Managed security services (MSS) is a systematic approach to managing an organization's security needs. The services may be conducted in-house or outsourced to a service provider that oversees other companies' network and information system security. Functions of a managed security service include round-the-clock monitoring and management of intrusion detection systems and firewalls, overseeing patch management and upgrades, performing security assessments and security audits, and responding to emergencies. There are products available from a number of vendors to help organize and guide the procedures involved. This diverts the burden of performing the chores manually, which can be considerable, away from administrators.
As computer attack patterns shift and threats to networks change and grow almost daily, it is critical that organizations achieve reliable information security. Investment decisions about information security are best considered in the context of managing business risk.
More and more organizations are turning to MSSPs for a range of security services to reduce costs and to access skilled staff whose full-time job is security.
Such services may include:
Benefits of Engaging an MSS Provider
The results from engaging a reputable, competent MSSP have the potential to be far superior to anything an organization can achieve on its own. Described in this section are reasons for contracting with an MSSP and some of the benefits that may result from the relationship. All of these factors can contribute to reducing the risks faced by the client through a combination of risk mitigation and risk/liability sharing between the client and the MSSP.
The cost of a managed security service is typically less than hiring in-house, full-time security experts. An MSSP is able to spread out the investment in analysts, hardware, software, and facilities over several clients, reducing the per-client cost. As one example, an MSSP claims it can set up and monitor security on a 250-user network on a single T1 (1.5 Mbps) Internet gateway for about $75,000 a year, excluding hardware. Replicating these actions within the organization produces similar hardware costs, plus at least $240,000 in annual compensation to hire three full-time specialists, based on data from the magazine InformationWeek's most recent Salary Survey [2]. A client organization can convert variable costs (when done in-house) to fixed costs (services), realize a tax advantage by deducting MSSP fee expenses from current year earnings versus depreciating internal assets, and experience cash flow improvements resulting from the transfer of software licenses (and possibly personnel) to the MSSP.
It is difficult for an organization to track and address all potential threats and vulnerabilities as well as attack patterns, intruder tools, and current best security practices. An MSSP is often able to obtain advance warning of new vulnerabilities and gain early access to information on countermeasures. An MSSP can advise on how other organizations handle the same types of security problems.
An MSSP is likely to have contact with highly qualified and specialized international security experts as well as other MSSPs. These resources can be brought to bear to diagnose and resolve client issues.
MSSPs are often well connected to law enforcement agencies around the world and understand what forensic analysis and evidence are required to successfully support legal proceedings.
A shortage of qualified information security personnel puts tremendous pressure on IT departments to recruit, train, compensate, and retain critical staff. The cost of in-house network security specialists can be prohibitive. When outsourcing, the costs to hire, train, and retain highly skilled staff become an MSSP responsibility. An MSSP is likely to retain security experts by offering a range of career opportunities and positions from entry level to senior management, all within the information security field [Navarro 01]. In addition, if a client organization can outsource repetitive security monitoring and protection functions, it can then focus internal resources on more critical business initiatives.
An in-house staff member who only deals with security on a part-time basis or only sees a limited number of security incidents is probably not as competent as someone who is doing the same work full-time, seeing security impacts across several different clients, and crafting security solutions with broader applicability.
MSSPs have insight into security situations based on extensive experience, dealing with hundreds or thousands of potentially threatening situations every day, and are some of the most aggressive and strenuous users of security software.
MSSPs can also enhance security simply because of the facilities they offer. Many MSSPs have special security operations centers (SOCs) located in various parts of the country. These are physically hardened sites with state-of-the-art infrastructure managed by trained personnel.
When an organization contracts for security monitoring services, the service can report near real-time results, 24 hours a day, 7 days a week, and 365 days a year. This is a large contrast with an in-house service that may only operate during normal business hours.
MSSPs can be held accountable for the service standards they provide. They guarantee service levels and assure their availability; failing to do so can have financial repercussions.
Their operational procedures are designed to ensure uninterrupted service availability. Also, if the MSSP is providing service systems, then it is their responsibility to upgrade software and hardware and to maintain a secure network configuration. Because MSSPs have strict contractual obligations to their clients and must maintain their reputation in the marketplace, their control procedures are generally both well documented and carefully enforced. In all instances, the client needs to verify these performance characteristics.
Service Security and Technology
Service security solutions and technologies such as firewalls, intrusion detection systems (IDSs), virtual private networks (VPNs), and vulnerability assessment tools are far more effective because they are managed and monitored by skilled security professionals. For example, when an intrusion is detected, MSSPs can use a remote monitoring connection to determine whether the alarm is justified and block further intruder actions. A managed service can protect the client’s network from unsecured VPN endpoints.
Objectivity and Independence
An organization may have multiple, ad hoc solutions to handle the same types of security problems. There may be no enterprise-wide management of security or of strategy.
Moving security to a capable security service provider may help simplify and strengthen the enterprise's security posture. An MSSP can provide an independent perspective on the security posture of an organization and help maintain a system of checks and balances with in-house personnel. An MSSP can often provide an integrated, more coherent solution, thereby eliminating redundant effort, hardware, and software.
For products developed by the MSSP and used in their services, the client organization receives an enhanced level of product support.
The MSSP may use other third party provider products as the basis for providing service (such as firewalls and IDSs). Based on the size of the MSSP’s client base, the MSSP may be able to influence the product provider to improve the security of their products by, for example, addressing new attacks and vulnerabilities.