Anyone do Security for an MSP?

fabostrongfabostrong Member Posts: 215 ■■■□□□□□□□
Does anyone here work for an MSP and do either in house security or security for the clients your company supports? If so, what do the job duties look like for that position?

I'm trying to carve this position into my company now but not super sure what it looks like.

Thanks!

Comments

  • gespensterngespenstern Member Posts: 1,243 ■■■■■■■■□□
    I worked as one for many, many years.

    It's "overall security posture" audits for clients, serving parts of bigger specific (like "PCI DSS") audits, remediating/investigating malware running on clients' premises, "security considerations", basically having a say on ongoing projects like migrating to cloud, configuring firewalls (I was an SME on MS ISA/TMG and installed TONS of them) and other security tools for them, configuring MTAs to fight spam/malspam effectively, etc. Occasionally JOAT types of work. Pretty much nothing for own company as my specialization was pretty much enterprise stuff which wasn't in use in own company as MSPs tend to be smaller than companies they serve. That's for information.

    For electronic security I designed and managed CCTV, ACS, burglary alarm, face recognition/plate recognition, uninterruptible power supply, external lighting systems.
  • fabostrongfabostrong Member Posts: 215 ■■■□□□□□□□
    I worked as one for many, many years.

    It's "overall security posture" audits for clients, serving parts of bigger specific (like "PCI DSS") audits, remediating/investigating malware running on clients' premises, "security considerations", basically having a say on ongoing projects like migrating to cloud, configuring firewalls (I was an SME on MS ISA/TMG and installed TONS of them) and other security tools for them, configuring MTAs to fight spam/malspam effectively, etc. Occasionally JOAT types of work. Pretty much nothing for own company as my specialization was pretty much enterprise stuff which wasn't in use in own company as MSPs tend to be smaller than companies they serve. That's for information.

    For electronic security I designed and managed CCTV, ACS, burglary alarm, face recognition/plate recognition, uninterruptible power supply, external lighting systems.

    Sounds legit lol. Do you do any vulnerability management? Any PenTesting? I'm trying to figure out a package or security services that we can offer to our clients to show to my manager and CEO.
  • gespensterngespenstern Member Posts: 1,243 ■■■■■■■■□□
    Vulnerability management (and patch management) is a mundane repetitive task and is usually done by internal company resources. MSPs get usually hired to establish the process, and yes, I did that. Like designing the architecture, overseeing deployment and configuration of nexpose and setting up scopes and schedules and interpreting first results and establishing the processes for internal folks to follow. Similar with patch management, requirements analysis, setting up scopes and schedules, out-of-band patching, procedures and processes, necessary integrations and scripting, documenting and leaving it for internal folks to follow. Occasionally fixing issues.

    Quality pentesting is hard and highly specialized, it's not a generic task. If an MSP is really big (Accenture, etc) they have their own experts, otherwise it's better be subcontracted and the test results incorporated into a general audit results doc, a specific pentest is a part of. You can find an expert who's good at post-exploitation in MS environments, but helpless when web-app exploitation or linux post-exploitation is needed and vice versa. For really basic generic stuff that the MSP doesn't charge any serious money I can run let's say a sqlmap in almost fully automated mode, but it's hardly a quality pentest.

    I bet that the MSP you are in is small, therefore, dedicated specialized pentests are better subcontracted, if a quality pentest is needed. I can name a few, let's say you are hired to conduct a lucrative audit that includes pentesting of pretty much everything or at least many things. "General security posture with proofs of compromise". Then you may do some generic parts of it and subcontract specialized parts. You can scan (nmap, etc) the public IP range for services. Majority of services you discover are probably web services. So you subcontract it to web-application pentesting firm. Some services you discover are general infrastructure (let's say, they expose SMB to the outside). This is something you can do yourself, or hire people who specialize in MS infrastructure (they are also usually good at post-exploitation in MS env). Also you may hire a social engineering firm. They'll compose convincing emails and seed flash thumbdrives. But the actual payload that gets executed upon compromise is yours, usually post-exploitation guys can help you with that. So on and so forth. Then you get the results from all of them, combine, learn it well and present to the company. Their IT sec folks grill you as they hate you because you are trying to undermine their defensive efforts to some degree so they will surely grill you on your audit, so you'd better know you stuff. Then CEO or CISO, or whoever the judge is, is convinced if you are good and writes off the check (if your salesfolks didn't negotiate 100% prepaid, LOL, in this case you don't care much).
  • fabostrongfabostrong Member Posts: 215 ■■■□□□□□□□
    Vulnerability management (and patch management) is a mundane repetitive task and is usually done by internal company resources. MSPs get usually hired to establish the process, and yes, I did that. Like designing the architecture, overseeing deployment and configuration of nexpose and setting up scopes and schedules and interpreting first results and establishing the processes for internal folks to follow. Similar with patch management, requirements analysis, setting up scopes and schedules, out-of-band patching, procedures and processes, necessary integrations and scripting, documenting and leaving it for internal folks to follow. Occasionally fixing issues.

