Can Managing Enterprise Security be Made Easier?

Effective enterprise security management

Category: Security

Date: , 14:00

Effective information security helps maintain the integrity of valuable corporate assets, enables compliance with industry regulations, and helps ensure the integrity of a trusted brand image and sustain business continuity. But providing an effective level of security requires a combination of state-of-the-art technology, experienced personnel, proven processes and continuous threat intelligence that few organizations possess.

Those organisations that choose to tackle these critical issues in-house invariably find themselves struggling to identify security events, provide security event alerts, and respond to the threats. Specifically, the challenge is how to quickly identify which assets are at risk, determine the impact of security breaches, and prioritise incident response within the company. In order to make good decisions and protect information assets, companies must have the resources to understand what is happening both inside and outside the corporate network.

Symantec Global Services
Confidence in a connected world.

Can Managing Enterprise Security Be Made Easier?
Considerations for Partnering with a Managed Security Services Provider for Security Protection
A Symantec Advisory Guide

Who should read this guide:
CSOs, CISOs, managers, compliance officers, heads of security, CIOs, and project managers faced with the challenge of managing enterprise security

Advice offered about:
- Common hurdles when managing enterprise security in-house
- Benefits of partnering with a Managed Security Service Provider (MSSP) for security protection
- Sample expenses and cost comparison scenarios
- Evaluating potential MSSPs

"We tried to provide this level of security on our own. We had two full-time employees looking at our own IDS sensors at one point. But trying to maintain signatures and updates while continually inspecting and correlating events from the logs was becoming quite a feat."
Network engineer

Contents

Introduction
  Considering the security management options
  Who should read this guide?
  What you will get from reading this guide
  60-second insight: one minute to see how Symantec Managed Security Services can improve your security posture
The threat landscape continues to evolve
  Cyber-criminals continue to exploit trusted environments
  Rise in site-specific vulnerabilities
Common hurdles when managing enterprise security in-house
Measuring the cost of managing security in-house
  Equipment
  Hardware and software costs
  Maintenance
  Certifications and attestations
  Personnel
  Recruiting
  Training and education
  Security operations center
Benefits of managed security services
  Improve information protection
  Leverage knowledge and experience of security experts
  Stay abreast of the most recent security threats and attacks
  Share responsibility with a trusted security partner
  Consistent SLAs across the organization
  Gain reliable 24x7x365 security management
  Concentrate on what you do best
  Maximize investment on existing security products
  Make project and running costs more predictable
  Continuous improvement
Selecting a managed security services provider
  Breadth of supported technologies
  Security management processes
  Auditing
  Effectiveness of technology
  Reporting
  Security operations center capabilities
  Recommended MSSP checklist
Symantec Global Services
  Conclusion
  Symantec Global Services
  Symantec Managed Security Services
  Symantec Residency Services
  Symantec Advisory Services
  Symantec DeepSight™ Early Warning Services
  Free 30-day trial service
  Symantec Managed Solutions
  To find out more

Introduction

Effective information security helps maintain the integrity of valuable corporate assets, enables compliance with industry regulations, and helps ensure the integrity of a trusted brand image and sustain business continuity. But providing an effective level of security requires a combination of state-of-the-art technology, experienced personnel, proven processes, and continuous threat intelligence that few organizations possess.

Those organizations that choose to tackle these critical issues in-house invariably find themselves struggling to identify security events, provide security event alerts, and respond to the threats. Specifically, the challenge is how to quickly identify which assets are at risk, determine the impact of security breaches, and prioritize incident response within the company. In order to make good decisions and protect information assets, companies must have the resources to understand what is happening both inside and outside the corporate network.

Security technologies including firewalls, network and host intrusion detection, and prevention systems have created a tremendous volume of information, and handling that information only makes a company's security problems more challenging. As a result, many organizations that currently manage security in-house are looking for alternatives. These organizations often find themselves choosing between two options: managing security in-house, or outsourcing either all or some security management to a managed security services provider (MSSP).

