Level 3 Security White Paper


DON’T LEAVE YOUR ORGANIZATION EXPOSED—JOIN FORCES WITH A TRUSTED SECURITY SERVICES PARTNER

INTRODUCTION

Is your organization’s network and the information streaming through it really secure? If
your answer is yes, would you bet your salary? Of course not; anyone with even passing
involvement in cyber security recognizes that speaking in absolute terms is
unsupportable. Yet, many organizations place this type of bet daily by choosing to manage
security by themselves—the Do-It-Yourself approach. They do this even though viable
means to elevate their security positions exist by partnering with a managed security
service provider (MSSP).

Consider the many challenges facing organizations that choose to go it alone:

▪ Staying ahead of attackers is a sprint with no end – Advanced Persistent
Threat is the latest popular label assigned to a new variation of cyber warfare. In
a couple of years, there will undoubtedly be another. The reality is that the cyber
underworld is constantly rearming itself to reach its objectives.

▪ Security technologies alone are inadequate – They can be great defensive
weapons but, like their morphing adversaries, they also must be continuously
managed for maximum effectiveness. This requires coordinated and
knowledgeable personnel on duty every minute of every day that your
organization is operating.

▪ Racking and stacking add to a management nightmare – There is no super,
all-encompassing security appliance. Even “best of breed” security appliances
have limitations. Consequently, appliance sprawl is inevitable and most likely
reflects a mix of vendors and technology vintages. Establishing and enforcing a
rudimentary set of uniform security policies in this environment is a challenge for
even the most astute and experienced security departments.

▪ The wave of security information is crushing – Every connected device and
every node in your network spews information that, if it could be systematically
collected, filtered, and analyzed, becomes security intelligence—intelligence
needed to identify and mitigate threats. And this is just your internal information.
External and global information is critical for context and in gaining actionable
early warning alerts. Unless you can tame this information wave, the risk of
security paralysis from too much information is real. Furthermore, what you do
not know, because of an inability to absorb and analyze relevant security data,
could be a bigger risk to your organization than what you do know (or think you
know).

▪ Tolerance for mediocre security is waning – The stakes are too high in a
compute-intensive, always-connected world. A disruption in your network, a
downed server, or an infected PC—each damages your organization’s operational
health. This has a price tag, as does remediation—that is, the time and resources
required to return your compromised systems to normalcy. The direct and
indirect costs of a data breach further add to this price tag. The bottom line:
avoiding sticker shock should be a number one risk management priority.

In this white paper, we provide the rationale as to why your organization should engage
with a managed security services provider; and not just any MSSP, but one that also
supports your global networking needs. What you will find is that the security
management capabilities of MSSPs and Network Services Providers are highly
complementary.

MANAGED SECURITY SERVICES IS A PARTNERSHIP

Change Abounds

An important aspect of employing an MSSP is that it is an active partnership. Unlike an
outsourcing arrangement where the outsourcer is tasked to achieve an outcome within
established parameters (e.g., manufacture 10,000 widgets for $100,000 in three months),
an MSSP engagement cannot be as tightly and statically defined. The principal reason for
this is that the parameters are constantly shifting—practically all parameters involving
security are in some level of flux. The reality of security is that change reigns supreme.
With a security strategy in place, an organization is prepared to respond to the multiple
types of changes that occur regularly, such as:

▪ Threats – Cyber threats, for example, are constantly changing—in form, volume,
timing, and points of origin—and changing with no forewarning. Speed and
comprehensiveness in identifying threats, particularly new ones, are critical.
Understanding and sizing potential impacts to your organization is also critical in
prioritizing threat mitigation efforts.

▪ Assets – What requires protection is changing too. At the physical level, data
center and communication network infrastructure and end-user devices are
changing in response to evolving business needs and circumstances. Often, these
changes are known in advance, but not always. Understanding how changes in
infrastructure and connected devices affect an organization’s vulnerability in
relation to threats is vital. For example, the proliferation of Bring-Your-Own-Device
(BYOD) onto the organization’s network—that is, devices that are not
directly managed by IT—adds significantly to risk. Moving up from the physical
layer, operating systems and software applications are frequently changing. Being
aware of these changes and their impact on vulnerability is also essential but, in
practice, challenging. Diversity in operating systems and applications plus
unsanctioned changes (e.g., downloading a new app) independently initiated by
business units or end users add to the difficulty of being aware.

▪ Network Traffic Behaviors – Less predictable are changes in the volume,
pattern, direction and mix of network traffic. Do these changes signal an attack?
Knowing with a high degree of certainty if a change in traffic is suspicious assists
in deciding when to escalate analysis. Furthermore, with the “low and slow”
behaviors of advanced threats (e.g., Trojans such as Madi, Flashfake, Flame, and
Stuxnet) and attacker reconnaissance efforts, the need to analyze traffic in depth
and in appropriate context, and over lengthier periods of time, is paramount.

▪ Regulations – Regulations pertaining to the protection of digital information
represent another area of change. Although changes in published regulations
follow a lengthy cycle, interpretation of regulations in all of the jurisdictions that
apply to your organization, and best practices on how to comply, are more
dynamic. Without knowledge and vigilance, optimizing compliance efforts slides
into the undesirable state of chance. Compliance and building security policies
require a high level of expertise; costly expertise if brought in-house.

▪ Security Policies – Last, security policies are a key component in your game
plan for managing risk. These policies reflect an assessment of risk at a point in
time. As such, security policies must change as risk changes. Instinctively, changes
in the threat environment (if detected) affect the magnitude and nature of risk,
but this is not the only cause. Changes in your business—what it does, where it
operates, and how it operates—also affect risk. Additionally, perceptions
influence an organization’s assessment of risk. Recurring news of data breaches
and network compromises give pause at multiple levels of the organization—board
members, top executives, and, of course, IT and security departments—on
whether the level of risk is higher and more extensive than previously presumed.
Adjusting security policies requires a comprehensive, balanced and recurring
assessment of risk. MSSPs running vulnerability assessments and simulating
attacks assist organizations in meeting this goal.

Managing Through Change

Having established that cyber security risk and the interplay of vulnerabilities and threats
are continuously changing, impacted by numerous variables, and unique to each
organization, the objective of an MSSP is to partner with each of its clients in reducing
risk. As a partnership, the parties combine forces to reach an objective that neither
could accomplish individually.

Each MSSP client has intimate perspective on its operations, business priorities and
tolerable level of risk. The MSSP cannot determine or infer this perspective with equal
precision and depth. Instead, the MSSP will merge the client’s perspective into the
context of what it does best—understanding and mitigating cyber threats. The MSSP
brings several capabilities to accomplish this on behalf of, and together with, its clients:

▪ Threat Intelligence – Among the most valuable assets the MSSP brings into the
partnership is threat intelligence. For this, the MSSP gathers reams of information
on a continuous basis from multiple sources as its raw material in identifying and
cataloging (e.g., stage of development, objective, and source) cyber threats. This
information originates from multiple sources including: client environments
(stripped to be anonymous), third-party sources (e.g., malware signature
libraries), and, for some, honeypots. Honeypots are established and maintained
by MSSPs to trap hackers into revealing their intent and capabilities. Breadth and
depth in threat information is an important measurement of the MSSP’s threat
intelligence capabilities. Equally important is the MSSP’s ability to systematically
filter and analyze this information and transform it into practical intelligence for
threat assessment and mitigation. Experienced and dedicated personnel,
supported by processes and systems that automate portions of the threat
analysis, form the principal building blocks in the MSSP’s information-to-intelligence
transformation.

▪ Vulnerability Assessment Know-How – There are multiple elements to an
MSSP’s vulnerability assessment service. The logical first step is creating a
vulnerability baseline; euphemistically, a heat map on where the client’s
environment is exposed to known threats. The best heat map also includes a
business context overlay of vulnerable hotspots that, if attacked, represent the
greatest risk to the client’s business priorities. Armed with this client-customized
vulnerability assessment and current threat intelligence, the MSSP prepares a risk
management plan. Once defined, the plan and execution of that plan is modified
over time with new MSSP threat intelligence, and changes in the client’s
environment, for example, through periodic vulnerability assessments.

▪ Security Policy Development – Instrumental in the risk management plan are
security policies. These policies define the security rules and procedures that
guide the client and MSSP in reducing risk. Essentially, these are the what, when,
where, and why instructions that advance the risk management plan from
objectives to reality. Examples include rules and security settings for network
firewalls, intrusion prevention systems, and Web filtering platforms. Policies also
define the working partnership between the MSSP and the client. Examples of this
include escalation procedures when a Distributed Denial of Service (DDoS)
attack reaches a pre-set volume threshold, or a new threat is discovered that
requires coordinated actions between client and MSSP to thwart. Like
vulnerability assessment and threat intelligence, MSSP personnel, vetted
procedures and experience pay dividends in creating security policies that strike
a balance among risk management goals, business objectives, and transparency
(i.e., minimizing end-user inconvenience).

▪ Policy Deployment – Security relies on technology in the form of software
applications, security appliances, and feature capabilities in network and
computing infrastructure (e.g., switches, routers, load balancers, and servers).
Understanding how these various forms of technologies operate, and their
administrative interfaces, is invaluable in the nuts-and-bolts deployment of
security policies. What may seem to be a simple step can escalate in complexity
and represent an operational barrier in effective risk management. For example,
administrative interfaces differ across vendor products. Understanding the
nuances of each is critical in ensuring that the policies defined are deployed
uniformly across a heterogeneous vendor environment. Experience and product
training contribute to the MSSP’s capabilities in policy deployment. Additionally,
MSSPs purchase and develop systems that streamline policy deployment, and have
built-in features that detect and warn the MSSP security engineer if his or her
actions could contribute to unanticipated consequences (e.g., counteracting
existing security rules). These systems also allow the MSSP to roll back rules to a
previous state. Despite scrutinized planning before a new set of policies are
deployed or a rule is changed, the outcomes may not always match expectations.
Having systematized roll-back procedures eliminates the unpredictability of
guesswork when policy version control is rooted in human memories and scraps
of unfiled paper.
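The two deployment safeguards named in this bullet, a pre-deployment check that warns when a new rule would be counteracted by an existing one, and a versioned rule store that can be rolled back, can be sketched in a few dozen lines. The following is an added illustration written for this page, not the product of any MSSP or vendor mentioned here. It assumes a simple first-match-wins firewall model with rules appended in order, and all rule names and addresses are constructed for the example.

```python
"""Versioned firewall policy store with shadowing detection and roll-back.

Added illustration; not any vendor's product. Assumed semantics: rules are
evaluated in list order, the first matching rule wins, and new rules are
appended at the end of the list.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # source CIDR, e.g. "10.1.0.0/16"
    dst: str               # destination CIDR
    port: Optional[int]    # destination TCP port; None means any port

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.port is None or self.port == other.port))

    def overlaps(self, other: "Rule") -> bool:
        """True if at least one packet is matched by both rules."""
        return (ip_network(self.src).overlaps(ip_network(other.src))
                and ip_network(self.dst).overlaps(ip_network(other.dst))
                and (self.port is None or other.port is None
                     or self.port == other.port))


def check_rule(existing: List[Rule], new: Rule) -> List[str]:
    """Warn about ways `new` would be ineffective or counteract earlier rules."""
    warnings = []
    for r in existing:
        if r.covers(new):
            what = "redundant" if r.action == new.action else "shadowed"
            warnings.append(f"{new.name} is {what}: earlier rule {r.name} "
                            f"({r.action}) already matches all of its traffic")
        elif r.action != new.action and r.overlaps(new):
            warnings.append(f"{new.name} partially overlaps opposite-action rule "
                            f"{r.name}; the earlier rule wins on the overlap")
    return warnings


class PolicyStore:
    """Every deployment or roll-back appends a new immutable snapshot."""

    def __init__(self) -> None:
        self._versions: List[List[Rule]] = [[]]   # version 0: empty rule set

    @property
    def version(self) -> int:
        return len(self._versions) - 1

    @property
    def current(self) -> List[Rule]:
        return list(self._versions[-1])

    def deploy(self, rule: Rule, force: bool = False) -> Tuple[bool, List[str]]:
        """Refuse a rule that triggers warnings unless the engineer forces it."""
        warnings = check_rule(self.current, rule)
        if warnings and not force:
            return False, warnings
        self._versions.append(self.current + [rule])
        return True, warnings

    def rollback(self, to_version: int) -> int:
        """Restore an earlier snapshot as a new version, keeping the history."""
        if not 0 <= to_version < len(self._versions):
            raise ValueError(f"no such version: {to_version}")
        self._versions.append(list(self._versions[to_version]))
        return self.version


if __name__ == "__main__":
    store = PolicyStore()
    # Constructed rules: block all inbound MySQL to the DB subnet, then try to
    # open it for the application tier (which the earlier deny shadows).
    deny_db = Rule("deny-db-inbound", "deny", "0.0.0.0/0", "10.2.0.0/24", 3306)
    allow_app = Rule("allow-app-to-db", "allow", "10.1.0.0/16", "10.2.0.0/24", 3306)
    print(store.deploy(deny_db))
    print(store.deploy(allow_app))             # refused with a shadowing warning
    print(store.deploy(allow_app, force=True))  # engineer overrides
    print("rolled back to version", store.rollback(1), "->", store.current)
```

The point of keeping every snapshot, including the one created by a roll-back, is that the audit trail shows not only what the policy is but how it got there; an engineer can answer "what changed at 02:00 last night" from the store rather than from memory.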

▪ Continuous Surveillance and Prioritized Investigations – The same
software and hardware environments where security policies are deployed also
generate a steady stream of activity information, or logs. Security alerts
commonly are part of this stream. However, determining which alerts and what
information is most relevant to the client’s risk management objectives cannot be
fully automated. Again, experienced and trained MSSP personnel, combined with
systems and procedures that streamline routine tasks, ensure that these essential
operations are completed in a time-efficient manner and with a high level of
confidence (i.e., focused on the alerts that are most relevant). Furthermore,
experience across the MSSP client base allows the MSSP to capture insights from
one client and apply this experience in serving other clients. The beneficial
concept of community interest is a customary practice with MSSPs.
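The prioritization described in this bullet, and the pre-set DDoS volume threshold that the Security Policy Development bullet names as an escalation trigger, come together in the alert-triage step: each alert is weighted by the sensor's severity and by the client's business context (asset criticality), and a flow event whose rate crosses the agreed threshold is flagged for immediate escalation. The following is an added illustration written for this page, not an MSSP's or vendor's tooling; the log format, field names, asset list and threshold are all constructed for the example.

```python
"""Alert triage over security logs with business-context weighting and
policy-driven DDoS escalation. Added illustration, not an MSSP's tooling.
Log format, field names, asset criticality and thresholds are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity weights as reported by the detecting sensor.
SEVERITY = {"low": 1, "medium": 3, "high": 7, "critical": 10}

# Client-supplied business context: host -> criticality 1 (lab box) .. 5 (crown jewel).
ASSET_CRITICALITY: Dict[str, int] = {"db-01": 5, "web-01": 4, "dev-03": 1}
DEFAULT_CRITICALITY = 2      # unknown assets are neither ignored nor top priority

# Pre-agreed escalation threshold from the client's security policy (packets/s).
DDOS_PPS_THRESHOLD = 500_000

# Constructed line shape: "<timestamp> <source> key=value key=value ..."
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<kv>\S+=\S+(?: \S+=\S+)*)$")

# Constructed sample log lines, including one unparseable line.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z ids host=dev-03 sev=high sig=sqli-probe src=203.0.113.5",
    "2024-05-01T10:00:02Z ids host=db-01 sev=medium sig=brute-force src=198.51.100.7",
    "2024-05-01T10:00:03Z av host=web-01 sev=low sig=pua-detected",
    "2024-05-01T10:00:04Z flow host=web-01 sev=high sig=syn-flood pps=620000",
    "2024-05-01T10:00:05Z flow host=web-01 sev=high sig=syn-flood pps=12000",
    "garbage line",
]


@dataclass
class Triaged:
    ts: str
    host: str
    signature: str
    score: int
    escalate: bool
    reason: str


def parse(line: str) -> Optional[dict]:
    """Return the event as a dict, or None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m["kv"].split())
    return {"ts": m["ts"], "source": m["source"], **fields}


def triage(lines: List[str],
           criticality: Dict[str, int] = ASSET_CRITICALITY,
           ddos_threshold: int = DDOS_PPS_THRESHOLD) -> List[Triaged]:
    """Score alerts by severity x asset criticality; highest score first."""
    out: List[Triaged] = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev.get("sev") not in SEVERITY:
            continue                      # unparseable or informational: not an alert
        host = ev.get("host", "unknown")
        weight = criticality.get(host, DEFAULT_CRITICALITY)
        sig = ev.get("sig", "unknown")
        pps = int(ev.get("pps", 0))
        if ev["source"] == "flow" and pps >= ddos_threshold:
            # Policy rule: volume above the agreed threshold goes straight to escalation.
            out.append(Triaged(ev["ts"], host, sig, SEVERITY["critical"] * weight, True,
                               f"{pps} pps exceeds escalation threshold {ddos_threshold}"))
        else:
            out.append(Triaged(ev["ts"], host, sig, SEVERITY[ev["sev"]] * weight, False,
                               f"{ev['sev']} severity on asset criticality {weight}"))
    out.sort(key=lambda t: t.score, reverse=True)
    return out


if __name__ == "__main__":
    for t in triage(SAMPLE_LOGS):
        flag = "ESCALATE" if t.escalate else "queue"
        print(f"{t.score:3d} {flag:8s} {t.host:7s} {t.signature:13s} {t.reason}")
```

In the constructed sample the high-severity probe against a lab box lands below a medium-severity brute-force attempt against the database, because the client's criticality map, not the sensor alone, decides what an analyst looks at first; the SYN flood above the policy threshold jumps the queue entirely.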

▪ Client Portal – Transparency is a necessary attribute of a healthy MSSP-client
partnership. For its part, the MSSP does not wish to work in isolation from its
clients; but at the same time, the MSSP client has hired the MSSP to follow
through on security operations the client cannot accomplish with similar time
efficiency, effectiveness, and scale. To bridge this gap and facilitate openness and
transparency in its operations, MSSPs have developed client-customizable portals
for their clients to review the MSSP’s activities, view status reports, interact with
the MSSP, and enter help desk requests. Recognizing that the level of desired
information varies based on individual roles within the client organization, role-based
reporting and drill-down capabilities are typically supported in these
portals. Like security policy deployment, normalization across heterogeneous
vendor products is a structural feature of these portals. Correspondingly, the
client does not need to be either a product or vendor expert to interpret
activity reports.

▪ Compliance Consulting and Reporting – Many organizations are subject to
compliance regulations pertaining to the protection of sensitive, private, and
proprietary pieces of digital information stored and used by them and, depending
on the regulation, their business partners that may also be accessing a portion of
this same information. Most MSSPs have staff members dedicated to
understanding these regulations and correlating the security operations
conducted by the MSSP to regulations. In addition, many MSSPs have
incorporated regulatory compliance reporting tools into their client portals.
MSSPs’ dual investments in regulatory-knowledgeable staff members and
regulatory compliance reporting help to reduce similar investments their clients
would otherwise need to make.

▪ Cost Efficiency – Security is an operational element of conducting business;
and, as an operation, scale contributes to cost efficiency. For example, operating
an around-the-clock Security Operations Center (SOC) is cost-prohibitive for
most organizations. Alternatively, MSSP SOCs serve multiple organizations
simultaneously, allowing the MSSP to spread the costs of building and maintaining
SOCs across all of its clients. For MSSP clients, they gain a necessary security
service at a cost that is lower than a DIY approach.

WHY THE PAIRING OF NETWORK SERVICE PROVIDER AND MSSP MAKES SENSE

Network Service Providers (NSPs) have been offering MSSP services for several years. As
explained in this section, this is not a chance combination but a highly complementary
pairing, as several NSP core competences are directly relevant in managed security
services. Among those core competences are:

▪ Information Intensity – To win the cyber security battle requires an
understanding of the enemy, the malicious underworld; and one of the best
locations to collect predictive clues on the enemy’s activities and intent is where
this malicious underworld operates—the Internet. Correspondingly, Internet
backbone providers occupy a unique vantage point. First, many of these backbone
providers operate on a global basis. With years of collected information and
up-to-the-second visibility into Internet traffic, these providers have a
high-resolution means to detect deviations in traffic patterns at the global, regional,
country, and local level. Based on longitudinal studies, these providers can also
predict how deviations that originate in one area ripple across the globe. This
allows NSP-MSSPs to help their clients fortify their defenses in advance of an
attack. Second, there are other useful Internet measurements that provide clues
on advancing malicious activities. The Domain Name System (DNS), the Internet
address translation mechanism (translating language-based URLs to routable
numerical IP addresses), is also a detector of pattern deviations. The same is true
with Content Distribution Networks (CDNs). The aim of a CDN is to deliver
Web site content faster to the end user by replicating content first generated
from the requested Web site to globally distributed content warehouses close to
the end user. Unusual patterns in the flow of traffic within CDNs can also be a
signal of malicious activity. NSP-MSSPs that operate as Internet backbone
providers, are part of the DNS infrastructure, and also offer CDN services, have
three additional layers of predictive information that other MSSPs do not. This
additional information helps the NSP-MSSP detect threats faster than a traditional
MSSP, and react before these threats become service-impacting to their clients.

▪ Scale with Client Isolation – For the MSSP business to be successful, and for
its clients to benefit (i.e., improved risk management services at an economical
price), the MSSP must attain operational scale in order to spread its investments
in service delivery thinly across its client base. The MSSP must also minimize
investments that exclusively serve a single client or a limited number of clients.
Rather, MSSP investments must be concentrated in service delivery
infrastructure, processes and personnel that can scale exponentially to support a
large number of clients simultaneously. At the same time, MSSP clients expect
isolation from the MSSP’s other clients. Each client’s security instances within the
MSSP service delivery environment must be treated with absolute privacy. This
MSSP formula for business success follows the same formula that NSPs honed
decades before the Internet era began. Communication networks are built to
serve millions of customers simultaneously while maintaining customer isolation
and allowing for customization (for example, customer-specific routing tables in
support of private Wide Area Networks). For NSP-MSSPs, they do not need to
learn the business model—they already know it.

▪ Bandwidth Optimization – Whether your organization’s network connections
are to the Internet or among locations in the footprint of a private Wide Area
Network (WAN), the intent is the same—serve legitimate business operations
and activities. The problem is that malicious and unwanted traffic is also vying for
these same pipes. From a bandwidth optimization perspective, this unsolicited
sharing impacts the responsiveness of legitimate traffic flows, and contributes to
the gap between your organization’s perceived bandwidth needs and bandwidth
expenditures; a wasteful outcome. Not just in real estate, location matters. The
NSP-MSSP is strategically placed to intercept malicious and unwanted traffic
before it enters your network locations from the Internet and among WAN
locations. As a result, your connections are better reserved for the traffic that
matters the most. In addition, whether your organization needs uniform security
policies across all your locations or varied policies, the NSP-MSSP’s homogenous
security platforms distributed throughout its network and tied into its customer
portal directly support this. Plus, built-in platform scalability and redundancy by
the NSP-MSSP ensures that these security capabilities are always ready and
always on. For your organization to have this same level of certainty would
indeed be costly.

Choosing an MSSP partner is an important selection and, as with any partnership,
multiple factors should be evaluated. What should not be omitted from your evaluation
are the structural differences between an NSP that has managed security services
expertise and a standalone MSSP, and how those differences align with your current and
future networking and security requirements.

Regarding the future, consider your organization’s adoption of cloud services. These
services are delivered from data centers that are either Internet-connected (e.g.,
Software as a Service), a node on your private network (e.g., a private cloud), or, more
likely, a combination of both. The convergence of networking and security services from
a single source, as outlined above, has attractive properties.

Stratecast: The Last Word

The task of defending against cyber threats and protecting your operations and the
information entrusted to your organization is a large, complex, and constantly
evolving task. For many organizations, the attention to security, while important, is
distracting their time and attention away from the core strategic elements of their
businesses. There must be another approach.

There is—partnering with a Managed Security Services Provider (MSSP). MSSPs are
singularly dedicated to fighting this fight, and fighting it to win. Their investments in
technologies, systems, processes, and personnel far exceed the investments a single
organization—your firm—can justify. Furthermore, their investments are made not
merely to address the threats of today, but also the threats of tomorrow.

The existence of MSSPs is not new and, therefore, not untested. MSSPs have been in
operation for more than a decade. As a testament to the client value MSSPs deliver,
global expenditures on MSSPs exceed $7 billion annually, and are forecasted to grow
at a pace of nearly 20 percent (source: Analysis of the Global Managed Security Service
Providers Market, May 2012, Frost & Sullivan).

Also, MSSPs are not created as equals. A growing portion of the MSSP market is
being filled by global Network Service Providers (NSPs) that also operate as MSSPs.
Like their standalone counterparts, their investments and dedication to the managed
security discipline are just as strong. This NSP-MSSP combination is a dynamic duo.
The long-held core competencies of NSPs are well placed in the operations
of an MSSP, and NSPs bring client value that standalone MSSPs cannot
duplicate.

One final point in the consideration of a MSSP partnership is that this partnership is
not an all-or-nothing proposition. NSP-MSSPs provide the convenience and flexibility
for organizations to choose the services that best complement or replace their
existing security capabilities. Additionally, NSP-MSSPs can fulfill your security needs
through security platforms located on your premises, in the NSP-MSSP’s network, or
in combination. Service changes and how they are delivered can also be
accommodated in a predictive and controlled manner.

In a world of uncertainty, there are some unfortunate certainties. One certainty is
cyber threats; they are not going away, and will intensify in sophistication and variety.
You want your business to have certainty too. A partnership with an MSSP will help
you combat one certainty with another.

Michael Suby
VP of Research
Stratecast | Frost & Sullivan
msuby@stratecast.com

Silicon Valley: 331 E. Evelyn Ave., Suite 100, Mountain View, CA 94041; Tel 650.475.4500; Fax 650.475.1570
San Antonio: 7550 West Interstate 10, Suite 400, San Antonio, Texas 78229-5616; Tel 210.348.1000; Fax 210.348.1003
London: 4, Grosvenor Gardens, London SW1W 0DH, UK; Tel 44(0)20 7730 3438; Fax 44(0)20 7730 3343

877.GoFrost • myfrost@frost.com
http://www.frost.com

ABOUT STRATECAST

Stratecast collaborates with our clients to reach smart business decisions in the rapidly evolving and
hyper-competitive Information and Communications Technology markets. Leveraging a mix of action-oriented subscription
research and customized consulting engagements, Stratecast delivers knowledge and perspective that is only
attainable through years of real-world experience in an industry where customers are collaborators; today’s
partners are tomorrow’s competitors; and agility and innovation are essential elements for success. Contact your
Stratecast Account Executive to engage our experience to assist you in attaining your growth objectives.

ABOUT FROST & SULLIVAN

Frost & Sullivan, the Growth Partnership Company, partners with clients to accelerate their growth. The company's
TEAM Research, Growth Consulting, and Growth Team Membership™ empower clients to create a growth-focused
culture that generates, evaluates, and implements effective growth strategies. Frost & Sullivan employs over 50
years of experience in partnering with Global 1000 companies, emerging businesses, and the investment community
from more than 40 offices on six continents. For more information about Frost & Sullivan’s Growth Partnership
Services, visit http://www.frost.com.

Offices: Auckland, Bangkok, Beijing, Bengaluru, Bogotá, Buenos Aires, Cape Town, Chennai, Colombo,
Delhi / NCR, Dhaka, Dubai, Frankfurt, Hong Kong, Istanbul, Jakarta, Kolkata, Kuala Lumpur, London,
Manhattan, Mexico City, Milan, Moscow, Mumbai, Oxford, Paris, Rockville Centre, San Antonio, São Paulo,
Seoul, Shanghai, Silicon Valley, Singapore, Sophia Antipolis, Sydney, Taipei, Tel Aviv, Tokyo, Toronto,
Warsaw, Washington, DC
