Managed Security Models

and How They Work

By the FST Research & Editorial Group

Fulcrum Technology Solutions, Inc.

July 2016

All Rights Reserved

Table of Contents

Introduction

Task and Purpose

Making Sense of the Security Services Marketplace

The Four Levels of Managed Security Services

Introducing the Four Levels

Systems Integration (SI)

Consulting Services (CS)

Managed Services (MS)

Highly-Managed Services (HMS)

Using the Four Level Model

So, Now What?

Example 1: The Simple Job

Example 2: The Complex Job

Conclusion

About Fulcrum Technology Solutions

Introduction

Task and Purpose

This white paper establishes an industry-wide convention for describing – at a high level – how cyber security services are delivered. It breaks down the range of services sold into four general categories that are based on the level of effort involved and the duration of the service provider’s relationship with the client, ranging from a brief encounter to a long-term partnership. This conceptual model is provided to help the reader consider what he or she wants to get out of a security service provider through the use of shared terms, common definitions, and an internally-consistent approach to describing service levels.

Making Sense of the Security Services Marketplace

If you’re a line-of-business manager and you need help securing your production network, you have a wealth of options available for getting work done that you can’t (or won’t) do on your own. That’s the good news. The bad news is that it can be amazingly frustrating trying to find the right partner to deliver the service that you want in the way that you want it delivered.

Spend a little time searching for “security services” and you’ll likely get a headache. It seems like every vendor in this sector is offering exactly the same options – which is to say “all of them.” If you believe some vendors’ web pages, they’re capable of doing everything conceivable, from firewall tuning to dusting your office’s plastic ferns. What isn’t said in most sales pages is a clear description of how those services are provided. How long will the provider be around? What’s the split between the provider’s staff and the client’s? Who owns the project risk?

Managed security service offerings are often even squiffier, since they’re often nebulously defined, open to all sorts of interpretation. There’s no industry standard for what exactly constitutes a “managed” service … but there should be. It would make things a lot simpler if we all had the same common terms and functional definitions to work from. Therefore, Fulcrum Technology Solutions’ Research & Editorial group has decided to place a (metaphorical) stake in the ground and create a standard that everyone can use to help clients define what they want, and providers to define what they’re willing to deliver.

The Four Levels of Managed Security Services

Introducing the Four Levels

Realistically, you could argue that there are as many ways to deliver cyber security services as there are needs to be met in the marketplace. Every contract is a unique combination of needs, wants, abilities, and promises. That being said, there’s little value in treating the world of managed security services as if it were an infinite sea of possibilities. For pragmatism’s sake, there are essentially four broad categories of services, and most top-tier consulting houses will offer all four of them – individually, or in combination – to satisfy a client’s unique requirements.

We’re going to cover these in order based on level of effort (and, correspondingly, in terms of cost). For each one, we’ll briefly touch on its value proposition for the notional client. Your (metaphorical) mileage may vary.

Systems Integration (SI)

This is the delivery, integration, and activation of a working security product, component, or capability into a client’s existing production environment. Classic examples include installing a new Security Information and Event Management (SIEM) appliance, replacing an existing firewall with a newer model, and conducting a network penetration test. In each case, the client wants something done and can’t (or won’t) do the work itself, so the third-party provider either delivers a thing, or does a thing.

Systems Integration is the least strenuous, least intrusive, and (usually) least expensive of the four managed services. These jobs are often marketed as Firm/Fixed Cost engagements, or else as Time and Materials contracts with not-to-exceed caps on the cost. The client may already have the thing needing installation, or they may buy it separately, or may have the third-party buy it and tack the cost on to the services contract.

Bear in mind, SI jobs aren’t just performed in legacy data centers (e.g., racking a new server). Service providers can deploy Virtual Machines into an existing private, hybrid, or public cloud environment.

Advantages:

  • Small, clearly defined jobs are the easiest to plan and can almost always be started and finished within a single budget cycle.
  • The client gets credit for achieving a milestone on the strategic security plan, often faster and with less drama than if they’d tried to perform the task in-house.
  • It’s a great way to “test drive” a new partner. Give the provider a clear task and see how well they carry it out. If they’re great, hire them again; if not, you can lose the unwanted provider and still get to keep the product.

Disadvantages:

  • An SI job is almost always a short-term relationship with the services provider. Once the job is done, the integrator goes away unless otherwise contracted.
  • The outcome of the job is only as good as your design allows. If you buy the wrong part, want it integrated the wrong way, or don’t listen to the integrator’s advice, then your negative experience may taint your impression of an actually competent service provider.

