Zen 3.1

We will be a bit off topic today as I am thinking about a few-parts blog on MSSPs. Today we will discuss the pros and cons of outsourcing to a MSSP.

There are many reasons why outsourcing sometimes is a cheaper and better way to go. Note that I said “sometimes”, because everything depends on your requirement. If your requirement is that every security device must be in house and only 2 Admin will have access to them, then outsourcing is not for you. So first thing you need to do is document your requirements.

Pros

So here are some reasons why I think outsourcing is an option.

1. Cost - MSSPs can get much better deals from vendors than you can on your own. So the cost of hardware and software will be cheaper. Let’s do some simple calculations, if you decide to firewalls inhouse, the cost of a pair of PIX 525 retail + maintenance is about $20k. The cost of a dedicated security engineer + training will cost you atleast $110k (low figure as I have not added corporate overhead, which could be another 30-40%). Take that over 3 years (that’s usually how long the companies will depreciate equipment.) That gives you about $10k/month. You can get it for much cheaper with an MSSP. Generally you can get a decent SLA for $1-2K/month. Over three years, that’s quite a big of savings!
2. Hardware Upgrades - This section maybe different for different MSSPs, so be sure to ask if you are looking to outsource. Basically, hardware gets obsolete very quickly. If you buy your own hardware, in 3 years, you will have to spend money upgrading. The original investment you made is now paper weight. But if you go with an MSSP, you can get the hardware upgrade for free. For example, let’s say Nokia decides to upgrade their IP350 platform from the current processor to a faster one, the MSSP will be able to upgrade you for free where as you would have to spend money on your own.
3. Software Upgrades - Same as hardware here. You can get software upgrades for free with a MSSP where as you might have to pay your own way. For example, from Check Point 4.1 to Check Point NG AI.
4. Vendor Support - Because MSSPs buy so many equipment/software from vendors, they have much better support from them also. They usually have dedicated support from these vendors 24x7. So any problem that arises will get to the right people immediately, instead of having to go through the normal channels. MSSPs can also get patches/fixes/updates much faster as well. If needed, sometimes vendors are willing to cut an engineering release to fix a HOT problem. Now not all MSSPs have the same support contract with vendors, so buyers beware.
5. 24x7 Support - We are not talking about somebody carrying a pager here, we are talking about having trained security engineers awake and doing work any hour of the day. This is one of the biggest advantages for outsourcing. Scale of economy plays a huge role here. The MSSPs can have dedicated engineers working 24x7 whereas you might have your guys waking up in the middle of the night, all grumpy, to fix some problems.
6. Expertise/Experience - Because the MSSPs work with firewalls/VPNs/IDS all the time, it is much more likely that they will have encountered the problem that you are experiencing. In this situations, the MSSP may be able to fix you problem in 30 mins, whereas you may have to spend hours figuring out what happened and try to fix it.
7. Software Patches - This is perhaps one of the biggest issues with security nowadays. Many organizations simply don’t have the resource or time to keep up with all the security patches or updates on their security devices. The MSSPs will HAVE to do that as part of their SLA. Again, this is where scale of economy plays a big part in. The MSSPs can upgrade all of their security devices such as firewall or VPN with the appropriate patches when they receive it from the vendors (usually sooner because of their relationships).
8. Training - Most of the MSSPs require their engineers to be trained on the devices they service, and they are willing to spend the money to get them trained. Training is certainly not cheap, a PIX or Firewall-1 course can cost anywhere from $3k - $5k. Many of the engineers are also experienced in designing complex & secure networks. I for one am not very fond of certifications (even though I carry a couple). I think anyone with half of a brain can pass the certification exams, for example. So when/if you are looking for an outsourcer, beware of anyone telling you that all their engineers are certified. It really doesn’t mean jack. Certifications provide some value, but not a whole lot. It is the hands-on training and experience that count the most.
9. Spare Equipment - This again is another huge value MSSPs can provide at very little or no cost to you. Because MSSPs manage so many equipment, they cannot wait for vendors to ship them spare equipment when something dies, so they have extra equipment ready to deploy. And trust me, equipment do die. :)
10. Security Monitoring - One of the hottest topic in the security space is obviously log analysis and management. Many vendors have some type of event correlation engine or tool they are using to help you monitor your network. For example, NetSec uses the neuSecure product of independent software maker, Guarded.Net; Symantec acquired the correlation engine of Cyberwolf and RipTech; Savvis, Ubizen and others have their own home-grown solutions. Again, depending on the MSSP, you may have to pay extra for this service or you may get it as part of your SLA.

