Security To Go: Is It Time To Shop MSSPs?

We're still loath to entrust all but the most commoditized security functions to outside providers. Spam filtering, sure. Firewalls, maybe. But forensic analysis or intrusion prevention and detection? Forget it, say the majority of respondents to our InformationWeek survey of 500-plus business technology professionals.

"Security needs today are far too dynamic to outsource," says Gary Osmondson, CIO for Fresno County, Calif. "There's little sympathy for an organization that has lost corporate strategic, customer personal identifier, or even HIPAA-related information because a contractor failed in some manner. We'd much rather be driving than riding the bus if it goes over the cliff."

But staying fully ensconced in the driver's seat is a luxury many CIOs won't be able to afford as budgets tighten and the risk landscape gets more complex thanks to everything from virtualization to an ever-expanding perimeter to new regulations to increasingly sophisticated attackers.

IT groups with limited information security resources that flat-out refuse to seek expert help are doing the business a disservice. While it's true that those with highly specialized security policies likely won't get the customization they need with a managed service security provider (MSSP), far too many organizations have yet to make infosec a core competency. Some have even decided that infosec will never be a fundamental proficiency, and they're just securing to the level required by regs like PCI and calling it a day. That's a problem because, as attackers become more sophisticated, so must the tools we wield to stop them. When you don't have the control, skills, budget, or staffing levels to protect your company's assets, the responsible course is to partner with someone who can.

Many of the 62% of respondents who say they are not using a security service provider--and don't plan to start--challenge the perception that hiring an outside specialist automatically means you're safe. "It has been my observation that when a news story breaks that involves a security breach of proprietary information, more often than not it involves a third-party service provider," says one respondent. "When are we going to realize that payment for such services is not enough to ensure true responsible behavior and accountability?"

This view is absolutely correct. Partnering doesn't mean abdicating responsibility, and we'll discuss how to work with a provider to manage the full spectrum of risk. MSSPs also are well aware of IT's resistance to outsourcing security and have devised strategies to raise the comfort level. Kerry Bailey, VP of security services for Verizon Business Solutions, says he avoids using the word "outsourcing" entirely. "We prefer to think of our service as a co-sourcing or co-managed offering," Bailey says. "Our strategy is to become a strategic partner, an extension of our customer's IT department."

Can this openness, combined with significant shakeups in the MSSP space and a growing comfort level with IT services in the cloud, persuade IT to abandon old prejudices? We hope so, because as staffing levels stagnate, we need to focus on projects that generate revenue for our organizations. That's hard to do amid visions of the CEO delivering mea culpas to Wall Street for a TJX-level data breach.

ON THE EDGE
When it comes to security, high stakes are running smack into increased complexity. Doing business today means building VPNs to suppliers, partners, and other third parties to serve out private Web portals and production applications. Staff and contractors need remote network access. The concept of the "extended enterprise" and the proliferation of software as a service are forcing organizations to put private data out in the wind like never before.

The sad reality is that your firewall is no longer a guardian of sensitive information. It's just another hop along the path of delivering your customers' credit card numbers to a malicious hacker in a faraway land.

Unprecedented risk and complexity may finally break down IT's resistance to MSSPs, and our poll shows smaller companies will be the first to embrace security in the cloud. In fact, of our 125 poll respondents from companies with fewer than 1,000 employees who are using or considering MSSPs, 41% cited a lack of staff or in-house skills as the primary reason. Tied for second, at 17%, was the desire to reallocate talent to projects with greater visibility to senior management.

Does that mean data and network security are taking a back seat in the minds of CEOs and CFOs?

DIG DEEPER

WHODUNNIT

One function you may want to do in-house: forensics.

Download our free
InformationWeek Special Report on building a team and working with law enforcement

>> See all our Reports <<

This certainly appears to be the reality many infosec groups are facing. Some CFOs have always equated dedicating expensive staff, hardware, and software to network security with socking away the full replacement value of your home in case of fire. Conversely, MSSPs offer an insurance policy--a way to pay for a given level of protection without taking on additional salary, and without forking over capital up front.