To ensure rapid response to real threats, MSSPs use high-availability security operations centers (SOCs) to provide outsourced management and monitoring of security devices and events. These centers support 24x7 services designed to reduce the number of operational security personnel an enterprise must hire, train, and retain in order to maintain an acceptable security posture.

Considering the security management options

It is essential that organizations weigh the risk of sharing their data with third parties against that of losing intellectual property and productivity as a result of malicious activity. Only robust, round-the-clock security management and monitoring can help mitigate the risk of threats against an enterprise network. However, the wide range of MSSPs and their offerings can prove daunting to compare and understand. We commissioned this guide to help organizations weigh their security management options.
Grant Geyer, Vice President, Symantec Managed Security Services

"Without a sound security strategy, our organization would likely be out of business."
Director of technology

Who should read this guide?

CSOs, CISOs, managers, compliance officers, heads of security, CIOs, and project managers faced with the challenge of managing enterprise security.
This can include mail security; compliance; IT risk; and the monitoring, identification, and remediation of security incidents and events.

What you will get from reading this guide

- An understanding of the changing threat landscape and common hurdles you face when managing enterprise security in-house
- The benefits of partnering with a MSSP for security protection
- Sample expenses and cost comparison scenarios to help you produce a financial analysis when considering a MSSP
- Useful guidance for evaluating potential MSSPs

60-second insight: one minute to see how Symantec Managed Security Services can improve your security posture

Benefit from extensive global threat intelligence

Symantec Managed Security Services has access to some of the most comprehensive sources of Internet threat data in the world. Leveraging the Symantec Global Intelligence Network, managed services teams are thoroughly informed on world events, which accelerates the decision-making process to protect your critical assets.

Avoid the impact of a missed security event

Leverage security expertise for 24x7 monitoring, alerting on suspicious incidents, and delivery of timely, prioritized remediation recommendations. Symantec Managed Security Services security analysts and security operations center (SOC) technology help keep your business assets safe from compromise.

Find the needle in the haystack

Symantec Managed Security Services technology and security analysts look for small pieces of separate information in gigabytes of log files across multiple devices, and then recognize which pieces, when put together, indicate a threat.
Symantec has built in-house technology to filter all customer information and present events to analysts for further investigation.

Support for your audit requirements

Symantec Managed Security Services globally maintain the stringent audit requirements of the ISO 27001 certification and SAS70 Type II Audit Report, and include certifications for both business continuity planning and disaster recovery. Our mature approach to governance will ensure that an incident or disaster in one region will not affect the support you receive or compromise the integrity of your business.

The threat landscape continues to evolve

On April 8, 2008, Symantec released Volume XIII of the industry-leading Global Internet Security Threat Report (ISTR).

In the report, Symantec concludes that cyber-criminals are becoming increasingly professional, even commercial, in the development, distribution, and use of malicious code and services. While cyber-crime continues to be driven by financial gain, cyber-criminals are now using more professional attack methods, tools, and strategies to conduct malicious activity. Based on the data collected during this timeframe of July 1 to December 31, 2007, Symantec has observed that the current security threat landscape is predominantly characterized by the following:

- Malicious activity has become Web-based.
- Attackers are targeting end users instead of computers.
- The underground economy is becoming consolidated and mature.
- Attackers and attack activity are adapting rapidly.

Cyber-criminals continue to exploit trusted environments

During the reporting period, Symantec has observed that the majority of effective malicious activity has become Web-based: the Web is now the primary conduit for attack activity. This may be driven, in part, by the fact that compromises affecting computers on enterprise networks are likely to be discovered and shut down. On the other hand, activity that takes place on end users' computers and/or Web sites is less likely to be detected.

Symantec observed that 58% of all vulnerabilities disclosed were in Web applications. Once a trusted Web site has been compromised, cyber-criminals use it as a source for distribution of malicious programs in order to compromise individual computers. This attack method allows cyber-criminals to wait for their victims to come to them instead of needing to actively seek out targets.

