In this four-part series about managing effective security operations, we’ve been discussing ways to enhance your operations’ effectiveness by maximizing value from your managed security services relationship.
In Part 1, I discussed the importance of process integration and delivery governance; in Part 2, I commented on threat response ownership and response process; and in Part 3, I covered knowledge integration and asset accuracy.
These subjects are all frequently misunderstood areas that are key to maximizing value in security operations. In the final part of this blog series, I will cover the importance of healthy security devices and considerations for managing device health.
Managing Security Operations
Enterprises today continually struggle to defend against online attacks that can strike at any moment. Whether the threats are from viruses, denial-of-service (DOS) attacks or unauthorized website access, these offenses can wreak tremendous havoc. It is essential that your organization commit to a regularly scheduled interview of device policy settings and tuning the security devices protecting your network. Tuning is a collaborative activity between you and your managed security services provider (MSSP), not an activity that can be performed in isolation by the MSSP. Tuning is also not a one-time activity — it should occur at regular intervals.
In the case of intrusion detection and prevention system (IDPS) devices, effectively identifying security events depends on eliminating alert noise that should allow key security events to be noticed. Regularly reviewing your organization’s security device policies helps ensure your network is protected, reduces false alarms, optimizes traffic flow and focuses security analysis and incident response activities on real events. In the case of firewalls, proxies and access control lists, your organization will want to consult with its MSSP regarding policy audit, tuning and compliance activities.
In order to maximize the value of consulting with your MSSP, your organization needs to be proactive in scheduling tuning sessions. Do not wait on the MSSP to do the tuning or even to schedule the tuning. Instead, you should be diligent about requesting regular tuning sessions. The minimum recommended interval should be agreed upon between the customer and the MSSP, though the interval typically should not exceed 90 days.
Device License Management
In most MSSP relationships, the organization owns the security devices (such as IDPS devices, host intrusion detection system agents, firewalls, Web gateways and other network security devices). Organizations should work with the MSSP to ensure clarity in tracking and managing licenses. Some MSSPs will provide information regarding device licenses, though the customer should always be equipped to manage asset details and ensure device licenses and support agreements are maintained. Effective device tuning and license management are needed to realize the operational benefit from your security devices. Your attention to these two areas will help ensure your service provider is equipped to effectively monitor threats and alert you. Both of these activities are your responsibility and should not be overlooked.
In summation, it is extremely important to work closely with your service provider. A successful security program requires a strategic and collaborative approach to operations. As your organization focuses on process integration, governance, threat response processes, knowledge integration and/or device tuning and health, you will enhance the effectiveness of your security operations. If you manage your MSSP relationship properly, your provider should be able to function as an extension of your organization’s security program. This can yield several benefits, including reduced costs, the ability to off-load complexity, improved access to security intelligence and improved overall security posture.
In conclusion to this four-part blog series, the recommendations and suggestions I’ve offered come from experience across thousands of client organizations that are based on the most common challenges that prevent the full benefits of the service from being realized.
An integrated security program is better security.