What to look for in an MSSP?
What you’re really looking for is a company that can perform independent audits on all of their devices. An MSSP should be able to say with honesty whether or not they are monitoring each type of device, without trying to downplay any omissions. It’s important that the company doing the monitoring does it efficiently and reliably, because if your device is not being monitored, it does you no good. Spend time with prospective MSSPs to make sure that they are willing to be transparent about their device coverage list.
What to Look for in an MSSP
Most independent researchers agree that the following criteria should be considered when choosing an MSSP:
– Large infrastructure, with NOCs/SOCs located in different geographical locations. This reduces the risk of downtime or latency issues due to local disasters, strikes, riots, etc.
– Strong relationships with multiple carriers for monitoring cellular devices (e.g., GSM & CDMA).
– Ability to support MCC, MNC and LAC level filtering for location information on cellular devices.
– Network Operations Center or Service Operations Center based in a country outside of your target’s data protection laws. It also helps if the company is not a subsidiary of a public corporation whose primary economic interest is selling security products to your target.
– At least 70% of devices successfully tested for compatibility with their service.
5 best practices on hiring a managed security service provider
– Create a formal agreement that clearly states expected deliverables and timetables before starting the project. Include notification requirements for any significant changes to agreed-upon milestones or deliverables. If possible, incorporate audit protocols into the contract to ensure strict enforcement. Do not allow paid services from an MSSP to commence until there is a signed contract in place describing all terms of engagement.
– Define operational guidelines including reporting formats and required frequency of updates during all phases of a relationship with an MSSP – from pre-engagement reviews, through implementation – even after production – as more information becomes known about your organization and the threats it faces.
– The MSSP should establish a formal communications plan to ensure that you are kept apprised of changes made, significant incidents and event handling procedures. Update this as new requirements or concerns arise.
– Prepare an incident response team (IRT) to coordinate incident response with your provider and other affected parties such as legal, public relations and technical teams within your organization. Include third-party representatives in this group if necessary – but choose those participants carefully to avoid conflicts of interest between participants’ primary responsibilities and their roles during an incident response situation. Define escalation paths for managing issues that cannot be resolved rapidly by the IRT or the points of contact at each organization, to avoid conflicts caused by mismatched expectations about the time frames involved in decision making, incident verification and public disclosure.
– Ensure your MSSP is fully committed to helping your organization when it comes under attack by preparing a plan detailing the roles and responsibilities of each party involved with managing an attack situation. The IRT must be part of this planning process, but so should representatives from the legal, PR and Sales teams in order to ensure that all affected interests are represented during attacks or breach incidents.
5 reasons why hiring an MSSP is not enough
– There isn’t always a reliable way for an MSSP to provide proof that they can protect you in real-world situations. For example, if they don’t have verifiable logs on file (or the ability/willingness to share them), there’s no way to verify claims of success or failure when testing their technology.
– MSSPs don’t always have the ability to obtain IP address geolocation information from your provider; many service providers use third-party billing companies, and that data isn’t shared with anyone outside of that company, especially an MSSP that is not a carrier providing the actual cellular network services you subscribe to.
– Although some MSSPs will work with carriers directly, most choose to go through aggregators, which may change over time and therefore affect the MSSP’s ability to get accurate location information about devices on file.
– Because there are so many variables involved in how cellular networks operate (radio frequencies used by different carriers, antenna placement, etc.) and in the way IP addresses work (they can be spoofed), it’s often difficult to accurately represent network location in a test scenario.
– In order to ensure your protection, MSSPs need logs from end-user devices showing that their apps are installed and activated, i.e., that the user has agreed to pay for the service and has downloaded and installed the app required for protection. They also require accurate data on device location, but this can’t always be determined: for certain types of cellular networks used by customers in specific locations around the world, aggregators and carriers share data with an MSSP only in limited ways or not at all.
If you want to be confident your MSSP will protect you in real-world situations, it’s critical that they have the logs and geographic data available as necessary so you can verify their performance.
Most organizations understand that hiring an MSSP is just one part of a larger risk management strategy. While many organizations recognize the value of having an MSSP help them monitor and secure network traffic between their endpoints and servers, there isn’t typically buy-in for additional services such as deep packet inspection (DPI) to validate application usage or provide intelligence used to detect advanced threats before they cause damage.