gespenstern wrote: » I worked as one for many, many years. It's "overall security posture" audits for clients, serving as parts of bigger specific audits (like "PCI DSS"), remediating/investigating malware running on clients' premises, "security considerations", basically having a say on ongoing projects like migrating to cloud, configuring firewalls (I was an SME on MS ISA/TMG and installed TONS of them) and other security tools for them, configuring MTAs to fight spam/malspam effectively, etc. Occasionally JOAT types of work. Pretty much nothing for our own company, as my specialization was pretty much enterprise stuff which wasn't in use in our own company, as MSPs tend to be smaller than the companies they serve. That's for information. For electronic security I designed and managed CCTV, ACS, burglary alarm, face recognition/plate recognition, uninterruptible power supply, and external lighting systems.
gespenstern wrote: » Vulnerability management (and patch management) is a mundane repetitive task and is usually done by internal company resources. MSPs usually get hired to establish the process, and yes, I did that. Like designing the architecture, overseeing deployment and configuration of Nexpose, setting up scopes and schedules, interpreting first results and establishing the processes for internal folks to follow. Similar with patch management: requirements analysis, setting up scopes and schedules, out-of-band patching, procedures and processes, necessary integrations and scripting, documenting and leaving it for internal folks to follow. Occasionally fixing issues. Quality pentesting is hard and highly specialized; it's not a generic task. If an MSP is really big (Accenture, etc.) they have their own experts; otherwise it had better be subcontracted and the test results incorporated into a general audit results doc, of which a specific pentest is a part. You can find an expert who's good at post-exploitation in MS environments, but helpless when web-app exploitation or Linux post-exploitation is needed, and vice versa. For really basic generic stuff that the MSP doesn't charge any serious money for, I can run, let's say, sqlmap in almost fully automated mode, but it's hardly a quality pentest. I bet that the MSP you are in is small; therefore, dedicated specialized pentests are better subcontracted, if a quality pentest is needed. I can name a few: let's say you are hired to conduct a lucrative audit that includes pentesting of pretty much everything, or at least many things. "General security posture with proofs of compromise". Then you may do some generic parts of it and subcontract specialized parts. You can scan (nmap, etc.) the public IP range for services. The majority of services you discover are probably web services. So you subcontract it to a web-application pentesting firm.
Some services you discover are general infrastructure (let's say they expose SMB to the outside). This is something you can do yourself, or hire people who specialize in MS infrastructure (they are also usually good at post-exploitation in MS environments). Also you may hire a social engineering firm. They'll compose convincing emails and seed flash thumbdrives. But the actual payload that gets executed upon compromise is yours; usually post-exploitation guys can help you with that. So on and so forth. Then you get the results from all of them, combine them, learn it well and present it to the company. Their IT sec folks grill you, as they hate you because you are trying to undermine their defensive efforts to some degree, so they will surely grill you on your audit, so you'd better know your stuff. Then the CEO or CISO, or whoever the judge is, is convinced if you are good and writes off the check (if your salesfolks didn't negotiate 100% prepaid, LOL; in this case you don't care much).
SpetsRepair wrote: » Yes, I've done it for over 2 years at a company. I ended up leaving once I found out there are companies out there paying much more for these types of skills. Many people stayed and it is good to be loyal in this type of role, but some companies don't pay as others might. The role itself can be challenging at times and still rewarding. It's a great role but some companies value sales more than they do actual engineers. The sales dept gets raises, extra staff and a nicer building in HQ. Actual engineers wouldn't get a raise unless you wanted to step into management, but once you're in management you are not an engineer anymore, so then the former engineer gets tired of their role as a manager/supervisor. The job is amazing; it just depends on the individual work environment. MSSPs are on the rise and there's a lot of competition out there.