Social networking Web sites are increasingly valuable to attackers because they provide access to a large number of people, many of whom trust the site and its security. These Web sites can also expose a great deal of confidential user information that can then be used in attempts to conduct identity theft or online fraud. An added benefit to attackers who target trusted sites is the ability to steal credentials or launch other attacks en masse because these tactics can allow attacks to propagate quickly through a victim's social network.

"It would be cost-prohibitive to try to cover this ground on our own."
Director of technology

Table 1. Personal information that can be used for financial gain is traded on underground economy servers. This table ranks goods most frequently offered for sale.

| Rank | Item | Percentage | Range of prices |
|---|---|---|---|
| 1 | Bank accounts | 22% | 0.40 to 20 |
| 2 | Credit cards | 13% | 10 to 1000 |
| 3 | Full identities | 9% | 1 to 15 |
| 4 | Online auction accounts | 7% | 1 to 8 |
| 5 | Scams | 7% | 2.50/week to 50/week for hosting. 25 for design |
| 6 | Mailers | 6% | 1 to 10 |
| 7 | Email addresses | 5% | 0.83/MB to 10/MB |
| 8 | Email passwords | 5% | 4 to 30 |
| 9 | Drop (requests or offers) | 5% | 10% to 50% of total drop amount |
| 10 | Proxies | 5% | 1.50 to 30 |

Rise in site-specific vulnerabilities

Site-specific vulnerabilities are perhaps the most telling indication of this trend. These are vulnerabilities that affect custom or proprietary Web-application code for a specific Web site. During the last six months of 2007, 11,253 site-specific cross-site scripting vulnerabilities were documented. This is considerably higher than the 2,134 traditional vulnerabilities documented by Symantec during this same period. These vulnerabilities are a concern because they allow attackers to compromise specific Web sites that they can then use as a means of launching subsequent attacks against users, which has been shown to be an effective strategy for launching multi-stage attacks and exploiting client-side vulnerabilities. Site-specific vulnerabilities are often used in association with browser plug-in vulnerabilities, which are useful for conducting sophisticated Web-based attacks.

Another indication of the Web's emergence as an attack vector is the continued growth in browser plug-in vulnerabilities. Browser plug-ins are technologies that run inside the Web browser and extend the browser's features, such as those that allow additional multimedia content from Web pages to be rendered in the browser (ActiveX, for example). These vulnerabilities have remained popular because they are a very effective means of conducting Web-based attacks.

Table 2. Symantec Internet Security Threat Report data sources

Symantec uses multiple data sources to compile the Internet Security Threat Report, including:

- More than 40,000 sensors that monitor network activity in more than 180 countries
- Reports on malicious code, spyware, and adware from more than 120 million systems that have deployed Symantec virus protection products
- A security vulnerability database spanning more than a decade that covers more than 25,000 vulnerabilities from more than 8,000 vendors
- BugTraq, a forum for the disclosure and discussion of vulnerabilities, with approximately 50,000 direct subscribers
- The Symantec Probe Network: a system of more than two million decoy accounts that attracts email messages from 30 different countries around the world, allowing Symantec to gauge global spam and phishing activity

Figure 1. This chart shows malicious code trends. In the second half of 2007, 499,811 new malicious code threats were reported to Symantec. This is a 136% increase over the first half of 2007. (Chart not reproduced: new malicious code threats by half-year period, Jul-Dec 2002 through Jul-Dec 2007.)

Common hurdles when managing enterprise security in-house

With customers and business partners dependent on accessing critical product and service data via open networks such as the Internet, organizations must ensure the integrity of this information or risk jeopardizing their reputation and their brand equity. In short, they need to protect the bottom line, the corporate image, and the brand.

Organizations face a number of barriers to achieving and maintaining effective security programs, including those listed in table 3.

"Hiring more staff for a 24x7 immediate response team would have greatly increased our staffing costs."
Group leader

Table 3. Barriers to achieving and maintaining effective security programs

Security: a core requirement, but not a core competence

Companies focusing on eCommerce and eBusiness must ensure that their information assets are properly protected. Managing information security requires constant vigilance and strict accountability for every change in the state of the network and systems connected to it. Organizations often find they lack the necessary in-house skills to manage this challenging task.

