Introduction to Managed Security Services
Organizations nowadays use a plethora of solutions like IdM, Access Managers, SSO, Firewalls, Intrusion Detection Systems and Intrusion Prevention Systems. These solutions generate a flood of information in the form of alerts and log messages, each with its own context and no standardized format, and it is this very information that needs to be analysed if one is to detect sophisticated modern-day cyber threats. Ensuring conformance to compliance regulations adds further overhead.
This is exactly the pain point that the SIEM class of solutions emerged to address. A SIEM aggregates and correlates all the security information generated across these systems and thus provides the capability to gain complete visibility into a network.
But not all security incidents can be detected by rule-based correlation. SIEM solutions are also limited in their ability to identify and initiate appropriate responses to remediate threats, and until the emergence of Artificial Intelligence, no amount of automation can replace a seasoned Security Analyst.
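The aggregation and correlation described above, as an added example that is not part of the original article: two constructed log formats (a syslog-style firewall line and a JSON event from an SSO service, neither real product output) are normalized onto one schema, and a single correlation rule flags a run of failed logins followed by a success from the same source, enriched with whether the firewall also saw that source. The field names, rule thresholds and sample events are all assumptions made for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in two unrelated formats (not real product output).
RAW_EVENTS = [
    'Jun 01 10:00:01 fw1 deny src=203.0.113.5 dst=10.0.0.8 dport=22',
    '{"ts":"2024-06-01T10:00:05Z","app":"sso","user":"alice","src":"203.0.113.5","result":"FAIL"}',
    '{"ts":"2024-06-01T10:00:09Z","app":"sso","user":"alice","src":"203.0.113.5","result":"FAIL"}',
    '{"ts":"2024-06-01T10:00:12Z","app":"sso","user":"alice","src":"203.0.113.5","result":"FAIL"}',
    '{"ts":"2024-06-01T10:00:20Z","app":"sso","user":"alice","src":"203.0.113.5","result":"OK"}',
    '{"ts":"2024-06-01T10:30:00Z","app":"sso","user":"bob","src":"198.51.100.7","result":"FAIL"}',
]
FW_RE = re.compile(r'^(\w{3} \d\d \d\d:\d\d:\d\d) (\S+) (allow|deny) src=(\S+) dst=(\S+)')

def normalize(line, year=2024):
    """Map either raw format onto one common schema: ts, source, src_ip, action, user."""
    if line.startswith('{'):
        e = json.loads(line)
        return {'ts': datetime.strptime(e['ts'], '%Y-%m-%dT%H:%M:%SZ'), 'source': e['app'],
                'src_ip': e['src'], 'action': 'auth_' + ('ok' if e['result'] == 'OK' else 'fail'),
                'user': e.get('user')}
    m = FW_RE.match(line)
    if not m:
        return None  # unknown format: drop rather than guess
    # syslog lines carry no year, so the caller supplies one
    return {'ts': datetime.strptime(f'{year} {m.group(1)}', '%Y %b %d %H:%M:%S'),
            'source': m.group(2), 'src_ip': m.group(4), 'action': 'fw_' + m.group(3), 'user': None}

def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold auth failures from one src_ip inside the window, followed by a
    success from the same src_ip. Each alert notes whether the firewall also denied that IP."""
    events = sorted(filter(None, map(normalize, lines)), key=lambda e: e['ts'])
    denied = {e['src_ip'] for e in events if e['action'] == 'fw_deny'}
    failures = defaultdict(list)  # src_ip -> timestamps of failed logins seen so far
    alerts = []
    for e in events:
        if e['action'] == 'auth_fail':
            failures[e['src_ip']].append(e['ts'])
        elif e['action'] == 'auth_ok':
            recent = [t for t in failures[e['src_ip']] if e['ts'] - t <= window]
            if len(recent) >= threshold:
                alerts.append({'src_ip': e['src_ip'], 'user': e['user'], 'failures': len(recent),
                               'fw_deny_seen': e['src_ip'] in denied, 'at': e['ts'].isoformat()})
    return alerts

if __name__ == '__main__':
    print(correlate(RAW_EVENTS))
```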
What is a Security Operations Center?
A Security Operations Center (SOC) is a dedicated entity responsible for monitoring activities across devices in an organizational network in order to identify threats and incidents and to coordinate responses and remediations in a systematic manner. An SOC leverages SIEMs or SIEM-like data processing engines coupled with the expertise and availability of a team of dedicated Security Engineers and Data Analysts.
Need for Threat Intelligence Sharing
Just setting up an SOC is never enough. It is crucial to network with SOCs of other organizations and government information sharing centers to learn about new attack patterns and threat actors as they surface. Setting up and maintaining such communications adds another layer of complexity. Protocols need to be established to communicate threat information in a way that can be transmitted and collated conveniently and interpreted correctly.
What are Managed Security Services?
SOCs operate 24x7 and need to work in close sync with the IT Operations teams to effectively neutralize threats. Setting up an SOC internally requires high initial investment to procure and deploy various security solutions, and to establish the required processes and protocols. The long term operational cost is even higher and has no immediately visible returns. Talent required to staff such operations is also in short supply.
To put it plainly, Managed Security Services are outsourced security services. They provide an economically feasible alternative to setting up an internal SOC by reducing the cost of ownership of the required security solutions and expertise. They also facilitate threat intelligence sharing amongst customers of the same Managed Security Services Provider. There is very little scope for collusion between the SOC staff and attackers. Major players in the Managed Security Services space include trusted names like IBM, Symantec, NTT, AT&T and Dell.
MSS Architectural Patterns
An MSS architecture can be likened to a large-scale multi-tenant SIEM solution. One size does not fit all, and MSS architecture is greatly influenced by the complexity of the customer networks being served, their budgets, risk factors, locations, availability and compliance requirements.
Implementation choices broadly fall into one of two categories: either all security solutions are remotely administered by the MSSP Security Operations teams, or all security information is aggregated and evaluated in one central location.
In the first approach, security data does not leave the customer premises. Services may include managing a fully configured SIEM, or may be limited to one area of security monitoring such as firewall and VPN activity or tuning and evaluating IDS alerts. SIEM solutions may or may not come into play. Since the infrastructure is exclusive to a customer account, considerable costs may need to be borne.
Figure: Remotely Managed Firewall Service Architecture
In the second approach, all security data is copied to the MSSP location and is thus inherently vulnerable to potential leakage. Centralization of all this information dictates the use of a SIEM or SIEM-like solution and since most of the infrastructure is shared, the costs are much lower.
Some architectures like those outlined by Alienvault USM dictate a certain amount of remote administration.
Figure: Consolidated MSSP Architecture without Remote Administration
Figure: Consolidated MSSP Architecture with Remote Administration (source:Alienvault)
In both approaches, the customer has no direct access to the security information. A dashboard and reporting portal is typically provided for customers to gain summary insights into the state of monitoring and incident resolution, but this will almost always be cryptic to the customer. So, irrespective of the implementation, one metric by which to easily evaluate an MSSP is the speed with which incidents are detected, evaluated and addressed.
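The evaluation metric just named, broken into its three stages and worked through on constructed data, as an added example that is not part of the original article: each incident record carries the timestamps an MSSP portal would typically expose, and the code reports per-stage durations plus median and p90 across incidents. The record layout, stage names and all timestamps are assumptions made for the example.

```python
import math
from datetime import datetime
from statistics import median

# Constructed incident timeline records (not real MSSP data).
INCIDENTS = [
    {'id': 'INC-1', 'first_seen': '2024-06-01T10:00:00', 'detected': '2024-06-01T10:06:00',
     'triaged': '2024-06-01T10:20:00', 'resolved': '2024-06-01T12:00:00'},
    {'id': 'INC-2', 'first_seen': '2024-06-02T01:00:00', 'detected': '2024-06-02T03:30:00',
     'triaged': '2024-06-02T04:00:00', 'resolved': '2024-06-02T09:00:00'},
    {'id': 'INC-3', 'first_seen': '2024-06-03T14:00:00', 'detected': '2024-06-03T14:02:00',
     'triaged': '2024-06-03T14:10:00', 'resolved': '2024-06-03T20:10:00'},
]
# (stage name, start field, end field): the three speeds the article says to measure
STAGES = [('detect', 'first_seen', 'detected'),   # dwell time before the MSSP noticed
          ('evaluate', 'detected', 'triaged'),     # time for an analyst to confirm and classify
          ('address', 'triaged', 'resolved')]      # time to contain and remediate
FMT = '%Y-%m-%dT%H:%M:%S'

def _minutes(start, end):
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 60

def stage_durations(incident):
    """Minutes spent in each stage for one incident."""
    return {name: _minutes(incident[a], incident[b]) for name, a, b in STAGES}

def percentile(values, p):
    """Nearest-rank percentile for 0 < p <= 100 (p90 exposes the slow tail, not just the typical case)."""
    ordered = sorted(values)
    return ordered[math.ceil(p / 100 * len(ordered)) - 1]

def summarize(incidents):
    """Per stage: median and p90 minutes across incidents, and the id of the slowest incident."""
    per_stage = {name: [] for name, _, _ in STAGES}
    for inc in incidents:
        for name, mins in stage_durations(inc).items():
            per_stage[name].append((mins, inc['id']))
    return {name: {'median_min': median([m for m, _ in vals]),
                   'p90_min': percentile([m for m, _ in vals], 90),
                   'slowest': max(vals)[1]}
            for name, vals in per_stage.items()}

if __name__ == '__main__':
    for stage, stats in summarize(INCIDENTS).items():
        print(stage, stats)
```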
Sources: https://www.linkedin.com/pulse/introduction-managed-security-services-nikhil-salgaonkar
Thank you for your attractive and easy to understand managed security service introduction article. As I am associated with an IT company which provides managed security service network security monitoring services in USA. Please keep sharing in future.