Rothman has a great post about why someone may choose a managed security services provider (MSSP), and the comments are excellent. I’d certainly read more about people’s experiences with MSSPs, both from the vendors and from the customers.
I’m pretty skeptical of the value, but I totally agree with Rothman’s bullet points on why you’d go with one. Really, I think there are good reasons, and the best might be offloading the lower-hanging alerts and events to someone else and then blending what’s left into internal staff (the hybrid approach). But I just have a lot of skepticism about the value that could be provided to anything but the smallest businesses and the largest enterprises, or those that have an extremely big interest in being solid with security (e.g. banks).
My skepticism comes from the convergence of operations and security, where operational changes may influence security events and visibility. For instance, IPS visibility drops because operations needed the SPAN port for a while. Or the SOC team can’t investigate an incident properly because they’re an outside entity without any real access to the customer’s devices. Or the network layout is changed in a way that creates gaps the SOC team has no chance to anticipate.
Part of my skepticism is also my distance from the tasks at hand. I often imagine an MSSP SOC as little more than a smarter, more efficient, but less powerful automated alerting mechanism. Sure, my IPS and AV and SIEM can log and interpret and send me alerts on important issues, but what is my MSSP going to give me beyond that stuff in the first place? Are they going to decide that all that ARP crap on my network isn’t worth 10k false alarms a day? Are they going to know that all those UDP connections opening at 9pm every night are tied to a single automated SQL job? Are they going to know that a Slapper alert on my firewall is useless because I don’t run Apache, or vice versa?
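To make the point concrete, here is an added example (not from the original post, and not any MSSP’s tooling) of the local-context tuning layer those three questions are really asking for: an asset inventory that says which hosts actually run Apache, an allowlist for the 9pm SQL job, and a rule that drops internal ARP chatter. The hosts, addresses, job name and alerts are all constructed for the example; the point is how much site-specific knowledge has to be encoded before an alert stream means anything to whoever is watching it.

```python
"""Context-aware alert triage: the local knowledge an outside SOC usually lacks.

Everything below (hosts, addresses, jobs, alerts) is constructed for this
example and does not describe a real network.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    ts: datetime
    signature: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


# --- Hypothetical local context -------------------------------------------
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Asset inventory: what each host actually runs. Without this, a Slapper
# alert against an nginx box looks exactly like one against Apache.
ASSETS: Dict[str, dict] = {
    "10.0.0.20": {"name": "web01", "services": {"http": "nginx"}},
    "10.0.0.30": {"name": "db01", "services": {"mssql": "sqlserver"}},
    "10.0.0.40": {"name": "web02", "services": {"http": "apache"}},
}

# Known scheduled jobs whose traffic looks odd out of context.
SCHEDULED_JOBS = [
    {"name": "nightly SQL export", "src": "10.0.0.30", "dst": "10.0.0.50",
     "proto": "udp", "dport": 2049, "hours": range(21, 22)},
]

# Signatures that only matter when the target runs the affected software.
SIGNATURE_PRECONDITIONS: Dict[str, Callable[[dict], bool]] = {
    "Slapper": lambda asset: asset["services"].get("http") == "apache",
}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def matches_job(alert: Alert) -> Optional[str]:
    """Return the job name if this alert is explained by a scheduled job."""
    for job in SCHEDULED_JOBS:
        if (alert.src == job["src"] and alert.dst == job["dst"]
                and alert.proto.lower() == job["proto"]
                and alert.dport == job["dport"]
                and alert.ts.hour in job["hours"]):
            return job["name"]
    return None


def triage(alert: Alert) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'suppress' or 'escalate'."""
    # 1. Internal ARP chatter: the "10k false alarms a day" problem.
    if (alert.signature.startswith("ARP")
            and is_internal(alert.src) and is_internal(alert.dst)):
        return "suppress", "internal ARP noise"
    # 2. Traffic that belongs to a known scheduled job, at its usual hour.
    job = matches_job(alert)
    if job:
        return "suppress", f"scheduled job: {job}"
    # 3. Signature-specific preconditions checked against the inventory.
    precondition = SIGNATURE_PRECONDITIONS.get(alert.signature)
    if precondition is not None:
        asset = ASSETS.get(alert.dst)
        if asset is None:
            # Unknown host: no context, so we cannot rule it out.
            return "escalate", "unknown asset, cannot rule out"
        if not precondition(asset):
            return "suppress", f"{asset['name']} does not run the affected software"
    return "escalate", "no local context explains this"


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count verdicts over a batch of alerts."""
    counts: Dict[str, int] = {"suppress": 0, "escalate": 0}
    for alert in alerts:
        counts[triage(alert)[0]] += 1
    return counts


if __name__ == "__main__":
    sample = [  # constructed alerts
        Alert(datetime(2024, 1, 1, 9, 0), "ARP cache overwrite", "10.0.0.5", "10.0.0.6", "arp"),
        Alert(datetime(2024, 1, 1, 21, 5), "Unusual UDP burst", "10.0.0.30", "10.0.0.50", "udp", 2049),
        Alert(datetime(2024, 1, 1, 14, 0), "Unusual UDP burst", "10.0.0.30", "10.0.0.50", "udp", 2049),
        Alert(datetime(2024, 1, 1, 3, 0), "Slapper", "198.51.100.7", "10.0.0.20", "tcp", 443),
        Alert(datetime(2024, 1, 1, 3, 0), "Slapper", "198.51.100.7", "10.0.0.40", "tcp", 443),
    ]
    for a in sample:
        print(a.signature, a.dst, *triage(a))
    print(summarize(sample))
```

The same UDP burst is suppressed at 21:05 and escalated at 14:00, and the same Slapper signature is suppressed against the nginx host but escalated against the Apache one and against anything not in the inventory. None of those decisions can be made from the alert alone, which is exactly the knowledge an outside SOC has to be handed, and kept current on, before it can do better than the raw IPS feed.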
It just seems tough to me to think an MSSP SOC is going to be very effective except against the most obvious stuff, and even then with lots of luck.
It sort of sounds like a DLP solution. 🙂