Best practices in IT security co-management
How to leverage a meaningful security partnership to advance business goals
Whitepaper
Make Security Possible

Table of Contents
The rise of co-management ... 3
In the beginning: the rise of MSSPs ... 3
Unique solutions for unique organizations ... 3
The power of partnership ... 4
Making connections ... 4
Co-management best practices ... 4
Technology shouldn't matter ... 4
The best providers invest in themselves ... 5
Final notes ... 5
8 questions for your potential co-management partner ... 6

"When we talk about co-management, it's not just about a technology. It's about enabling organizations to get the maximum return on their existing technology investments, while advancing their security for the future."
Brian Murphy, President & CEO, ReliaQuest
The rise of co-management

When it comes to effective IT security, having the right tools is just the beginning. Regardless of an organization's size or sophistication, security tools can only go so far given the ever-changing nature of IT security. Today's security teams must leverage a fusion of technology, highly skilled experts and adaptable processes. The best way to bring these elements together is through co-management.

In the beginning: the rise of MSSPs

Recognizing the labor-intensive nature of modern security tools and technology, most organizations know that it is not feasible to have one internal team responsible for managing them. As a result, most organizations have turned to third-party service providers to help with day-to-day alerts and updates.

In the early years of IT security, it was assumed that the traditional managed service model used with other corporate tools or technologies could simply be adapted to security. From this assumption emerged an entire industry of Managed Security Service Providers (MSSPs) that promised a one-size-fits-all solution.

But security technologies are not your average IT tools. Effective security tools must integrate massive amounts of data with sensitive business nuances. They must be as dynamic as the rapidly shifting IT security landscape, and they require constant, 24/7 monitoring and maintenance. The inflexible nature of most MSSPs means that solutions cannot be tailored to a customer's specific environment or risk profile. MSSPs also require organizations to transfer all their log data offsite to the MSSP, which raises a host of obvious security and visibility issues. Additionally, there is often a lack of clearly defined roles between the MSSP and the in-house security team. All this creates a recipe for inefficiency and conflict.

Unique solutions for unique organizations

Every organization is unique. Even those in the same industry often operate very differently and have different security goals.
Effective IT security should take into account not only the basic security needs within one particular industry, but also specific user intent, informed by specific business context. Few traditional third-party service providers have the expertise or bandwidth to address these needs.

Imagine if a doctor diagnosed and treated every patient in the same demographic group exactly the same way. How effective could a medical treatment be without factoring in a person's own history, allergies, genetics or lifestyle? It's the same in security. MSSPs treat each company in the same industry the same way, without taking into consideration the company's distinctive tools, team, threat landscape or goals. What may seem like a security concern in one environment might be a daily operating function in another. And while an understanding of threats common to a particular industry is certainly useful, it is impractical to use this generalized information alone to inform the day-to-day security tactics of complex organizations.

The issue is simple: no service provider will ever know the customer's environment as well as the customer does without actively working in that environment day in and day out. No service provider will ever be equipped to effectively guide a customer's security strategy without taking the time to comprehensively review the subtleties of that particular organization's threat landscape.

Organizations that still use traditional MSSP partners often spend more time wading through false-positive alerts that are not relevant to their particular organization than taking action to proactively protect their organization's most precious assets. While preset alerts trigger over and over again, important information is missed. Over time, the MSSP becomes more of a burden than a benefit. In a best-case scenario, it merely serves the role of a superficial box-check for compliance purposes, rather than providing the meaningful value add that the team may have initially envisioned.
The power of partnership

Co-management providers are designed to fully integrate with organizations' existing security and IT operations teams. This personalized partnership allows teams to work together to build custom processes and solutions to address specific business nuances. Co-management's role-based model clearly outlines the rules and objectives for each involved party, tailored to each specific customer. This adaptable approach is a more practical way for organizations to continually evolve their security strategies within the rapidly changing security landscape.

Rather than removing data logs to perform an external analysis independent of the customer's security team, co-management providers actively monitor the data within the customer's own environment alongside the security team in real time, using techniques customized to that particular organization. This model removes the black-box nature of outsourced security and creates a sustainable partnership capable of evolving over time.

An effective co-management provider will connect directly into the customer's environment using a secure connection from one or more Security Operations Centers (SOCs). A site visit, verification of the connection and verification of compliance audits can provide assurance of this ability. This active connectivity, coupled with participation in team meetings and check-ins around each shift, helps the provider become a true extension of the customer team, a relationship that is only strengthened over time.

Making connections

How useful are multiple sources of data if they are not sufficiently connected? Data from any one point technology is often interdependent with a number of other tools or functions within an organization's environment. These connections constantly change with the introduction of new technologies, new business functions or new users, which necessitates ongoing updates and troubleshooting. With traditional MSSPs working at arm's length from the customer environment, the customer often becomes a broker between the MSSP, product manufacturers, and even the customer's own IT infrastructure team when trying to resolve problems.