Cons

However, there are some disadvantages to outsourcing as well. Here are the reasons why you should think twice before outsourcing.

1. Device control - Once you outsource your security infrastructure such as firewalls and IDS, you may lose some or all control of the devices. Many MSSPs want to retain full control in order to reduce the finger pointing when catastrophe happens. Also, MSSPs usually have tools and infrastructure that will manage the devices differently than individual administrators, so shared control can create problems when both sides cannot agree on certain things. However, you still have control of the policies of the devices. If you can’t swallow the fact that you will lose control, look for a MSSP that will share access with you.
2. Security policy - Any good security policy requires the knowledge on the company’s corporate culture and business. The MSSP will not know everything about your company. For example, they won’t know that your company’s extranet can only be accessed by specific strategic partners; nor do they know that only specific adminitrators can access security data and these people must have access at anytime. It is your responsibility of working with the MSSP to make sure that they understand and build your security policy. Some MSSPs can provide professional services to help you but the downside is that you will have to pay more.
3. Security environment - Unless the MSSP handles all of your infrastructure, they won’t know all the applications and servers you have. This means that it is difficult for them to accurate determine whether a security event is critical or just a false alarm due to the insufficient information. Most MSSPs can work with you to setup a escalation policy that would include partial knowledge of your environment, including what applications and servers in your infrastructure. However, it is up to you to keep that information current and update the MSSP as necessary.
4. Administrative access - One of the biggest surprises for companies considering outsourcing is that most MSSPs will have a team of engineers who all have administrative access to their devices. The team size can sometimes be as many as 30 engineers! In contrast, most companies probably have only 2 to 3 administrators who are allowed to manage the devices. To mitigate the risk of having too many people who can modify the device, work with the MSSP to make sure they know whom from your company can request changes. Keep the number of people who can request changes to a number you are comfortable with.
5. Response time - Most MSSPs will have a very fast response time when it comes to catastrophes. For example, if the device goes down due to hardware or software failure, the response time to get on the case is usually about 15 minutes. However, if you need a policy change quickly, the response time can be in the order of 6 to 24 business hours depending on the SLA. This generally requires the company to plan ahead when working on projects. It also means don’t send in a change request to open a port on the firewall two hours before you need it.
6. Customization - MSSPs are all about economies of scale. All their operations are based on that concept in order to make a profit. Their preference is to perform any task on a mass scale so nothing needs customization. The downside, of course, is that your devices will be managed just like any other device. If you have specific requirements that need customization by the MSSP, it will be difficult to convince them to do so as it breaks their model. For example, it will be difficult to convince the MSSP to enable SNMP on your firewall if the MSSP’s policy doesn’t allow that.
7. Financial viability - This perhaps is one thing that most companies will ignore or not spend enough time when it comes to due diligence. To identify the MSSP that meets your requirements, not only do you need to spend time on the SLA and technical requirements, it is critical to understand the MSSP’s business and financial viability. Given that many of the MSSPs are there are fairly small and new to the business, any risky business move on the parts of the MSSP can put them out of business. As we have seen over the years, many of them did. Remember Pilot Networks and how much time they gave their customers when they went out of business?

Now that we have gone through the many pros and cons of outsourcing to MSSPs, it is up to you to understand your requirements and figure out whether to outsource or not. Make sure you ask all the questions and spend time on due diligence, and don’t let the MSSP talk you into something that you are not sure about. Make sure you talk to multiple MSSPs and understand how they can meet your requirements. In other words, do your research first.