Interestingly, the item tied for second is a driver that's sure to be well received by both the business and IT, and possibly worth the MSSP price of admission alone. That is, the benefit of having a partner monitor your environment 24/7/365. If you manage a highly available network with fewer than 1,000 employees, chances are you don't have the resources for a graveyard shift to watch for attacks from the other side of the globe, or to be the one insomniac users call at 5 a.m. about network availability. MSSPs are pitching themselves as saviors for resource-strapped IT managers needing round-the-clock service. Constant monitoring can get pricey as you scale, but companies can get great bang for the buck by strategically monitoring critical systems. What's most critical is selecting the right partner.

STATE OF THE MSSP SPACE
For every CIO who thinks outsourcing core security operations is blasphemous, there's another who's doing it right now, or is on the verge. As a result, the MSSP space is growing rapidly, according to Forrester Research, with sales estimated at $3 billion this year. The dominant players in this market--IBM ISS, Symantec, and VeriSign--have well-developed and mature managed security businesses supported by vast talent pools.

But Tier 1 Internet service providers are vying for a slice of this business, and enterprises are interested. In our poll, when we asked about preferred provider type, nearly 20% of companies with 1,000 or more employees said they'd be open to using an ISP for security, versus 15% for smaller firms. Large companies were most likely to prefer a pure-play security vendor, with 40% going that route. For small and medium-sized enterprises, the No. 1 choice is a provider that offers not only a wide range of services, but also a deep base of expertise. As a result, the top technology companies with MSSP divisions, like IBM with ISS, own the advantage.

The cutthroat competition and tight margins that bedevil ISPs mean they're always on the lookout for growth opportunities, and professional services is a perennial source of high margins. ISPs were largely unsuccessful at growing their MSSP businesses organically, so they shifted to an "if you can't beat em', buy 'em" approach. The ensuing acquisition spree kicked off a large consolidation of pure-play MSSPs, with the largest deal being Verizon Business Solutions' recent acquisition of Cybertrust.

While consolidation isn't generally well-received by IT, in this case, it bodes well because it means that companies like Verizon, AT&T, and Sprint Nextel have the potential to build industry-leading security suites into their network clouds. Assuming these ISPs avoid infecting their pure-play security acquisitions with the poor service and lethargic organizational culture that has kept their other service plays down, in the not-too-distant future, IT will be able to subscribe à la carte to an enterprise-class managed firewall service, intrusion-detection or -prevention system, or managed e-mail with its Internet circuit. This would be a boon for SMEs as well as distributed companies stressed over securing remote offices.

For now, IBM leads in its service suite, while SecureWorks and Solutionary are top pure-play providers. We spoke with Val Rahmani, general manager of IBM's ISS business, at the company's recent security summit in Boston. Rahmani sees ISPs as a key distribution channel for the company's Unified Threat Management offering.

"However good you are, you can't be looking at as much as we are looking at," says Rahmani, adding that the IBM service is popular with ISPs that want to offer security services as an incremental value add for customers without a big investment in infosec experts. "We don't want to get into the telecom business, why should they want to get into the security business?"

FIGHTING THE SKEPTICS
Ten years ago, the majority of CIOs summarily dismissed the idea of outsourcing any security-related function. Two years ago, when we reviewed 24 MSSPs, the idea was gaining traction thanks to an increase in zero-day attacks and media scrutiny of breaches. Today, based on our poll and discussions with IT pros and MSSPs, the predominant feeling is still a level of mistrust, but there's growing acceptance that the threat landscape is complex enough that calling in professionals may be the responsible course.

Still, there are limits to what can be outsourced. Some of the most egregious hacks in recent memory were inside jobs, and considering the difficulty of securing and monitoring access to globally distributed data, no independent, third-party watchdog can ensure that employees or contractors don't walk out the door with the data equivalent of gold bars falling out of their pockets.

When faced with battling back inside and outside threats, IT must take a holistic and comprehensive approach that may include outside vendors, but also takes advantage of the latest content inspection and behavioral technologies, like data-loss prevention and network-behavioral analysis tools. One option for those unsure of outsourcing is to use an MSSP in the same way finance departments use third-party auditors to verify the accuracy of their books--as an independent authority for proving security standards to management. In fact, according to our poll, one of the most popular ways providers are being employed is in a vulnerability-assessment capacity. The best way to discover gaping holes is to hire a professional hacker.

