
The danger of unmanaged security service providers

Opinion
Sep 06, 2016
Outsourcing, Security

The job of keeping networks safe from attack is growing more complex by the day. At the same time, demand for trained and experienced information security analysts is exceeding the supply. This combination of factors is leading to an almost inevitable result — the outsourcing of day-to-day security operations to outside companies. 

These companies, typically referred to as managed security service providers, or MSSPs, usually handle functions such as network monitoring, firewall management and incident response, freeing the customer from worrying about security so that they can focus on running their business. 

While the theory of security outsourcing is sound in principle, like many other sound principles, it can break down in the execution. As a result, some customers who are sleeping soundly in the knowledge that their MSSP has their back may be in for an unfortunate awakening when they discover that their outsourcing company is not doing the job they expected. 

Nick Selby, in a blog written this week, reported on a financial institution that hired him to respond to a security incident in progress. He was told on arrival that the institution had signed a contract three years earlier with a well-known MSSP. He would quickly discover that the monitoring appliance installed for the MSSP had been placed on the wrong side of the firewall, meaning it could not see most of the relevant traffic. Once corrected, the process of getting the provider to look at the box and help them determine what was going on was almost comical. 

Initially, the financial institution was told that their contract only covered monthly reporting. When they attempted to look at the appliance themselves, they quickly found that it was not customer-accessible. When they persisted with the provider, they finally found someone who reluctantly agreed to help, but cut the conversation with his desperate customer off because he had to jump on a conference call. 

While there are many MSSPs that do a great job, the increased demand for such providers has brought in some that are not really equipped to do what they say they can. Even some of the larger ones, with the necessary resources, fail to live up to their commitments in some instances. 

I was personally exposed to such an issue in the past few weeks, when a well-known company (a household name in fact) failed to respond to a ransomware attack in accordance with their contract, thus exposing their customer to a greater potential loss of data. 

As the saying goes, I don’t want to throw the baby out with the bath water. An MSSP can provide tremendous value, providing services that companies often cannot handle themselves. Outsourcing this critical aspect of a company’s operation without the proper due diligence and oversight, however, can result in complete disaster. 

If you are considering an MSSP, I do not mean to discourage you. If you think you can do it easily, however, I intend to burst your bubble. It will still take a large amount of time and effort, initially and thereafter, but if done right, it can save you from a major security incident. Consider the following points when working with an MSSP: 

Choose carefully

Make sure the provider you consider really has the personnel and experience to do what they say. Review resumes for their key personnel, and talk to references from companies similar to yours. Do a Google search for articles mentioning them. Really get to know your MSSP prospect before you sign anything. 

Understand what the contract requires, and what it doesn’t

Talk is cheap, so understand what your MSSP is committing to in writing, and just as important, what they require from you in return. In the case of Nick Selby’s financial customer mentioned above, a “monitoring” service that provides only a monthly report is close to useless. You will not find much value in knowing what went on in your network three weeks ago. 

Know who to call

Any contract should include provision for an account manager or key contact. If you run into a problem getting the support you need, you will need someone specific you can reach out to for help. Insist on having their cell phone number. 

Monitor their performance

Once you fully understand what the contract requires, you can more easily monitor your provider to ensure that they are doing what they say. Review their reports, and evaluate their response to any suspected incidents. If you go a month without them advising you about suspicious network traffic they discovered, something is likely wrong. 

Test them

Your MSSP strategy must involve some form of regular testing. This testing can take many forms, from a coordinated simulation, to a surprise generation of suspicious network traffic. Make sure your contract provides for such testing. Consider employing a consultant to help generate a realistic test. 
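The two points above, monitoring the provider's performance and testing them with injected suspicious activity, only pay off if you record the results and compare them with the contract. The script below is an added illustration, not code from this column or from any MSSP: it keeps a small log of the detection tests you inject and the real alerts you know about, classifies each one against an assumed one-hour notification SLA, and applies the "nothing reported for a month" warning sign. All event records and the SLA figure are constructed sample data.

```python
"""Track an MSSP's measured performance against the contracted SLA.

Added illustration for the 'Monitor their performance' and 'Test them' points;
not code from the original column. Event records and the SLA value below are
constructed sample data, and the one-hour SLA is an assumed contract term.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Event:
    event_id: str
    kind: str                         # "test" (injected by you) or "real"
    injected_at: datetime             # when the suspicious activity began
    notified_at: Optional[datetime]   # when the MSSP notified you; None if never


@dataclass
class Finding:
    event_id: str
    kind: str
    status: str                       # "ok", "late" or "missed"
    minutes: Optional[float]          # time to notification, None if never notified


def evaluate(events: List[Event], sla_minutes: int, now: datetime) -> List[Finding]:
    """Classify each event against the notification SLA.

    ok     - the MSSP notified you within sla_minutes
    late   - the MSSP notified you, but after the SLA window closed
    missed - no notification, and the SLA window has already expired
    An event with no notification whose window is still open is not a finding yet.
    """
    findings = []
    for e in events:
        if e.notified_at is None:
            if now - e.injected_at > timedelta(minutes=sla_minutes):
                findings.append(Finding(e.event_id, e.kind, "missed", None))
            continue
        mins = (e.notified_at - e.injected_at).total_seconds() / 60
        status = "ok" if mins <= sla_minutes else "late"
        findings.append(Finding(e.event_id, e.kind, status, mins))
    return findings


def silent_period(events: List[Event], now: datetime, days: int = 30) -> bool:
    """True if the provider has reported nothing for `days` days.

    The column's rule of thumb: a month with no notifications is itself a warning sign.
    """
    reported = [e.notified_at for e in events if e.notified_at is not None]
    if not reported:
        return True
    return now - max(reported) > timedelta(days=days)


def summary(findings: List[Finding]) -> dict:
    """Count findings by status, so a monthly review has one line to look at."""
    counts = {"ok": 0, "late": 0, "missed": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample log: three injected tests and one real incident in progress.
NOW = datetime(2016, 9, 6, 12, 0)
SLA_MINUTES = 60   # assumed contract term: notify the customer within one hour

SAMPLE_EVENTS = [
    Event("T-001", "test", datetime(2016, 8, 1, 9, 0), datetime(2016, 8, 1, 9, 40)),     # notified in 40 min
    Event("T-002", "test", datetime(2016, 8, 15, 22, 0), datetime(2016, 8, 16, 1, 30)),  # notified after 210 min
    Event("T-003", "test", datetime(2016, 8, 29, 3, 0), None),                           # never notified
    Event("R-101", "real", datetime(2016, 9, 6, 11, 30), None),                          # window still open
]

if __name__ == "__main__":
    findings = evaluate(SAMPLE_EVENTS, SLA_MINUTES, NOW)
    for f in findings:
        detail = f" after {f.minutes:.0f} min" if f.minutes is not None else ""
        print(f"{f.event_id} ({f.kind}): {f.status}{detail}")
    print("summary:", summary(findings))
    print("silent for 30 days:", silent_period(SAMPLE_EVENTS, NOW))
```

Keep the injected tests distinguishable from real alerts in the log, as the `kind` field does here: a provider that catches every scripted test but misses real incidents, or the reverse, tells you something different about where the gap is.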

If it is not working, find someone else

If your MSSP is not performing, do not hesitate to dump them and find someone else. Make sure your contract allows you to get out if the provider does not perform. 

Bottom line — MSSPs can provide a service of significant value to your business. You cannot, however, engage a provider and then ignore them and your organization’s security. They can help, but not replace, your own ongoing security program.  

The secret is in seeing them as a partner, not a utility.

Contributor

Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO.com. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
