While reading his article, I was thinking about the pros and cons of MSSPs and found myself formulating some risk analysis of, specifically, outsourcing SIEM (Security Information and Event Management).
But before I get to that, what exactly is outsourced to MSSPs when it comes to SIEM?
When I think of outsourcing SIEM, I'm envisioning everything logging to the CSP/MSSP and the MSSP analyzing, monitoring and storing the data, and then perhaps supplying the occasional pretty graphs to management. Everything looks peachy and secure, right?
This may indeed be sufficient when it comes to raw log data. I mean, after all, some of this stuff is just mundane 'log in/log out' or 'port up/port down' data that needs to be stored in case it's needed later for some audit reports or forensic analysis. But what if it's data that could point to fraud, abuse, intrusions or other major security events?
Even if the logs are correlated and events are generated, who's analyzing the data, separating the mundane from the clear indicators of problems or issues? What are the risks of MSSPs managing this kind of detection and analysis for your company - the kind of events that, if detected early, may avert lawsuits, data breaches and other embarrassing or career-ending moments for a company?
The first thing that came to my mind when presented with a CSP/MSSP option was vigilance and I can easily see vigilance as a big risk issue in this case. There is a certain amount of ownership a company IT security person takes in their realm of data security. This is their company, their data, their livelihood, their pride... there's a lot at stake here.
The first person they come looking for when there is a breach or an attack is this person. So you can believe that this person's vigilance is also directly proportional to how badly they want to keep their job, and/or their career.
So vigilance is tied to accountability.
Certainly there might be a bit of vigilance on the part of an MSSP, but that may only be because there could be certain monetary penalties drawn into a contract if something catastrophic were to occur. The degree of vigilance on the MSSP's side is certain to be much lower than it would be on the company side. After all, it's not their company or their data, nor their careers at risk. It's just some more of company 'A' data, sitting alongside all their other customers' data.
The second and third risk issues that came to mind were anomaly detection and due diligence. Who knows the inside-out of a secure network more than the IT Security guru? Who else can look at a log and in a split second say, "That's not normal!" or "There are too many events in that area today, something's not right". And then who would actually do some kind of investigation as to why things aren't normal, to take some kind of ownership?
All this is part of being diligent, doing your 'due diligence'. And as far as legal concerns go, how do we know if a company has its due diligence (as in protecting data and keeping it safe) covered by the MSSP? What does it mean if a company can no longer say it was as diligent, or is no longer as confident as it used to be in its diligence now that it has moved part of that responsibility out to a third-party provider - who is doing who-knows-what with that data?
I don't know about you, but if I were a customer of a company handling my personal information, I'd feel more secure with the internal vigilant IT Security staff watching and protecting my data, rather than the multi-customer CSP/MSSP.