Consulting Services (CS)

This is very similar to SI, and for good reason – it’s the logical progression that every service provider takes after completing a one-time job. Consulting can take nearly any form that involves expert personnel, including training, working on existing equipment, analyzing current systems or processes, proposing improved systems or processes, filling vacancies, augmenting staff, etc. The common denominator for all of these services is that the third-party service provider is doing something for the client that it can’t do for itself.

Most of these contracts are delivered under hourly-rate Time and Materials style contracts. They might have caps on the number of billable hours, but they’re usually structured under a “serve until otherwise directed” model.

Advantages:

  • Professional consulting firms are almost infinitely flexible; they can change their timing, their personnel, and their terms to meet really strange job requirements. Professional consultants can change their focus as-needed to accommodate changing business requirements.
  • Professional consultants are far less likely to up and leave in the middle of an assignment the way that a contractor can (see “Be warned!” below). That’s because the consultant is getting paid a salary with benefits, and has a vested interest in the success of his/her firm, even though that firm may only be charging you an hourly rate for the consultant’s contributions.
  • You don’t have to worry about managing payroll taxes, benefits, or other administrative overhead for a consultant.

Disadvantages:

  • A consultant can be more expensive than the exact same person serving as a permanent employee. The consulting company always adds some management and logistical “overhead” to the consultant’s hourly bill rate.
  • Unlike a permanent employee, a consultant may be limited as to what he or she is allowed to do under their contract. If you don’t structure your contract wisely, you may wind up underutilizing your consultants.

Be warned! It’s important to note that consulting is not the same as personnel staffing. A true consulting company delivers expertise to solve a problem – they’re invested in the client’s long-term success. A staffing agency (a.k.a., a contract labor company), on the other hand, is just a body-shopper; they forward qualified candidates’ résumés to the client and take a cut of the worker’s pay, but don’t have any greater commitment to the client’s success. It’s very easy to tell the two types of businesses apart. Call your service provider and declare a critical short-term emergency. A real consulting agency will bring in the extra troops needed to solve the problem; a body shopper will try to sell you another Full-Time Employee, but won’t otherwise do anything to help.

Managed Services (MS)

Managed Services are very different from SI and CS work. In a Managed Services contract, the client pays the service provider to fulfill a certain critical capability. This might supplement the client’s own capability, or it might provide a capability that the client lacks. Classic examples include monitoring the output of a SIEM or an Intrusion Detection System (IDS), performing patch management on the client’s fleet of endpoint devices, or providing 24/7 physical security assets to guard your facilities. MS is a lot more involved than consulting, as decision-making authority for dealing with emergency situations is usually delegated to the service provider’s personnel, who then deal with the emergency either according to contract standards, or according to the client’s regulations.

MS contracts are almost always negotiated as some form of fixed price arrangement, where the provider’s personnel will rotate in and out of the function as-needed to ensure constant coverage. The service provider deals with all of the staffing, shift management, and other arrangements needed to guarantee delivery according to Service Level Agreement (SLA) or other contract terms.

Advantages:

  • The MS provider takes responsibility for delivering a consistent, predictable outcome according to contract standards. They often self-manage their own people and tools so that the client needn’t be bothered.
  • The MS provider usually sells a service that it’s already an expert in delivering. Outsourcing a function to a seasoned organization leads to greater peace of mind (and possibly even more dependable compliance in the eyes of customers, regulators, and/or auditors).

Disadvantages:

  • Any Managed Service has lines of demarcation between the client’s responsibilities and the service provider’s responsibilities. If the client’s personnel don’t fulfill their half of the relationship, the MS provider often can’t deliver on theirs – and the MS provider often has no authority over the client’s staff to compel compliance.
  • The client’s own staff members often feel threatened by an MS provider, especially when it’s clear that the provider’s staff is meeting a company need that the full-time staff cannot. This often leads to parochialism, suspicion, and other counterproductive drama.
  • The client is dependent on the MS provider to deliver under the terms of their contract. For mission-critical applications, this could leave the client extremely vulnerable – if the provider fails to deliver, the client gets the blame from the media, from angry customers, from disapproving regulators, et al. This is why it’s critical to thoroughly vet your partners.
  • Similarly, the client often has no direct control over the MS provider’s personnel, processes, or performance. If the provider’s team deviates from the client’s expectations, it may take a prolonged (and tense!) contract negotiation to get things resynchronized.
  • If the MS provider decides to stop offering a service, the client must scramble to bring the function back in-house, or else find a different third-party provider to deliver the service.

