Light Dark
August 19, 2014 By Michael Sanders 2 min read
Security Services
Intelligence & Analytics
Data Protection

An Open Relationship: Maximizing Value in Security Operations

Like most third-party services, effectively integrating services from a managed security services provider (MSSP) can enhance the value of your organization’s security program. Conversely, poor integration and/or a lack of effective governance can marginalize the effectiveness of your organization’s security operations.

In a well-executed partnership, an MSSP is simply viewed as an extension of the information security organization. An MSSP’s contribution to a security operation depends upon how effectively the partnership is built and maintained.

If you currently rely on a third-party MSSP or are considering engaging one to enable your security operations capability, consider how responsibility for the following functions is distributed and/or shared between the internal (your organization) and external (MSSP) sources:

  • Rule and device administration and management;
  • Security intelligence;
  • Incident/event hunting;
  • Threat monitoring;
  • Threat analysis/impact analysis;
  • Threat triage/investigations;
  • Threat response/incident management; and
  • Emergency response (computer security incident response plan).

Often, organizations will mistakenly expect the MSSP to handle all or most of these functions without their staff being directly involved. Unless the MSSP has agreed to a full-labor-based outsourcing model and fully understands your policies, risk tolerance and executive team preferences on incident handling, it is impractical to expect a third-party MSSP to deliver these functions without your involvement.

In order to effectively plan and design a new process, it is advised to do an integrated design with your MSSP at the beginning of the contact period. One approach for up-front design is to charter a security operations optimization initiative to design the new process and approach.

Managing Security Operations

Structured governance is critical for maximizing the MSSP service’s effectiveness. One mechanism for service management governance includes the availability of a named service manager.

MSSP services typically manage and monitor an environment using centralized shared services (often referred to as a centralized security operations center). As such, much of the day-to-day operational interaction occurs via electronic tickets. In many cases, these tickets are handled by shared resources based upon a skill category and time of day and are not based upon extensive familiarity of a specific customer’s environment.

To maximize success in integrating the service and governing delivery elements, organizations will benefit from regularly communicating with a named service manager. Additionally, the organization and the MSSP can work together to structure a governance plan, which may include regularly scheduled service reviews.

Effective results from investing in an MSSP do not occur on autopilot. Results occur from the mutual efforts of your organization and the MSSP. The process and service management governance are two key elements for success, and effectively integrating the MSSP into an operation’s process is imperative to realizing the value from the relationship.

This article is a four-part series that covers various topics around the value of MSSP relationships, such as integration and governance, threat response process, knowledge of environment and tuning and health. The first part of the series discusses integration and governance. The next blog in the series will discuss the threat response process.

 |  |  | 
Michael Sanders
Program Director, Strategy, Cloud Security Services, IBM Security

More from Security Services
October 12, 2023

How I got started: Attack surface management

4 min read - As the threat landscape multiplies in sophistication and complexity, new roles in cybersecurity are presenting themselves more frequently than ever before. For example, attack surface management. These cybersecurity professionals are responsible for identifying, mapping and securing all external digital assets an organization owns or is connected to. This includes servers, domains, cloud assets and any other digital points that could be exploited by cyber criminals. Their role involves continuously monitoring these assets for vulnerabilities, misconfigurations or other potential security risks…

October 6, 2023

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

October 5, 2023

Does your security program suffer from piecemeal detection and response?

4 min read - Piecemeal Detection and Response (PDR) can manifest in various ways. The most common symptoms of PDR include: Multiple security information and event management (SIEM) tools (e.g., one on-premise and one in the cloud) Spending too much time or energy on integrating detection systems An underperforming security orchestration, automation and response (SOAR) system Only capable of taking automated responses on the endpoint Anomaly detection in silos (e.g., network separate from identity) If any of these symptoms resonate with your organization, it's…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature