By Rishikesh Kamat, Vice President – Products & Services, NTT Com – Netmagic
The explosion of big data technologies, rise of multi-cloud coupled with fast data technologies is fueling significant changes in data infrastructure that powers it. Modern-day infrastructure is required to store petabytes of data each day and make it accessible to a large set of stakeholders in near real time. This magnifies security challenges. One way to mitigate this challenge is to outsource security to a specialist Managed Security Services Provider (MSSP).
MSSPs score over traditional in-house teams as they have the required trained manpower and skillsets to monitor and mitigate threats constantly and ensure regulatory compliance. As most MSSPs serve a large number of clients, they can pass on the savings to the end customer. An MSSP with a global footprint can also give you continued information protection for all your infrastructure assets across the globe. MSSPs are also better equipped to handle the latest threats as they continuously monitor threat vectors, and have people with the required skillsets to mitigate these challenges.
Having said that, selecting an MSSP requires an evaluation process that is not dependent only on cost. Enterprises must look at the value that an MSSP can bring to the table from an overall IT security posture. This must go beyond just patching or putting up a firewall or an IPS.
Let us now take a look at 5 best practices for selecting an effective MSSP:
#1 Technical Capabilities: Before an enterprise decides to hire an MSSP, it must look at documenting the existing requirements and then look at specific skill-based expertise, including specific skills in vendor specific or platform specific expertise. This could also include skills like database security, perimeter firewalls, forensics, SIEM expertise, DLP, IPS, end point security, etc. In some verticals such as healthcare, it may also help to hire an MSSP that has some experience in understanding the unique requirements. Also, look if the MSSP has people with industry standard certifications such as CISSP or CHFI. A service provider also needs to have support for open standards and protocols.
#2 Policies: Documentation is key for evaluating an MSSP. Always check if the MSSP has a well documented policy in place for every process (example, intrusion detection, training, systems integration). For example, the documentation must clearly state the standard incident response process, and the steps that will be taken in case of a breach.
#3 Customer Service Platform: An enterprise must check if the MSSP has a web service portal that can be used by the customer to raise queries. It would also help if the MSSP has an automated ability to issue alerts based on standard deviations or thresholds, and in identifying and analyzing large volumes of data to gauge credible threats from false positives.
#4 Reports: Reports issued by MSSPs must contain enough information that can be used to determine trends and find out the root causes for data breaches or intrusions. Reports are also useful in complying with legislation or laws. MSSPs must also ideally provide an enterprise with a detailed monthly or weekly report with insights gleaned from security logs, bandwidth utilization, anti-virus reports, etc.
#5 Service Level Agreements: SLA with security providers must clearly include the initiatives that will be taken with respect to security or privacy breaches. This must cover monitoring, management and reporting. This must also include the approach taken for bug fixes, patch management and major software updates. Enterprises must also check if there is a penalty clause for breach of specific SLAs. Other factors to check are standard support hours, time to respond to critical incidents, ability to support and supported channels (web, chat, email, phone). SLAs must be well-defined and measurable, and clearly state mutual benefit, deliverables and resolution mechanisms in case of disputes.
In addition to these points, enterprises must also check if the facilities or the processes of the MSSP have been audited by a third-party agency. Client references must also be asked for to understand the strengths or weaknesses of the MSSP.