Highly-Managed Services (HMS)

This is one of those nebulous marketing terms that no one can seem to agree on. To preempt the inevitable arguments, we’ve placed a (notional) stake in the ground and have operationally defined “Highly-Managed Services” as the advanced form of Managed Services, where a client pays a provider to completely handle all aspects of a complicated and/or integrated service. The keyword in this definition is “completely;” unlike regular MS, HMS shifts responsibility for all aspects of the service provided from a joint arrangement between the client and the provider to the provider exclusively.

A practical example of the difference comes from the world of “cloud computing” (a.k.a., Infrastructure-as-a-Service). An MS provider handles all of the “below-the-hypervisor” maintenance for all of the hardware in a data center that’s needed to support the client’s virtual machines and storage. The client, in turn, is responsible for everything “above-the-hypervisor.” That is, the actual configuration, maintenance, monitoring, and troubleshooting of whatever is running on the VMs is the client’s problem; the MS provider just makes sure that the underlying environment is running correctly. In an HMS cloud solution, the provider covers everything. They deliver the output of an application or process to the client and the client has little visibility into (or interest in) how the digital sausage gets made and maintained.

In a security services HMS model, this often takes the form of a provider completely managing all aspects of the client’s security apparatus. The provider owns, operates, and reacts to the monitoring and alerting systems. The provider runs all of the countermeasures on their own initiative, without waiting for permission or assistance from the client. The provider has root access on all devices where administrator rights are required to conduct effective defensive operations.

Most of the time, the HMS security contract is integrated with the HMS operations contract. Cloud providers especially are keen to control all aspects of their solution. The client pays more – and gets more. IT becomes largely outsourced to a technically savvy provider, so that the client can ignore the expense and the headaches that come with running its own data center.

Advantages:

  • The HMS provider has comprehensive knowledge of the complete solution and every aspect of the systems lifecycle (i.e., from procurement through disposal). The provider knows the environment better than the client, which makes their defensive tactics much more effective.
  • An HMS solution effectively alleviates the need to staff and run your own security department. When the highly-managed security offering is coupled with a highly-managed operations contract, the client can do away with in-house IT pretty much altogether.
  • The HMS provider has to staff their solution with all of the exotic technology specializations needed to provide a comprehensive package. That means that the provider has to recruit and retain the ultra-rare “left-handed warbled SAN whisperer” (or whatever is in vogue that year) to make the solution run, putting the burden of managing High-Demand/Low-Density specializations entirely on them (thereby freeing up the client’s HR team).

Disadvantages:

  • Turning over the keys and all of the oversight responsibility to a third party leaves a client vulnerable to surprises. Although the contract penalties and the courts can make the client “whole” after a breach, compromise, or error, that post facto remedy doesn’t prevent such events from manifesting. If the HMS provider screws up, the client pays for it – and the reputational damage alone may present an existential threat.
  • HMS contracts may be cost effective, but they’re never cheap.

Using the Four Level Model

So, Now What?

There’s a classic Peanuts© comic strip where Lucy – upon being told an interesting fact about Shakespeare’s Romeo and Juliet – responds “Now that I know that, what do I do?” That joke is a classic for a reason: it conveys the frustration and confusion that pretty much everyone feels when they’re taught some seemingly-important nugget of wisdom without the operational context required to put it into use. It’s like being told steps for a recipe without being told what the end product is supposed to be. We get that.

We drafted the four levels model specifically to help you – the prospective client – frame what it is that you want out of your security services provider before you start the negotiations. When you have a better lock on what you want, you’re more likely to get what you want in negotiations.

Here are a couple of basic examples of how to apply the model:

Example 1: The Simple Job

Your company already has a SIEM running, and your staff knows how to operate and monitor it. Your regulators told you that you need a duplicate SIEM running at a branch location. You don't need any help configuring or operating the device once it’s in. You just need someone to rack, power, and integrate the new SIEM at the remote location.

Best Model: Systems Integration. Tell your provider that you don’t want or need any ongoing consulting or other long-term support. Get the box installed, declare it operational, and go away.

Example 2: The Complex Job

Your company has both a SIEM and an IDS running to notice possible adversary activity on your network, but no one is reacting to the alerts because you don’t have enough personnel to deal with all of the false alarms. That means that real alerts aren’t getting addressed, and the devices may as well not exist.