The Four Pillars of Success for Managed Security Services
by Kunjal Trivedi
Malicious traffic is becoming more prevalent because of readily available and ever more sophisticated attack tools. Also, motivations are becoming increasingly varied and malicious. We have witnessed a transformation in the miscreant economy – the community that engages in cyber crime-related activities for financial reward. This transformation and its financial ramifications now require that service providers offer more defined value propositions for protecting networks and services. Service providers must enhance the value perceptions of the general marketplace toward managed security-enabled services and present significant, increasing service and value guarantees to their customers.
While attacks were once primarily the work of hackers who wanted to temporarily take well-known sites offline to get media attention, attacks are now increasingly being used as the foundation of elaborate extortion schemes or are motivated by political or economic objectives, costing businesses and service providers millions of dollars each year.
Figure 1: Miscreant Economy Explained
Understanding the miscreant economy, as described in Figure 1, is very interesting.The first stage is to identify set of vulnerabilities readily posted on the Internet from software, hardware, and application vendors' Websites. The wider the install-base, the more attractive it is for the miscreant to develop malicious code in various forms such as malware, spyware, Trojans, rootkits, etc. Miscreants operating in this area still need to have high technical competency and skills to write working code so that their exploits actually work. This exploit code then makes it to the underground Websites where anyone with bad intentions can get a hold of it and use it. Suddenly the skill and competency required are far lower than the 'Writer' stage. First-stage abusers really create the inventory database of the compromised as well as compromisable endpoints. The 'Brokers' actually build useable exploit networks. These serve as a foundation for monetary abuse. Malicious access to gather information suddenly takes an interesting turn. The 'second-stage abusers' have purpose for which they 'buy' or 'rent' BotNet as well as harvested personal information. It is important to note that there is a miscreant community that operates for indirect gains. Service theft, competitive or government espionage, and locking out other miscreant groups from a set of exploitable endpoints fall in this category.
In the final stage, illegal credit card purchases may end up as printed toll-free telephone cards with pin numbers for a very attractive street value (for example, a $20 telephone charge card for $5). The front-cover Websites may generate money through click-though revenues by hosting advertisements or links of the legit websites paying for the click-through rate. Illegal purchase of goods with 'bought' physical drop off points may result shpping of these goods to non-traceable destinations (i.e. in the customs storage of a country with loose security measures where individuals with false identity can collect and sell expensive smuggled goods). Needless to say corporate or government espionage may result in individual, businesses or even countries ending up in a dire state.
MANAGED SECURITY SERVICES OVERVIEW
Now, it becomes very obvious that protecting the confidentiality, integrity, and availability of corporate information has become more of a challenge than ever. Today, many companies rely heavily on corporate WANs and the Internet to run their businesses – whether to provide e-mail for employees, manage supply chains, research competitors, pay bills, market services, or sell goods. Companies are also collecting vast stores of data, much of which feeds important businesses processes.
While boosting productivity, this reliance on the Internet and corporate data has also exposed companies to damaging security breaches. Consequently, companies must constantly strive to prevent intruders from shutting down corporate networks, retrieving passwords, stealing online corporate assets, intercepting sensitive e-mail, or fraudulently misrepresenting data or users.
Reliable, effective, and affordable managed security solutions delivered by service providers help business customers protect their information and their businesses.
Some of the dynamics driving companies to out-task network security and management functions to service providers are:
- Increased volume and complexity of intrusions
- Unrelenting demand on IT department to manage security policy whilst needing to focus on the core business functions
- Escalating need to meet regulatory compliance such as Sarbanes-Oxley, PCI-DSS, HIPAA and Directive 2002/58/EC-OECD
This paper identifies and discusses the four pillars of success market for managed security services that are essential to enter the competitive landscape to gain market share, explains customer requirements, describes potential services and highlights value propositions and messaging.
SERVICE PROVIDER LANDSCAPE
Generally, there are three types of provider compete for the managed security services business:
- Service Providers (SPs), who already are transport providers and plan to move up the OSI stack striving to provide application security
- System Integrators (Sis), who already are working for large enterprise businesses providing business process-level application integration and customization
- Pure plays, who are security experts and can cater to any business security need due to their expertise
All three, SPs, Sis and Pure plays can be identified as security service providers.