We're also seeing a rise in customization to battle the perception that IT is losing control. When we last reviewed MSSPs, a sticking point was that providers often forced their policies and procedures onto customers, with few options. Today, long-term success as an MSSP requires close customer collaboration, tailoring of services, and quick reaction to issues. The MSSPs we spoke with are looking to meet the concerns of IT head on by stressing versatility in their deployment scenarios and service models.

"We realized early that customers don't want to lose control, so we've developed all managed service solutions in a collaborative way," says Verizon's Bailey. "The tools and portals that customers see are the same tools that Verizon engineers see."

Still, for organizations with significant intellectual property, the trust issue might be a hurdle too high for MSSPs to leap. Our poll indicates that the No. 1 concern for all organizations considering outsourcing is possible loss or compromise of critical data. IBM ISS's Rahmani says customers are looking for comprehensive coverage while keeping sensitive info in-house. "In most cases, we're not getting their client data," she says. "We're generating alerts against the environment to say, for example, 'It's 2 a.m. on a Saturday and you told us no one should be using Unix on a Saturday.'"

(click image for larger view)SPAM STOPPERS
Our poll shows that large enterprises tend to consume more specialized MSSP services, such as one-off vulnerability assessments, while day-to-day managed services are more popular with SMEs. As for specific offerings, of respondents who are now employing managed security services, 73% use spam protection, followed by 68% of those using managed firewall services.

Given the widespread threat that e-mail-borne viruses and phishing represent, it's not surprising that spam scrubbing tops the list of sought-after commodity security services. And given the complexity of securing large, highly available networks--and the salaries that top firewall administrators command--it's also not surprising to see a good deal of our respondents looking for help with perimeter protection.

Akibia is one vendor that's parlayed expertise in Check Point firewall sales and services into an MSSP business. "Our managed security customers are Check Point Support customers who came to understand the depth of our expertise and realized we could manage devices more effectively and more efficiently than they could," says Michael Halperin, Akibia's VP of technology. The complexity of managing 30 firewalls distributed across the Boston Public Library locations was the impetus for Henry Bernasconi, CTO of the library system, to seek help from Akibia. "We were initially concerned with how quickly we could get firewall rule changes implemented, but that has proved to be a nonissue," says Bernasconi, "and savings on staff resources are real."

Incident management and forensic log analysis are challenges for all-size organizations, and an increasingly popular offering for MSSPs. Few IT groups regularly inspect firewall and server logs, which unfortunately means forewarning of a disaster may be missed. And if you've been victimized, logs are critical to investigating the source of the attack. LogLogic, a leading enterprise log management vendor, says its product has been integrated into the service offerings of several MSSPs, with others on the way.

WHERE'S THE ROI?
MSSPs often tout savings associated with reduced staffing and less need to purchase expensive systems to secure and monitor network, but all offerings don't make sense for all companies. While the savings in some areas, such as the negation of the need to hire a full-time resource to manage 10 firewalls, are substantial, for others, the monthly service fees required to manage 10 firewalls and 100 server/network devices will add up fast. And if you have an even larger number of devices to monitor, you might find that buying and managing in-house provides a surprisingly quick ROI.

Getting providers to reveal pricing information on the record is a little like extracting a wisdom tooth from a nervous dental patient, but the predominant model used by the MSSPs we spoke with is based on a per-device, per-service, and per-service-level methodology. Verizon Business, for example, is typical in that it prices based on device count and type--say, firewall, IDS, network devices, server--as well as type of service offered (monitor only, co-managed, fully managed, fast SLA, slower SLA) and whether or not the service is offered in the cloud or is managed by an on-premises collection appliance.

Secure Resolutions, an Arizona MSSP, advertises that it will fully monitor, alert, and manage an individual workstation for $99 per month, and an individual server for $249 per month. A small company with 10 servers and 50 workstations would be looking at $4,950 per month to manage its PCs, and $2,500 per month to manage servers, for a total annual cost of $84,400. The prices quoted don't take into account any firewalls or network devices that must be managed. According to Akibia, its managed firewall service ranges from $500 to $1,000 per month, per firewall, depending on the frequency of rule changes and availability levels. The Check Point firewall is owned by the customer; Akibia manages, monitors, and maintains it.

As with any outsourcing engagement, the ROI of adding staff and systems to monitor and manage basic security functions and perform individual device and system management in-house might be much shorter than you'd think. For specialized services, however, like disaster recovery, vulnerability assessments, unified threat management, and comprehensive log analysis, organizations of all sizes might find that MSSPs provide a level of efficiency that can't be matched without significant up-front expense, assuming that the provider meets your criteria--not something that's a given.

