<quote>
A lot of the debunking
is not the actual alert but really happens behind the scenes to determine
if one or many alerts are actually valid or not.
</quote>

<chuckle>  It can be worse than this, some managed sec providers do
nothing to make a determination, they merely have it stated in the
paperwork that they will notify the client of *any* attempts, it
certainly changes the focus of what responsibility is in the
situation.  Now, you tell me, if open, untuned sensors are sitting on the
outside perimeter of a large corporation, how many alerts a day might they
get of various inappropriate packets hitting those sensors?

Take it this way; how is
policy enforced and what determines what a policy is?  Is the managed
security provider to implement rules in perimeter equipment that are
outrightly *dangerous* if the client contact makes such a request?  Should
the tech taking the request actually contact the client contact to advise
them of known issues that pertain to the request in hand?  What actually
constitutes a security policy, merely rules set in the perimeter devices?
Is it subject to one or two admins at the client site just deciding that
these requested changes need to be implemented?  It sometimes becomes a
question at the managed provider end, of what it is they are supposed to
be implementing.  Granted a policy is not a static entity, still to make
major deviations from a documented policy, should a managed provider just
simply make changes issued from a contact at the client side, should upper
level senior mgt be advised of such requests?  Then again, since the
corporation decided to outsource their security, do they have anyone
knowledgeable on their end to actually understand the corporate policy and
ramifications of requests they are considering?

Outsourcing is not a simple black and white issue, and it has
ramifications that need to be faced by both sides in any contractual
agreement in these areas.  But, it's all defined on paper, or at least
should be, before the managed services in question are taken over.  Still,
I've seen some pretty large corporations poorly define entities and
services and end up with quite a mess on their hands after all the dots
and slashes were placed and signatures and checks exchanged, in both
security outsourcing and network management.  On one side, folks need to
know what they can supply and offer as a real service and still make a
buck.  On the other, folks need to accurately detail in writing, after
verbal negotiations, and define what they require, and at a minimum what
services they are contracting for.


Thanks,

Ron DuFresne

On Wed, 27 Jun 2001 [EMAIL PROTECTED] wrote:

> Smoke and mirrors has been an issue with Managed Security Service since the
> early 90's.  Also, buyer beware.  How do you know the person sitting back
> watching the screens is actually a bona fide security type person and not
> some person who got hired because they showed up at DefCon and impressed
> someone with their Pez collection (true story).. :)  A lot of the debunking
> is not the actual alert but really happens behind the scenes to determine
> if one or many alerts are actually valid or not.  Each environment can
> generate their own typical noise or discard that normally traverses the
> network on a daily basis.  It is the MSP's job to sort through the noise or
> discard and actually call the customer to tell them that there is an actual
> intrusion or possible intrusion.  Now this whole process seems a bit tedious
> and the folks at ADT can probably provide better statistics on false
> positives than an MSP can, but back to the point, what value does an MSP
> like DigitalMojo provide when if you read between the lines, they actually
> outsource to other MSPs..
> 
> /m
> 
> At 04:27 PM 6/27/2001 -0500, Ron DuFresne wrote:
> 
> >Smoke and mirrors has been one of the issues with managed service
> >providers and especially managed security providers for some time.  Just
> >because they may sell you a service for IDS does not mean a lot if the IDS
> >is set up on the exterior of the network and they are constantly alerting
> >you and your staff of 'intrusion detections' 30-500 times a day.  In fact,
> >it tends to devalue such 'warnings' to the point folks tend to just start
> >routing those reports to the trash bin.  Thorough reading of contracts in
> >such outsourcing agreements is a must, as well as *understanding* what
> >those contracts are really saying.
> >
> >Thanks,
> >
> >Ron DuFresne
> 
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