Service Providers have strong automation and scaling expertise resulting in an ability to execute security services on a large-scale drives them to deliver a 'low-touch' model. Meaning, SPs design, test, implement, and operationalize the security services and therefore are able to provide a well defined service to mass of customers with several additional options. The low-touch model is based on security policies providing adequate security to businesses. These businesses do not have continuously changing or strenuous requirements stemming from regulatory bodies. With a set of options, some service customization is available. As a result, such security services are cost-effective for the commercial segment of the market who deploy customizing options for additional fees.
Systems Integrators have user behavior familiarity from their business applications work which allows them to provide highly customizable security services. However, as customer requirements differ from one customer to another in the large enterprise, so does the service offers. The 'high-touch' model generally includes medium to large customers and is what Sis deliver.
Pure plays also deliver a 'high-touch' model to similar customers, but it is based on the resident security skill set. A 'high-touch' model caters to customers with changing security needs based on the nature of their business as well as strenuous security processes due to operational requirements, perhaps even stemming from regulatory bodies or the nature of the business. This is reflectd in higher service costs resulting in more tailored security policies that can be customized on a more regular and frequent basis.
Often, 'low-touch' model equates to 'horizontal' services and 'high-touch' model equates to 'vertical' services. Obviously, more vertical focus allows services to be tightly integrated with vertical business requirements such as finance industry or retail segments.
Even with 'high-touch' and 'low-touch' models of delivery, all businesses provide the same set of compelling reasons of wanting managed security services:
- The need to comply with legislation such as the Payment Card Industry – Data Storage Security (PCI-DSS), Health Insurance Portability and Accountability Act (HIPPA), Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act in the United States, the Data Protection Directive in the European Union, and the APEC-OECD Cooperative Initiative on Regulatory Reform in Asia-Pacific
- Allowing small and medium-size businesses (SMBs) to focus on their core business functions
- Lack of SMB expertise to build and maintain security solutions in house
- High cost of 24-hour in-house security management
- Limitations in both scope and scalability of do-it-yourself security solutions
- Desire to save money by outsourcing security solutions
- Increasing volume and complexity of security threats and rising costs of security breaches
- Deployment of emerging technology and applications such as voice over IP and wireless network architectures, which boosts security concerns
Given the rapid deployment of wireless networks and third Generation smart-phone devices capable of voice, video and data connections, the need to provide security to untethered devices and the mobile environment will be the key area for developing and extending services. Security service providers in this space will offer services that are more robust. But most importantly, winners will have offerings that tie into services not traditionally associated with security:
- Regulatory compliance for maintaining quality of data
- Business intelligence for effectively securing an environment, which requires awareness of the state of the environment
Customer relationship management for securing an environment while allowing customer access, which requires awareness of the customer
In some cases, building the infrastructure (for example, providing the functionality and network-deployed equipment) will require partnering or a large capital investment.
PILLAR ONE – DEFENSE-IN-DEPTH SECURITY PHILOSOPHY
Industry accepted "threat models" allow categorizing managed security offers in protection bundles formed based on the direction in which the threats mitigated are originating. Externally-stemming threat and internally-stemming threat categories actually allow to cater for how industry has implemented the security technology. An early approach to build perimeter security to protect against threats stemming from outside is augmented with deploying guards to strength overall security posture against internally-stemming threats.
Marking an important paradigm shift, the endpoint and the user sitting behind the endpoint are unanimously declared 'the weakest link in the security chain' today.
Figure 2: Defense-in-Depth Security Philosophy
Defense-in-depth security philosophy allows building a multi-layered defense approach, but some of the following are needed as 'spackle' in building this multi-layer protection:
- Vulnerability scanning and assessment covering endpoints including wired and wireless desktops, laptops, printers, IP phones, etc
- Security intelligence covering emerging threats, alerts, and associated rating for manifestation based on the same
- Security monitoring based on intelligent analysis and correlation of data generating actionable events to maintain security posture
Moving a customer from the legacy network to the IP Next Generation Network (NGN), the "Basic Secure Access Bundle" offer would ensure that whilst connecting to the Internet adequate threat protection is provided. Managed router obviously is the table-stake as it is essential to provide managed service of any kind, including security services.
