20 Questions To Explore With Security-as-a-Service Providers

What is the vendor’s overall philosophy and vision? I don’t think it’s unreasonable for a potential customer to ask for one or two sentences explaining what drives and motivates a Security-as-a-Service vendor to strive for greatness.

What does the vendor offer beyond compliance? It’s easy to collect data required by various regulations but doing something valuable with that data is another matter entirely.

What issues drive the content development process and the day-to-day operational workflow? Please tell me it is driven by understanding the risks and threats my company faces, prioritizing them, and helping me mitigate them.

How is alerting developed, implemented, and maintained? If you’re going to monitor my organization, I deserve to know how exactly you will produce timely, actionable, high-fidelity, low-noise alerting to do so. The last thing I need is for you to deluge my already resource-constrained staff with false positives and busy work.

How will you instrument my network? After all, even the best content development process and alerting logic needs network data to operate on.

How will you instrument my endpoints? This includes traditional endpoints, such as desktops and laptops, as well as newer endpoints, such as smartphones, tablets, and thin clients. Visibility across a wide variety of devices is extremely important to me.

Can you monitor web applications and servers for me? Attackers are opportunistic and won’t merely attack endpoints. If a web application or a server is vulnerable, they will attack it. If this happens, I want to know as soon as possible. Better yet, do you also offer services to help me proactively identify these vulnerable assets before I have an issue?

How will you provide visibility into the infrastructure I have in the cloud, which needs to be monitored just as much as my traditional enterprise does?

How will you provide visibility into my outsourced Software-as-a-Service (SaaS) applications? If there is crime, fraud, data theft, or an insider threat issue, I need that visibility. I can’t be in the dark.

Do you have a centralized portal where I can interact with my own data in an easy-to-use and meaningful manner? Help me see and understand the state of security within my own organization quickly and easily.

What type of data reduction, aggregation, and visualization do you support within this portal? Will you allow me to identify patterns and dig deeper if I want to or need to?

What tools do you provide to allow me to create my own alerting and do my own hunting and investigating if I desire?

What can you offer to help me prevent compromise, in addition to detecting and responding to it?

How can I be sure that you will quickly detect compromise within my organization given the volume and complexity of the data I am providing you?

How do you analyze and investigate alerts? I want to make sure you have good methodologies, firm techniques, and sound expertise.

What process do you have documented around which types of incidents? I want to make sure that if one of many different scenarios were to occur, you are prepared to handle it.

If you do detect a compromise, how will you contain and remediate that compromise? Response procedures are important here, but more than just that, technology to make response as smooth as possible is also important.

What type of reporting do you offer? I need relative metrics that communicate the value you are providing to my leadership. How many tickets you opened and how many AV alerts fired isn’t going to help me here.

How do you provide lessons-learned post-incident to help me learn from my mistakes and continually improve my security posture?

How do you continually iterate, improve, and mature your own capabilities as a provider to ensure that I receive a Security-as-a-Service offering that keeps pace with the changing threat landscape?