I had a good conversation this morning with a friend going over what to look for in picking a Manages Security Service Provider.  Since I have this wonderful relationship with our SOC (I’m both their customer and their LANLord), he wanted to know how, what, and where.

Over a year ago when I started getting involved in the managed service business,  I found Carnegie Mellon’s “Outsourcing Managed Security Services” (.pdf caveat).  I recommended that my friend go check it out, and on a lark I had a look at it.  It’s still relevant today.

And yes, Hoff, the report is from the “Networked Systems Survivability Program”.  Stuff that in your pipe and smoke it. =)

The one thing that keeps sticking in the back of my mind is MSSP service offerings.  So let me pick up the torch for Richard Bejtlich a little bit because deep down inside I like his Network Security Monitoring ideas.

Well, let’s say I’m a MSSP.  Not much of a stretch, really.  Now the problem with being a managed services provider is that I’m only as smart as my customers will let me be.  Some things sell themselves:  firewall monitoring and management; anti-virus deployment, monitoring, and management; and log monitoring and management.  Yes, it’s the same-old, tried-and-true security operations.  Some would say “tired”, and I would probably agree with that, too.

But when it comes to selling NSM (or any other new concept) as a service, it’s hard for me to sell.  The reason is that my customers don’t have a NSM problem, they have security, risk management, compliance, and auditor problems and the way that they understand to fix those problems is to outsource them.  Yes, that’s the the customer defining the solution space, but that’s the realpolitik of the market.

For a MSSP offering ala-carte service offerings, I have to frame NSM in a way that does the following:

• The customer can understand what they are getting
• The customer realizes a need for that service
• I’m not beaten on price by my competitors
• The customer’s auditors can understand how we are helping and that we have value

Basically, that’s just sound business, only my problem space is defined as providing an complex solution (security) on top of an already-esoteric solution (IT in general).

• Categories of Security Controls in Outsourcing
• Cloud Computing and the Government
• Lines of Business, Relationships, and Trustability
• Compensating Controls
• Security Assessment Economics