SPAM STOPPERS
Our poll shows that large enterprises tend to consume more specialized MSSP services, such as one-off vulnerability assessments, while day-to-day managed services are more popular with SMEs. As for specific offerings, of respondents who are now employing managed security services, 73% use spam protection, followed by 68% of those using managed firewall services.
Given the widespread threat that e-mail-borne viruses and phishing represent, it's not surprising that spam scrubbing tops the list of sought-after commodity security services. And given the complexity of securing large, highly available networks--and the salaries that top firewall administrators command--it's also not surprising to see a good deal of our respondents looking for help with perimeter protection.
Akibia is one vendor that's parlayed expertise in Check Point firewall sales and services into an MSSP business. "Our managed security customers are Check Point Support customers who came to understand the depth of our expertise and realized we could manage devices more effectively and more efficiently than they could," says Michael Halperin, Akibia's VP of technology. The complexity of managing 30 firewalls distributed across the Boston Public Library locations was the impetus for Henry Bernasconi, CTO of the library system, to seek help from Akibia. "We were initially concerned with how quickly we could get firewall rule changes implemented, but that has proved to be a nonissue," says Bernasconi, "and savings on staff resources are real."
Incident management and forensic log analysis are challenges for all-size organizations, and an increasingly popular offering for MSSPs. Few IT groups regularly inspect firewall and server logs, which unfortunately means forewarning of a disaster may be missed. And if you've been victimized, logs are critical to investigating the source of the attack. LogLogic, a leading enterprise log management vendor, says its product has been integrated into the service offerings of several MSSPs, with others on the way.
WHERE'S THE ROI?
MSSPs often tout savings associated with reduced staffing and less need to purchase expensive systems to secure and monitor network, but all offerings don't make sense for all companies. While the savings in some areas, such as the negation of the need to hire a full-time resource to manage 10 firewalls, are substantial, for others, the monthly service fees required to manage 10 firewalls and 100 server/network devices will add up fast. And if you have an even larger number of devices to monitor, you might find that buying and managing in-house provides a surprisingly quick ROI.
Getting providers to reveal pricing information on the record is a little like extracting a wisdom tooth from a nervous dental patient, but the predominant model used by the MSSPs we spoke with is based on a per-device, per-service, and per-service-level methodology. Verizon Business, for example, is typical in that it prices based on device count and type--say, firewall, IDS, network devices, server--as well as type of service offered (monitor only, co-managed, fully managed, fast SLA, slower SLA) and whether or not the service is offered in the cloud or is managed by an on-premises collection appliance.
Secure Resolutions, an Arizona MSSP, advertises that it will fully monitor, alert, and manage an individual workstation for $99 per month, and an individual server for $249 per month. A small company with 10 servers and 50 workstations would be looking at $4,950 per month to manage its PCs, and $2,500 per month to manage servers, for a total annual cost of $84,400. The prices quoted don't take into account any firewalls or network devices that must be managed. According to Akibia, its managed firewall service ranges from $500 to $1,000 per month, per firewall, depending on the frequency of rule changes and availability levels. The Check Point firewall is owned by the customer; Akibia manages, monitors, and maintains it.
As with any outsourcing engagement, the ROI of adding staff and systems to monitor and manage basic security functions and perform individual device and system management in-house might be much shorter than you'd think. For specialized services, however, like disaster recovery, vulnerability assessments, unified threat management, and comprehensive log analysis, organizations of all sizes might find that MSSPs provide a level of efficiency that can't be matched without significant up-front expense, assuming that the provider meets your criteria--not something that's a given.
"The inability to effectively audit outsourced security providers is one of the key reasons I have chosen to keep our security services in-house," says one poll respondent. "If I can't really measure how effective they are, I cannot justify spending more money for a service that could very well be no better than what I am already doing."
How do you measure how effective your in-house team is? Fact is, very few organizations have dedicated security staffs capable of keeping up with the latest threats. In much the same way that you'd test a failover or disaster recovery plan, consider orchestrating an attack fire drill. Extreme, yes, but if the information is important enough, then it should be considered.
As for qualifications, you can't certify your way to security bliss. That takes analysts with both business and technology acumen, but those people are expensive and scarce, and there's no guarantee an MSSP has many of them on staff, either.
