A managed security service provider (MSSP) offers outsourced information security services to businesses, small and large. The services offered by MSSPs fall into two clear categories: managed services and monitored services.
Managed services
Managed services typically involve the comprehensive management of one or more security devices (such as firewalls and intrusion detection systems) within the customer's network. A strict service level agreement (SLA) governs the interaction with the customer in terms of change control, recommendations and so on. Typically these services include installing devices, configuring them, updating software and changing rule sets. What managed services should include:
1) Architecture design.
2) System deployment.
3) Configuration management.
4) Software updates.
5) Notification of EOL products.
6) Health and performance monitoring.
These services should be offered for firewalls, network/host intrusion detection and anti-virus.
Monitored services
Monitored services are tailored towards monitoring and analysing events in as close to real time as possible. The events in question are generated by devices and can occur at a number of network access points. It may be helpful to compare the monitoring of a network to the way a physical security company monitors a home: an event occurs when one of the sensors is tripped, setting off an alarm in the control room, to which the company then responds.
The monitoring service is also governed by an SLA, with more emphasis on the intelligent analysis of inputs, alerting and escalation. Analysis refers to the identification of an event, its comparison against a known database of event patterns that make up an incident, and then the interpretation or categorisation of security incidents or alerts in the context of the specific environment. Reporting on correlations and trends is included in the monitoring service.
What monitored services should include:
1) Collection of data - this can be in the form of system logs or agent (device) based collection.
2) Aggregation of data - meaning the aggregation of data from multiple devices into one database.
3) Secure communication - data sent from the customer site to the MSSP must be encrypted in transit.
4) Correlation - the ability to correlate information from various devices.
5) Analysis - the ability to take the data from events, through incidents, to alerts.
6) Escalation - the ability to raise a trouble ticket in order to escalate incidents and track progress to resolution.
These services should be offered for firewalls, network/host intrusion detection and anti-virus.
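The six monitored-service functions above form a pipeline. The following is an added example written for this article, not code from the author or from any MSSP product: it runs collection, aggregation, correlation, analysis and escalation over a handful of constructed firewall and IDS log lines (the device names fw01 and ids01, the log formats, the addresses and the correlation rule are all assumptions made for illustration). Secure communication is not shown; the lines are assumed to have already arrived from the customer site over an encrypted channel.

```python
"""Constructed monitored-service pipeline: collection -> aggregation ->
correlation -> analysis -> escalation. Illustrative only, not an MSSP product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from hypothetical devices fw01 and ids01 (not
# from the article). Assumed to have reached us over an encrypted channel.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:03 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2024-05-01T10:00:04 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2024-05-01T10:00:06 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=80",
    "2024-05-01T10:00:09 ids01 ALERT sid=2100498 src=203.0.113.7 dst=10.0.0.5 msg=WEB-ATTACK",
    "2024-05-01T10:01:00 fw01 DENY src=198.51.100.2 dst=10.0.0.9 dport=3389",
    "2024-05-01T10:02:00 fw01 ALLOW src=192.0.2.44 dst=10.0.0.9 dport=443",
    "garbage line that no parser understands",
]

# Assumed (hypothetical) log formats for the two device types.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) ALERT sid=(?P<sid>\d+) "
                    r"src=(?P<src>\S+) dst=(?P<dst>\S+) msg=(?P<msg>\S+)$")

WINDOW = timedelta(minutes=5)   # correlation window (assumed value)
DENY_THRESHOLD = 3              # denies from one source that count as a scan


def collect(lines):
    """Collection: parse raw device output into normalised event dicts.
    Lines no parser understands are kept as 'unparsed' rather than dropped."""
    events = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "device": m["host"],
                           "kind": "fw_" + m["action"].lower(), "src": m["src"],
                           "dst": m["dst"], "detail": "dport=" + m["dport"]})
            continue
        m = IDS_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "device": m["host"],
                           "kind": "ids_alert", "src": m["src"],
                           "dst": m["dst"], "detail": m["msg"]})
            continue
        events.append({"ts": None, "device": None, "kind": "unparsed",
                       "src": None, "dst": None, "detail": line})
    return events


def aggregate(*feeds):
    """Aggregation: merge per-device feeds into one time-ordered store."""
    merged = [e for feed in feeds for e in feed if e["kind"] != "unparsed"]
    return sorted(merged, key=lambda e: e["ts"])


def correlate(events):
    """Correlation: an IDS alert preceded within WINDOW by DENY_THRESHOLD or
    more firewall denies from the same source becomes one incident."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        denies = [e for e in evs if e["kind"] == "fw_deny"]
        for a in (e for e in evs if e["kind"] == "ids_alert"):
            recent = [d for d in denies if a["ts"] - WINDOW <= d["ts"] <= a["ts"]]
            if len(recent) >= DENY_THRESHOLD:
                incidents.append({"src": src, "dst": a["dst"], "denies": len(recent),
                                  "signature": a["detail"],
                                  "devices": sorted({e["device"] for e in recent + [a]}),
                                  "first": recent[0]["ts"], "last": a["ts"]})
    return incidents


def analyse(incidents, events):
    """Analysis: categorise each incident and grade it. If the firewall also
    ALLOWED traffic from the source to the target, the attack traffic reached
    the host, so the alert is graded high; otherwise medium."""
    alerts = []
    for inc in incidents:
        reached = any(e["kind"] == "fw_allow" and e["src"] == inc["src"]
                      and e["dst"] == inc["dst"] for e in events)
        alerts.append({**inc, "category": "scan-then-attack",
                       "severity": "high" if reached else "medium"})
    return alerts


class TicketQueue:
    """Escalation: raise a trouble ticket per alert and track its status."""
    def __init__(self):
        self.tickets = []

    def escalate(self, alert):
        ticket = {"id": f"INC-{len(self.tickets) + 1:04d}", "status": "open", "alert": alert}
        self.tickets.append(ticket)
        return ticket

    def update(self, ticket_id, status):
        for t in self.tickets:
            if t["id"] == ticket_id:
                t["status"] = status
                return t
        raise KeyError(ticket_id)


def run_pipeline(lines):
    """Run the whole chain and return the ticket queue."""
    events = aggregate(collect(lines))
    queue = TicketQueue()
    for alert in analyse(correlate(events), events):
        queue.escalate(alert)
    return queue


if __name__ == "__main__":
    for t in run_pipeline(SAMPLE_LOGS).tickets:
        a = t["alert"]
        print(f'{t["id"]} {t["status"]} {a["severity"]} src={a["src"]} dst={a["dst"]} '
              f'denies={a["denies"]} sig={a["signature"]} devices={a["devices"]}')
```

On the sample data the three denies from 203.0.113.7 followed by an IDS signature on an allowed connection to the same host produce one high-severity ticket, while the single deny from 198.51.100.2 never becomes an incident. The point of the structure is that each stage is a separate function with a plain data interface, so a real service can swap in different parsers, a real database, a richer rule set or an external ticketing system without changing the others.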
For more information contact Chris Davis, NamITrust, 011 458 0081, [email protected], www.namitech.com
© Technews Publishing (Pty) Ltd. | All Rights Reserved.