
RELEVANT. INTELLIGENT. SECURITY

White Paper

The Business Case for Managed Security Services


Managed Security Service Providers vs. SIEM Product Solutions

www.solutionary.com (866) 333-2133


White Paper: The Business Case for Managed Security Services

The Business Case for Managed Security Services

Contents

Introduction (page 3)
The Need for Log Collection and Correlation (page 3)
Benefits of On-Premise SIEM Solutions (page 3)
Benefits of MSSP Solutions (page 4)
Comparing SIEM versus MSSP (page 6)
Financial, Operational and Organizational Costs of MSSP and SIEM Solutions (page 7)
Conclusions and Recommendations (page 10)


Introduction

For consumers and potential buyers, the question of whether to have a Managed
Security Service Provider (MSSP) manage your security, or to purchase a Security
Information and Event Management (SIEM) product and manage it yourself, can be
difficult to answer on your own.

The following paper identifies the benefits of on-premise SIEM products and of an MSSP
approach, and provides an overview of the financial, operational and organizational
considerations that purchasers of security solutions may wish to weigh.

The Need for Log Collection and Correlation

In the current threat landscape, security buyers are often confronted with the need
to identify an acceptable solution that can collect and correlate log information from
disparate systems in a centralized manner, across the entire enterprise. This solution
might be called upon to collect logs from servers and workstations, firewalls and VPN
gateways, routers and switches, even down to the database and application level.

Often, the requirement for logging may be rooted in a compliance requirement, such
as the Payment Card Industry Data Security Standard (PCI DSS), or it may be driven
organizationally through new people or processes. Other business drivers, such as
mergers and acquisitions, may also play a role. Regardless of the motivation, security
buyers are continually confronted with the decision of whether to bring event/log
management in-house or employ a managed security service provider. Each approach
has its advantages.

Benefits of On-Premise SIEM Solutions

There are numerous product vendors that provide offerings with features ranging from
standard log collection with no analytics or intelligence, to full-blown SIEM solutions
that integrate with disparate systems and provide indexed, comprehensive threat
measures for every device in the enterprise. SIEM solutions are often scoped, priced
and sold with a great deal of customization, based on the buyer’s specific needs
and devices. This high level of customization makes SIEM solutions effective for
organizations of all types and sizes, regardless of industry or infrastructure.

Certain environments naturally serve as better places to deploy an on-premise,
product-based SIEM solution, as opposed to sending logs and data to an external
vendor such as an MSSP. If an organization has systems with no Internet connectivity,
as is often the case with government facilities and other sites with highly classified
information, it is an excellent candidate for an on-premise SIEM deployment,
as no managed service working over the Internet can bridge the connectivity gap.
Likewise, if an organization has systems that produce sensitive log data that cannot
leave the network infrastructure (such as government systems with log data requiring
specialized clearance or access), these are also ideally suited to a product-based
SIEM solution.

Benefits of MSSP Solutions

There are numerous MSSPs, ranging from niche vendors who focus on only certain
types of devices or certain types of logs, to more enterprise-scale vendors offering full
management of the entire network infrastructure. Regardless of the provider’s size or
the scale of a specific deployment, MSSP solutions fall into two categories:

• Monitoring only – In this deployment, an MSSP takes in security logs and other
device logs, only alerting and advising the client about changes they should make
based on some level of service (e.g., 15 minute notice for High Priority Alerts, daily
log reviews to minimally meet compliance, etc.).

• Monitoring and Management – In this deployment, an MSSP monitors security
logs, and additionally makes changes to the client’s environment based on
events collected and security intelligence. MSSPs bear the cost of keeping
SOC personnel trained on the latest equipment from multiple vendors, and they
have cross-platform experience, which is key for managing multi-vendor client
environments.

Similar to on-premise SIEM products, MSSP solutions can also satisfy compliance
requirements and increase security. Depending on the level of service, MSSPs will
alert clients when security incidents occur. MSSPs can also store logs off-site, in a
forensically-sound manner, helping meet regulatory requirements for log storage without
the need for additional on-site hardware and storage.

One of the biggest advantages of an MSSP solution is access to security expertise.
Depending on the level of service chosen by the client, MSSPs will validate security
events in the SOC before notifying the client. This helps to dramatically reduce the
number of false positives to which clients must respond, reducing costs and increasing
efficiency.

Organizations may lack security expertise to monitor and/or manage devices from a
wide variety of sources or vendors. Many times, business controls are in place that
do not give the security group access to all of the devices (e.g., firewalls are solely
accessed by a network group, VPN and single sign-on are part of identity management
or user compliance). In addition to roles and responsibilities to monitor and manage
devices effectively, organizations also require a way to input security intelligence into
the organization and produce actionable output that is tailored to the organization’s
specific environment.

Many large enterprises have dedicated security teams (and dedicated security
researchers); however, it may not be cost-effective or aligned with business goals
for organizations in every industry to have their dedicated security teams or even
a dedicated security “person.” This makes MSSP solutions very attractive, as the
highly-qualified security team at an MSSP becomes, in effect, an extension of in-house
resources. Organizations are able to take advantage of the security expertise that the
MSSP has acquired by working with numerous clients across a variety of industries.
Typically, MSSPs will also have a security research function that identifies new security
threats and incorporates the intelligence into the service.

