HOW TO SELECT A CLOUD SECURITY PROVIDER

Demand for outsourced cloud security services is growing exponentially and organisations are faced with the difficult decision of selecting the right service provider that will best meet their needs.

Loop Technology has asked Carlo Minassian, director of Loop Technology partner earthwave, to share his thoughts on the key issues for selecting a Cloud Security Provider...

There are many reasons why companies look to outsource their security, but one of the more common reasons I hear from customers is that the need for security exceeds their ability to supply it themselves. During an attack, technology cannot operate unattended. Unless you are a bank or a large enterprise, it is highly unlikely that you can justify hiring and operating a 24x7 team of security analysts, operators and forensic experts. Finding and retaining security expertise is difficult, and IT departments are stretched so thin that they often overlook security issues. Security concerns and vulnerabilities are constantly in flux, changing rapidly and becoming more sophisticated as technology becomes increasingly complex. Organisations simply cannot keep up with IT security breaches and cyber-crime on their own, 24x7. Companies choose to focus on their core business and partner with security experts to increase their productivity and allocate in-house IT resources to more strategic initiatives. Security requires specialised tasks and dedicated staff.

Organisations affected by personnel shortages understand the need for outsourced security services. Businesses that want to reduce the costs of installing, maintaining and monitoring security hardware recognise the need for cloud security services. In addition, organisations need protection that can be guaranteed without sacrificing service quality, business continuity or return on investment.

A Common Example

Imagine you have just signed a 3-year contract with a well known global cloud security service provider, only to find out that:

• When you call their Security Operations Centre (SOC) you are answered by junior night-shift graduate engineers located overseas, who inform you that they are unable to perform your emergency changes because those must be scheduled for when the senior engineers arrive at work the following day.

• When you performed internal and external penetration testing against your own environment, you did not hear a peep from them by way of incident notification.

• When you try to access their portal you realise that some of the interfaces and reports are not functioning, and when you contact their SOC you are advised that the reports you seek are far too complex and that not all the details you have requested are being indexed or correlated.

• You fail your annual security audit when the auditors realise your logs and configuration files are stored offshore and you are unable to demonstrate compliance reporting.

• When you ask your security service provider why they are not advising you of all the attacks that are clearly visible on the IPS console, you find out that they have no process for real-time threat analysis and no real correlation capability in their back-end SOC; instead they have developed a glorified reporting portal that simply looks impressive.

Some questions that should be asked ...

All of the above scenarios are real-life customer stories that I have heard time and again. With the growing demand for outsourced security services, it is important for you to know how to select a cloud security provider that is right for your organisation. Use these guidelines and questions as the starting point for evaluating potential providers.

Do you have local presence in Australia with redundant local SOCs?

There are many benefits to having locally staffed SOCs. These include the ability to visit the SOCs at any time and to meet regularly with the SOC Manager and the team responsible for managing your security. Being able to physically inspect and verify the physical security of the SOCs is more valuable than simply taking the provider's word for it. Having dedicated, named English-speaking senior security engineers available immediately in your time zone in case of an emergency change or an attack is not a huge ask, but for a cloud security provider operating from overseas it is difficult to achieve.

Being able to meet your auditors at the security service provider's SOC to verify your compliance requirements, having the provider actively involved in your audit process, and being able to use their staff for litigation support are some of the reasons a locally staffed, redundant SOC is critical to a successful security outsourcing engagement.

Do you keep my data onshore or offshore?

Having your critical security data, including device configuration files and event logs, located in another country outside the reach of the Australian legal system simply does not make sense. Again, do not just take the cloud security provider's word for it. Providers will do whatever it takes to reduce their costs, and replicating correlation engines and 24x7 security analysts, operators and forensics staff in each country is a very expensive proposition. Far too many security service providers have a deployment and sales front in Australia while most of the processing, correlation and security monitoring is performed offshore, which means your data must also go offshore.

How do you protect my data and what is the level of security at your SOC?

The cloud security service provider cannot be the weakest link in your security chain. What is the point of investing in your security infrastructure when your security service provider has not, and they have a clear pipe right into the heart of your network? There are providers that protect their infrastructure with a single firewall and a single physical door, and that is it. Make sure there is a chain of custody when handling your data and that your data is protected both in transit and in storage. Look for a service provider whose SOCs meet minimum physical security standards such as the Australian ASIO T4 standard. The SOCs should be monitored 24x7 by the same team that monitors customer networks; this way customers never suffer the consequences of a problem within the service provider's SOC. Pay attention to how the provider manages network connectivity, bandwidth, carrier relations and device health. If the provider cannot show best practice policies and procedures on its own systems, you cannot be confident that those systems will serve your company well.

Do you offer powerful correlation and analysis for identifying real threats?

Make sure the security service provider offers powerful correlation and analysis and can articulate how they identify real threats among the millions of events they collect. Look for security service providers that can offer real-time identity and role correlation, real-time dynamic network correlation, real-time location correlation, multi-stage attack correlation and, finally, contextual correlation. Make sure you assess the back-end tools and technology the security service provider uses at the SOC. In an effort to reduce their overhead, a surprising number of multinational security service providers have simply developed a dazzling reporting interface without any real back-end correlation capability. Ask for such functionality explicitly and have live demonstrations performed to verify the execution capabilities of the cloud provider.

What event sources do you support?

Make sure you do not get stuck with a security service provider that is unable to support your future security monitoring requirements. Event sources should include network devices as well as physical access control systems, such as your door access system. Security service providers that have developed in-house tools often support only a handful of event sources, with no or limited correlation capability. Look for security service providers that can support a minimum of 150 vendor device types, covering most of the event sources in your network from the physical to the application level. Ask them how they keep up with new device versions and the associated log formats. Ask them how they keep up with the content or signature updates released by the major IPS vendors.

What other security services do you offer?

Look for a security service provider that offers a broad range of cloud security services beyond your immediate requirements. I have seen customers forced to use multiple service providers to meet their extended security requirements, such as mail filtering, authentication, wireless security, identity management or patch management. Having multiple security providers adds unnecessary complexity and makes management even more difficult to control.

What are the local vendors saying about you?

Security vendors know which security service providers in their local region are trained, certified, have solid references and are capable of managing their devices. Take their advice; they only want what is best for their product. You would be surprised at how many security service providers take on new contracts without the necessary expertise and then scramble to find training for their staff and vendor support during the handover.

Who are your customers?

Ask them for reference customers in your industry. Contact those customers for feedback and understand their challenges. Look for security service providers with a high customer retention record and customers that have extended their contracts multiple times. This gives you some level of quality assurance and a reasonable expectation that the security service provider can deliver.

Do you provide threat intelligence and custom IPS signatures?

Any serious security service provider will subscribe to multiple sources of threat intelligence to help them continually stay on top of the latest attack trends, network threats and vulnerabilities. Look for a cloud provider that can extend threat intelligence service to you so that you may use it for your in-house requirements.

Make sure the cloud provider can demonstrate the capability of developing custom IPS signatures to protect you against new or unknown attacks until your IPS vendor can release their content updates.

Are your SOCs staffed to meet the common federal government and private sector security standards?

People! They are often the weakest link in your security. Through their own frailty and behaviour, they can unwittingly place the entire organisation at risk. Those seeking some advantage will look for the weak links in an organisation: those with hidden pasts and associations. Knowing that the security service provider's staff hold relevant security clearances, and that clearance checks form part of the provider's recruitment process, is very important. 'Highly Protected' clearances should be the minimum level you accept; this is the mid-range level of clearance commonly referred to in the business and public sectors for those in positions of trust within an organisation.

What can I expect from your portal?

The security service provider should provide secure, real-time, online access to the status of your network, service data and metrics, as well as the capability to generate reports on demand. Be wary of security service providers who 'keep the curtains closed' and hide the details of trouble ticket case logs and notes. Always ask what information is stored in the ticket that is not visible through the portal. Generally speaking, any cloud security provider should operate in a manner similar to an in-house security team, and should be forthcoming with information and necessary details. Look for a security service portal that gives you feature-rich dashboards, real-time access to your high priority events, all your events and correlated events, online ticketing, comprehensive and customisable reports, online access to all your policies and configuration files and, finally, access to threat intelligence that provides early warning alerts together with weekly and monthly summaries.

How do you address my insider threats?

Look for a security service provider that can act as an early warning system for your organisation and is able to detect suspicious activity such as printing large numbers of files outside of business hours, emailing large attachments to personal email accounts, employee communication with competitors, or clearing system audit logs to cover one's tracks. In addition to early warning, your security service provider must be able to provide detection capabilities specific to information leakage and IT sabotage, such as real-time rules designed to identify inappropriate access to or transmission of sensitive data, or the internal use and presence of hacking tools.
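To make the correlation and insider-threat capabilities asked for above concrete (the "multi-stage attack correlation" and "identity correlation" from the correlation question, and the "real-time rules" from this one), here is a miniature correlation engine. It is an added example written for this article, not code from earthwave, Loop Technology or any vendor's SOC. The event schema, the business-hours window, the page threshold and the time windows are all assumptions, and every event is constructed. It shows why a reporting portal is not a SOC: none of the individual events below is alarming on its own, but chaining them, and tying an IP address back to a person, is what produces a ticket worth paging someone for.

```python
"""Added example: a toy correlator over constructed log events (not vendor code)."""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (8, 18)                 # assumed 08:00-18:00 local time
CHAIN_WINDOW = timedelta(minutes=15)     # assumed max gap between stages of an attack chain
PRINT_WINDOW = timedelta(minutes=30)     # assumed window for the bulk-printing rule
PRINT_PAGE_THRESHOLD = 500               # assumed pages within PRINT_WINDOW that trigger it

# Constructed events in one common schema. A real SOC first normalises each
# vendor's format (IDS, VPN, host audit, print server) into something like this.
EVENTS = [
    {"ts": "2024-03-04T01:58:00", "src": "vpn",   "action": "login", "ip": "10.8.0.23", "user": "contractor7"},
    {"ts": "2024-03-04T02:10:00", "src": "ids",   "action": "portscan", "ip": "10.8.0.23"},
    {"ts": "2024-03-04T02:11:30", "src": "ids",   "action": "exploit_attempt", "ip": "10.8.0.23", "target": "10.0.0.5"},
    {"ts": "2024-03-04T02:12:05", "src": "host",  "action": "new_admin_user", "host": "10.0.0.5", "user": "svc_backup"},
    {"ts": "2024-03-04T10:00:00", "src": "print", "action": "print_job", "user": "alee", "pages": 400},
    {"ts": "2024-03-04T22:30:00", "src": "print", "action": "print_job", "user": "jsmith", "pages": 180},
    {"ts": "2024-03-04T22:31:00", "src": "print", "action": "print_job", "user": "jsmith", "pages": 220},
    {"ts": "2024-03-04T22:33:00", "src": "print", "action": "print_job", "user": "jsmith", "pages": 150},
    {"ts": "2024-03-04T22:40:00", "src": "host",  "action": "audit_log_cleared", "host": "ws-17", "user": "jsmith"},
]


def ts(event):
    return datetime.fromisoformat(event["ts"])


def follows(earlier, later, window):
    """True if `later` happened at or after `earlier` and within `window`."""
    return timedelta(0) <= ts(later) - ts(earlier) <= window


def identity_map(events):
    """Identity correlation: IP -> user from VPN logins, so that IDS events keyed
    only by address can be attributed to a person."""
    return {e["ip"]: e["user"] for e in events
            if e["src"] == "vpn" and e["action"] == "login"}


def multistage_attacks(events):
    """Multi-stage correlation: scan -> exploit attempt -> privileged change on the
    target host, each stage within CHAIN_WINDOW of the previous one."""
    alerts = []
    scans = [e for e in events if e["action"] == "portscan"]
    exploits = [e for e in events if e["action"] == "exploit_attempt"]
    changes = [e for e in events if e["action"] == "new_admin_user"]
    for s in scans:
        for x in exploits:
            if x["ip"] != s["ip"] or not follows(s, x, CHAIN_WINDOW):
                continue
            for c in changes:
                if c["host"] == x["target"] and follows(x, c, CHAIN_WINDOW):
                    alerts.append({"rule": "multistage_intrusion", "severity": "critical",
                                   "ip": s["ip"], "target": c["host"], "ts": c["ts"]})
    return alerts


def after_hours(when):
    return not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]


def bulk_after_hours_printing(events):
    """Insider rule: at least PRINT_PAGE_THRESHOLD pages by one user, outside
    business hours, inside a sliding PRINT_WINDOW."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=ts):
        if e["action"] == "print_job" and after_hours(ts(e)):
            by_user[e["user"]].append(e)
    for user, jobs in by_user.items():
        start = 0
        for end in range(len(jobs)):
            while not follows(jobs[start], jobs[end], PRINT_WINDOW):
                start += 1                 # slide the window forward
            pages = sum(j["pages"] for j in jobs[start:end + 1])
            if pages >= PRINT_PAGE_THRESHOLD:
                alerts.append({"rule": "after_hours_bulk_print", "severity": "high",
                               "user": user, "pages": pages, "ts": jobs[end]["ts"]})
                break                      # one alert per user per burst
    return alerts


def audit_log_cleared(events):
    """Insider rule: clearing an audit log is always worth a ticket."""
    return [{"rule": "audit_log_cleared", "severity": "high", "user": e.get("user"),
             "host": e["host"], "ts": e["ts"]}
            for e in events if e["action"] == "audit_log_cleared"]


def correlate(events):
    """Run every rule, then attach a username to any alert that only carries an IP."""
    ip_to_user = identity_map(events)
    alerts = (multistage_attacks(events) + bulk_after_hours_printing(events)
              + audit_log_cleared(events))
    for a in alerts:
        if "ip" in a and "user" not in a:
            a["user"] = ip_to_user.get(a["ip"], "unknown")
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run against the constructed events this yields three alerts: the intrusion chain attributed to the VPN user behind 10.8.0.23, the after-hours printing burst by jsmith (550 pages in three minutes; alee's 400 pages during the day trigger nothing), and the audit log clearance. When evaluating a provider, ask for exactly this kind of live walk-through on your own event sources, and note which of these rules they can express in their back end rather than only in a report filter.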

How do you address my log review requirements for compliance and IT governance?

Your security service provider must be able to give you a ready-to-use, best practice compliance log review foundation so that you can immediately begin assessing and demonstrating control effectiveness. Look for a security service provider that can clarify confusing compliance log review practices through a comprehensive, best practice approach. Ask whether they can alleviate time-consuming audit tasks through automatically generated compliance information and whether they offer regulation-specific solutions for PCI-DSS, ACSI 33, IT governance, ISO 27001, Sarbanes-Oxley, HIPAA, FISMA, Gramm-Leach-Bliley, Basel II and other regulations.

What kind of SLAs do you offer?

Don't just take their word for it. Make sure SLAs are well defined and clearly stated in your agreement. Make certain it details the processes, as well as the time frames, within which you can expect a response. Make sure you are happy with the steps that will be taken in case of a security incident. Will you be satisfied with simply being told that an incident could have taken place, or do you expect more from your security service provider? How much do you expect your security service provider to be involved during an incident? Who will own and manage your internal incident response plan? Who will ensure the same attack does not happen again? Your SLA should, at minimum, cover the initial response time for a security incident; for a fault or performance issue with the devices under management; for loss of the management link between the security service provider and your network; for content and signature updates; for requests for security policy and configuration changes; and for general enquiries. Take time to test your security service provider's response time.

What are your support hours and how do you staff your SOCs?

Understanding the security service provider's hours of operation and how they staff their SOCs will ensure your expectations for service delivery are met. Threats come from anywhere at any time, so you need to ensure your security service provider has sufficient head count and the necessary experience to cover a 24x7 operation. Keep in mind that staffing a single seat around the clock takes a minimum of about six people; look for a provider that will dedicate staff to knowing your environment and has the necessary security analysts, security operators and security forensic staff to respond to your needs at any time.

Do you have policies and procedures and an incident response plan and how have you responded to incidents in the past?

Check with their references to ensure that the way they have responded to incidents in the past is in line with your expectations. Ask for specific examples of how the company has handled security threats. Ensure the provider has detailed, well-tested emergency response capabilities, well-defined, specific processes in the event of a security incident, and detailed measures to ensure that system intrusions do not repeat.

What is your financial position and how much of your profits do you reinvest back into the business?

Finding a profitable security service provider could prove to be a challenge with so many security service providers dependent on constant venture capital. Look for a provider who is profitable, has a sustainable business model, and re-invests much of its profits back into growing its business together with internal research and development capabilities. Choose a provider whose security service business is profitable and not dependent on other lines of business to remain afloat. A number of US-based security service providers with limited local operations have already tried the Australian market on numerous occasions and their current commitment to this region is seriously questionable. I am certain many will not be able to sustain local operations at a loss much longer and will be consequently forced to close shop over the next 24 months, while others will be consolidated.

Are you a pure-play security service provider?

Pure-play security service providers are far more focused than providers that have other streams of revenue, such as a telco that offers outsourced services as a value-add or a product company that bundles security services around its products. Look for a security service provider that is telco independent and vendor neutral. Focus on the provider's ability to deliver comprehensive security management and monitoring backed by best practice processes, procedures, technology and people.

So in summary, select a security service provider that will best meet your business requirements in your part of the world. The questions above give you a good starting point that you can add to and expand. There are considerable benefits to outsourcing security, and by selecting the right provider for your business at the outset you will save yourself a lot of pain and money and ensure your organisation has a positive experience with your decision. And remember: don't fall for the hype, the polished presentations, the marketing glitz and the analyst reports that are not relevant to your part of the world.