How To Pick The Best MSSP For Your SMB

Understand your risk environment, look closely at SLAs, and verify performance through audits and reporting

SMBs tend to suffer from the "How do you know what you don't know?" syndrome when it comes to figuring out what exactly they need from managed security service providers (MSSPs). But as tempting as it would be to simply throw a vague RFP out to the winds and hope for the best vendor, that type of approach opens up the business to a world of hurt.

"[SMBs] -- not providers -- are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider," warns Dwayne Me, CTO of Tripwire.

That is why it is so important for an SMB to really understand what it needs an MSSP for, to thoroughly investigate and evaluate potential service providers and to set up rules of engagement that will give the organization the best risk mitigation for its MSSP spend.

Understanding Needs
SMBs that engage with potential security service providers before they really understand where their biggest risks lie put themselves in a tricky spot.

"Due to lack of internal resources, they let the MSSP or security service guide tell them what they need," says Andrew McAllister, managing director of Resolute IT Services. "It should be the other way around."

[What kind of security services will suit your SMB? See Six Security Services Every Small Business Must Have.]

If the SMB lacks the internal resources to evaluate needs, then it could pay dividends to hire two firms: an independent third party to evaluate your needs and another vendor to fill them.

"If you're getting your needs evaluated from the person selling you the service, you are in serious trouble," says Matt Malone, consultant for Assero Security. "Never have the fox build the hen house, then guard it. Often a third-party evaluator will end up saving you money."

Regardless of whether you have someone in-house or outsourced to do the risk assessment, the idea is to develop a basic security plan that's lined up with the way the business works.

"Map out business processes that the company uses. Then the technology can be mapped against the business processes," McAllister says. "The company should then analyze based on company policies, government regulations, resources, budget, risk appetite what their security needs are, what is currently covered in-house, and what needs to be shored up."

Evaluating Offerings
First things first: It might be tempting to just hire your normal managed service provider to handle the security work, too, but don't do it reflexively, warns Dominique Karg, co-founder of AlienVault.

"You can have someone who's good at setting up your network, upgrading your Windows machines, and configuring your printer, and they might see security as a good way to increase market presence," Karg says, "but not be skilled in it."

Often one of the big mistakes SMBs make when going after an MSSP is not really understanding what's managed in the bargain, says Brian Herman, vice president of managed security sales at StillSecure.

"MSSP offerings can vary from basic management -- handling updates and requested changes -- to much more advanced management with active security event monitoring and response by security professionals," Herman says.

At the most basic level, a prospective service provider should be able to capably explain to an SMB executive the whys and hows of its offerings in plain English.

"If I were an SMB looking at a prospective MSSP, I would ask them why they are securing the things they are securing," says Justin Strong, senior global product marketing manager for Novell. "If an MSSP cannot explain in terms that matter to me, they don't know my business well enough to secure it."

But looking under the covers, the service provider needs a service-level agreement (SLA) that backs up its claims. Security experts across the board say that reading through an MSSP's SLA terms with a fine-toothed comb is one of the most essential parts of evaluating prospective service providers.

"Read the SLA. Check with existing customers [to see] if they're meeting the SLA conditions," says Pierluigi Stella, chief technology officer of Network Box USA. "Ensure the SLA has acceptable terms. And read it, really! You have no idea what you may find hidden within the fine print!"

Performance language is a dead giveaway to potential gotchas.

"Many MSSPs have loosely defined performance clauses that easily get them off the hook in the event of a security breach," says Greg Grant of ControlScan Managed Security Services. "Not only should the MSSP's SLA include language around 'uptime,' it should also be very clear on what security duties the company will perform and in what time frames."

Grant warns SMBs to watch out for SLAs that focus on detection rather than prevention. These types of services may be better suited for larger companies that have trained in-house staff ready to deal with the threat, he says.

"SMBs typically don't fall into this category and need preventative services," he says. "In other words, if the MSSP requires participation on the part of the client and they don't have resources to assist, it's not a good fit."

As important as SLAs are, though, it is important not to lose sight of the forest for the trees. A big part of working with an MSSP is finding one that understands the organization's business and can tailor its services accordingly. This means evaluating the service provider's business as a whole and doing the necessary reference legwork to make sure it keeps its customers satisfied.

"Some people treat the SMB space as its own vertical or industry segment -- it is not. A retailer with 100 employees is not the same as an intellectual property legal practice with 100 employees," Strong says. "While there is enormous overlap on what things are being secured and how, what I would want to have is an MSSP that knows what keeps me up at night and makes it as easy as possible to implement the right security policies for me."

As a company evaluates service providers, reference calls are crucial. As an added twist, dig deep into a company's references.

"Ask for MSSP clients that have left, not current ones," says Ken Stasiak, CEO of SecureState.

Setting Rules Of Engagement
Once an organization finds the right service provider, it is crucial to set the right rules of engagement -- and get those rules in writing. In addition to having solid SLA terms, contract language that allows for an easy exit will ensure you're not on the hook if things go south -- and it offers a bit more negotiation leverage if the provider knows it doesn't have you on the hook.

"Have a contract that allows you to exit if the deliverables that you are getting are not what you expected or don't match what was promised," says Jeremy Littlejohn, chief analyst and co-founder of MyITAssessment. "Of course, this means you needed to clearly define the deliverables ahead of time. 'Keeping you secure' is not a deliverable."

One of those deliverables should be regular, detailed reporting, Grant says, a requirement that grows in importance if the SMB is under any kind of compliance scrutiny by regulators or customers that have to answer to regulators.

"The business owner should receive reports that contain actionable information, not a bunch of technical data that means nothing to them," he says. "Reporting should provide clear steps and processes to help ensure tight security and, if possible, provide information relative to physical security as well."

Finally, SMBs would do well to build a right-to-audit clause into the contract, Stasiak suggests.

"[Perform] blind tests to determine if the service provider is performing as intended, especially if the MSSP is monitoring systems and/or processes," he says.

If the service provider insists that it has internal audits to prove its controls, press hard for third-party inspection and make that investment regularly, says Stella, who suggests quarterly audits. It may be easier to have the MSSP do scans or pen tests themselves, but this is not the most secure route.

"SMBs are notorious for using one vendor for all services. They trust the MSSP, and it is easy. However, many times the MSSP is auditing or testing themselves," Stasiak says. "If they are performing external monitoring, do not have them do external scans or penetration testing."
