July 25, 2018

Guide for SMBs – Choosing the Best Managed Security Service Provider

If you’re a small company searching for assistance in securing your business, congratulations. While a large percentage of cyber attacks were directed at small businesses in the last few years[1,2,3], many of these organizations still don’t take cyber threats seriously and the cost of ignoring or delaying proper protection could put them out of business.[3,4,5]

Where do you start, though? Due to price, many cybersecurity solutions are out of reach for smaller organizations. A managed security service can lower the overall cost, but sorting through all the options can be overwhelming. We recommend starting with a list of what’s important to you; however, as a small business, you probably don’t have an internal team of experts to come up with that list! Here are some tips on things to consider and questions to ask.

Cost

Okay, obviously price matters, but it’s important to consider all aspects of the service cost. Some providers may seem like a great value, but once you add in all the software or equipment they either don’t provide or require you to purchase, you may end up spending more in the long run. Make sure to get the entire picture before you make a decision. Some questions to ask yourself:

  • Will the MSSP require us to purchase or rent any software, systems, or devices?
  • Are there any additional products that will be recommended or required?
  • Are there additional services we may need in the future that the MSSP provides by a separate retainer? (Are there any hidden costs and fees?)

It is also a great idea to get more than one quote (ideally three). This will not only allow you to get the best price but may also highlight features that one company offers and prompt follow-up questions to see if the others include them or not.

Included Features and Technology

(and MDR versus MSSP)

It can be surprising how many different features are offered by security service providers and how many different ways they explain them! Then there’s also the MDR (Managed Detection and Response) versus MSSP (Managed Security Service Provider) confusion. There’s no clearly defined line that makes one provider an MDR and another an MSSP, at least not one that is universally accepted. Unfortunately, this has become more of a marketing ploy than a legitimate way to compare services, so the best you can do is ask questions about specific features to see what is included.

Here are some common items that may be included, offered as add-on features, or available by separate retainer. When comparing services, it is critical that you first identify the features and technology you need and ask if you will be paying extra for them.

Common Technology

EDR (Endpoint Detection and Response)
With costs ranging dramatically from $15-$100/endpoint, EDR licensing and hosting costs can eat up a significant portion of a small organization’s cybersecurity budget. Ask what options your provider has for managed EDR (and how much it will cost). Some MDRs/MSSPs will include an EDR option and some will not.

Traditional antivirus
These won’t typically be included with the service; however, on your request, a security service provider should be able to work with you to pick (or switch to) a product they recommend or a company they partner with.

Network sensors / IDS / IPS / firewalls
Some providers will have their own equipment that they rent, some will recommend partners they work with (and hopefully get you discounts), some will let you figure it out yourself, and some will help you set up open source systems, if requested. The key here is options. A good MSSP will make recommendations but ultimately work with whatever you decide.

SIEM (Security Information and Event Management)
The goal of any SIEM is to gather, display, and analyze events happening on the systems in your network and turn them into actionable items (alerts) that a person can then investigate to see if the event(s) had malicious intentions. Some providers will purchase a license for a pre-made SIEM and others may build one in-house. Both of these are viable options; you will just want to make sure it can handle the volume of alerts being generated from your devices and that you aren’t paying additional fees for the software.

Common Features

Incident Response / Remediation Services
If there is a breach, will the provider help you track down why/how/where? What you’re looking for here is whether they will just alert you to an incident, make recommendations on what to do, or actually take action to eradicate the issue. If you’re a small business without a security team, this is important.

  • Question: What is your escalation policy? (In the event of an intrusion, what will you do from there?)
  • Question: Are all of these services included or do you charge for them?
  • Question: Can you give an example of a remediation you performed? (Can you provide a sample or case study of how you helped a client detect and respond to a security incident?)

Device Management (“Security Administration”)
MSSPs monitor devices; they don’t necessarily manage them for you. If your organization doesn’t have a security team, this can be an important feature to add.

  • Question: Do you include the setup and management of firewalls, routers, intrusion detection and prevention systems, wireless access control, network ports, account control, system hardening, etc. as it pertains to the security of the network?

Utilizing machine learning and big data
While it is extremely important to have the right people protecting your network, humans can only do so much on their own. Automation is key and a good security solution should be powered by big data technologies, machine learning, analytics, and threat intelligence. Pairing this with highly trained and experienced security engineers that can take full advantage of the technology is the best way to find threats as early as possible in the kill chain.

Vulnerability scanning
Your security service provider should be proactively scanning your network to detect system weaknesses and entry points. If they detect a vulnerability, they should be alerting your team and working with you to fix it.

Expertise / Qualified Team

The best security tools in the world won’t do much good without the right people interacting with them. Security providers should be proud of the skills and experience of the people they hire, and they should be able to offer details on them. If possible, look for experience supporting both offensive and defensive cybersecurity efforts. The best way to defend against attackers is to understand their mindset and the tools they use, so having a team with blended experience is crucial.

Education and certifications are nice, but don’t focus on them too much. The cybersecurity landscape changes so quickly that certifications have a hard time keeping up. They’re a good place to start; however, be careful about placing too much emphasis on education and certs, because some of the best security engineers are self-taught and/or trained by others on the job. Some questions to ask:

  • How many years of experience do the people that will support our network have? (Include leadership and engineers/analysts)
  • How does your team stay up to date on current threats and vulnerabilities?
  • What kind of ongoing training do you offer?


Tailored / Customized

A good security service will make recommendations but ultimately figure out a way to work with the tools you’ve chosen and the features you need. That said, it is also possible to be too flexible. They need to be comfortable and knowledgeable in the tools they’re using and the features they’re offering, so there may be a good reason if one or two items can’t change. Some good questions to ask:

  • Do you offer discounts if there are features of your service that we don’t need? (This may come in the form of add-on costs for additional features instead of discounts for removed ones.)
  • Can you work/integrate with the ___ software and/or devices on our network or will we need to purchase others?
  • For any software and/or device you’re recommending we add to our network – can we choose our own or will we need to purchase the one you are recommending?


Other Things to Ask

  • (If they require a contract) Can we try the service for 30/60/90 days before committing to a contract?
  • How long do you store our data?
  • Where do you store our data? How do we access it? (Can we access it?)
  • What kinds of reports will you provide?
  • How long will it take to get fully up and running? (What is the time frame for onboarding?)


Wrap Up

If you’re a small-to-medium-sized organization currently searching for a security provider, this list is a great place to start; however, each organization’s needs are different, and you will likely have additional priorities of your own to evaluate. Just make sure to include the major points such as cost, included features, team expertise, and the ability to customize the solution based on your needs and current technology. If you would like to find out how Loki Labs can build a custom solution that meets your organization’s needs, you can reach us at info@lokilabs.io and we’ll be happy to answer any questions or provide a quote.


[1] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
[2] https://www.cnbc.com/2017/10/13/local-businesses-a-target-for-next-cyberattacks.html
[3] https://www.symantec.com/security-center/threat-report
[4] http://mastersinlaw.champlain.edu/internet-privacy-in-the-digital-age/
[5] https://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/