"The inability to effectively audit outsourced security providers is one of the key reasons I have chosen to keep our security services in-house," says one poll respondent. "If I can't really measure how effective they are, I cannot justify spending more money for a service that could very well be no better than what I am already doing."

How do you measure how effective your in-house team is? Fact is, very few organizations have dedicated security staffs capable of keeping up with the latest threats. In much the same way that you'd test a failover or disaster recovery plan, consider orchestrating an attack fire drill. Extreme, yes, but if the information is important enough, then it should be considered.

As for qualifications, you can't certify your way to security bliss. That takes analysts with both business and technology acumen, but those people are expensive and scarce, and there's no guarantee an MSSP has many of them on staff, either.

(click image for larger view)CHOOSING AN MSSP
Bottom line, this is not an everyday outsourcing decision. Many IT professionals feel strongly that information security is a core function and outsourcing it is abdicating responsibility. Says one poll respondent, "Whether or not security is outsourced, your business is still legally responsible for any consequences that occur. If you have full responsibility, you must also have full control."

This quote reveals a big misperception people have with using an MSSP, and that is that you do in fact lose all control. MSPs with that model failed already. Most offerings today are co-managed and are far from all-or-nothing propositions.

So how do you choose a partner that will take your security as seriously as you do? There's no shortage of fledgling companies entering the MSSP space, many of them rebranding offerings from providers like IBM. But one inescapable fact, discussed at length by many of our respondents, is that your organization's security is only as comprehensive as that of the company to which you're outsourcing it. A provider with high turnover and inexperienced consultants can spell disaster. And when compliance enters the picture, vetting a provider gets even more tricky.

"I assist in performing third-party evaluations for some of our business units," says one poll respondent. "So far, no company has been completely in alignment with our existing policies and standards. If you are in a highly regulated industry, outsourcing does not absolve you from responsibility--as much as management would like to think so."

Outsourcing best practices apply double to MSSP engagements. Thoroughly document your requirements before speaking to potential providers, to aid in setting up SLAs. Have your general counsel draft a contract identifying legal liabilities and ramifications if a breach were to happen.

Once you're in the market, ask about the measures the MSSP takes to control operational and environmental factors, including physical security, access control, and regular audits--both internal and external--of systems and procedures. Investigate the financial health of your MSSP. If a provider meets your SLA and technical requirements but its business road map and financial health are questionable, walk away. Along these same lines, find out the MSSP's main vendor relationships.

Will the MSSP provide security for remote and mobile users? Says one respondent, "If the outsourced security is good within the walls of the office, it has to also be good for mobile users, either those who take notebooks and smartphones outside our office, but also those who log in to our network from home or from the road." Smartphones are difficult to manage, but there are ways to monitor how they are used and to control the damage they could do.

Look for diverse physical locations of security operations centers. Ask about the people who will be working on your equipment. Are background checks required? Evaluate each vendor's account team and problem management processes. When negotiating a service-level agreement, pay close attention to the MSSP's agreed-on time to respond to a request, the timeframe in which the change should be made, and additional fees charged for policy changes. Finally, ask about contract terms and early-termination penalties, if any.

STAY IN CONTROL
Don't let emotion get in the way of making this decision. One in three of our poll respondents admit that they simply have insufficient resources or skills to manage security well in-house, and we were encouraged that only about 1% say they won't consider an MSSP because of a risk of staff backlash.

"Outsourcing may not fit every company, but in my case it's been a blessing. In a very short time we have been able to ramp up our security program to a level we never could have achieved using internal resources," says the VP and chief security officer of a financial services firm with more than $1 billion in revenue. "It does take a dedicated person to closely monitor the vendor relationship and manage vendor-related risk."

That brings us to one last point: Engaging an MSSP is not a "set it and forget it" operation. If you're using an MSSP in a complex and ongoing capacity, internal security needs to manage the vendor as it would internal staff. Require monthly or quarterly meetings to assess the extent of discovered security breaches, analyze reports, and strategize on how to battle back the latest and future security threats.

Photo illustration by Sek Leung

View the image gallery:
Complete Poll Results: Managed Security Service Provider