Our courses offer a good compromise between the continuous assessment favoured by some universities and the emphasis placed on final exams by others.

blog-thumb

MSSP-SOC – Security as a Service ( A short guide for Organisations and MSSP )

MSSP-SOC – Security as a Service

A short guide for Organisations and MSSP

 

 

 

 

Prepared BY – Cyber Future Tech

Mail: [email protected]

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

  • Cyber Future Tech

 

Introduction

 

Threat landscape continuous to get progressively worse with sophisticated attacks spotted in the wild; attackers leveraging build-in OS features to live of the land gaining a stronger foothold on target environment

Organisations today face many new types of issues—advanced phishing attacks are proving all too successful, Banking Trojan transforming intoransomware are some forms of malware, that many seem helpless toprevent.

 

This paper is an attempt to share thoughts on helping Small and Medium scaleOrganisations get most value of the partnership with MSSP; and enabling MSSP in Creating,Managing and Offering clients effective Security As A Service.

The paper is divided into two sections, the FIRST focuses on helping Organisations evaluate MSSP, Challenges they may face while in contract and How to ensure a successful partnership.

The SECOND section, looks from a MSSP point-of-view. Pointing out how they should align People, Process and Technology to deliver service.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Chapter 1 – For Organisations

 

Why You Should Use Managed Security Services Provider

 

Before organizations decide to partner with an MSSP, we must first understand organization’s needs. Examples why companies choose to prefer an MSSP as a solution for SOC support include:

 

  • Information security team is understaffed and needs assistance to monitor your network
  • Organization needs a 24X7X365 environment for compliance purposes
  • They can’t afford to build an in-house SOC
  • Past security breaches and/or public scrutiny

 

An MSSP can provide host of security services (like intrusion detection and prevention, incident management, managed vulnerability and identity and access solutions), apart from this they also can provide a level of experience handling those things that an in-house SOC might not have.

An MSSP sees problems like DDoS attacks, malware infestations and phishing scams every day. An in-house SOC staff member might only see something like that every few months. Repetition of tasks lends for a more prepared and experienced team of professionals, one of the key benefits of working with MSSP.

 

Consider these before you start

 

  • Don't look at implementing a Security Information and Event Management (SIEM) solution, if you can’t hire.
  • Don't look at MSSPs, If you cannot move your data outside the organization.
  • Need help manging your SIEM but also with ongoing monitoring, look at a hybrid model

 

 

 

 

 

 

 

Evaluate Managed Security Service Providers

       

The outsourcing of organisations digital security involves an in-depth discovery process. It’s not one of those decisions that depends solely on price & cost. Getting a right outsourcing company with the great reputation is critical to organization's viability. Making a bad decision or deciding on a single provider based only on cost can hurt organisations business. These are the areas that beshould looked at prior to looking at the cost:

 

  • How are they going to help your organization?

 

    • A good MSSP will not only be looking at your anti-virus, firewall etc., but will have holistic outlook on how they can protect their clients. That holistic outlook takes the following into account:
      • Technology - Firewall,UTM, wireless, VPN, best practices.
      • Management - Risk management, Policy , procedure,process , auditing, reporting, training & education
      • Adaptability - Business continuity, Disaster recovery, business resilience, backup, & culture
      • Compliance - Doing the above, makes compliance relatively easy

 

  • Do they have the expertise?

 

    • A good MSSP should have experts in one or more areas of data/infrastructure protection.

 

 

 

 

 

 

 

 

  • Do they have the capability?

 

    • Majority of MSSPs have the capacity to manage clients. They train people at every level of the organization to ensure they are servicing their clients to the best of their capability.

 

  • What benefits will you get out your PARTNER with them?

 

    • The outsourcing of organization security to an MSSP is a partnership. They are there to protect your data, infrastructure, clients, and staff. Make sure that all parties involved understand the requirements by putting a service level agreement (SLA) in place.

 

  • How much will it cost?

