Security as a Service implementation?

I work for a Managed Services Provider. We currently don't have any security roles. My job is willing to make a security role for me if I can figure out how it looks and what it entails.

I've been doing some research and I haven't found much. It seems that we need to offer Security as a Service. I'm trying to find out how we could implement that or adopt it so we can sale it to our clients. I'm trying to get some kind of good base idea so I can tell my company. So far everything I've found has been very vague.

Anyone have any ideas?

Find more posts tagged with

Comments

SteveLavoie

I work for a small consulting IT firm(hourly based service) working toward a more Managed SP style of business. I don't think you can sell "Security" as a service. This label is way too wide and can mean different thing for different people. You could offer firewall-management as as service, or antivirus as a service and so on. Then complement this offer by security consulting. This way, it can be viable.

Remedymp

You will selling monitoring and you would be selling IR triage. You're going to have to figure out how much you're capable of vs what you're not. If you're a one man show, then it's a no go. You're going to need to provide 24/7 coverage because client is expecting it.

shochan

It's almost too risky to guarantee security services. You would be sued & shutdown pretty quick, unless you can figure out the fine print to state in the service contract (get a lawyer). There are too many security breaches nowadays & no fool proof way to secure everything on any network. Unfortunately, human error always seem to compromise them. IMO

fabostrong

Thanks for the responses guys but they all make me sad lol. My company is also open to creating an internal security role that would have nothing to do with our clients. I just figured that figuring out how to sale security to the clients would be better since the company would make money from it. I wouldn't be surprised if they're not as thrilled about an internal security role since it won't be billable. I have to figure out a way to make them see value in having an internal security role. So any ideas of what that looks like is good also.

infosec123

This is just my opinion, so take it for what its worth. If I had a MSP and they came to me selling security services, the first thing I would ask them is does this mean the existing services I pay for from said MSP do not include a security aspect. Be careful with where you are going with this as you will need to carefully delineate between what services you provide and what you want to sell. Here is a quick example of where this can go south. You do server maintenance for a company, they hire you to do a vulnerability assessment and find the servers arent patched properly and have less than secure configurations. You are now on the hook to show the company the issues your company was supposed to take care of, and will now need to fix them at your cost. Then said company very well may ask what else you have been missing if it took an actual engagement to find out your company didnt properly patch or configure said servers.

phatrik

The 4 I can think about of the top of my (edit: mind)

1. Server hardening services. You don't need to come up with your own procedures, this stuff is already standardized:

https://www.cisecurity.org/cis-benchmarks/ (click on operating systems)

2. Vulnerability assessments

OpenVAS - OpenVAS - Open Vulnerability Assessment System <-- open source/free. Please note there's also paid versions (Nessus, Nexpose, etc..)you'll need to do your own research to understand the benefits of one vs the other.

As a bonus to #2, you could also offer to verify the results of the test and then do the remediation if necessary.

3.a Become an ASV https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors
3.b As a long term goal, you could aim to become a Qualified Security Assessor

https://www.pcisecuritystandards.org/assessors_and_solutions/become_qsa

As a bonus to #3, you could also verify the finding and do the remediation work if necessary.

4. If y'all aren't already doing so, an obvious one would be server/network monitoring.

infosec123

fabostrong wrote: »

. I have to figure out a way to make them see value in having an internal security role. So any ideas of what that looks like is good also.

This is simple. Your internal security role makes sure not only the customer configs your company is responsible for are secure, but your sensitive internal and customer information is secure. Let me give you an example. I worked at an MSP for 3 months (never again), I couldnt begin to describe the lack of security measures protecting customer data. As they were an MSP and were responsible for maintaining servers for various companies, they had numerous keys to the kingdom, and with poor security measures means if they are breached the hackers will have a goldmine of other companies to hack in without effort, think an excel spreadsheet sitting on desktops with all admin passwords, remote deskop info, etc... just shared and stored like its nothing. This would not only lead to the MSP shutting down but also being sued into oblivion... Your job would be to make sure everything is protected.

phatrik

infosec123 wrote: »

think an excel spreadsheet sitting on desktops with all admin passwords

Unfortunately that situation is just too common, I've been witness to such neglect more than once in my lifetime. PasswordState is a great tool with many features including the ability to audit who viewed or made changes to credentials, testing stored credentials for password strength and reminders to change passwords based on your desired scheduled just to name a few.

pevangel

Security-as-a-service is a cloud computing solution which doesn't sound like it's what you're looking for. There is a ton of complexity to it, and it requires a lot of capital to get started.

An internal security role that infosec123 describes may be a better idea. If/when a breach happens, it shows that your MSP was at least practicing due diligence by having a security professional proactively working on securing the infrastructure and customer data.

fabostrong

Thanks for all the input guys. Definitely some good thoughts and suggestions. I'm going to see what I can come up with. I'm also going to spend time with a consultant this weekend to see if I can figure some stuff out.