Managed Virtual Private Networks can be Multi Protocol Label Switching (MPLS), IP Security (IPSec), or Secure Socket Layer (SSL). MPLS is commonly and rightfully becoming the IP NGN foundational component that facilitates rapid IP services enablement. Depending on the vertical that is signing up for the security services, VPN may well be private IP MPLS or encrypted VPN such as IPSec or SSL. For example, the retail industry would need to comply to PCI-DSS as it a mandatory operational requirement.
"The firewall is an essential part of the security strategy" is a well accepted industry practice. In fact, businesses ask security service providers to deploy managed firewall offers.
Denial of Service Mitigation is also a part of the Basic Security Access Bundle, mainly because devices are hosting security services deployment. As we discussed earlier, external and internal threats are important to mitigate and as security providers gain operational experience for managing the services, it is imperative that there is a 'clean pipe' between the CPE device and the SP edge. Imagine if the attacks are originating from the Internet and directly targeting high value resources behind the CPE router or the CPE router itself. In this case, security experts from the Security Operations Center (SOC) have to remotely reach the CPE device to manage configuration suiting the security posture define by the security policy. Discussed later here, Service Level Agreements (SLA) are delivered by the services running on that CPE device and if the SLAs are not met, security service providers' revenues are jeopardized. As a result, having a 'clean pipe' becomes a mandatory requirement for security service offered on the CPE device.
Protection against internally-stemming threats is delivered from technologies such as Intrusion Prevention Service (IPS), Anti-X services (secure messaging, anti-virus, anti-malware, anti-spyware, content-filtering and anti-spamming), and, finally, endpoint protection with Network Access Control (NAC) and Host-based Intrusion Prevention Services (HIPS) provided by Cisco Security Agent (CSA). Generally, these technologies are 'chatty' and generate a lot of traffic in terms of alarms, logs, and other threat indicators. In order for the security service providers to scale, analysis and correlation are absolutely 'must have.' Otherwise, valuable SOC resources such as security experts will waste their time sieving data versus deploying actionable events and mitigation steps.
Let us also discuss the two basic approaches to providing managed security services:
- Network-premise Equipment (NPE) - based managed service where the provider hosts the service delivering equipment
- Customer-premises equipment (CPE) - based managed service where the company hosts the service delivering equipment and the provider remotely manages it.
CPE-based security offers are deployed more as security service providers gain operational experience to learn what it takes to deliver fully managed security services. However, when security technologies embrace upcoming technology concepts such as virtualization and multi-tenant, security technology deployment in the cloud (NPE-based) will become more attractive. Currently, given the complexity of NPE based security services, lack of features and tools in available product sets and lack of operational experience from security providers, CPE-based services are where the threats are mitigated the best.
PILLAR TWO – INTEGRATED SERVICES DEVICE
Many business customers currently use multiple security devices, such as a separate firewall, IPS, and anti-x (shown in Figure 3). Historically, the approach of deploying a particular security technology on a standalone appliance has been acceptable because of lack of adequate hardware and ability to manage all the services to meet managed service standards. Additionally, increases in capital and operational expense result in an especially big problem for SMBs. Deploying multiple security devices also increases the risk that security policy will be inconsistently defined or enforced. Managed security services must overcome these problems by using a single, integrated security device. These combine VPN, firewall, and IPS functionality in a single chassis. The integrated approach reduces capital and operational expense and helps to ensure consistent security policy enforcement.
In addition, your customers who starts with just the basic security services can add new ones without waiting for new equipment to be provisioned.
The huge advantage of an integrated services device is that the CPE longevity is increased and avoiding costs such as 'truck-roll' results in making a positive impact on the revenue line.
Figure 3: Defense-in-Depth Delivered on Integrated Service Devices
PILLAR THREE – BUSINESS ALIGNED SERVICE LEVEL AGREEMENTS
SLA forms the life blood of managed services. SLA is the part of a service contract where the level of service is formally defined. In practice, SPs measure what they can, generally Delay, Jitter, and Loss. It is not adequate to determine if SLA compliant security service is being delivered. For example, if you can ping a firewall, it does not mean that it is dropping packets against the defined security policy. Here, pillar three recommends that SLA must be aligned with what businesses really need. Without doing so, even with a security service offer out in the market, security service provider will not be able to attract the customers to sign up for the services. Managed security services revolve around 'response time' for rapid threat detection and mitigation. Therefore, the SLA stipulates response times. The customer is notified when an attack starts, when the attack stops and what can be done to prevent it from happening again.
