Can Managing Enterprise Security Be Made Easier?
Considerations for Partnering with a Managed Security Services Provider for Security Protection
A Symantec Advisory Guide

Who should read this guide: CSOs, CISOs, managers, compliance officers, heads of security, CIOs, and project managers faced with the challenge of managing enterprise security.

Advice offered about:
- Common hurdles when managing enterprise security in-house
- Benefits of partnering with a Managed Security Service Provider (MSSP) for security protection
- Sample expenses and cost comparison scenarios
- Evaluating potential MSSPs

"We tried to provide this level of security on our own. We had two full-time employees looking at our own IDS sensors at one point. But trying to maintain signatures and updates, while continually inspecting and correlating events from the logs, was becoming quite a feat."
Network engineer

Contents

Introduction
  Considering the security management options
  Who should read this guide?
  What you will get from reading this guide
60-second insight: one minute to see how Symantec Managed Security Services can improve your security posture
The threat landscape continues to evolve
  Cyber-criminals continue to exploit trusted environments
  Rise in site-specific vulnerabilities
Common hurdles when managing enterprise security in-house
Measuring the cost of managing security in-house
  Equipment
    Hardware and software costs
    Maintenance
    Certifications and attestations
  Personnel
    Recruiting
    Training and education
    Security operations center
Benefits of managed security services
  Improve information protection
  Leverage knowledge and experience of security experts
  Stay abreast of the most recent security threats and attacks
  Share responsibility with a trusted security partner
  Consistent SLAs across the organization
  Gain reliable 24x7x365 security management
  Concentrate on what you do best
  Maximize investment on existing security products
  Make project and running costs more predictable
  Continuous improvement
Selecting a managed security services provider
  Breadth of supported technologies
  Security management processes
  Auditing
  Effectiveness of technology
  Reporting
  Security operations center capabilities
  Recommended MSSP checklist
Symantec Global Services
Conclusion
Symantec Global Services
  Symantec Managed Security Services
  Symantec Residency Services
  Symantec Advisory Services
  Symantec DeepSight Early Warning Services
  Free 30-day trial service
  Symantec Managed Solutions
  To find out more

Introduction

Effective information security helps maintain the integrity of valuable corporate assets, enables compliance with industry regulations, helps ensure the integrity of a trusted brand image, and helps sustain business continuity.
But providing an effective level of security requires a combination of state-of-the-art technology, experienced personnel, proven processes, and continuous threat intelligence that few organizations possess. Those organizations that choose to tackle these critical issues in-house invariably find themselves struggling to identify security events, provide security event alerts, and respond to the threats. Specifically, the challenge is how to quickly identify which assets are at risk, determine the impact of security breaches, and prioritize incident response within the company.

In order to make good decisions and protect information assets, companies must have the resources to understand what is happening both inside and outside the corporate network. Security technologies, including firewalls, network and host intrusion detection, and prevention systems, have created a tremendous volume of information, and handling that information only makes a company's security problems more challenging. As a result, many organizations that currently manage security in-house are looking for alternatives.

These organizations often find themselves choosing between two options: managing security in-house, or outsourcing all or some security management to a managed security services provider (MSSP). To ensure rapid response to real threats, MSSPs use high-availability security operations centers (SOCs) to provide outsourced management and monitoring of security devices and events. These centers support 24x7 services designed to reduce the number of operational security personnel an enterprise must hire, train, and retain in order to maintain an acceptable security posture.

Considering the security management options

It is essential that organizations weigh the risk of sharing their data with third parties against that of losing intellectual property and productivity as a result of malicious activity.
Only robust, round-the-clock security management and monitoring can help mitigate the risk of threats against an enterprise network. However, the wide range of MSSPs and their offerings can prove daunting to compare and understand. We commissioned this guide to help organizations weigh their security management options.

Grant Geyer
Vice President, Symantec Managed Security Services

"Without a sound security strategy, our organization would likely be out of business."
Director of technology

Who should read this guide?

CSOs, CISOs, managers, compliance officers, heads of security, CIOs, and project managers faced with the challenge of managing enterprise security. This can include mail security; compliance; IT risk; and the monitoring, identification, and remediation of security incidents and events.

What you will get from reading this guide

- An understanding of the changing threat landscape and the common hurdles you face when managing enterprise security in-house
- The benefits of partnering with an MSSP for security protection
- Sample expenses and cost comparison scenarios to help you produce a financial analysis when considering an MSSP
- Useful guidance for evaluating potential MSSPs

60-second insight: one minute to see how Symantec Managed Security Services can improve your security posture

Benefit from extensive global threat intelligence
Symantec Managed Security Services has access to some of the most comprehensive sources of Internet threat data in the world. Leveraging the Symantec Global Intelligence Network, managed services teams are thoroughly informed on world events, which accelerates the decision-making process to protect your critical assets.

Avoid the impact of a missed security event
Leverage security expertise for 24x7 monitoring, alerting on suspicious incidents, and delivery of timely, prioritized remediation recommendations. Symantec Managed Security Services security analysts and security operations center (SOC) technology help keep your business assets safe from compromise.

Find the needle in the haystack
Symantec Managed Security Services technology and security analysts look for small pieces of separate information in gigabytes of log files across multiple devices, and then recognize which pieces, when put together, indicate a threat. Symantec has built in-house technology to filter all customer information and present events to analysts for further investigation.

Support for your audit requirements
Symantec Managed Security Services globally maintains the stringent audit requirements of the ISO 27001 certification and the SAS 70 Type II Audit Report, and holds certifications for both business continuity planning and disaster recovery. Our mature approach to governance will ensure that an incident or disaster in one region will not affect the support you receive or compromise the integrity of your business.

The threat landscape continues to evolve

On April 8, 2008, Symantec released Volume XIII of the industry-leading Global Internet Security Threat Report (ISTR). In the report, Symantec concludes that cyber-criminals are becoming increasingly professional, even commercial, in the development, distribution, and use of malicious code and services. While cyber-crime continues to be driven by financial gain, cyber-criminals are now using more professional attack methods, tools, and strategies to conduct malicious activity. Based on the data collected during the reporting period of July 1 to December 31, 2007, Symantec has observed that the current security threat landscape is predominantly characterized by the following:
- Malicious activity has become Web-based.
- Attackers are targeting end users instead of computers.
- The underground economy is becoming consolidated and mature.
- Attackers and attack activity are adapting rapidly.

Cyber-criminals continue to exploit trusted environments

During the reporting period, Symantec observed that the majority of effective malicious activity has become Web-based: the Web is now the primary conduit for attack activity. This may be driven, in part, by the fact that compromises affecting computers on enterprise networks are likely to be discovered and shut down. On the other hand, activity that takes place on end users' computers and/or Web sites is less likely to be detected. Symantec observed that 58% of all vulnerabilities disclosed were in Web applications.

Once a trusted Web site has been compromised, cyber-criminals use it as a source for distribution of malicious programs in order to compromise individual computers. This attack method allows cyber-criminals to wait for their victims to come to them instead of needing to actively seek out targets. Social networking Web sites are increasingly valuable to attackers because they provide access to a large number of people, many of whom trust the site and its security. These Web sites can also expose a great deal of confidential user information that can then be used in attempts to conduct identity theft or online fraud. An added benefit to attackers who target trusted sites is the ability to steal credentials or launch other attacks en masse, because these tactics can allow attacks to propagate quickly through a victim's social network.

"It would be cost-prohibitive to try to cover this ground on our own."
Director of technology

Table 1. Personal information that can be used for financial gain is traded on underground economy servers. This table ranks the goods most frequently offered for sale.

Rank  Item                        Percentage  Range of prices
1     Bank accounts               22%         $0.40–$20
2     Credit cards                13%         $10–$1000
3     Full identities             9%          $1–$15
4     Online auction accounts     7%          $1–$8
5     Scams                       7%          $2.50/week–$50/week for hosting; $25 for design
6     Mailers                     6%          $1–$10
7     Email addresses             5%          $0.83/MB–$10/MB
8     Email passwords             5%          $4–$30
9     Drop (requests or offers)   5%          10%–50% of total drop amount
10    Proxies                     5%          $1.50–$30

Rise in site-specific vulnerabilities

Site-specific vulnerabilities are perhaps the most telling indication of this trend. These are vulnerabilities that affect custom or proprietary Web-application code for a specific Web site. During the last six months of 2007, 11,253 site-specific cross-site scripting vulnerabilities were documented. This is considerably higher than the 2,134 traditional vulnerabilities documented by Symantec during this same period. These vulnerabilities are a concern because they allow attackers to compromise specific Web sites that they can then use as a means of launching subsequent attacks against users, which has proven to be an effective strategy for launching multi-stage attacks and exploiting client-side vulnerabilities. Site-specific vulnerabilities are often used in association with browser plug-in vulnerabilities, which are useful for conducting sophisticated Web-based attacks.

Another indication of the Web's emergence as an attack vector is the continued growth in browser plug-in vulnerabilities. Browser plug-ins are technologies that run inside the Web browser and extend the browser's features, such as those that allow additional multimedia content from Web pages to be rendered in the browser (ActiveX, for example). These vulnerabilities have remained popular because they are a very effective means of conducting Web-based attacks.
Table 2. Symantec Internet Security Threat Report data sources

Symantec uses multiple data sources to compile the Internet Security Threat Report, including:
- More than 40,000 sensors that monitor network activity in more than 180 countries
- Reports on malicious code, spyware, and adware from more than 120 million systems that have deployed Symantec virus protection products
- A security vulnerability database spanning more than a decade that covers more than 25,000 vulnerabilities from more than 8,000 vendors
- BugTraq, a forum for the disclosure and discussion of vulnerabilities, with approximately 50,000 direct subscribers
- The Symantec Probe Network: a system of more than two million decoy accounts that attracts email messages from 30 different countries around the world, allowing Symantec to gauge global spam and phishing activity

[Figure 1. Malicious code trends: number of new threats reported to Symantec per six-month period, from July–December 2002 through July–December 2007. In the second half of 2007, 499,811 new malicious code threats were reported to Symantec, a 136% increase over the first half of 2007.]

Common hurdles when managing enterprise security in-house

With customers and business partners dependent on accessing critical product and service data via open networks such as the Internet, organizations must ensure the integrity of this information or risk jeopardizing their reputation and their brand equity. In short, they need to protect the bottom line, the corporate image, and the brand. Organizations face a number of barriers to achieving and maintaining effective security programs, including those listed in Table 3.

"Hiring more staff for a 24x7 immediate response team would have greatly increased our staffing costs."
Group leader

Table 3. Barriers to achieving and maintaining effective security programs

Security a core requirement, but not a core competence
Companies focusing on eCommerce and eBusiness must ensure that their information assets are properly protected. Managing information security requires constant vigilance and strict accountability for every change in the state of the network and the systems connected to it. Organizations often find they lack the necessary in-house skills to manage this challenging task.

Need to find, hire, and retain security staff
Because of the strong market demand for skilled information security talent, organizations are finding it expensive to recruit, and extremely difficult to retain, these professionals. A large amount of time can be absorbed by the constant juggling of resources, resume sifting, interviews, contracts, and attrition. The high attrition rate among security personnel reduces a company's ability to effectively safeguard its valuable information assets.
Security staff overloaded with routine daily operations
While the security staff commits to the tasks, they often discover that they lack the time, expertise, and technical resources to provide effective, enterprise-wide monitoring and management on a 24x7x365 basis.

Need to develop a repeatable process for identifying and escalating security incidents
Trying to determine what constitutes a security incident can be difficult. Traffic that looks benign to the untrained eye can be highly malicious when correlated with other security information. Understanding how to develop a repeatable process that can be quickly and consistently executed can be daunting for many organizations, especially when there is a low margin for error.

Security products generating vast amounts of difficult-to-manage data
In order to adequately protect corporate information assets on a 24x7x365 basis, and to identify and counteract security attacks in real time, information security staff must constantly analyze disparate data from various security devices, such as firewalls and intrusion detection systems (IDSs). Security staff can attempt to consolidate this data for viewing purposes, but most consolidation software tools lack the ability to generate meaningful information. Symantec finds that 99.7% of the data produced by security devices is of little to no value in finding security incidents; moreover, such data is often laden with false positives. Finding the real security threats in this overwhelming volume of data can be like finding the proverbial needle in a haystack.

Growing volatility and sophistication of threats
The threat landscape has evolved away from large-scale pandemic threats to quieter, more targeted attacks engineered to include multiple exploitation methods.
These lower-profile, targeted attacks are engineered by cyber-criminals searching for new ways to steal information for financial gain. The attacks propagate more slowly to avoid detection and to increase the likelihood of successful compromise before security measures can be put in place. The new Internet threat reality is clear: fraudsters and hackers are working in concert for financial gain, and they are relying increasingly on the Internet.

Proactive intelligence
Setting up a security operations center in-house can be an expensive and cumbersome task, and many organizations that do so still aren't aware of emerging Internet threats and vulnerabilities. Organizations that don't stay abreast of new threats are on their own on the Internet. They are left to react to new challenges as opposed to being proactively protected.

Cost-effective security protection on a 24x7 basis
Increased regulatory demands for business continuity, coupled with a thrust for availability of systems to clients and partners, are driving a requirement for cost-effective security protection on a 24x7x365 basis.

Measuring the cost of managing security in-house

The cost of building and staffing an SOC is daunting; it involves hiring 24x7x365 staff, implementing and tuning security information and event management (SIEM) technology, establishing processes, and managing the function. Furthermore, there is a high cost of entry just to have an in-house security management capability, regardless of the size of the security architecture being managed. To build, upgrade, maintain, operate, and control its security systems, any in-house security management program needs personnel and supporting hardware, software, and equipment.
These in-house programs also require outlay for the following variables:
- All relevant capital and operating costs
- Costs of supervising the MSSP
- Likely increases in costs for salaries, benefits, and service contracts
- The cost of money and interest costs
- Residual value of equipment and facilities
- Cost of transition, including personnel
- Cost of changes in direction and level of resources
- Cost of contract modifications

To effectively compute the total cost of ownership of in-house security management, companies need to identify and evaluate both overt and hidden costs over a number of years. The following sections list many of the costs of a security management program.

Equipment

Hardware and software costs
For in-house security management, companies must determine the cost of all hardware and software in addition to associated maintenance and support costs. This includes servers, PCs, and peripheral equipment, as well as all associated operating systems, databases, applications, and security software. Additional hardware and software required to support security operations may include system and network management tools, fault management systems, help desk systems, and correlation technology. While the software alone is expensive, to work effectively the organization will also need to integrate and customize the software for its environment. These integration costs may be several times the cost of the software itself.

Maintenance
Maintenance fees for software and equipment must be factored into the total cost of ownership. Software maintenance is typically assessed on an annual basis at a rate of 15 to 25 percent of the cost of the software.

"If our network is down because of a security incident, or for any other reason, we calculate that our organization would lose a million dollars of revenue a day."
Director of technology

Certifications and attestations
In order to show the effectiveness of the security program, as well as to stay compliant with industry regulations, the environment will need to be audited. While many SOCs are becoming compliant with the ISO 17799 or ISO 27001 standard, they will also need to be included in Sarbanes-Oxley, MiFID, or Basel II audits. While these certifications themselves are quite difficult to obtain and require ongoing maintenance, the real challenge is to develop all of the processes needed to run the operation on a day-to-day basis, and to ensure that it is effective and integrated within the overall information security and information technology program.

Personnel

Staffing for information security professionals is perhaps the most crucial, difficult, and costly component of an effective security management program. While the salary of individual contributors may vary from $60,000 to $140,000 (averaging $85,000 to $90,000) based upon experience and skill, this is only a small part of their compensation. After bonuses and stock incentives, space and equipment costs, and the cost of ongoing education and training benefits are added in, these numbers may be over 50 percent higher.

The following scenario can aid in calculating the costs to expand security operations from standard 8am-to-5pm to full 24x7 coverage. To provide coverage 365 days per year, a company must consider staffing multiple shifts of workers:
- Three sets of staff to cover three eight-hour shifts
- One backup for time-off coverage for shifts 1, 2, and 3
- One manager

Based on these assumptions, a company would need a minimum of five people to cover one seat in a 24x7 security operation, and these five would need to possess expertise or specialization in a range of security issues.

Recruiting
Given the high turnover rate in the IT field, organizations may also need to consider the cost of recruiting.
Whether internal HR staff or external recruiters are used, the cost of recruiting may average 20 to 30 percent of total annual compensation costs for the position being recruited.

"In each country where we have deployed managed security services, our company is saving on employing full-time equivalent (FTE) staff. Altogether, we have been able to re-allocate roles for 10 staff in EMEA, which is equivalent to a savings of almost $1.2 million every year."
European IT security head

Training and education
Security professionals require continuous training and education to hone their skills and, more importantly, to stay aware of the latest updates in an ever-changing, fast-paced technology environment. Ongoing education should encompass the latest security tools and technologies, threat techniques, and best-practice protection strategies. Costs in this area may include:
- Product or technology training
- Training in general security awareness
- Certification preparation classes
- Certification costs
- Attendance at major security conferences or shows
- Books, magazine subscriptions, journals, or eLearning courses to help security professionals stay abreast of the latest technologies, tips, techniques, threats, and safeguards in the industry

Many organizations provide their personnel with two weeks of employee training each year, though more is often necessary. Most security courses are one week in duration; therefore, each security employee would be eligible to attend two security courses per year. Because course expenditures may range from $1000 to $3000, an average cost per headcount for annual training would be $5000.

Security operations center
An SOC provides a secure work environment. Typically this area needs to be physically separated from the rest of the facility, requiring strong authentication to enter.
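The recurring cost items in the preceding sections (five staff per 24x7 seat, fully loaded compensation about 50 percent above salary, recruiting at 20 to 30 percent of compensation for each position refilled, roughly $5,000 of training per head per year, and software maintenance at 15 to 25 percent of licence cost) can be combined into a small annual cost model for the financial analysis this guide is meant to support. The Python script below is an added worked example written for this edition, not a Symantec calculator or figures from the guide beyond the constants it cites: the annual staff turnover rate, the software licence cost, the midpoints chosen for the guide's ranges, and the share of an FTE spent supervising an MSSP are all assumptions.

```python
"""Annual cost model for in-house 24x7 security monitoring seats.

Added worked example. Constants marked "guide" come from the cost sections
of the advisory guide; inputs marked "assumption" are constructed values
chosen for illustration and should be replaced with your own figures.
"""
from dataclasses import dataclass

STAFF_PER_SEAT = 5            # guide: 3 shifts + 1 backup + 1 manager per 24x7 seat
LOADED_COST_FACTOR = 1.5      # guide: loaded cost "over 50 percent higher" than salary
RECRUITING_RATE = 0.25        # guide: 20-30% of annual compensation per hire (midpoint assumed)
TRAINING_PER_HEAD = 5_000.0   # guide: about $5,000 per headcount per year
MAINTENANCE_RATE = 0.20       # guide: 15-25% of software cost per year (midpoint assumed)


@dataclass
class InHouseAssumptions:
    seats: int = 1                    # number of 24x7 analyst seats to staff
    avg_salary: float = 87_500.0      # guide: average salary $85,000-$90,000 (midpoint)
    annual_turnover: float = 0.20     # assumption: fraction of staff replaced each year
    software_cost: float = 250_000.0  # assumption: SIEM/correlation licence cost


def annual_cost_breakdown(a: InHouseAssumptions) -> dict:
    """Return the yearly recurring cost lines for staffing the seats in-house."""
    headcount = a.seats * STAFF_PER_SEAT
    loaded_per_head = a.avg_salary * LOADED_COST_FACTOR
    compensation = headcount * loaded_per_head
    # Recruiting cost is paid only for the positions that turn over in a year.
    recruiting = headcount * a.annual_turnover * RECRUITING_RATE * loaded_per_head
    training = headcount * TRAINING_PER_HEAD
    maintenance = a.software_cost * MAINTENANCE_RATE
    total = compensation + recruiting + training + maintenance
    return {
        "headcount": headcount,
        "compensation": compensation,
        "recruiting": recruiting,
        "training": training,
        "maintenance": maintenance,
        "total": total,
    }


def breakeven_monthly_fee(a: InHouseAssumptions, oversight_fte: float = 0.0) -> float:
    """Monthly MSSP fee at which outsourcing costs the same as the in-house model.

    oversight_fte is the fraction of one loaded FTE retained to supervise the
    MSSP (the guide lists "costs of supervising the MSSP" as a cost variable;
    the value itself is an assumption supplied by the caller).
    """
    in_house = annual_cost_breakdown(a)["total"]
    oversight = oversight_fte * a.avg_salary * LOADED_COST_FACTOR
    return (in_house - oversight) / 12.0


if __name__ == "__main__":
    base = InHouseAssumptions()
    for line, value in annual_cost_breakdown(base).items():
        print(f"{line:>13}: {value:>12,.0f}")
    fee = breakeven_monthly_fee(base, oversight_fte=0.5)
    print(f"break-even monthly MSSP fee (half an FTE of oversight): ${fee:,.0f}")
```

The model deliberately leaves out the SOC facility itself, which the guide discusses next only as a capital figure, and the one-time software integration cost; both are multiples that vary too much between organizations to pick a defensible default. Changing `seats` scales the staffing lines linearly, which makes it easy to see that the five-to-one staffing ratio, not the salary level, dominates the total.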
Most companies find it cost-prohibitive to build or lease an SOC because the cost can exceed $10 million (USD) in capital expenditures. Organizations also need to consider the need for power, HVAC, and fire suppression systems for their SOC. In addition, a disaster recovery plan that would likely involve the build-out of a failover facility should be taken into account. By comparison, to build a full end-to-end SOC as a business, MSSPs invest between $25 million and $40 million (USD) for the required robust infrastructure, tools, and redundancy. Companies that choose to work with an MSSP benefit from these significant investments as well as from entrusting their business to security experts.

Benefits of managed security services

Beyond pure cost, there are a number of advantages an organization receives from a professionally managed service contract with a team of dedicated, experienced security professionals. Partnering with an experienced, well-established, and professional MSSP offers enhanced levels of protection, 24x7x365 vigilance, a strengthened security posture, and a potential decrease in the risk of cyber-threats.

Improve information protection
Providing security for today's networks and information systems is an increasingly complex and critical endeavor, especially as hackers are using increasingly sophisticated methods and technologies. Organizations whose core focus is not security are at a disadvantage in providing a comprehensive, 24x7 security management program. The training, expertise, and diligence required to stay abreast of the latest protection strategies are time-consuming for in-house staff and distract from other mission-critical activities.
Additionally, the vast amounts of data produced by firewalls and intrusion detection system devices can quickly overwhelm an organization that lacks the sophisticated technology to help its security staff with the daunting task of filtering through the data to find the real threats and eliminate the false positives.

Leverage knowledge and experience of security experts
According to Gartner's April 2007 report "MarketScope for Managed Security Services in Europe," client discussions consistently cite the skilled resources of providers as one of the major benefits of using MSSPs. Organizations can take advantage of the expertise of MSSP security analysts and engineers who manage and monitor security devices on a full-time basis. These analysts identify and respond to thousands of security incidents and attacks every day. This means that, compared to an organization's in-house security staff, they are more aware of potential threats and more knowledgeable about best practices for protecting critical data.

"The bottom line is that we can react in real time to any security threats that take place, while keeping our security management costs in check."
Head of IT security

Stay abreast of the most recent security threats and attacks
An experienced MSSP maintains a research capability dedicated to staying abreast of the latest cyber-threats, vulnerabilities, hacker techniques, and security developments. Constant monitoring of security alerts and advisories is essential to providing maximum protection against security threats.

Share responsibility with a trusted security partner
An MSSP acts as the company's security partner and shares the burden and the responsibility of security management and incident response.
Consistent SLAs across the organization MSSPs offer service-level agreements (SLAs) that define a contractual obligation to deliver services in a particular manner and within a specific response-time window. The SLAs determine the services the MSSP will provide and the performance targets they must achieve, and they define exactly what will be delivered and when specific organizational requirements will be met. Gain reliable 24x7x365 security management A thorough MSSP will provide around-the-clock coverage for a clients most critical systems, monitoring networks and infrastructures to ensure protection during the hours most hackers attack. This vigilance, especially important in an always-on, always-connected business environment, ensures that information assets are protected. Concentrate on what you do best Resource-constrained IT departments must support the companys core business and security requirements. In an ideal world, talented in-house IT resources would be leveraged to plan network redesigns and migrations in order to support strategic business initiatives, or to implement new applications that focus on areas of greater return-on-investment (ROI) potential. Many elements of security, such as compliance and antivirus, can be very labor-intensive and subject to human error. Partnering with a MSSP removes the burden of constant device monitoring and management. This enables organizations to direct in-house resources toward only the most pressing security issues and vulnerabilities. Can Managing Enterprise Security Be Made Easier? A Symantec Advisory Guide Partnering with a MSSP removes the burden of constant device monitoring and management, enabling organizations to direct in-house resources toward only the most pressing security issues and vulnerabilities. 17 Maximize investment on existing security products Many organizations purchase security products that, for a variety of reasons, are never fully implemented. 
A high-quality MSSP ensures that purchased solutions are installed, implemented, and integrated to provide the ongoing value an organization needs and expects.

Make project and running costs more predictable

By partnering with a MSSP to protect critical information assets, organizations can avoid the extensive personnel costs associated with hiring, training, and retaining security professionals. Managed security services reduce total cost of ownership by delivering predictable monthly costs for security coverage. Because managed services are billed on a monthly basis, organizations are also better able to predict and manage their security-related budgets.

Continuous improvement

By tapping into the expertise of a company comprising literally thousands of security experts working in the field every day, you will always be at the forefront of security knowledge and expertise.

Selecting a managed security services provider

"The managed security service (MSS) market in North America generated revenue of approximately $500 million in 2006, and Gartner estimates that revenue will grow about 19% in 2007."
Gartner, Magic Quadrant for MSSPs, North America, 1H07 (1)

Determining the cost of partnering with a managed security services provider is only one, limited criterion in the overall evaluation of MSSPs. Organizations should also consider the following key factors:

Longevity: Consider partnering with a stable vendor that has a proven track record of delivering quality services to a large number of clients over a long period of time. These are the MSSPs most likely to weather economic downturns or industry shakeouts.

Annual revenues: For publicly traded companies, according to Gartner, annual run rates of more than $10 million per year in managed security services contracts indicate a sufficient base of revenue to support growth and enhancement of services.

Management experience: A successful MSSP selects its security experts from a range of backgrounds, including the military, government, and industrial sectors. Appropriate management experience is usually represented as well, from a variety of related services such as online, financial, and service bureaus.

Range and flexibility of the services: The range of services offered indicates the MSSP's ability to meet the evolving security management needs of a wide variety of organizations. Leading MSSPs will offer a complete set of managed and consulting security services, either organically or through partnerships. Services should include managed mail security; managed firewall; managed intrusion detection system; threat and vulnerability management; security intelligence services; and monitoring, remediation, and reporting tools. Ideally, the MSSP will offer multiple levels and types of services, as well as customized services to meet the unique organizational requirements of each client.

Breadth of supported technologies: Evaluating a MSSP on its ability to provide broad support for multiple technologies is essential to ensuring a smooth and effective managed security program. Some MSSPs will only manage certain security technologies; others will provide comprehensive multivendor support.

Security management processes: A MSSP should be able to provide documented standards and policies for handling both typical and atypical operations and threats. It should also offer a variety of attack alert notification methods to give the client's security staff the ability to mitigate risk in real time. A MSSP should facilitate the incident response phase, integrating the capabilities of the client incident response team (IRT) with the MSSP alerting process. This requires a pre-defined and shared incident response roadmap.

Auditing: Companies are being held to a higher standard of accountability with respect to audit requirements. As an extension of the organization, a MSSP must have facilities, processes, and procedures that are validated and certified by a third-party auditor in the form of an ISO 27001 and/or SAS 70 Type II audit.

Effectiveness of technology: The technology used to analyze and correlate data collected from multiple devices should support rapid response while ensuring the scalability to support an ever-increasing number of managed devices. So that clients can focus their security staff on the most critical issues, the technology should be supported by security analysts who can separate real threats from false ones.

Reporting: Reporting can provide an enterprise-wide, real-time view into the client's security posture and the effectiveness of the managed services. Thorough reports will include detailed information gathered from the managed devices, from the related or recommended responses, from any changes the MSSP has made to the devices, and from information about the latest threats. Ideally, the MSSP will provide options for viewing and managing reports, including access via email, standard desktop programs, and a secure Web portal.

Security operations center capabilities: A MSSP will need to operate multiple security operations centers from which it can globally monitor and manage security issues across its client base. In today's business environment, these centers must be run 24x7x365. This is not only to remain abreast of the latest threats, but also to ensure business continuity. The centers must follow predictable and proven processes and be staffed with a range of security experts who extend the client's in-house capabilities. Strict hiring guidelines must ensure that hackers are not entrusted with the sensitive security data of an enterprise.

(1) Gartner RAS Core Research Note G00149649, Kelly M. Kavanagh, John Pescatore, 1 August 2007, RA4 8/4/2008. The Magic Quadrant is copyrighted 2006 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product, or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Recommended MSSP checklist

Real-time monitoring, analysis, and incident response
Security is core business
Demonstrated long-term financial stability
Global online community providing insight and intelligence
Uses proven managed security services policies, standards, and procedures
Recruited and trained professional security staff
Real-time view through flexible client interface
Defined staff development and career path
Background checks to verify staff trustworthiness
24x7x365 manned global operations
Multiple, redundant SOCs with disaster recovery and global coverage
In-depth technical and security support skills
Dedicated threat and vulnerability research support
Dedicated team per client
Services support multiple vendors' products
Can implement security products
Security and financial risks accepted under contract
Defined metrics and accountability
Incident-handling and response capability
Conclusion

Effective security management requires a comprehensive combination of skilled personnel, best-practice processes, and state-of-the-art technology. Each organization will come to a different conclusion about whether to manage its security requirements in-house, partner with a MSSP, or decide on a combination of both. A thorough cost analysis is important when evaluating a MSSP, but it comprises only part of the total analysis. Levels of staffing, security expertise, specialized skills that may only exist in-house, and existing security investments are other important considerations.

Deciding between leveraging in-house security resources and partnering with a MSSP requires research and budgetary scrutiny. It also requires consideration of both the short- and long-term expenses and benefits. Ultimately, you should choose the option that will allow you to maintain a strong security posture that enables you to pursue your primary mission, whether that is a revenue-generating or service opportunity.

Symantec Global Services

With nearly 4,000 professionals and an extensive partner network, Symantec Global Services offers deep technical knowledge and proven expertise to help you manage IT risk, performance, and cost. Symantec offers several services that help manage and reduce security risks, giving your organization the foundation to protect its systems, data, and applications, all while providing the reliability, flexibility, and performance needed to rapidly respond to changing business needs.

Symantec Managed Security Services

Symantec Managed Security Services provides 24x7 remote monitoring and management of labor-intensive security operations under strict SLAs. As a result, you can confidently focus existing resources on strategic projects that drive a competitive advantage for your business.

"Thanks to the way that Symantec Managed Security Services filters threats, we only have to respond personally to one or two attacks a month, compared to up to 60 with our previous security vendor."
Manager of information technology and security

Based on groundbreaking SOC technology from Symantec, Symantec Managed Security Services are delivered through a unique and highly effective combination of skilled personnel, best-practice processes, and state-of-the-art technology. Key offerings include:

Security Monitoring Services
Global Intelligence Services
Security Device (IDP) Management Services
Log Management Services
Vulnerability Assessment Services
Managed Threat Analysis
Symantec Intrusion Detection/Protection Solution with Sourcefire

Our unique combination of insight, research, and expertise allows us to relieve your organization of the burden of analyzing and correlating critical security intelligence as it provides greater insight into key business information.

Symantec Residency Services

Symantec Residency Services offers highly trained experts who can augment your existing staff at any level. Residents work onsite as members of your team for an extended period of time, helping with strategy, projects, ongoing operations, and knowledge transfer. Symantec residents can perform services under a statement of work, or they can operate under an arrangement where Symantec takes on responsibility for key IT operations under a strict SLA.

Symantec Advisory Services

Symantec Advisory Services focuses on helping your organization understand and minimize the security risks associated with your specific information environments. Advisory Services consultants start by assessing your existing security posture, including policies, architecture, infrastructure, and operations. Advisors then work to understand your tolerance for risk based on business goals and strategies. Armed with this information, our team then works with you to develop a plan to reduce and manage security risk, taking into account what vulnerabilities need to be addressed immediately, what can wait until the next upgrade or patch cycle, and what can be considered an acceptable risk. The end result is a holistic approach to reducing security risk that is based on your business priorities.

Symantec gathers data from more than two million decoy email addresses, 120 million desktop antivirus sensors, and 40,000 intrusion-detection and firewall sensors worldwide.

Symantec DeepSight Early Warning Services

Symantec DeepSight Early Warning Services delivers notification of vulnerabilities and Internet security attacks along with threat analyses and actionable information. Early warning statistics provide insight into real-time incidents collected from more than 40,000 sensors in 180 countries. With these statistics, you can analyze and compare local event data with global threat activity, threats in organizations similar to yours in size, and threats in companies in your geographic proximity. By comparing internal data to the global landscape, your organization can demonstrate security benchmarking for regulatory compliance. Through integrated management and early warning, you can accelerate the decision-making process for protecting critical assets.

Free 30-day trial service

You can experience the first line of defense for proactive enterprise security by taking advantage of our 30-day free trial of Symantec DeepSight Early Warning Services. Contact your sales representative for more information.

Symantec Managed Solutions

Symantec Managed Solutions combine onsite Symantec Consulting expertise with standardized managed services delivered from remote locations. Symantec experts take over repetitive, labor-intensive IT operations under strict SLAs, so that you can optimize your resource investments and focus on strategic initiatives with confidence.

To find out more

To find out more about the range of Symantec services available, visit our Web site at www.symantec.com/business/services.

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com

Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, DeepSight, and Managed Security Services are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 04/08 13670834-1

About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.