Co-management best practices

Technology shouldn't matter

Security professionals, processes, and technologies don't work in a vacuum. Everything is interconnected and interdependent within an entire organization. In this way, security and IT teams act as service providers to the business as a whole. Effective co-management must encompass more than solitary technologies or processes.

Many software manufacturers offer co-managed and managed services around their own products. The problem with these services is that they only apply to one specific technology. Effective ongoing co-management requires expertise and experience in a wide range of processes and technologies. A prime example is in the security information and event management (SIEM) technology space. Many SIEM manufacturers sell the hardware and software and then overlay a service offering to monitor and manage the technology on an ongoing basis. However, when a customer's environment requires the service provider to oversee another process or technology, it falls outside the provider's scope of services.

Co-management is different. Security experts can be immediately available for a customer's needs, regardless of the technology. This concept requires service providers to connect into customer environments through their own Security Operations Center (SOC) and lab environments, where customers can test new products, upgrades, patches, and custom scripts.
The best providers invest in themselves

Not all co-management services are created equal. Many companies selling co-management services have very little experience as security service providers and try to cut the costs of around-the-clock management by leveraging third-party workforces. This means the customer has no assurance of the provider team's experience, training or certifications.

Those manufacturers and service providers who do not use third parties may still operate in less than stellar security environments. These providers often work out of virtual SOCs, meaning that any engineer can connect to a customer environment from anywhere. While this may sound convenient, there is no way for the customer to ensure that access to their environment is being adequately protected. As a result, these environments often do not meet compliance requirements.

True co-management partners invest in and maintain their own proper SOC and lab environments, which ensures effective protections and positions a company to advance its security over time. Additionally, a focus on continuous advancement of individual team members also allows the best security providers to stay ahead and provide continuity of services to their customers. If the provider isn't willing to invest in the development of its own services, infrastructure and people, what does that say about its commitment to the betterment of your organization?

Final notes

The definition of co-management continues to evolve in the right direction. Service providers and organizations of all sizes are expanding the capability of these offerings in a way that can help advance the overall security of complex organizations. People, processes and technology will always represent the keys to effective security, with partnership models leading the way.

Visit www.reliaquest.com to learn more about our collaborative co-management approach.
8 questions for your potential co-management partner

STEP 1
Can the provider send you a current SSAE 16 SOC 2 Type 2 (continuous) report? In some cases they may have an SSAE 16 SOC 2 Type 1 (point-in-time) report, but that is not enough. At the very least, they should have a SOC 2 Type 2 audit scheduled, confirmed by the third-party audit firm performing the assessment. If they aren't investing in their own security, how much will they invest in your organization's security?

STEP 2
Do they have a state-of-the-art Security Operations Center (SOC) where they perform all shifts of their 24/7/365 co-managed services? Does the SOC facility meet the compliance, training, and facility requirements required by U.S.-based auditing and compliance standards?

STEP 3
Can they describe in detail the distinctive roles in their security environment and their strategies for hiring, retention, training and development? Without a focus on people, organizations are left with inexperienced teams or frequent turnover. A robust training program ensures that security solutions can get smarter over time, even as security challenges change.

STEP 4
Do they have a proven engineering infrastructure? Having experienced security engineers on hand is critical to being able to maintain the wide range of technology that exists in the customer environment. This can be verified with targeted reference checks.

STEP 5
Are they constantly logged in to their customer environments, or do they passively rely on alerts to notify them of potential issues? Having a service provider who is actively engaged will allow your organization's team to focus on other business-critical tasks.

STEP 6
Are their capabilities limited to one specific manufacturer or point technology? An effective co-management partner should be able to provide references across multiple technologies and technology categories. For example, if they are offering to co-manage SIEM, they should be able to give references for multiple SIEM technologies they are currently co-managing. The same goes for a service that claims to only manage SIEM. What good does that do if the SIEM isn't the problem? If they only know SIEM, how can they write the content and rules you need to import logs from other point products that exist in your environment? They shouldn't just be relying on the out-of-the-box connectors built by the manufacturer. They should be able to provide examples of customer content and rules built using their own expertise while tying in to technology APIs.

STEP 7
A service provider should be able to walk through a library of custom content they have built and should be able to explain how it can be tailored to enhance your specific environment. They should also have a lab environment to test and refine the various technologies with which they'll be working.

STEP 8
The easiest way an organization can get to know a service provider is to visit their SOC facilities. Any legitimate provider will pay to fly an organization in for a tour. You should feel comfortable with the ability of the facility and its team to serve as a true extension of your organization.

© 2017 ReliaQuest, Inc. All Rights Reserved. ReliaQuest, the ReliaQuest logo, RQ Labs, and RQ University are trademarks or registered trademarks of ReliaQuest, Inc. in the US and/or other countries. All other product names and/or slogans mentioned herein may be trademarks or registered trademarks of their respective companies. All other information presented here is subject to change and intended for general information.