 

    • Finally, theirs the cost. You need to aware of how much your monthly digital security cost is going to impact your organization.The cost of a MSSP SLA must be  included in monitoring, management, and reporting.

 

Questions to prospective MSSP

As part of the evaluation process, you may want to pose these question to MSSP vendor to get clear understanding and if this is the right choice

 

  • How will you gain an understanding of my operations, end user behaviours and business requirements?

 

  • Do you have expertise in the specific regulatory and compliance requirements of my business?

 

  • How do you develop a threat profile?

 

  • How do you coordinate security and compliance activities between Information Security and Legal?

 

  • How do you coordinate security and compliance activities between IT and legal teams?

 

  • How do you monitor for and identify known & unknown threats?

 

  • Do you offer any legal services, such as e-discovery and legal staffing, to facilitate a seamless transition from incident response to litigation?

 

 

 

 

Challenges with MSSP

 

There are bound to be challenges in any engagement and when comes to MSSP these challenges pose risk to your business. The following are few challenges an organisation might want to be prepared for

 

  • Local knowledge

 

    • Be it of their clients’ business, IT, users, practices, etc – there is a lot of unwritten knowledge necessary for effective security monitoring and a lot of this is hard to transfer to athird party.

 

  • Delineation of responsibilities

 

    • “who does what?” has led many organizations astray since gaps in the whole chain of monitoring/detection/triage/incident response are, essentially, deadly. Unless security workflows are defined, tested something will break.

 

  • Lack of customization and “one-size-fits-all”

 

    • Most large organizations do not look like “a typical large organization” (ponder this one for a bit…) and so benefiting from “economies of scale” with security monitoring is more difficult than many thinks.

 

  • Inherent “third-partiness”

 

    • What do you lose if you are badly hacked? Everything! What does an MSSP their customer, are badly hacked? A customer, but this is the reality of different position of the service purchaser and provider, and escaping this is hard, even with heavy contract language & SLAs.

 

 

 

 

 

 

 

 

 

 

 

Ensuring a successful partnership with an MSSP

 

The possibility of conflict exists with any partnership, including the hiring of MSSP to augment your IT/InfoSec staff’s capabilities. Partnering with an MSSP is an increasingly popular choice to help manage your information security, however certain steps must be taken to ensure a successful& healthy relationship

 

  • Define the engagement strategy

 

    • This initial step is about more than service-level agreements (SLAs). It requires clearly defining the responsibilities of the managed security service provider and Organisations, respectively.

 

  • Understand the state of your environment

 

    • What technology do you have today? Is it current? If you upgrade, what effect will that have on your daily operation? Will it simplify things or complicate them? The answers to those & similar questions can have a huge effect on the success of the transition.

 

    • Organisations can assess these questions internally or use an MSSP to perform a complete assessment of your current technology, how it matches up to industry standards, and whether it aligns with your business goals.

 

  • Consider the gaps in your personnel resources

 

    • Organisations are probably well aware of any personnel shortages or skills gaps they have within their IT organization. Organisations should consider whether the MSSP has the expertise and bench strength to cover those areas, on a temporary or permanent basis.

 

    • With a managed services provider onboard, there may be some responsibilities organization can hand off for good, allowing them to focus resources on higher-value projects that elevate the IT organization’s visibility and standing within the business.

 

  • Confirm communications procedures

 

    • Come to an agreement on how communications between your organization and the managed services provider will work. Ensure to have a robust feedback mechanism in place to make sure that little issues don’t escalate into serious problems. Be certain that both sides understand format & frequency for status updates and feedback.

 

 

 

  • Keep requirements reasonable and establish expectations

 

    • It is important to set priorities and expectations within the partnership. Give the MSSP guidelines to follow and to ensure what you are asking can be reasonably accomplished in desired timeframe & budget.

 

  • View your provider as a real partner

 

    • Obtaining competitive pricing is an important consideration, the real business value in a partnership comes from being able to achieve things together that you couldn’t have done separately.

 

  • Get your internal team onboard

 

    • Some people may see the MSSP as a threat to their jobs, while others may wonder if the managed security services provider will now be dictating to them. Be sure that team understands that the purpose in engaging the MSSP is to take tedious work off your team’s hands, so they can focus on work that adds value to the business and enhance their careers.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Chapter 2 – For MSSP – SOC

 

Primary mission for a MSSP is to provide organizations with a highly mature detection and response capability designed to mitigate against threats that put most critical business assets at risk.

With MSSP - SOC as a Service, Organisations enjoy actionable intelligence and complete visibility into their environment, allowing for a dramatically improved security posture.

 

Challenges for MSSP

 

With so many models of service offering MSSP’s face a myriad of technical challenges in the infrastructure they develop, the tools they employ, and the processes adopted to drive services.

Scalability, Automation, Internal Processes and Professional Expertise are often cited as the most significant technical issues, along with following which makes MSSP’s service delivery a challenge

 

  • Limited visibility
    1. A MSSP SOC does not always have information about all Client systems

 

  • White noise
    1. A SOC receives immense volumes of data and much of it is insignificant for security. SIEM and other tools used in SOC are getting better at filtering out the noise

 

  • False positives and alert fatigue
    1. SOC systems generate large quantities of alerts, many of which turn out not to be real security incidents. False positives can consume a big part of analysts’ time,and make it more difficult to notice when real alerts occur.

 

To effectively deal with these, the first thing an MSSP should do is bring all stakeholders to the table to map the regulatory and legal risk at the IT, human and third-party layers.

Make sure your provider is ranking risk by potential legal & business impact & calculating the likelihood of threats associated with that risk. Then the provider can identify security gaps, assess incident readiness and help you develop targeted security and response processes based on those calculations of likelihood and impact potential.

 

How MSSP-SOC can provide best Security Services

 

Managed SOC can ensure maximum value to client’s business by complementing the technical components with consistent approach in managing, organizing and aligning People, Process and Technology ensuring effective service offering.

In addition to establishing (or augmenting) client SOC, MSSP SOC will provide security monitoring and incident response services to you via a managed service 24x7, anywhere in the world. The SOC will also be tightly linked with Security Research team to facilitate the sharing of new and emerging indicators of compromise.

 

STAFFING A SOC: PEOPLE

MSSP SOC team should work closely with Clients in-house information security function to provide skilled on-site/off-site resources throughout the design and build phases of the project. Once normal operations commence, MSSP remote 24x7 security monitoring team will be complemented by advanced monitoring and response services

 

 

         

Client Team

 

 

 

 

 

 

              • Multi-tiered team structure for detection and response
              • Dedicated Service delivery manager
              • Dedicated Research experts

 

 

MSSP SOC Team

 

 
   

 

 

 

 

 

 

 

 

 

Team Structure

 

MSSP SOC should have a hierarchy of roles with a clear escalation path. Day-to-day alerts are received and investigated by the L1(Level 1) Analyst; a real security incident is stepped up to a L2(Level 2) Analyst; and business critical incidents pull in the L3 Analyst & L4 SME and if necessary, the SOC Manager.

An important role in MSSP world would be of “Service Delivery Manager” or can be called as “Cyber Security Advisor” who is primary point of contact for client and is responsible for setting up services and gathering information about client’s environment and pass it on to SOC

  • L1Alert Investigator
    • Monitors SIEM alerts, prioritizes alerts or issues and performs triage to confirm a real security incident is taking place.

 

  • L2 -Incident Responder
    • Receives incidents and performs deep analysis, correlates with threat intelligence to identify the threat actor, nature of the attack and systems or data affected. Escalates to client to investigation, along with possible cause and strategy for containment, remediation and recovery and acts on it.

 

  • L3Dedicated Client Analyst
    • Constantly receives incidents data from L1 and L2; performs deep analysis andensures alerts are finetuned, conduct incident trend analysis for spotting security patterns.