Typically, SLAs for basic managed IP services equals to service availability. A sample SLA for managed security service is as follows:
- Response time and alerting mode (e-mail, pager, other)
- Reporting: the higher the SLA , the deeper the reporting
- 24 x 7 365 monitoring and correlation: real-time, almost real-time
- False positive rate
- Roles-based access control
- Number and complexity of configuration requests (4 standard per moth then fees apply)
- Self provisioning, using the online customer portal
SLA defines the maximum acceptable time for responding to and mitigating security incidents to minimize damage. SLA play a very important role in establishing credibility for security service providers' ability to deliver the service. SLAs can do this by providing 'guarantees' such as:
If a clear notification of the attack starting, classification and one workable solution is not provided within 30 minutes, SPs will give 25% of the money back out of the service fees brings immense amount of credibility to the SPs. Continuing the SLA to suggest if the attack notification is not done within two hours, 50% of the services fees will be returned and if four hours pass without such notification, that month's service would be 'free'. This approach helps SPs achieve the status of 'trusted security advisor'.
Competitive value of SLA is considerable as it allows differentiating security service offers to attract more customers in this competitive environment.
The linkage between pillar 3 and pillar 4 is that more comprehensive the SLA , the deeper the reporting requirements become.
PILLAR FOUR – REPORTS VIA SECURE PORTAL
When a security incident occurs, the customer receives an incident report containing the incident time and date, the system that was attacked, how the attack was identified, an evaluation of the success of the attack, and its impact. The report also lists the corrective actions attempted.
Reports are the fourth element of the managed security services, joining Defense in Depth, Integrated Services Device, and Business align SLAs. As a part of an SLA , available reports to the customers are specified. On-demand reports are an important selling point. Increasing more and more businesses need these reports for audits and regulatory compliance relating to how they secure confidential information.
Figure 4: Comprehensive Reports via Secure Portal
It is imperative to provide comprehensive security reporting that includes the managed security service, be it deployed on an integrated router or as an appliance. The majority of SPs today offer syslog reports and logs with some level of filtering and analysis. However, it is extremely difficult to extract meaningful information from logs in the raw format as they are not really useful for the majority of customers. In fact, they can be highly misleading, because customers see many thousands of events without any clear understanding of the severity or applicability of these events to their networks.
A great deal of value can be added to a managed security service by providing comprehensive reports to the customer on a regular basis, such as weekly or monthly. For example, information regarding instant messaging usage and peer-to-peer (P2P) applications – such as application type, video and audio transmission, file sharing, etc. – can be provided by filtering at the port level. For P2P applications, reports can provide clear usage statistics based on the port numbers that these protocols use as well as the application behavior footprint.
Business can use such reports to track the productivity of their users and to monitor their usage practices, as well as to report on compliancy with regulations such as the Sarbanes-Oxley (SOX) Act. SOX section 302 specifies that the information on systems used to produce financial reports should be monitored and preserved. This includes e-mail messages and all instant messages. Because this is not possible for most of the current messaging programs in use today, many companies, particularly in the financial services industry, have now banned their use. These reports can be used to show who is using what messaging protocols, and how they are using them. Are the policies in place, and being effectively enforced?
The real-time report are invaluable for the businesses. These reports should include the following:
- Incident Date/Time (UTC)
- System Information (Location, IP, etc)
- How the Attack was Identified
- Attack Success Evaluation
- Attack Impact
- Corrective Actions Attempted
- Points of Content
Businesses really value SPs' ability to provide per incident reports with deep forensic information allowing which allow them to carry out a comprehensive post-mortem of the security event. This step allows a business to review the security policy and ensure that in the rapidly changing threat environment, the business is still protected inline with the defined security posture.
To summarize, the foundation of the managed security service is lifecycle service management, which spans ordering, installing, and provisioning equipment, maintenance, reporting and billing.
The four components of the managed security service building block are: Defense in depth, an integrated services device rather than multiple separate devices, business-related SLAs that define response times to security incidents, and relevant reports delivered through a secure portal.
The business benefits of the managed security serivce are greater protection for business assets.