Need to find, hire, and retain security staff

Because of the strong market demand for skilled information security talent, organizations are finding it expensive to recruit and extremely difficult to retain these professionals. A large amount of time can be absorbed by the constant juggling of resources, resume sifting, interviews, contracts, and attrition.

The high attrition rate among security personnel reduces a company's ability to effectively safeguard its valuable information assets.

Security staff overloaded with routine daily operations

While the security staff commits to the tasks, they often discover that they lack time, expertise, and technical resources to provide effective, enterprise-wide monitoring and management on a 24x7x365 basis.

Need to develop a repeatable process for identifying and escalating security incidents

Trying to determine what constitutes a security incident can be difficult. Traffic that looks benign to the untrained eye can be highly malicious when correlated with other security information.

Understanding how to develop a repeatable process that can be quickly and consistently executed can be daunting for many organizations, especially when there is a low margin for error.

Security products generating vast amounts of difficult-to-manage data

In order to adequately protect corporate information assets on a 24x7x365 basis, and to identify and counteract security attacks in real time, information security staff must constantly analyze disparate data from various security devices, such as firewalls and intrusion detection systems (IDSs). Security staff can attempt to consolidate this data for viewing purposes, but most consolidation software tools lack the ability to generate meaningful information.

Symantec finds that 99.7% of data produced by security devices is of little to no value in finding security incidents; moreover, such data is often laden with false positives. Finding the real security threats in this overwhelming volume of data can be like finding the proverbial needle in a haystack.

Growing volatility and sophistication of threats

The threat landscape has evolved away from large-scale pandemic threats to quieter, more targeted attacks engineered to include multiple exploitation methods. These lower-profile, targeted attacks are engineered by cyber-criminals searching for new ways to steal information for financial gain.

The attacks propagate more slowly to avoid detection and to increase the likelihood of successful compromise before security measures can be put in place.
The new Internet threat reality is clear: Fraudsters and hackers are working in concert for financial gain, and they are relying increasingly on the Internet.

Proactive intelligence

Setting up a security operations center in-house can be an expensive and cumbersome task, and many organizations that do so still aren't aware of emerging Internet threats and vulnerabilities. Organizations that don't stay abreast of new threats are on their own on the Internet. They are left to react to new challenges as opposed to being proactively protected.

Cost-effective security protection on a 24x7 basis

Increased regulatory demands for business continuity coupled with a thrust for availability of systems to clients and partners is driving a requirement for cost-effective security protection on a 24x7x365 basis.

The cost of building and staffing an SOC is daunting; it involves hiring 24x7x365 staff, implementing and tuning security information and event management (SIEM) technology, establishing processes, and managing the function. Furthermore, there is a high cost of entry just to have an in-house security management capability, regardless of the size of the security architecture being managed.

Measuring the cost of managing security in-house

To build, upgrade, maintain, operate, and control its security systems, any in-house security management program needs personnel and supporting hardware, software, and equipment. These in-house programs also require outlay for the following variables:

- All relevant capital and operating costs
- Costs of supervising the MSSP
- Likely increases in costs for salaries, benefits and service contracts
- The cost of money and interest costs
- Residual value of equipment and facilities
- Cost of transition, including personnel
- Cost of changes in direction and level of resources
- Cost of contract modifications

To effectively compute the total cost of ownership of in-house security management, companies need to identify and evaluate both overt and hidden costs over a number of years. The following sections list many of the costs of a security management program.

"If our network is down because of a security incident, or for any other reason, we calculate that our organization would lose a million dollars of revenue a day."
Director of technology

Equipment

Hardware and software costs

For in-house security management, companies must determine the cost of all hardware and software in addition to associated maintenance and support costs. This includes servers, PCs, and peripheral equipment, as well as all associated operating systems, databases, applications, and security software.

Additional hardware and software required to support security operations may include system and network management tools, fault management systems, help desk systems, and correlation technology.

While the software alone is expensive, to work effectively, the organization will also need to integrate and customize the software for their environment. These costs may be several times the cost of the software to be effective.

Maintenance

Maintenance fees for software and equipment must be factored into the total cost of ownership. Software maintenance is typically assessed on an annual basis at a rate of 15 to 25 percent of the cost of the software.

Certifications and attestations

In order to show the effectiveness of the security program as well as to stay compliant with industry regulations, the environment will need to be audited. While many SOCs are becoming compliant with the ISO17799 or ISO27001 standard, they will also need to be included in Sarbanes-Oxley, MiFID, or Basel II audits.
While these certifications themselves are quite difficult to obtain and ongoing maintenance is required, the real challenge is to develop all of the processes needed to run the operation on a day-to-day basis and to ensure that it is effective and integrated within the overall information security and information technology program.

Personnel

Staffing for information security professionals is perhaps the most crucial, difficult, and costly component of an effective security management program.

While the salary of individual contributors may vary from 60,000 to 140,000 (averaging 85,000 to 90,000) based upon experience and skill, this is only a small part of their compensation. After bonuses and stock incentives, space and equipment costs, and the cost of ongoing education and training benefits are added in, these numbers may be over 50 percent higher.

The following scenario can aid in calculating the costs to expand security operations from standard 8am-to-5pm to full 24x7 coverage. To provide coverage 365 days per year, a company must consider staffing multiple shifts of workers:

- Three sets of staff to cover three eight-hour shifts
- One backup for time-off coverage for shifts 1, 2, and 3
- One manager

Based on these assumptions, a company would need a minimum of five people to cover one seat in a 24x7 security operation, and these five would need to possess expertise or specialization in a range of security issues.

Recruiting

Given the high turnover rate in the IT field, organizations may also need to consider the cost of recruiting. Whether internal HR staff or external recruiters are used, the cost of recruiting may average 20 to 30 percent of total annual compensation costs for the position being recruited.

"In each country where we have deployed managed security services, our company is saving on employing full time equivalent (FTE) staff. Altogether, we have been able to reallocate roles for 10 staff in EMEA, which is equivalent to a savings of almost 1.2 million every year."
European IT security head

Training and education

Security professionals require continuous training and education to hone their skills and, more importantly, to stay aware of the latest updates in an ever-changing, fast-paced technology environment.

Ongoing education should encompass the latest security tools and technologies, threat techniques, and best-practice protection strategies. Costs in this area may include:

- Product or technology training
- Training in general security awareness
- Certification preparation classes
- Certification costs
- Attendance at major security conferences or shows
- Books, magazine subscriptions, journals, or eLearning courses to help security professionals stay abreast of the latest technologies, tips, techniques, threats, and safeguards in the industry

Many organizations provide their personnel with two weeks of employee training each year, though more is often necessary. Most security courses are one week in duration; therefore, each security employee would be eligible to attend two security courses per year. Because course expenditures may range from 1000 to 3000, an average cost per headcount for annual training would be 5000.

Security operations center

An SOC provides a secure work environment. Typically this area needs to be physically separated from the rest of the facility, requiring strong authentication to enter.

Most companies find it cost-prohibitive to build or lease an SOC because the cost can exceed 10 million (USD) in capital expenditures. Organizations also need to consider the need for power, HVAC, and fire suppression systems for their SOC.
In addition, a disaster recovery plan that would likely involve the build-out of a failover facility should be taken into account.

However, to build a full end-to-end SOC as a business, MSSPs invest between 25 million and 40 million (USD) for the required robust infrastructure, tools, and redundancy. Companies that choose to work with a MSSP benefit from these significant investments as well as the expertise of trusting their business to security experts.

Benefits of managed security services

Beyond pure cost, there are a number of advantages an organization receives from a professionally managed service contract with a team of dedicated, experienced security professionals.

Partnering with an experienced, well-established, and professional MSSP offers enhanced levels of protection, 24x7x365 vigilance, a strengthened security posture, and a potential decrease in the risk of cyber-threats.

"The bottom line is that we can react in real-time to any security threats that take place, while keeping our security management costs in check."
Head of IT security

Improve information protection

Providing security for today's networks and information systems is an increasingly complex and critical endeavor, especially as hackers are using increasingly sophisticated methods and technologies. Organizations whose core focus is not security are at a disadvantage in providing a comprehensive, 24x7 security management program. The training, expertise, and diligence required to stay abreast of the latest protection strategies is time-consuming for in-house staff and distracts from other mission-critical activities.

Additionally, the vast amounts of data produced by firewalls and intrusion detection system devices can quickly overwhelm an organization that lacks the sophisticated technology to help its security staff with the daunting task of filtering through the data to find the real threats and eliminate the false positives.

Leverage knowledge and experience of security experts

According to Gartner's April 2007 report, MarketScope for Managed Security Services in Europe, client discussions consistently say that the skilled resources of providers are one of the major benefits of using MSSPs.

Organizations can take advantage of the expertise of MSSP security analysts and engineers who manage and monitor security devices on a full-time basis. These analysts identify and respond to thousands of security incidents and attacks every day. This means that, compared to an organization's in-house security staff, they are more aware of potential threats and are more knowledgeable about best practices for protecting critical data.

Stay abreast of the most recent security threats and attacks

An experienced MSSP maintains a research capability dedicated to staying abreast of the latest cyber-threats, vulnerabilities, hacker techniques, and security developments.
Constant monitoring of security alerts and advisories is essential to providing maximum protection against security threats.

Share responsibility with a trusted security partner

A MSSP acts as the company's security partner and shares the burden and the responsibility of security management and incident response.

Consistent SLAs across the organization

MSSPs offer service-level agreements (SLAs) that define a contractual obligation to deliver services in a particular manner and within a specific response-time window. The SLAs determine the services the MSSP will provide and the performance targets they must achieve, and they define exactly what will be delivered and when specific organizational requirements will be met.

Gain reliable 24x7x365 security management

A thorough MSSP will provide around-the-clock coverage for a client's most critical systems, monitoring networks and infrastructures to ensure protection during the hours most hackers attack. This vigilance, especially important in an always-on, always-connected business environment, ensures that information assets are protected.

Concentrate on what you do best

Resource-constrained IT departments must support the company's core business and security requirements. In an ideal world, talented in-house IT resources would be leveraged to plan network redesigns and migrations in order to support strategic business initiatives, or to implement new applications that focus on areas of greater return-on-investment (ROI) potential.

Many elements of security, such as compliance and antivirus, can be very labor-intensive and subject to human error. Partnering with a MSSP removes the burden of constant device monitoring and management.
This enables organizations to direct in-house resources toward only the most pressing security issues and vulnerabilities.

Maximize investment on existing security products

Many organizations purchase security products that, for a variety of reasons, are never fully implemented. A high-quality MSSP ensures that purchased solutions are installed, implemented, and integrated to provide the ongoing value an organization needs and expects.

Make project and running costs more predictable

By partnering with a MSSP to protect critical information assets, organizations can avoid the extensive personnel costs associated with hiring, training, and retaining security professionals. Managed security services reduce total cost of ownership by delivering predictable monthly costs for security coverage. Because managed services are billed on a monthly basis, organizations are also better able to predict and manage their security-related budgets.

Continuous improvement

By tapping into the expertise of a company comprised of literally thousands of security experts working in the field every day, you will always be at the forefront of security knowledge and expertise.

Selecting a managed security services provider

Determining the cost of partnering with a managed security services provider is only one, limited criterion in the overall evaluation of MSSPs. Organizations should also consider the following key factors:

• Longevity: Consider partnering with a stable vendor that has a proven track record of delivering quality services to a large number of clients over a long period of time. These are the MSSPs most likely to weather economic downturns or industry shakeouts.
• Annual revenues: For publicly traded companies, according to Gartner, annual run rates of more than 10 million per year in managed security services contracts indicate a sufficient base of revenue to support growth and enhancement of services.
• Management experience: A successful MSSP selects its security experts from a range of backgrounds, including the military, government, and industrial sectors. Appropriate management experience is usually represented as well, from a variety of related services such as online, financial, and service bureaus.
• Range and flexibility of the services: The range of services offered indicates the MSSP's ability to meet evolving security management needs of a wide variety of organizations. Leading MSSPs will offer a complete set of managed and consulting security services, either organically or through partnerships. Services should include managed mail security; managed firewall; managed intrusion detection system; threat and vulnerability management; security intelligence services; and monitoring, remediation, and reporting tools. Ideally, the MSSP will offer multiple levels and types of services, as well as customized services to meet the unique organizational requirements of each client.