 

  • L4Subject Matter Expert / Threat Hunter
    • Day-to-day, reviews alerts, industry news, threat intelligence and security data. Actively looks for threats that have found their way into the network, as well as unknown vulnerabilities and security gaps. When a major incident occurs, joins the L3 Analyst in responding and containing it.

 

  • SOC Manager
    • Like the commander of a military unit, responsible for hiring and training SOC staff, in charge of defensive and offensive strategy, manages resources, priorities and projects, and manages the team directly when responding to business-critical security incidents.

 

 

OPERATIONALIZING SOC - PROCESS

Managing a SOC in a clear and well-defined manner is crucial for its success. Managed SOCshould work closely with Clients to bring proven SOC management processes to client’s environment and tailor them to organization’s needs, where necessary.Following processesshould be in place MSSP

 

  • Understanding CLIENT
    • Client On-boarding& Integration
    • Collection of KYC (Know-your-client) data
    • Understand Client-Side Incident Response process flow
    • UnderstandingClient expectations.
    • Client escalation matrix

 

 

  • Running SOC
  • Employee on-boarding &Training process
  • Documentation – SOP’s, RunBook’s
  • Defined Roles & Responsibilities
  • Defined Metrics & KPI’s
  • Alert Triage process
  • Incident Categorization &Severity process
  • IR processes
  • Process for new Rule set deployment & refinement
  • Rewards and Recognition
  • Assessing team on Process &Security knowledge

 

 

    • Continuous improvement initiatives that can help SOC
      • IR and Breach Study exercise
      • Alert Bug Bounty – Fixing a poorly written alert
      • Team Presentations on recent breaches

 

 

 

 

 

EQUIPPING A SOC: TECHNOLOGY

A SOC is comprised of a diverse range of advanced tools that monitor the security of an organization’s systems and network infrastructure. The primary technology used in a SOC is a SIEM solution. It collects and correlates log data and network flows from sensors placed throughout the network.

  1. Reporting tools
  2. Threat intelligence feeds
  3. Workflow tools
  4. SOAR(orchestration) integration
  5. LAB setup

 

 

 

 

 

 

CONCLUSION

 

There’s no doubt that cyber attackers have outpaced the security capabilities of most small and medium enterprises. Attackers know how to bypass perimeter controls, and count on their ability to enter the network undetected and stay there as long as it’s financially rewarding to do so. But they won’t stop there. As long as there are monetary gains to be had in cyberspace, attackers will be ready to exploit them.

It’s time for small & medium enterprises to evolve as well, and seize the opportunity provided by MSSP SOC to improve their security strategies and get a step ahead of cyber attackers.

 

 

 

Prepared BY:

CYBER FUTURE TECH

Cyber Security Training Provider

Hyderabad

email: [email protected]

 

 

 

 

 

 

Referenced websites:

https://www.exabeam.com/siem-guide/the-soc-secops-and-siem/

https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf

https://www.peerlyst.com/posts/build-a-soc-or-choose-an-mssp-eric-carroll-1

https://www.ey.com/Publication/vwLUAssets/ManagedSOC/$FILE/EY-Managed-SOC.pdf

https://www.nttsecurity.com/docs/librariesprovider3/resources/us_data_sheet_how_to_choose_an_mssp_uea_v1

https://searchitchannel.techtarget.com/feature/How-to-overcome-managed-security-service-provider-challenges

https://blogs.gartner.com/anton-chuvakin/2014/09/10/challenges-with-mssps/

https://blogs.gartner.com/anton-chuvakin/2014/09/03/how-to-work-with-an-mssp-effectively/

https://informationsecurity.report/Resources/Whitepapers/65bb6e93-c8eb-4029-8818-e97f5ef67ab6_A%20New%20Guide%20to%20Evaluating%20Managed%20Security%20Services%20Providers.pdf

