Let me tell you a secret: an MSSP is not a box that you throw your money into, and security comes out screaming! Sadly, many would say that the only reason they went with a Managed Security Service partner is to avoid doing any security on their own. However, if you decided to go with an MSSP and not with an in-house capability (such as an internally staffed SOC with a SIEM tool at the center) …
… YOU STILL HAVE RESPONSIBILITIES!
This post is an attempt to outline my thinking about such responsibilities and create a structured approach to analyzing them. Intuitively, there are some things that an enterprise MUST do to allow the MSSP to help them (e.g. deploy their sensors, give them credentials for device management, etc.). Still, there are more responsibilities that allow the MSSP to help the client better.
In any case, think of this table NOT as a comprehensive list, but as a framework to organize examples:
| Value / time –> | During on-boarding / before service | During MSSP service consumption |
|---|---|---|
| To enable service delivery (MUST) | Deploy sensors, share network diagrams and access credentials, provide contacts, etc. | Notify on asset and network changes, access changes, contact info, etc. |
| To enable maximum value from the MSSP | Refine & share a security policy, have IR plans, provide detailed asset and context info, etc. | Respond to alerts (!), remediate systems, declare incidents and run IR, jointly tune the alerts, communicate changing security priorities, etc. |
An expanded version of this type of visual should become your shared responsibility matrix, which will actually enable you to benefit the most from your MSSP relationship. BTW, one MSSP succinctly states in their policies: “The Customer is responsible for all remediation activities.” What about compliance, you may ask? An excellent question – to be handled in the next post 🙂
P.S. Of course, there will be people who will insist that “if you want it done well, do it yourself” (that may be true, but it does not mean this route is always the most cost-effective). On the other hand, there will be people who will say “… but security is not our core competence” (eh... as if locking the doors is).