MSSPs can assist with tasks such as maintaining clear and consistent rule sets for
firewalls and other network security devices. As an external vendor, an MSSP can also
provide independent and overarching change control procedures governing how, when and
why the rules on these in-scope devices get addressed and updated.

Organizations may also seek out MSSP solutions to assist with staffing security teams
on a 24/7 basis. Many companies do not have a dedicated Security Operations Center
(SOC) or the ability to staff three shifts of engineers year-round. While a SIEM solution
requires constant monitoring by in-house staff, MSSP solutions provide 24/7 monitoring
without the need for additional head count. While a SIEM product is always running,
there is always going to be a need for manual review of security events, or manual steps
for event confirmation, correlation with other incidents or tickets and remediation of any
issues identified. MSSPs do this for organizations, identifying the real security incidents
and notifying clients in a timely manner.

MSSP solutions have the advantage of scale. There are many companies that are
already using the MSSP service, so the infrastructure for bringing on new organizations
is already built. The MSSP can work with clients to customize rules and notifications, so
that in-house resources are not over-burdened.

Since MSSPs work with multiple clients and have documented, repeatable processes,
they are able to provide workflow automation, often improving time to remediation
when issues arise. The lessons learned from managing hundreds (if not thousands) of
client environments give MSSPs a much broader view than a single in-house security
organization, allowing the MSSP to leverage that knowledge and experience across
their entire client base.

Many organizations that buy SIEM solutions are unpleasantly surprised by the amount
of data that the solution produces. In-house resources are often overwhelmed by
the number of security events, making it impossible to know which events are actual
security incidents versus false positives. At that point, the SIEM solution becomes less
effective at improving security. MSSPs (given their economies of scale, purpose-built
technology and expertise) are able to filter these events, and then validate the actual
security incidents.

Comparing SIEM versus MSSP

On-premise SIEM solutions provide some of the same benefits as MSSP services, but
at a higher cost to the organization. The following table outlines the similarities and
differences between SIEM and MSSP solutions.

Feature                                                                                       | SIEM | MSSP
----------------------------------------------------------------------------------------------|------|-----
Monitors log events                                                                           |  ✔   |  ✔
Helps attain regulatory compliance                                                            |  ✔   |  ✔
Flexible service delivery                                                                     |      |  ✔
Provides 24/7 analysis by security analysts                                                   |      |  ✔
Stores logs off-site in forensically-sound facility                                           |      |  ✔
Provides security intelligence and expertise as part of solution                              |      |  ✔
Built-in disaster recovery and business continuity planning (DR/BCP)                          |      |  ✔
Predictable, ongoing fixed cost                                                               |      |  ✔
Requires up-front investment in new technology                                                |  ✔   |
May demand upgrades and additional infrastructure (server, network devices, storage, etc.)    |  ✔   |
Must be routinely updated, patched and upgraded                                               |  ✔   |
Requires significant on-site resources and training for management (rule changes, tuning, etc.)|  ✔   |

Table 1

Financial, Operational and Organizational Costs of MSSP and SIEM Solutions

When deciding between purchasing a product-based SIEM for internal deployment and using an
external MSSP, there are several factors to consider. From a financial standpoint, it is
important to note that a SIEM product is usually purchased and financed as a capital
expense, whereas a service is typically purchased and financed as an operating expense.
With an MSSP, the annual cost of maintenance for the next three years (at a minimum)
is defined and known, whereas the maintenance on product purchases can adjust
annually (unless a three-year maintenance term is negotiated at time of purchase).

The initial training and personnel costs will be higher for any product purchase than for a
service, since the product needs to be installed and configured (usually by a reseller or
consultant), and internal staff need training and a plan for how to utilize the
tool in the organization’s security operations. Additional costs to consider for an
on-premise SIEM solution include datacenter costs such as rack space, power, network
connectivity, database configuration and connectivity.

The example below details an actual Solutionary enterprise client that recently
evaluated the cost differences between the purchasing and ongoing maintenance of a
SIEM tool versus adopting an MSSP approach. The cost breakdown is as follows:

Cost Breakdown                                   | SIEM Solution | MSSP     | Savings  | %
-------------------------------------------------|---------------|----------|----------|----
Initial                                          |               |          |          |
Tools (Product Cost)                             | $400,000      |          |          |
SOC Infrastructure (to support product purchase) | $100,000      |          |          |
MSSP Fees/Initial Charges                        |               | $30,600  |          |
TOTAL - Initial                                  | $500,000      | $30,600  | $469,400 | 94%
Annual/Ongoing Expenses                          |               |          |          |
Resources (2 FTE)                                | $212,500      |          |          |
Management Costs                                 | $106,250      |          |          |
Security Engineering Costs                       | $78,750       |          |          |
Training                                         | $11,250       |          |          |
Tools Maintenance                                | $90,000       |          |          |
SOC Operating Expenses                           | $9,200        |          |          |
Depreciation and Amortization                    | $166,667      |          |          |
Consulting Services Ongoing                      | $12,500       |          |          |
Network IDS/IPS                                  | $10,000       |          |          |
MSSP Fees/Charges                                |               | $511,240 |          |
TOTAL - Recurring                                | $697,117      | $511,240 | $185,877 | 27%

