Friday, October 31, 2014

Hiring an MSSP?

I've been reading Anton's running commentary on hiring and using an MSSP, and I had to comment.

Wapack Labs does backend work for incident response teams who don't have the ability to do it themselves. Get your blood drawn? It probably goes to a lab for workup. We do the workup.

Yesterday, we (Wapack Labs) out-briefed a report on a case where a small (100 person) company had been breached... standard stuff (although not for them!). Spyware delivered Zeus, which delivered Cryptolocker, which of course held them (the CEO) hostage, encrypting his files and presumably more, until he paid a $600 bitcoin ransom. But it's not the incident that had me scratching my head, it's that when we passed them a half dozen Command and Control IP addresses and domains, and told him to put them in his UTM (he's got a Sonicwall) and monitor for a few minutes to see who's talking to them internally, he had no idea what I was talking about. These guys simply were not prepared... and they probably had no clue until recently that this stuff even existed.
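The check described above (load the C2 IPs and domains into the UTM, then watch for internal hosts talking to them) can also be run over an exported connection log. The script below is an added example, not Wapack Labs' code; it assumes a generic key=value log export (not SonicWall's actual syntax), and the indicators and log lines are constructed samples using documentation-range addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed indicator list (documentation-range IPs, reserved test domains);
# in a real case these come from the incident report.
C2_IPS = {"198.51.100.23", "203.0.113.77"}
C2_DOMAINS = {"c2-example.invalid", "update.c2-example.invalid"}

# Constructed log lines in an assumed key=value export format.
# Internal hosts sit in RFC 1918 space; one external host is benign.
SAMPLE_LOG = """\
2014-10-30T09:12:01 fw1 conn src=10.0.0.15:49231 dst=198.51.100.23:443 proto=tcp action=allow
2014-10-30T09:12:05 fw1 conn src=10.0.0.21:51002 dst=93.184.216.34:80 proto=tcp action=allow
2014-10-30T09:12:09 fw1 dns src=10.0.0.15:53544 dst=10.0.0.1:53 query=update.c2-example.invalid
2014-10-30T09:12:31 fw1 conn src=10.0.0.42:60111 dst=203.0.113.77:8080 proto=tcp action=allow
2014-10-30T09:13:00 fw1 dns src=10.0.0.42:53545 dst=10.0.0.1:53 query=www.example.com
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict; missing fields are tolerated."""
    return dict(KV_RE.findall(line))

def is_internal(addr):
    """True for RFC 1918 / private addresses; malformed strings count as not internal."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False

def domain_matches(name, domains):
    """True if name equals an indicator domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def find_internal_talkers(log_text, c2_ips=C2_IPS, c2_domains=C2_DOMAINS):
    """Map each internal source host to the sorted C2 indicators it contacted or resolved."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        src = rec.get("src", "").rsplit(":", 1)[0]   # strip the source port
        dst = rec.get("dst", "").rsplit(":", 1)[0]   # strip the destination port
        if not is_internal(src):
            continue  # only internal hosts matter for the "who is infected" question
        if dst in c2_ips:
            hits[src].add(dst)
        query = rec.get("query")
        if query and domain_matches(query, c2_domains):
            hits[src].add(query.lower())
    return {host: sorted(inds) for host, inds in sorted(hits.items())}

if __name__ == "__main__":
    for host, inds in find_internal_talkers(SAMPLE_LOG).items():
        print(f"{host} -> {', '.join(inds)}")
```

Each host the script reports is a machine to pull off the network and image, not just a firewall rule to add.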

The company has SSL VPNs, a Sonicwall UTM, and that's about it as far as we can tell. The IT staff is one guy.

The CEO thought they were safe.

So here's the deal... His company, a manufacturing company, has computers, but is primarily a machine shop. In his case, more IT (security) is an overhead cost in an already competitive, tight-margin business... so what's he to do? Rent or buy?

My recommendation to him? Rent. Focus on his core business of making widgets.

He's already asked for recommendations - we work with four MSSPs, who all use the intel from either Red Sky Alliance or the lab (or both) to protect their customers. We've passed on recommending others, simply because the customer feedback we receive about them has been, well, less than stellar.

Look, for a company that prefers to focus on its core business, an MSSP is a wonderful thing, but it's got to fit your use model, and you've got to know what you're going to get. In the meantime, the idea of installing a suite of security tools, hiring a team, and paying for it out of those increasingly hard-to-maintain margins comes at a high price for manufacturing companies like the one we visited. MSSPs, when used correctly, are a GREAT alternative.

2 comments:

Anton Chuvakin said...

BTW, Jeff, care to introduce me to those 4 MSSPs you work with?

Jeff said...

Anton, absolutely. We have four MSSP members in Red Sky Alliance, all using Red Sky and Wapack Labs intel in protecting customers --in alphabetical order :)

Alert Logic (brand new with us!)
AT&T
Cincinnati Bell Technology Services (CBTS)
and last but not least, Solutionary

Jeff