SECURITY
White Paper
Contents
Introduction (p. 3)
The Need for Log Collection and Correlation (p. 3)
Benefits of On-Premise SIEM Solutions (p. 3)
Benefits of MSSP Solutions (p. 4)
Comparing SIEM versus MSSP (p. 6)
Financial, Operational and Organizational Costs of MSSP and SIEM Solutions (p. 7)
Conclusions and Recommendations (p. 10)
RELEVANT. INTELLIGENT. SECURITY.
White Paper: The Business Case for Managed Security Services
Introduction
For consumers and potential buyers, the question of whether to have a Managed Security Service Provider (MSSP) manage your security, or to purchase a Security Information and Event Management (SIEM) product and manage it yourself, can be difficult to determine on your own.
The following paper identifies the benefits of on-premise SIEM products and of an MSSP approach, and provides an overview of the financial, operational and organizational considerations that purchasers of security solutions may wish to weigh.
The Need for Log Collection and Correlation
In the current threat landscape, security buyers are often confronted with the need
to identify an acceptable solution that can collect and correlate log information from
disparate systems in a centralized manner, across the entire enterprise. This solution
might be called upon to collect logs from servers and workstations, firewalls and VPN
gateways, routers and switches, even down to the database and application level.
Often, the requirement for logging may be rooted in a compliance requirement, such
as the Payment Card Industry Data Security Standard (PCI DSS), or it may be driven
organizationally through new people or processes. Other business drivers, such as
mergers and acquisitions, may also play a role. Regardless of the motivation, security
buyers are continually confronted with the decision of whether to bring event/log
management in-house or employ a managed security service provider. Each approach
has its advantages.
Benefits of On-Premise SIEM Solutions
There are numerous product vendors that provide offerings with features ranging from standard log collection with no analytics or intelligence, to full-blown SIEM solutions that integrate with disparate systems and provide indexed, comprehensive threat measures for every device in the enterprise. SIEM solutions are often scoped, priced and sold with a great deal of customization, based on the buyer’s specific needs and devices. This high level of customization makes SIEM solutions effective for organizations of all types and sizes, regardless of industry or infrastructure.
Certain environments naturally serve as better places to deploy an on-premise, product-based SIEM solution, as opposed to sending logs and data to an external vendor like an MSSP. If an organization has systems with no Internet connectivity, as is often the case with government facilities and other sites with highly classified information, it is an excellent candidate for an on-premise SIEM deployment, as no managed service working over the Internet can bridge the connectivity gap. Likewise, if an organization has systems that produce sensitive log data that cannot leave the network infrastructure (such as government systems with log data requiring specialized clearance or access), these are also ideally suited to a product-based SIEM solution.
Benefits of MSSP Solutions
There are numerous MSSPs, ranging from niche vendors who focus on only certain types of devices or certain types of logs, to more enterprise-scale vendors offering full management of the entire network infrastructure. Regardless of the provider’s size or the scale of a specific deployment, MSSP solutions fall into two categories:
• Monitoring only – In this deployment, an MSSP takes in security logs and other device logs, only alerting and advising the client about changes they should make, based on an agreed level of service (e.g., 15-minute notice for High Priority Alerts, daily log reviews to minimally meet compliance, etc.).
Similar to on-premise SIEM products, MSSP solutions can also satisfy compliance
requirements and increase security. Depending on the level of service, MSSPs will
alert clients when security incidents occur. MSSPs can also store logs off-site, in a
forensically-sound manner, helping meet regulatory requirements for log storage without
the need for additional on-site hardware and storage.
Organizations may lack the security expertise to monitor and/or manage devices from a wide variety of sources or vendors. Many times, business controls are in place that do not give the security group access to all of the devices (e.g., firewalls are accessed solely by a network group; VPN and single sign-on are part of identity management or user compliance). Beyond defining roles and responsibilities to monitor and manage devices effectively, organizations also require a way to bring security intelligence into the organization and produce actionable output that is tailored to the organization’s specific environment.
Many large enterprises have dedicated security teams (and dedicated security
researchers); however, it may not be cost-effective or aligned with business goals
for organizations in every industry to have their dedicated security teams or even
a dedicated security “person.” This makes MSSP solutions very attractive, as the
highly-qualified security team at an MSSP becomes, in effect, an extension of in-house
resources. Organizations are able to take advantage of the security expertise that the
MSSP has acquired by working with numerous clients across a variety of industries.
Typically, MSSPs will also have a security research function that identifies new security
threats and incorporates the intelligence into the service.
