How To Pick The Best MSSP For Your SMB

Understand your risk environment, look closely at SLAs, and verify performance through audits and reporting

SMBs tend to suffer from the "How do you know what you don't know?" syndrome when it comes to figuring out what exactly they need from managed security service providers (MSSPs). But as tempting as it would be to simply throw a vague RFP out to the winds and hope for the best vendor, that type of approach opens up the business to a world of hurt.

"[SMBs] -- not providers -- are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider," warns Dwayne Me, CTO of Tripwire.

That is why it is so important for an SMB to really understand what it needs an MSSP for, to thoroughly investigate and evaluate potential service providers and to set up rules of engagement that will give the organization the best risk mitigation for its MSSP spend.

Understanding Needs
SMBs engaging with potential security service providers before they even really understand where their biggest risks are puts them in a tricky spot.

"Due to lack of internal resources, they let the MSSP or security service guide tell them what they need," says Andrew McAllister, managing director of Resolute IT Services. "It should be the other way around."

[What kind of security services will suit your SMB? See Six Security Services Every Small Business Must Have.]

If the SMB lacks the internal resources to evaluate needs, then it could pay dividends to hire two firms: an independent third party to evaluate your needs and another vendor to fill them.

"If you're getting your needs evaluated from the person selling you the service, you are in serious trouble," says Matt Malone, consultant for Assero Security. "Never have the fox build the hen house, then guard it. Often a third-party evaluator will end up saving you money."

Regardless of whether you have someone in-house or outsourced to do the risk assessment, the idea is to develop a basic security plan that's lined up with the way the business works.

"Map out business processes that the company uses. Then the technology can be mapped against the business processes," McAllister says. "The company should then analyze based on company policies, government regulations, resources, budget, risk appetite what their security needs are, what is currently covered in-house, and what needs to be shored up."

Evaluating Offerings
First things first: It might be tempting to just hire your normal managed service provider to handle the security work, too, but don't do it reflexively, warns Dominique Karg, co-founder of AlienVault.

"You can have someone who's good at setting up your network, upgrading your Windows machines, and configuring your printer, and they might see security as a good way to increase market presence," Karg says, "but not be skilled in it."

Often one of the big mistakes SMBs make when going after an MSSP is not really understanding what's managed in the bargain, says Brian Herman, vice president of managed security sales at StillSecure.

"MSSP offerings can vary from basic management -- handling updates and requested changes -- to much more advanced management with active security event monitoring and response by security professionals," Herman says.

At the most basic level, a prospective service provider should be able to capably explain to an SMB executive the whys and hows of its offerings in plain English.

"If I were an SMB looking at a prospective MSSP, I would ask them why they are securing the things they are securing," says Justin Strong, senior global product marketing manager for Novell. "If an MSSP cannot explain in terms that matter to me, they don't know my business well enough to secure it."

But looking under the covers, the service provider needs a service-level agreement (SLA) that backs up its claims. Security experts across the board say that reading through an MSSP's SLA terms with a fine-toothed comb is one of the most essential parts of evaluating prospective service providers.

"Read the SLA. Check with existing customers [to see] if they're meeting the SLA conditions," says Pierluigi Stella, chief technology officer of Network Box USA. "Ensure the SLA has acceptable terms. And read it, really! You have no idea what you may find hidden within the fine print!"

Performance language is a dead giveaway to potential gotchas.

"Many MSSPs have loosely defined performance clauses that easily get them off the hook in the event of a security breach," says Greg Grant of ControlScan Managed Security Services. "Not only should the MSSP's SLA include language around 'uptime,' it should also be very clear on what security duties the company will perform and in what time frames."

Grant warns SMBs to watch out for SLAs that focus on detection rather than prevention. These types of services may be better suited for larger companies that have trained in-house staff ready to deal with the threat, he says.

"SMBs typically don't fall into this category and need preventative services," he says. "In other words, if the MSSP requires participation on the part of the client and they don't have resources to assist, it's not a good fit."

As important as SLAs are, though, it is important not to lose sight of the forest for the trees. A big part of working with an MSSP is finding one that understands the organization's business and can tailor its services accordingly. This means evaluating the service provider's business as a whole and doing the necessary reference legwork to make sure it keeps its customers satisfied.

"Some people treat the SMB space as its own vertical or industry segment -- it is not. A retailer with 100 employees is not the same as an intellectual property legal practice with 100 employees," Strong says. "While there is enormous overlap on what things are being secured and how, what I would want to have is an MSSP that knows what keeps me up at night and makes it as easy as possible to implement the right security policies for me."

As a company evaluates service providers, reference calls are crucial. As an added twist, dig deep into a company's references.

"Ask for MSSP clients that have left, not current ones," says Ken Stasiak, CEO of SecureState.

Setting Rules Of Engagement
Once an organization finds the right service provider, it is crucial to set the right rules of engagement -- and get those rules in writing. In addition to having solid SLA terms, contract language that allows for an easy exit will ensure you're not on the hook if things go south -- and it offers a bit more negotiation leverage if the provider knows it can't lock you in.

"Have a contract that allows you to exit if the deliverables that you are getting are not what you expected or don't match what was promised," says Jeremy Littlejohn, chief analyst and co-founder of MyITAssessment. "Of course, this means you needed to clearly define the deliverables ahead of time. 'Keeping you secure' is not a deliverable."

One of those deliverables should be regular, detailed reporting, Grant says, a requirement that grows in importance if the SMB is under any kind of compliance scrutiny by regulators or customers that have to answer to regulators.

"The business owner should receive reports that contain actionable information, not a bunch of technical data that means nothing to them," he says. "Reporting should provide clear steps and processes to help ensure tight security and, if possible, provide information relative to physical security as well."

Finally, SMBs would do well to build a right-to-audit clause into the contract, Stasiak suggests.

"[Perform] blind tests to determine if the service provider is performing as intended, especially if the MSSP is monitoring systems and/or processes," he says.

If the service provider insists that it has internal audits to prove its controls, press hard for third-party inspection and make that investment regularly, says Stella, who suggests quarterly audits. It may be easier to have the MSSP do scans or pen tests themselves, but this is not the most secure route.

"SMBs are notorious for using one vendor for all services. They trust the MSSP, and it is easy. However, many times the MSSP is auditing or testing themselves," Stasiak says. "If they are performing external monitoring, do not have them do external scans or penetration testing."
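Two of the checks recommended above, measuring whether the MSSP meets the time frames written into its SLA and running blind tests to see whether injected events actually get ticketed, can be scored from the provider's own ticket export. The following script is an added example, not code from the article or from any vendor quoted in it: the SLA targets, the CSV column layout and every ticket row are constructed for illustration, and the `BLIND-*` markers stand in for whatever tag the customer uses to recognize its own injected test events.

```python
"""Score an MSSP ticket export against SLA time frames and blind-test coverage.

Added example with constructed data; the SLA targets and the export format
are assumptions, not terms from any real contract or vendor portal.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Hypothetical SLA: maximum minutes allowed between the MSSP detecting an event
# and notifying the customer, per severity. Numbers are invented for the example.
SLA_NOTIFY_MINUTES = {"critical": 15, "high": 60, "medium": 240, "low": 1440}

# Constructed ticket export imitating a customer-downloadable report.
# An empty notified_at means the customer was never told; a non-empty marker
# means the event was one the customer injected as a blind test.
SAMPLE_EXPORT = """\
ticket_id,severity,detected_at,notified_at,marker
T-1001,critical,2014-10-01T02:10:00,2014-10-01T02:20:00,
T-1002,high,2014-10-01T09:00:00,2014-10-01T10:30:00,
T-1003,medium,2014-10-02T11:00:00,,
T-1004,critical,2014-10-03T15:00:00,2014-10-03T15:05:00,BLIND-7A
T-1005,low,2014-10-04T08:00:00,2014-10-04T20:00:00,
T-1006,high,2014-10-05T13:00:00,2014-10-05T13:45:00,BLIND-3C
"""


@dataclass
class Ticket:
    ticket_id: str
    severity: str
    detected_at: datetime
    notified_at: Optional[datetime]  # None: customer never notified
    marker: str                      # non-empty for customer-injected blind tests


def parse_export(text):
    """Parse the CSV export into Ticket objects."""
    tickets = []
    for row in csv.DictReader(io.StringIO(text)):
        tickets.append(Ticket(
            ticket_id=row["ticket_id"],
            severity=row["severity"].strip().lower(),
            detected_at=datetime.fromisoformat(row["detected_at"]),
            notified_at=(datetime.fromisoformat(row["notified_at"])
                         if row["notified_at"] else None),
            marker=row["marker"].strip(),
        ))
    return tickets


def notify_delay_minutes(ticket):
    """Minutes from detection to customer notification, or None if never notified."""
    if ticket.notified_at is None:
        return None
    return (ticket.notified_at - ticket.detected_at).total_seconds() / 60


def sla_breaches(tickets, sla=SLA_NOTIFY_MINUTES):
    """Return {ticket_id: reason} for every ticket that misses the notification SLA.

    A severity with no SLA target is reported as a breach too: a duty the
    contract does not put a time frame on cannot be measured, which is the
    kind of loosely defined clause the article warns about.
    """
    breaches = {}
    for t in tickets:
        limit = sla.get(t.severity)
        delay = notify_delay_minutes(t)
        if limit is None:
            breaches[t.ticket_id] = f"severity '{t.severity}' has no SLA target"
        elif delay is None:
            breaches[t.ticket_id] = "never notified"
        elif delay > limit:
            breaches[t.ticket_id] = f"notified after {delay:.0f} min, limit {limit}"
    return breaches


def blind_test_coverage(tickets, injected_markers):
    """Fraction of customer-injected test events the MSSP ticketed, and the misses.

    injected_markers is the customer's own record of what it planted; the MSSP
    is not told about it in advance, which is what makes the test blind.
    """
    if not injected_markers:
        return 0.0, []
    seen = {t.marker for t in tickets if t.marker}
    missed = sorted(set(injected_markers) - seen)
    rate = (len(injected_markers) - len(missed)) / len(injected_markers)
    return rate, missed


if __name__ == "__main__":
    tix = parse_export(SAMPLE_EXPORT)
    for tid, why in sla_breaches(tix).items():
        print(f"SLA breach {tid}: {why}")
    rate, missed = blind_test_coverage(tix, ["BLIND-7A", "BLIND-3C", "BLIND-9F"])
    print(f"blind-test coverage {rate:.0%}, missed {missed}")
```

Run against a real export, the breach list is the evidence to bring to the quarterly review, and a falling blind-test coverage rate is the signal that the "monitoring" the SLA promises is not happening in practice. Both numbers stay meaningful only if the injected markers are kept out of the provider's hands until after the test window closes.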
