Zen 2.0

We will be a bit off topic today as I am thinking about a few-parts blog on MSSPs. Today we will discuss the pros and cons of outsourcing to a MSSP. Other ideas I have in the pipe for the next few days are:

• Requirements for Choosing a MSSP
• Log Management Requirements for a MSSP

If you have some ideas of what you would like to see, please let me know.

There are many reasons why outsourcing sometimes is a cheaper and better way to go. Note that I said “sometimes”, because everything depends on your requirement. If your requirement is that every security device must be in house and only 2 Admin will have access to them, then outsourcing is not for you. So first thing you need to do is document your requirements.

So here are some reasons why I think outsourcing is an option.

1. Cost - MSSPs can get much better deals from vendors than you can on your own. So the cost of hardware and software will be cheaper. Let’s do some simple calculations, if you decide to firewalls inhouse, the cost of a pair of PIX 525 retail + maintenance is about $20k. The cost of a dedicated security engineer + training will cost you atleast $110k (low figure as I have not added corporate overhead, which could be another 30-40%). Take that over 3 years (that’s usually how long the companies will depreciate equipment.) That gives you about $10k/month. You can get it for much cheaper with an MSSP. Generally you can get a decent SLA for $1-2K/month. Over three years, that’s quite a big of savings!
2. Hardware Upgrades - This section maybe different for different MSSPs, so be sure to ask if you are looking to outsource. Basically, hardware gets obsolete very quickly. If you buy your own hardware, in 3 years, you will have to spend money upgrading. The original investment you made is now paper weight. But if you go with an MSSP, you can get the hardware upgrade for free. For example, let’s say Nokia decides to upgrade their IP350 platform from the current processor to a faster one, the MSSP will be able to upgrade you for free where as you would have to spend money on your own.
3. Software Upgrades - Same as hardware here. You can get software upgrades for free with a MSSP where as you might have to pay your own way. For example, from Check Point 4.1 to Check Point NG AI.
4. Vendor Support - Because MSSPs buy so many equipment/software from vendors, they have much better support from them also. They usually have dedicated support from these vendors 24×7. So any problem that arises will get to the right people immediately, instead of having to go through the normal channels. MSSPs can also get patches/fixes/updates much faster as well. If needed, sometimes vendors are willing to cut an engineering release to fix a HOT problem. Now not all MSSPs have the same support contract with vendors, so buyers beware.
5. 24×7 Support - We are not talking about somebody carrying a pager here, we are talking about having trained security engineers awake and doing work any hour of the day. This is one of the biggest advantages for outsourcing. Scale of economy plays a huge role here. The MSSPs can have dedicated engineers working 24×7 whereas you might have your guys waking up in the middle of the night, all grumpy, to fix some problems.
6. Expertise/Experience - Because the MSSPs work with firewalls/VPNs/IDS all the time, it is much more likely that they will have encountered the problem that you are experiencing. In this situations, the MSSP may be able to fix you problem in 30 mins, whereas you may have to spend hours figuring out what happened and try to fix it.
7. Software Patches - This is perhaps one of the biggest issues with security nowadays. Many organizations simply don’t have the resource or time to keep up with all the security patches or updates on their security devices. The MSSPs will HAVE to do that as part of their SLA. Again, this is where scale of economy plays a big part in. The MSSPs can upgrade all of their security devices such as firewall or VPN with the appropriate patches when they receive it from the vendors (usually sooner because of their relationships).
8. Training - Most of the MSSPs require their engineers to be trained on the devices they service, and they are willing to spend the money to get them trained. Training is certainly not cheap, a PIX or Firewall-1 course can cost anywhere from $3k - $5k. Many of the engineers are also experienced in designing complex & secure networks. I for one am not very fond of certifications (even though I carry a couple). I think anyone with half of a brain can pass the certification exams, for example. So when/if you are looking for an outsourcer, beware of anyone telling you that all their engineers are certified. It really doesn’t mean jack. Certifications provide some value, but not a whole lot. It is the hands-on training and experience that count the most.
9. Spare Equipment - This again is another huge value MSSPs can provide at very little or no cost to you. Because MSSPs manage so many equipment, they cannot wait for vendors to ship them spare equipment when something dies, so they have extra equipment ready to deploy. And trust me, equipment do die.
10. Security Monitoring - One of the hottest topic in the security space is obviously log analysis and management. Many vendors have some type of event correlation engine or tool they are using to help you monitor your network. For example, NetSec uses the neuSecure product of independent software maker, Guarded.Net; Symantec acquired the correlation engine of Cyberwolf and RipTech; Savvis, Ubizen and others have their own home-grown solutions. Again, depending on the MSSP, you may have to pay extra for this service or you may get it as part of your SLA.

However, there are some disadvantages to outsourcing as well.

1. Control. You lose some or all control of the device itself, you still have control of the policy however. If you can’t swallow that, look for a MSSP that will share access with you.
2. Corporate-specific Knowledge. The MSSP will not know everything about your organization as you would, so you have the responsibility to work with the MSSP to make sure that they understand what you need.
3. Security Requirements. Your security requirement may be more strict than that of the MSSPs. For example, your requirement says only 2 people have access to the firewall, but the MSSP may have more engineers working on it.

So definitely find out all the different requirements you have, see if the MSSP can meet them. Make sure you ask all the questions you have, and don’t let the MSSP bs you into something that you are not sure about. In other words, do your research first.

Last Modified: Tuesday, November 23rd, 2004 @ 11:43

This entry was posted on Tuesday, November 23rd, 2004 at 10:42 am and is filed under General. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.