MSSPs can assist with tasks such as maintaining clear and consistent rule sets for firewalls and other network security devices. As an external vendor, an MSSP can also provide independent, overarching change control procedures governing how, when and why the rules on these in-scope devices are reviewed and updated.
Organizations may also seek out MSSP solutions to assist with staffing security teams
on a 24/7 basis. Many companies do not have a dedicated Security Operations Center
(SOC) or the ability to staff three shifts of engineers year-round. While a SIEM solution
requires constant monitoring by in-house staff, MSSP solutions provide 24/7 monitoring
without the need for additional head count. While a SIEM product is always running,
there is always going to be a need for manual review of security events, or manual steps
for event confirmation, correlation with other incidents or tickets and remediation of any
issues identified. MSSPs do this for organizations, identifying the real security incidents
and notifying clients in a timely manner.
MSSP solutions have the advantage of scale. There are many companies that are
already using the MSSP service, so the infrastructure for bringing on new organizations
is already built. The MSSP can work with clients to customize rules and notifications, so
that in-house resources are not over-burdened.
Since MSSPs work with multiple clients and have documented, repeatable processes, they are able to provide workflow automation, often improving time to remediation when issues arise. The lessons learned from managing hundreds (if not thousands) of client environments give MSSPs a much broader view than a single in-house security organization has, allowing the MSSP to apply that knowledge and experience across its entire client base.
Many organizations that buy SIEM solutions are unpleasantly surprised by the amount
of data that the solution produces. In-house resources are often overwhelmed by
the number of security events, making it impossible to know which events are actual
security incidents versus false positives. At that point, the SIEM solution becomes less
effective at improving security. MSSPs (given their economies of scale, purpose-built
technology and expertise) are able to filter these events, and then validate the actual
security incidents.
Comparing SIEM versus MSSP
On-premise SIEM solutions provide some of the same benefits as MSSP services, but at a higher cost to the organization. The following table outlines the similarities and differences between SIEM and MSSP solutions.
Financial, Operational and Organizational Costs of MSSP and SIEM Solutions
The initial training and personnel costs will be higher for any product purchase than for a service, since the product needs to be installed and configured (usually by a reseller or consultant), and internal staff need training and a plan for how to utilize the tool in the organization’s security operations. Additional costs to consider for an on-premise SIEM solution include datacenter costs such as rack space, power, network connectivity, and database configuration and connectivity.
The example below details an actual Solutionary enterprise client that recently evaluated the cost differences between purchasing and maintaining a SIEM tool versus adopting an MSSP approach. The cost breakdown is as follows:
[Table: Cost Breakdown, with columns SIEM Solution, MSSP and Savings %, and rows Tools (Product Cost); SOC Infrastructure (to support product purchase); MSSP Fees/Initial Charges; Annual/Ongoing Expenses. The figures $400,000, $100,000 and $30,600 appear in the table, but this copy does not preserve which cell each belongs to.]
head count, training, consulting) are factored in, the client realized a year-one savings of $185,877 (a 27% savings) by following an MSSP approach.
While the numbers for the initial deployment are favorable for an MSSP solution,
the question “does the cost benefit hold up over time?” remains. The table below
shows a five year cost comparison of “hard costs” such as software licenses, SOC
Infrastructure, computing resources, product maintenance fees, and professional
consulting services as compared to MSSP fees:
Table 3: Five-year cost comparison of hard costs versus MSSP fees
As Table 3 above shows, the cost benefit of an MSSP solution begins to decrease in
the year 3-4 time frame, and then begins to favor the SIEM solution. However, another
important factor to consider is that any SIEM product solution will likely have a usable
life for 4-5 years before a SIEM vendor requires customers to purchase new hardware
appliances, update software versions, or repurchase the solution altogether.
Conclusion
MSSPs can provide real value to organizations of all sizes, giving them the visibility
they need into their environment and the ability to comply with regulations without
the hassles of managing and maintaining an on-premise solution. Solutionary puts
the service in managed security services, operating as an extension of the client’s
internal security team. At Solutionary, clients come first and each employee, from the
management team to the analysts in the SOC, is dedicated to client satisfaction.
Understanding and addressing these individual client needs is key to the Solutionary
client-first culture. By gaining a detailed understanding of individual client needs,
Solutionary combines deep security expertise and proven operational processes with
the patented ActiveGuard® service platform to enhance security and address regulatory
compliance.
About Solutionary
1100WP 04/12