Managed Security Services

Survey of Managed Security Service Providers:
Other Services, and Our Conclusion

ISP-Planet's biennial survey of MSSPs finds that service providers are further differentiating their offerings with some unique extras—some of which are free—and a wider variety of options.

by Lisa Phifer VP Core Competence, Inc. [June 6, 2003]

Managed Vulnerability Scanning Services
Managed Vulnerability Scanning Services remotely test a customer's network and Internet-facing systems to identify security weaknesses. Raw test results are analyzed to suggest appropriate remedies, and follow-on professional services may be available to help refine policies and implement recommendations.

Over half of the providers responding to our survey now offer managed scanning services. The majority offer scanning as a standalone service. One company offers scanning to managed firewall customers only, but several others let customers choose whether to purchase this service alone or with another security service.

Our 2001 survey turned up a mixture of proprietary and commercial software scanners. This year, we see some of the same software—Cybercop, ISS, Nessus. But we also see some MSSPs adopting an ASP model, and two vulnerability scanning appliances (SecureWorks, Guardent).

Good providers know that service delivery requires more than off-the-shelf test tools and canned reports. Most deliver results on-line, but several include (human) expert review and trend analysis. SecurePipe makes a point of delivering hand-written reports. Unisys and MCI security engineers review results with customers. Weekly or monthly scans can identify recent changes. But there will always be some trade-off between scan frequency and automation/depth. You may want to run "quick scans" weekly and "deep scans" quarterly or after significant changes. If so, look for an MSSP that can do both, backed by security experts for follow-on consulting.

Other Managed Security Services
Several MSSPs volunteered information about other complementary managed security services. For example:

• AT&T offers a Managed Token Authentication Service that provides two-factor user authentication to complement other security services.
• Bangalore Labs offers a Security Advisory Service that provides daily notifications about new viruses, vulnerabilities and patch recommendations.
• LURHQ offers a Managed Enterprise Security Monitoring Service that gather security events from any application that outputs events via log files, SNMP, SMTP, syslog or OPSEC LEA.
• PresiNET offers additional managed anti-virus and anti-spam services, directly and through its partners.
• Secure Designs offers Firelan Webmail, a virus-scanned POP/Web-based e-mail service.
• TruSecure offers OverWatch, a "monitor only" solution for non-security devices like routers, servers and switches.

Several MSSPs also described complementary security consulting services. For example:

• Bangalore Labs also offers Information Risk Assessment, Security Architecture Design, and Web Application Security Assessment consulting services.
• Cable & Wireless services include Security Assessment & Audit, Security Policy & Procedures design, Application Code Review, Regulatory Compliance Consulting, Security Training, and Security Log Reviews.
• Guardent offers Incident Response and Forensics, Privacy Consulting and Regulatory Compliance, and other Security Consulting services, ranging from policy and assessment to design and implementation.
• ISS X-Force services include Threat Analysis Service, Emergency Response Services, Vulnerability Remediation, Information Security and Wireless Network Security Assessment, and "due diligence" testing.
• PresiNET also offers Security Audits and other consulting services.
• SBC offers Security Policy Development, Vulnerability Assessment, Penetration Testing, Architecture and Process Design, Business Continuity Planning, and Cyber Forensics.
• TruSecure's Investigative Response offering combines traditional incident response with computer forensics, analysis, prosecutorial decision support, network intelligence, IS/Recon and crisis management.
• Unisys offers Business Impact Analysis, Recovery Plan Audit, Biometric Research and Analysis, Smart Card and Token-based Solutions, Permissions Management, and Privacy Policy & Process Audit and Development.
• VeriSign security consulting services include security assessments, "white hat" penetration testing, vulnerability assessments, and VPN and authentication solutions design.

Clearly, these are just a few examples, summarized from MSSP survey responses. Most providers offer at least a few of these additional security services—please visit MSSP websites to learn more.

Conclusion
ISP-Planet's survey is intended to serve as a starting point for anyone thinking about purchasing or providing Managed Security Services. Service attributes such as those examined in this survey are just part of the story. Readers are encouraged to investigate the history, experience, and track record of any prospective MSSP. In the end, select an MSSP that you trust completely and feel comfortable working with. After all, you will be entrusting the safety of your company's network to them.

We would like to thank providers that participated in this year's survey, and ask our readers to contact them directly for further information regarding any of the Managed Security Services mentioned in the five parts of this article.

—End