Managed Security Services Provider - How to Prepare
October 26, 2018
In this episode, Jerry Ravi and Kevin Nikkhoo have returned to address how companies should prepare to engage with an MSSP. They will highlight the expectations buyers should have around the provider they use and the services offered.
KC: What should a company do to prepare to engage with an MSSP?
KN: One of the most important tasks for engaging with an MSSP is to first set the benchmark of how you will be working with it. In other words, it's not about just collecting logs and reporting. It's best to understand the assets first, collect the ones that are in the environment, run the vulnerability to understand which ones may be in the environment, and run the penetration tests from the outside to see if there are any ports open or ways that hackers can get in. Clean that up first and then go into continuous monitoring. If you start without having a security benchmark, knowing where you are, and just say let's go right to monitoring, then you haven't achieved anything. Why? Because you still have all these holes that people can take advantage of and the environment can be compromised because hackers know how to get in. It's best to do an assessment, do a first look at everything, and then it's part of the MSSP’s job to help resolve those issues, resolve those vulnerabilities and get the environment to have the latest patches. Get it to what's known to be the latest state of security measures, and then start monitoring so that you know at any point in time the environment is protected. You don’t want to have to go back and say this part is not ready. When you have to go back and do patch management it's too late because now you are monitoring an environment that has a lot of security holes. It's best to start having a conversation with an MSSP, understanding the environment. The customers should help partner with an MSSP to get that environment ready, set, and then do the monitoring.
JR: That's really important to note that when you tend to outsource to a managed service provider, even if it's outside of security, there's an element of a risk posture that you have to bring into the equation and have a baseline. Regulations are changing all the time. Let's face it, IT environments are changing, so there may be an aspect of change management. But the baseline is the most important aspect in getting it right. It is absolutely where companies can have issues when they do outsource security. We have to make sure that we're covering all the assets. We want to make sure we found all elements of data that have a regulatory compliance risk attached to them, whether it be protected health information, personally identifiable information, whatever it may be, because it is changing a lot. Get it right the first time, have a plan and start looking at it after the baseline started. Look at it as a change management function that, in essence, the MSSP will be allowing for the change to occur as you change. It's not like you're going to miss anything. The key is it'll already be in the process when you engage with that MSSP. Also make sure that on a regular basis we're looking at it in terms of dashboards. So when I sit in a Chief Audit Executive role, when I'm working with audit committees, they don't want to see the same report that I essentially showed them last quarter. They want to see what's changed. We can bring that in as soon as you engage with the MSSP. I know that with Cloud Access and working with Kevin and his team, that's extremely important right out of the gate—to make sure that you have that even reporting function ready to go. You can also tweak that along the way because it's never going to be a steady state. It's always going to be changing.
KN: Certain aspects of security monitoring must have a regular vulnerability scan, regular pen testing, and the ability to understand the change of the IT landscape and pick up what has changed. It's really important to have change management because could you imagine having a server that was added that's critical, but you don't detect it? You haven't run asset discovery to figure out if that asset was added, and let's say that it was a credit card database that was sitting on that server and all of a sudden you are not monitoring that or you are not looking at the vulnerabilities on that particular server. You might have a situation that a particular server could be compromised, not knowing, not having the continuous change management and monitoring. The MSSP should be able to actually detect that, bring it to your attention and be able to also monitor it on a regular basis to detect any threats. For example, if you were seeing a lot of traffic going to that particular server that was just added, you might wonder why I have so many drawers, IPs or devices trying to reach that particular server, which was recently put into the environment. That's what the monitoring will do. But if you detect it and know that asset exists there, then you could do change management on that and correct any vulnerabilities on that particular asset.
JR: You start by closing down all the gaps, making sure that's done right from the beginning and also putting a baseline and change management process in place, along with continuous monitoring. That's really key.
KC: Jerry and Kevin, thanks for your expertise in this great insight. And thank you for listening to the EisnerAmper Cloud Access podcast series. In our next podcast, we'll be addressing what kind of reports a client should expect to receive from their MSSP and what they should do with that information. We hope you'll come back and join us. In the meantime, visit eisneramper.com for more information on this and a host of other topics.