Table 2

As shown above, the customer realized an immediate capital expense savings of
$469,400, a 94% savings over the initial cash outlay required to buy a comparable
SIEM solution. If the recurring costs required to support that same SIEM solution (extra
head count, training, consulting) are factored in, the client realized a year-one savings of
$185,877 (a 27% savings) by following an MSSP approach.

While the numbers for the initial deployment are favorable for an MSSP solution,
the question “does the cost benefit hold up over time?” remains. The table below
shows a five year cost comparison of “hard costs” such as software licenses, SOC
Infrastructure, computing resources, product maintenance fees, and professional
consulting services as compared to MSSP fees:

Time Frame                    | SIEM Solution | MSSP       | Savings  | %
------------------------------|---------------|------------|----------|----
Year 1 Cost Comparison        | $921,250      | $541,840   | $379,410 | 41%
3 Year Total Cost Comparison  | $1,763,750    | $1,564,320 | $199,430 | 11%
5 Year Total Cost Comparison  | $3,106,250    | $2,586,800 | $519,450 | 17%

Table 3

As Table 3 above shows, the cost benefit of an MSSP solution begins to decrease in
the year 3-4 time frame, and then begins to favor the SIEM solution. However, another
important factor to consider is that any SIEM product solution will likely have a usable
life for 4-5 years before a SIEM vendor requires customers to purchase new hardware
appliances, update software versions, or repurchase the solution altogether.

Conclusion

MSSPs can provide real value to organizations of all sizes, giving them the visibility
they need into their environment and the ability to comply with regulations without
the hassles of managing and maintaining an on-premise solution. Solutionary puts
the service in managed security services, operating as an extension of the client’s
internal security team. At Solutionary, clients come first and each employee, from the
management team to the analysts in the SOC, is dedicated to client satisfaction.


Flexible Service Delivery

Understanding and addressing these individual client needs is key to the Solutionary
client-first culture. By gaining a detailed understanding of individual client needs,
Solutionary combines deep security expertise and proven operational processes with
the patented ActiveGuard® service platform to enhance security and address regulatory
compliance.

ActiveGuard Service Platform

The cloud-based, patented ActiveGuard service platform provides powerful cross-
correlation and event-handling capabilities to recognize threats and reduce false
positives, making security more operationally efficient. ActiveGuard is able to accurately
collect and correlate vast amounts of data from virtually any device capable of
producing a log file, including applications, databases, endpoints, firewalls and network
devices. Solutionary combines the superior event-handling capabilities of ActiveGuard
with security intelligence from the Security Engineering Research Team (SERT) and
services provided by analysts in its SOCs.

Purpose-Built for Big Data

ActiveGuard was purpose-built to handle large amounts of disparate data. As
the number of devices that require monitoring has increased, so has the ability of
ActiveGuard to scale. The volume of log data produced by enterprises requires more
scale and better analytics in order to provide intelligence about the information being
gathered. The ability to handle big data of this type is a key component of ActiveGuard.
All Solutionary managed security services clients receive Log Management that
provides one year of log retention for all logs received.

About Solutionary

Solutionary is the leading pure-play managed security services provider. Solutionary
reduces the information security and compliance burden, delivering flexible managed
security services that align with client goals, enhancing organizations’ existing
security program, infrastructure and personnel. The company’s services are based
on experienced security professionals, global threat intelligence from the Solutionary
Security Engineering Research Team (SERT) and the patented ActiveGuard service
platform. Solutionary works as an extension of clients’ internal teams, providing
industry-leading customer service, patented technology, thought leadership, years of
innovation and proprietary certifications that exceed industry standards. This client
focus and dedication to customer service has enabled Solutionary to boast a client
retention rate of over 98%. Solutionary provides 24/7 services to mid-market and
global, enterprise clients through two security operations centers (SOCs) in North
America. For more information, visit www.solutionary.com.

Contact Solutionary at: info@solutionary.com or 866-333-2133, Solutionary.com

Solutionary, Inc., 9420 Underwood Ave., 3rd Floor, Omaha, NE 68114

ActiveGuard® US Patent Numbers: 7,168,093; 7,424,743; 6,988,208; 7,370,359; 7,673,049. Solutionary, the Solutionary
logo, ActiveGuard and the ActiveGuard logo are registered trademarks or service marks of Solutionary, Inc. or its subsidiaries
in the United States. Other marks and brands may be claimed as the property of others. The product plans, specifications
and descriptions herein are provided for information only and subject to change without notice, and are provided without
warranty of any kind, express or implied. Copyright ©2012 Solutionary, Inc.

1100WP 04/12