https://edge.siriuscom.com/managed-services/7-steps-to-a-successful-partnership-with-a-managed-security-services-provider

https://www.google.co.in/search?q=questions+to+ask+mssp&rlz=1C1GCEU_enIN822IN823&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjOoNKhmavfAhXKWisKHZ7dB3UQ_AUIDigB&biw=1366&bih=574#imgrc=JMWY80RmKUnQGM:

https://www.google.co.in/url?sa=i&source=images&cd=&ved=2ahUKEwjiot7YmavfAhULU30KHasFBb0QjRx6BAgBEAU&url=https%3A%2F%2Fwww.inbay.co.uk%2Ffrom-msp-to-mssp-have-you-got-what-it-takes%2F&psig=AOvVaw3BtjZuZhMv-DLgSFQSwalY&ust=1545284979921362

https://www.google.co.in/url?sa=i&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwj10aG0mqvfAhWFWisKHZIlDg8QjRx6BAgBEAU&url=https%3A%2F%2Fwww.proficio.com%2Fobjectives%2Fcompare-mssp%2F&psig=AOvVaw0xh6KCivP2fU-xhXZmKmVG&ust=1545285274398773

https://www.google.co.in/url?sa=i&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwiw8cPhmqvfAhVMQH0KHef1DMgQjRx6BAgBEAU&url=https%3A%2F%2Fwww.capgemini.com%2Fservice%2Fnew-ways-to-control-secure-your-assets%2Fcybersecurity-services%2Fsecurity-operations-center%2F&psig=AOvVaw0B6Q0IHXN8mkyYH8vldWJ8&ust=1545285353865554

https://digitalguardian.com/blog/how-hire-evaluate-managed-security-service-providers-mssps

https://www.google.co.in/search?rlz=1C1GCEU_enIN822IN823&biw=1366&bih=525&tbm=isch&sa=1&ei=nYIcXNiyBtTf9QP985XwBw&q=mssp+banner&oq=mssp+banner&gs_l=img.3...66505.68289..68390...1.0..0.184.1029.0j7......1....1..gws-wiz-img.......0j0i30j0i24j0i10i24.u0svvnM7H6w#imgrc=EdumgFn9kel-TM:

https://www.cloudberrylab.com/resources/blog/mssp-managed-security-service-provider-checklist/

Ans. In this series of posts, I’m going to show you step by step method to test a Web Application.

 

Always remember one thing, Every person has its own way to do the work.

 

 

 

Following mentioned things will be discussed.

  • Mapping the Web Application.

  • Preparing the Attack Surface.

  • Testing the Client-Side Controls.

  • Testing the Session Management system.

  • Testing the Auth. Mechanism.

  • Testing the Forget Password Utility.

  • Testing for Input Based Vulnerabilities.

  • Testing for Access Controls.

1. Mapping the Web Application.

 

==> In this phase a penetration tester in simple words, tries to gather information about the target.

 

There are two modes to gather information Active mode and Passive mode.

 

In Passive mode, the tester gathers information without being directly interacting with Web App.

 

In Active mode, the tester uses various utilities in the web application and tries to gather information.

 

 

The tester tries to gather information like :-

  • Purpose for which the web application was made for.

  • Checks for framework like WordPress, Drupal etc.

  • It’s Server information.

  • Programming languages used by Web App.

  • The technologies being used by web application.

  • Checks for Input areas.

  • Checks Output areas.

  • Gathers information about API.

  • Checks for third party files being access by the web app.

  • Port Scanning.

Comments

Search


Latest Post


blog-thumb

MSSP-SOC – Security as a Service ( A short guide for Organisations and MSSP )

Read More

blog-thumb

Your money or your life: Digital extortion scams

Read More

blog-thumb

Firewall Basic Bypassing Techniques With Nmap and Hping3

Read More

blog-thumb

Preventing Cybersecurity Disaster: Learning from the Top Security Breaches in 2018

Read More

blog-thumb

Another Reluctant Hacker

Read More