Breadth of supported technologies

Evaluating a MSSP on its ability to provide broad support for multiple technologies is essential to ensuring a smooth and effective managed security program. Some MSSPs will only manage certain security technologies; others will provide comprehensive multivendor support.

Security management processes

A MSSP should be able to provide documented standards and policies for handling both typical and atypical operations and threats. It should also offer a variety of attack alert notification methods to give the client's security staff the ability to mitigate risk in real time. A MSSP should facilitate the incident response phase, integrating the capabilities of the client incident response team (IRT) with the MSSP alerting process. This requires a pre-defined and shared incident response roadmap.

"The managed security service (MSS) market in North America generated revenue of approximately 500 million in 2006, and Gartner estimates that revenue will grow about 19% in 2007."
Gartner, Magic Quadrant for MSSPs, North America, 1H07 [1]

[1] Gartner RAS Core Research Note G00149649, Kelly M. Kavanagh, John Pescatore, 1 August 2007 RA4 8/4/2008. The Magic Quadrant is copyrighted 2006 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product, or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Auditing

Companies are being held to a higher standard of accountability with respect to audit requirements.
As an extension of the organization, a MSSP must have facilities, processes, and procedures that are validated and certified by a third-party auditor in the form of an ISO27001 and/or SAS70 Type II audit.

Effectiveness of technology

The technology used to analyze and correlate data collected from multiple devices should support rapid response while ensuring the scalability to support an ever-increasing number of managed devices. So that clients can focus their security staff on the most critical issues, the technology should be supported by security analysts who can separate real threats from false ones.

Reporting

Reporting can provide an enterprise-wide, real-time view into the client's security posture and the effectiveness of the managed services. Thorough reports will include detailed information gathered from the managed devices, from the related or recommended responses, from any changes the MSSP has made to the devices, and from information about the latest threats. Ideally, the MSSP will provide options for viewing and managing reports, including access via email, standard desktop programs, and a secure Web portal.

Security operations center capabilities

A MSSP will need to operate multiple security operations centers from which it can globally monitor and manage security issues across its client base. In today's business environment, these centers must be run 24x7x365. This is not only to remain abreast of the latest threats, but also to ensure business continuity. The centers must follow predictable and proven processes and be staffed with a range of security experts that extend the client's in-house capabilities.
Strict hiring guidelines must ensure that hackers are not entrusted with the sensitive security data of an enterprise.

Recommended MSSP checklist

• Real-time monitoring, analysis, and incident response
• Security is core business
• Demonstrated long-term financial stability
• Global online community providing insight and intelligence
• Uses proven managed security services policies, standards, and procedures
• Recruited and trained professional security staff
• Real-time view through flexible client interface
• Defined staff development and career path
• Background checks to verify staff trustworthiness
• 24x7x365 manned global operations
• Multiple, redundant SOCs with disaster recovery and global coverage
• In-depth technical and security support skills
• Dedicated threat and vulnerability research support
• Dedicated team per client
• Services support multiple vendors' products
• Can implement security products
• Security and financial risks accepted under contract
• Defined metrics and accountability
• Incident-handling and response capability

Conclusion

Effective security management requires a comprehensive combination of skilled personnel, best practice processes, and state-of-the-art technology.

Each organization will come to a different conclusion about whether to manage their security requirements in-house, partner with a MSSP, or decide on a combination of both.

A thorough cost analysis is important when evaluating a MSSP, but it comprises only part of the total analysis.
Levels of staffing, security expertise, specialized skills that may only exist in-house, and existing security investments are other important considerations.

