Blog post

MSSP Client Responsibilities – What Are They?

By Anton Chuvakin | October 09, 2014 | 0 Comments

securityMSSPmonitoring

Let me tell you a secret: MSSP is not a box that you throw your money in, and security comes out screaming! Sadly, many would say that the only reason they went with a Managed Security Service partner is to avoid doing any security on their own. However, if you decided to go with an MSSP and not with an in-house capability (such as internally-staffed SOC with SIEM tool at the center) …


… YOU STILL HAVE RESPONSIBILITIES!

This post is an attempt to outline my thinking about such responsibilities and create a structured approach to analyzing them. Intuitively, there are some things that an enterprise MUST do to allow the MSSP to help them (e.g. deploy their sensors, give them credentials for device management, etc). Still, there are more responsibilities that allow the MSSP to help the client better.

In any case, think of this table NOT as a comprehensive list, but as a framework to organize examples:

Value | time –> During on-boarding / before service During MSSP service consumption
To enable service delivery (MUST) Deploy sensors, share network diagrams and access credentials, provide contacts, etc Notify on asset and network changes, access changes, contact info, etc
To enable maximum value from the MSSP
(SHOULD)
Refine & share a security policy, have IR plans, provide detailed asset and context info, etc Respond to alerts (!), remediate systems, declare incidents and run IR, jointly tune the alerts, communicate changing security priorities, etc

An expanded version of this type of a visual should become your shared responsibility matrix, that will actually enable you to benefit the most from your MSSP relationship. BTW, one MSSP succinctly states in their policies: “The Customer is responsible for all remediation activities.” What about compliance, you may ask? An excellent question – to be handled in the next post 🙂

P.S. Of course, there will be people who will insist that “if you want it done well, do it yourself” (that may be true, but it does not mean this route is always the most cost-effective). On the other hand, there will be people who will say “… but security is not our core competence” (eh.. as if locking the doors is)

Blog posts related to this research on MSSP usage:

Comments are closed