Carnegie Mellon’s Guide to MSSPs

Posted November 7th, 2007

I had a good conversation this morning with a friend going over what to look for in picking a Managed Security Service Provider.  Since I have this wonderful relationship with our SOC (I’m both their customer and their LANLord), he wanted to know how, what, and where.

Over a year ago when I started getting involved in the managed service business,  I found Carnegie Mellon’s “Outsourcing Managed Security Services” (.pdf caveat).  I recommended that my friend go check it out, and on a lark I had a look at it.  It’s still relevant today.

And yes, Hoff, the report is from the “Networked Systems Survivability Program”.  Stuff that in your pipe and smoke it. =)

The one thing that keeps sticking in the back of my mind is MSSP service offerings.  So let me pick up the torch for Richard Bejtlich a little bit because deep down inside I like his Network Security Monitoring ideas.

Well, let’s say I’m an MSSP.  Not much of a stretch, really.  Now the problem with being a managed services provider is that I’m only as smart as my customers will let me be.  Some things sell themselves:  firewall monitoring and management; anti-virus deployment, monitoring, and management; and log monitoring and management.  Yes, it’s the same-old, tried-and-true security operations.  Some would say “tired”, and I would probably agree with that, too.

But when it comes to selling NSM (or any other new concept) as a service, it’s hard for me to sell.  The reason is that my customers don’t have an NSM problem, they have security, risk management, compliance, and auditor problems, and the way that they understand to fix those problems is to outsource them.  Yes, that’s the customer defining the solution space, but that’s the realpolitik of the market.

For an MSSP offering à la carte services, I have to frame NSM in a way that does the following:

  • The customer can understand what they are getting
  • The customer realizes a need for that service
  • I’m not beaten on price by my competitors
  • The customer’s auditors can understand how we are helping and that we have value

Basically, that’s just sound business, only my problem space is defined as providing a complex solution (security) on top of an already-esoteric solution (IT in general).




Posted in Outsourcing, What Works | No Comments »

What the Government Looks for in a Product

Posted August 13th, 2007

I’ve been sitting in some vendor presentations lately–I think they invite me along so I can be the resident curmudgeon–and I’m starting to get a good feel for what both the government and myself want in a product.

I want to know how a tool fits into my IA framework. That framework for me is NIST SP 800-53. One side effect of 800-53 is that I can’t justify a product “just because”–I have to state how this tool or service will help me attain “compliance” with the minimum baseline of security controls. It’s not enough anymore to just say “hey, our product helps you with SP 800-53 controls, have some magic FISMA Fairy Dust“.

Advice for vendors: take the day of effort to provide a traceability matrix for me. What I have is a Plan of Actions and Milestones (POA&M) that requires me to implement the following controls:

  • AC-11 Session Lock
  • AC-12 Session Termination

Now what I want is for your product to say the following:

  • AC-11: Our product locks out users after 15 minutes of activity on their Frobulator workstation.
  • AC-12: Our product terminates users after 25 minutes of activity on their Frobulator workstation.

If your product doesn’t do a control, don’t mention it. But by all means get somebody who routinely works with the catalog of controls to determine if you meet the control objective: there’s nothing I hate more than trying to understand how somebody stretched their interpretation of control objectives that I now have to turn around and rationalize to an auditor. It’s OK if your product doesn’t do everything as long as it does the right things.

Now the reason I bring all this up is that I, too, am a vendor–a services/outsourcing vendor. I’m taking the time this week to do my own traceability matrix that says something like this:

  • For the Basic Hosting Service, these are the controls that you get (mostly Physical and Environmental Protection (PE) and Media Protection (MP) )
  • For the IDS Monitoring and Management Service, these are the controls that you get (mostly Audit (AU) controls with a smattering of Incident Response (IR) controls)
  • For the Network Monitoring and Management Services, these are the controls that you get (hardly any except for availability monitoring)
  • This is what we provide for support when you do a risk assessment or certification and accreditation
  • Some controls are Inherent Government Functions (IGF) and cannot be outsourced to us such as FIPS-199 categorization and risk acceptance

The whole idea is to delineate the responsibilities for pre-sales work so that when somebody contracts with us, they know the Government’s responsibilities, our Project Management Office’s (PMO’s) responsibilities, and my operations group’s responsibilities. It’s going back to the nature of outsourcing and the fact that transparency is key.




Posted in FISMA, NIST, Outsourcing, The Guerilla CISO | 3 Comments »

My Inbox this Afternoon: Best Practices Checklist

Posted June 21st, 2007

Ah, DISA, gotta love it. They give me periodic spam–not as bad as it sounds. =)

This time, I got one that immediately perked my interest:

“DISA FSO is releasing the Best Security Practice Checklist. This checklist was developed to assist during the procurement process for managed services acquisitions. “

What’s interesting to me is that it’s mostly based on web applications service providers. I don’t think most of it applies to what my guys do, or we’re doing something along a different scope.




Posted in DISA, Outsourcing | No Comments »

Enterprise !== Managed Service Provider

Posted May 16th, 2007

Message to vendors:  If you want to break into the Managed Service Provider market, there is one thing extra that you need to do.

Enterprise-class products are reasonably good at being able to support a 3-tier model.  That way you can abstract out everything into whatever architectural model you want.  Need more database oomph, add some more power at the database tier.  Need to support a remote site, put a data collector out there on the management LAN and just send events back to the central collectors.  This stuff is great.

But when it comes down to MSPs, there is one thing that we need above and beyond what enterprise-class products have.  We need to be able to flag data as belonging to a certain customer.  That way, once events have trickled up to the Single Pane of Glass (TM) that the NOC operators use, we still can tell which environment the event came from.  That requires tagging and the simple ability to have multiple devices on one IP address when clients have address collisions (everybody using 10.0.0.0 comes to mind).
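To show why the customer tag matters once events reach the central console, here is an added illustration (not code from the original post or from any product it mentions). The event records, the `customer` tag stamped by the remote collector, and the alert threshold are all constructed for the example; two customers both use 10.0.0.0/8, so the same address 10.0.0.5 exists in each environment.

```python
"""Tenant-aware event keying for an MSP 'single pane of glass'.

Added illustration, not code from the original post. The events, the
'customer' collector tag and the alert threshold are all constructed here.
"""
from collections import defaultdict

# Constructed events as a remote collector might forward them. Each carries
# the customer tag assigned by the collector on that customer's management
# LAN. Both customers use 10.0.0.0/8, so 10.0.0.5 exists in each environment.
EVENTS = [
    {"customer": "acme", "src_ip": "10.0.0.5", "msg": "auth failure"},
    {"customer": "acme", "src_ip": "10.0.0.5", "msg": "auth failure"},
    {"customer": "globex", "src_ip": "10.0.0.5", "msg": "auth failure"},
    {"customer": "globex", "src_ip": "10.0.0.5", "msg": "auth failure"},
    {"customer": "globex", "src_ip": "10.0.0.9", "msg": "auth success"},
]

THRESHOLD = 3  # auth failures per device before the NOC sees an alert (constructed)


def count_failures(events, tenant_aware):
    """Count auth failures per device.

    tenant_aware=False keys by IP alone, as a single-enterprise product would;
    tenant_aware=True keys by (customer, IP), which is what an MSP needs.
    """
    counts = defaultdict(int)
    for ev in events:
        if ev["msg"] != "auth failure":
            continue
        key = (ev["customer"], ev["src_ip"]) if tenant_aware else ev["src_ip"]
        counts[key] += 1
    return dict(counts)


def alerts(events, tenant_aware):
    """Return the device keys whose failure count reaches THRESHOLD."""
    failures = count_failures(events, tenant_aware)
    return sorted(k for k, n in failures.items() if n >= THRESHOLD)


if __name__ == "__main__":
    # Keyed by IP only, the two customers' 10.0.0.5 hosts merge into one
    # counter (4 failures) and fire an alert that names no real device.
    print("naive  :", alerts(EVENTS, tenant_aware=False))
    # Keyed by (customer, IP), each host has 2 failures, nothing fires, and
    # any alert that did fire would say which environment it came from.
    print("tagged :", alerts(EVENTS, tenant_aware=True))
```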




Posted in Outsourcing, Technical, What Doesn't Work, What Works | 2 Comments »

Lines of Business, Relationships, and Trustability

Posted April 25th, 2007

I ran into an interesting scenario yesterday concerning Lines of Business and security.

In case you’ve never heard about LoB, the short story is that each government agency becomes an expert in one area and then sells their services to other agencies. This is good, it gives the executive branch as a whole some economy of scale and significant cost savings. Over the next year and beyond, the Office of Management and Budget (OMB) will be pushing agencies towards LoB offerings from other agencies.

LoB information from the Office of Management and Budget

The problem is, when it comes to the security side of LoB, I don’t think we’ve figured it out yet, and our current security governance model doesn’t work.

Here’s the typical scenario, and it will get more common: If I am an agency who is getting pushed towards using one of the other agencies as a LoB provider, then effectively I’m outsourcing. The problem comes when the provider does not have any security program at all or they do not value the service at the level that I value it at.

No big surprise, security inside the government varies widely. Love it or hate it, that’s what FISMA (the law itself) is aimed to fix, and the highly-scorned FISMA scorecards provide us with a very, very, very high-level metric on an agency-wide basis.

So how do I help/force/coerce my LoB provider to increase their security? This is where the current IT security governance model fails. There are many reasons, here is a short list:

  • Current model is focused around one agency owning a system
  • Current model does not consider jointly-owned IT systems
  • Government does not fully understand a shared service provider model

Inside the Department of Defense, they have a great way to deal with this. They have a system register and everybody puts their system and its vulnerabilities into it. Then if I want to connect or share data with somebody, I can see what all their warts are. However, the civilian agencies are not at this level of maturity.

In order to make LoB work, what needs to happen is for the agencies to learn how to become contractors. This means that if I am offering up a service under LoB and a client agency wants a higher level of security than the system currently provides, then we need to talk about how the funding works out. It doesn’t make sense for the service provider to absorb the cost of the improvements because they don’t have a need for those improvements, but on the other hand it doesn’t make sense for the client agency to pay for 100% of the improvements when the provider agency can now turn around and sell their services to other agencies at a higher rate. Probably the outcome of this discussion is a Memorandum of Agreement with the client agency funding 50% of the improvements.

Short end of this debate is that we need to start having these conversations now.




Posted in FISMA, Outsourcing | 3 Comments »

Pandemic Flu Exercise

Posted April 4th, 2007

We did a very preliminary Pandemic Flu Exercise today.  Normally, I wouldn’t be too much worried about things like this when it comes to IT security during a pandemic–we just close out the lights and if the servers die, we’ll fix them after the dust has cleared.

But my organization has a difference from the average IT service provider:  we support the first responders from the US Government who need their IT systems up and running in order to get the knowledge shared and the cure to the right places when it’s needed.  It’s such a different business driver from normal that I had to pause and think it over the first time I heard it.

So today we did a partial VPN and telework test from another facility.  All told, it involved about 30 people.  In a couple of weeks, it’s “Global Work-From-Home Day”.  One lesson learned:  It’s the little things that will get you, like laptop screen real estate and network cables.

Now those of you who know me realize that I’m not that squeamish.  However, I did have a 30-second bout of panic when I thought about mass death where everyone in my apartment complex dies out in a pandemic flu.  Then I got over it. =)

Like I told my boss, it’s just like the consolidate and reorganize task that the infantryman trains on–restaff key positions and weapons systems, deal with the wounded and dead, communicate to higher, and continue the mission.  Now that I can handle.




Posted in Army, FISMA, Outsourcing, Risk Management | No Comments »


