortunately many providers are not able to perform this function. Usually this is due to their inability to correlate real-time intrusion detection alerts with events generated by the firewall, which are sent to the SOC only periodically. Without all events aggregated in real time, correlation capabilities are greatly reduced, resulting in more false positives and false negatives. By finding a provider that is capable of analyzing all events in real time, an organization will attain a higher level of service.
One of the most important components of a provider's technology is the way they set up their event filters. These filters should be behavior-based: separate known-bad from known-benign events and keep all anomalous events for further analysis. Again, this sounds basic, but many MSSPs examine only known-bad events in real time and analyze the anomalous events at their leisure. Yet most new threats are typically discovered among the unknown events. MSSPs that do not analyze both known and unknown events in real time will not perform well for their clients.
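The two points above (real-time correlation of IDS alerts with firewall events, and a three-way behavior-based filter) are illustrated by the following added example. It is constructed for this article and is not LURHQ's code or any real product's pipeline; the rule lists, the event format, the 5-minute correlation window, the IP addresses and the sample events are all assumptions. The same events are fed once in real time and once with the firewall log arriving as a later batch, so the loss of context the text describes is visible in the verdicts.

```python
"""Toy SOC pipeline, constructed for this article (not LURHQ's code):
a three-way behaviour-based filter plus IDS/firewall correlation, run
once with firewall events arriving in real time and once with them
arriving in a periodic batch. All event data and rule lists are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime   # timestamp stamped by the monitored device
    source: str    # "ids" or "fw"
    src_ip: str
    dst_ip: str
    detail: str    # IDS signature name, or firewall action


# Assumed rule lists for the filter; a real deployment derives these from
# tuned signatures and an observed baseline of normal behaviour.
KNOWN_BAD = {"SQL injection attempt", "Shellcode detected"}
KNOWN_BENIGN = {"ACCEPT", "DROP"}   # routine firewall decisions


def triage(ev: Event) -> str:
    """Behaviour-based filter: known bad and anomalous both stay on the
    real-time analysis path; only known benign is merely summarised."""
    if ev.detail in KNOWN_BAD:
        return "known_bad"
    if ev.detail in KNOWN_BENIGN:
        return "known_benign"
    return "anomalous"


def triage_counts(events):
    counts = defaultdict(int)
    for ev in events:
        counts[triage(ev)] += 1
    return dict(counts)


def correlate(events_in_arrival_order, window=timedelta(minutes=5)):
    """Assess each IDS alert the moment it arrives, using only the firewall
    events already received for the same src/dst pair whose device
    timestamps fall within `window` of the alert."""
    fw_seen = defaultdict(list)          # (src, dst) -> firewall events
    verdicts = []                        # (signature, verdict) per alert
    for ev in events_in_arrival_order:
        key = (ev.src_ip, ev.dst_ip)
        if ev.source == "fw":
            fw_seen[key].append(ev)
            continue
        ctx = [f for f in fw_seen[key] if abs(f.ts - ev.ts) <= window]
        if any(f.detail == "DROP" for f in ctx):
            verdict = "blocked_at_perimeter"
        elif any(f.detail == "ACCEPT" for f in ctx):
            verdict = "reached_target"
        else:
            verdict = "no_firewall_context"   # analyst is left guessing
        verdicts.append((ev.detail, verdict))
    return verdicts


def sample_events():
    """Constructed sample: one attack that got through, one the firewall
    dropped, and one anomalous request with no signature."""
    t0 = datetime(2004, 3, 1, 10, 0, 0)
    a, b, v = "203.0.113.7", "198.51.100.9", "192.0.2.10"
    return [
        Event(t0, "fw", a, v, "ACCEPT"),
        Event(t0 + timedelta(seconds=1), "ids", a, v, "SQL injection attempt"),
        Event(t0 + timedelta(seconds=30), "fw", b, v, "DROP"),
        Event(t0 + timedelta(seconds=31), "ids", b, v, "Shellcode detected"),
        Event(t0 + timedelta(seconds=60), "ids", a, v, "Unusual HTTP method"),
    ]


def realtime_feed(events):
    """Every device streams events as they happen: arrival order == ts order."""
    return sorted(events, key=lambda e: e.ts)


def batched_feed(events):
    """IDS streams in real time, but the firewall uploads its log later as
    a batch, so every firewall event arrives after every alert."""
    ids = [e for e in events if e.source == "ids"]
    fw = [e for e in events if e.source == "fw"]
    return sorted(ids, key=lambda e: e.ts) + sorted(fw, key=lambda e: e.ts)


if __name__ == "__main__":
    evs = sample_events()
    print("triage:", triage_counts(evs))
    for name, feed in (("real-time", realtime_feed), ("batched", batched_feed)):
        print(name)
        for sig, verdict in correlate(feed(evs)):
            print(f"  {sig!r:28} -> {verdict}")
```

With the real-time feed every alert gets a verdict grounded in the firewall's decision; with the batched feed the same alerts all come back as `no_firewall_context`, which is the extra false-positive and false-negative load the article attributes to providers that cannot aggregate in real time. Note that the anomalous alert is still correlated and still queued for analysis rather than parked for later review.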
The last technology consideration is the monitoring platform's architecture. MSSPs that rely on site-to-SOC VPN connections will not be able to fail over seamlessly to redundant facilities when emergencies arise. The reason is the configuration changes that must be made to the VPN at the client's site. The result is minutes, if not hours, of service unavailability. Organizations that require their provider to have robust disaster recovery plans should ensure that the provider they choose does not depend on VPN connections to the SOC.
With many Managed Security Service Providers to choose from, organizations need to conduct careful evaluations to find the right partner. An MSSP should have strong people, processes and technologies in place to ensure that it delivers the highest level of service available. This article has highlighted a few key points that organizations should take into consideration when they perform their evaluation. By using them as a guide, organizations will increase their chances of finding the best Managed Security Service Provider for their needs.
Steven Drew is Chief Operating Officer of LURHQ Corporation, a trusted provider of Managed Security Services. Founded in 1996, LURHQ protects the critical information assets of more than 400 customers by offering integrated Threat Management services. LURHQ's 24x7 Threat Management capabilities enable customers to enhance their security posture while reducing the costs of managing their security environments. LURHQ's OPEN Service Delivery methodology facilitates a true partnership with customers by providing a real-time enterprise security and service delivery vision via the Sherlock Enterprise Security Portal.