An Open Relationship: Maximizing Value in Security Operations

As with most third-party services, effectively integrating the services of a managed security services provider (MSSP) can enhance the value of your organization’s security program. Conversely, poor integration and/or a lack of effective governance can undermine the effectiveness of your organization’s security operations.

In a well-executed partnership, an MSSP is simply viewed as an extension of the information security organization. An MSSP’s contribution to a security operation depends upon how effectively the partnership is built and maintained.

If you currently rely on a third-party MSSP or are considering engaging one to enable your security operations capability, consider how responsibility for the following functions is distributed and/or shared between the internal (your organization) and external (MSSP) sources:

  • Rule and device administration and management;
  • Security intelligence;
  • Incident/event hunting;
  • Threat monitoring;
  • Threat analysis/impact analysis;
  • Threat triage/investigations;
  • Threat response/incident management; and
  • Emergency response (computer security incident response plan).

Often, organizations will mistakenly expect the MSSP to handle all or most of these functions without their staff being directly involved. Unless the MSSP has agreed to a full-labor-based outsourcing model and fully understands your policies, risk tolerance and executive team preferences on incident handling, it is impractical to expect a third-party MSSP to deliver these functions without your involvement.

To plan and design a new process effectively, carry out an integrated design with your MSSP at the beginning of the contract period. One approach to up-front design is to charter a security operations optimization initiative to design the new process and approach.

Managing Security Operations

Structured governance is critical for maximizing the MSSP service’s effectiveness. One mechanism for service management governance is the availability of a named service manager.

MSSP services typically manage and monitor an environment using centralized shared services (often referred to as a centralized security operations center). As such, much of the day-to-day operational interaction occurs via electronic tickets. In many cases, these tickets are handled by shared resources assigned by skill category and time of day, not by extensive familiarity with a specific customer’s environment.

To maximize success in integrating the service and governing delivery elements, organizations will benefit from regularly communicating with a named service manager. Additionally, the organization and the MSSP can work together to structure a governance plan, which may include regularly scheduled service reviews.

Effective results from investing in an MSSP do not occur on autopilot. They result from the mutual efforts of your organization and the MSSP. Process and service management governance are two key elements for success, and effectively integrating the MSSP into the security operations process is imperative to realizing the value of the relationship.

This article is the first in a four-part series that covers various topics around the value of MSSP relationships, such as integration and governance, the threat response process, knowledge of the environment, and tuning and health. This first part discusses integration and governance. The next post in the series will discuss the threat response process.