Deciding between leveraging in-house security resources and partnering with a MSSP requires research and budgetary scrutiny. It also requires consideration of both the short- and long-term expenses and benefits.

Ultimately, you should choose the option that will allow you to maintain a strong security posture that enables you to pursue your primary mission, whether that is a revenue-generating or service opportunity.

Symantec Global Services

With nearly 4,000 professionals and an extensive partner network, Symantec Global Services offers deep technical knowledge and proven expertise to help you manage IT risk, performance, and cost.

Symantec offers several services that help manage and reduce security risks, giving your organization the foundation to protect its systems, data, and applications, all while providing the reliability, flexibility, and performance needed to rapidly respond to changing business needs.

Symantec Managed Security Services

Symantec Managed Security Services provides 24x7 remote monitoring and management of labor-intensive security operations under strict SLAs. As a result, you can confidently focus existing resources on strategic projects that drive a competitive advantage for your business.

"Thanks to the way that Symantec Managed Security Services filters threats, we only have to respond personally to one or two attacks a month, compared to up to 60 with our previous security vendor."
Manager of information technology and security

Based on groundbreaking SOC technology from Symantec, Symantec Managed Security Services are delivered through a unique and highly effective combination of skilled personnel, best-practice processes, and state-of-the-art technology.

Key offerings include:

• Security Monitoring Services
• Global Intelligence Services
• Security Device (IDP) Management Services
• Log Management Services
• Vulnerability Assessment Services
• Managed Threat Analysis
• Symantec Intrusion Detection/Protection Solution with Sourcefire

Our unique combination of insight, research, and expertise allows us to relieve your organization of the burden of analyzing and correlating critical security intelligence as it provides greater insight into key business information.

Symantec Residency Services

Symantec Residency Services offers highly trained experts who can augment your existing staff at any level. Residents work onsite as members of your team for an extended period of time, helping with strategy, projects, ongoing operations, and knowledge transfer. Symantec residents can perform services under a statement of work, or they can operate under an arrangement where Symantec takes on responsibility for key IT operations under a strict SLA.

Symantec Advisory Services

Symantec Advisory Services focuses on helping your organization understand and minimize the security risks associated with your specific information environments. Advisory Services consultants start by assessing your existing security posture, including policies, architecture, infrastructure, and operations.
Advisors then work to understand your tolerance for risk based on business goals and strategies.

Armed with this information, our team then works with you to develop a plan to reduce and manage security risk, taking into account what vulnerabilities need to be addressed immediately, what can wait until the next upgrade or patch cycle, and what can be considered an acceptable risk. The end result is a holistic approach to reducing security risk that is based on your business priorities.

Symantec gathers data from more than two million decoy email addresses, 120 million desktop antivirus sensors, and 40,000 intrusion-detection and firewall sensors worldwide.

Symantec DeepSight™ Early Warning Services

Symantec DeepSight Early Warning Services delivers notification of vulnerabilities and Internet security attacks along with threat analyses and actionable information.

Early warning statistics provide insight into real-time incidents collected from more than 40,000 sensors in 180 countries. With these statistics, you can analyze and compare local event data with global threat activity, threats in organizations similar to yours in size, and threats in companies in your geographic proximity.

By comparing internal data to the global landscape, your organization can demonstrate security benchmarking for regulatory compliance. Through integrated management and early warning, you can accelerate the decision-making process for protecting critical assets.

Free 30-day trial service

You can experience the first line of defense for proactive enterprise security by taking advantage of our 30-day free trial of Symantec DeepSight™ Early Warning Services. Contact your sales representative for more information.

Symantec Managed Solutions

Symantec Managed Solutions combine onsite Symantec Consulting expertise with standardized managed services delivered from remote locations.
Symantec experts take over repetitive, labor-intensive IT operations under strict SLAs so that you can optimize your resource investments and focus on strategic initiatives with confidence.

To find out more

To find out more about the range of Symantec services available, visit our Web site at www.symantec.com/business/services.

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com

Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, DeepSight, and Managed Security Services are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 04/08 13670834-1

About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.