    Quality pentesting is hard and highly specialized, it's not a generic task. If an MSP is really big (Accenture, etc) they have their own experts, otherwise it's better be subcontracted and the test results incorporated into a general audit results doc, a specific pentest is a part of. You can find an expert who's good at post-exploitation in MS environments, but helpless when web-app exploitation or linux post-exploitation is needed and vice versa. For really basic generic stuff that the MSP doesn't charge any serious money I can run let's say a sqlmap in almost fully automated mode, but it's hardly a quality pentest.

    I bet that the MSP you are in is small, therefore, dedicated specialized pentests are better subcontracted, if a quality pentest is needed. I can name a few, let's say you are hired to conduct a lucrative audit that includes pentesting of pretty much everything or at least many things. "General security posture with proofs of compromise". Then you may do some generic parts of it and subcontract specialized parts. You can scan (nmap, etc) the public IP range for services. Majority of services you discover are probably web services. So you subcontract it to web-application pentesting firm. Some services you discover are general infrastructure (let's say, they expose SMB to the outside). This is something you can do yourself, or hire people who specialize in MS infrastructure (they are also usually good at post-exploitation in MS env). Also you may hire a social engineering firm. They'll compose convincing emails and seed flash thumbdrives. But the actual payload that gets executed upon compromise is yours, usually post-exploitation guys can help you with that. So on and so forth. Then you get the results from all of them, combine, learn it well and present to the company. Their IT sec folks grill you as they hate you because you are trying to undermine their defensive efforts to some degree so they will surely grill you on your audit, so you'd better know you stuff. Then CEO or CISO, or whoever the judge is, is convinced if you are good and writes off the check (if your salesfolks didn't negotiate 100% prepaid, LOL, in this case you don't care much).

    Thanks a lot for all of that information. A few hours after I posted this my company had a meeting with me and they want me to figure out what an internal security position would look like for us and how we could offer security services to our clients. They'll create the position for me...Just gotta figure a lot of this stuff out.
  • fabostrongfabostrong Member Posts: 215 ■■■□□□□□□□
    Anyone else have any experience?
  • pevangelpevangel Member Posts: 342
    I deal mostly with the networking side of things, but I took a dip in security when I was migrating customers to security-as-a-service. I converted their existing configs to work with our "firewall in the cloud." I also looked into several DDoS attacks on customers to figure how to prevent or reduce the impact.
  • SpetsRepairSpetsRepair Member Posts: 210 ■■■□□□□□□□
    Yes, I've done it for over 2 years at a company. I ended up leaving once I found out there are companies out there paying much more for these type of skills. Many people stayed and it is good to be loyal in this type of role, but some companies don't pay as others might. The role itself can be challenging at times and still rewarding. It's a great role but some companies value sales more than they do actual engineers.

    Sales dept get raises, extra staff and nicer building in HQ. Actual engineers wouldn't get a raise unless you wanted to step into management, but once you're in management you are not an engineer anymore so than the former engineer get tired of their role as a manager/supervisor..

    The job is amazing, it just depends on the individual work environment. MSSP are on the rise and there's a lot of competition out there
  • fabostrongfabostrong Member Posts: 215 ■■■□□□□□□□
    Yes, I've done it for over 2 years at a company. I ended up leaving once I found out there are companies out there paying much more for these type of skills. Many people stayed and it is good to be loyal in this type of role, but some companies don't pay as others might. The role itself can be challenging at times and still rewarding. It's a great role but some companies value sales more than they do actual engineers.

    Sales dept get raises, extra staff and nicer building in HQ. Actual engineers wouldn't get a raise unless you wanted to step into management, but once you're in management you are not an engineer anymore so than the former engineer get tired of their role as a manager/supervisor..

    The job is amazing, it just depends on the individual work environment. MSSP are on the rise and there's a lot of competition out there

    Thanks. Did you work at a MSSP or a MSP?
  • fabostrongfabostrong Member Posts: 215 ■■■□□□□□□□
    I'll pay the right person for consulting services. I really need help with this
  • phatrikphatrik Member Posts: 71 ■■□□□□□□□□
    It's a great role but some companies value sales more than they do actual engineers.

    Sad but true.
    2018 goals: Security+, CCNA CyberOps (Cohort #6), eJPT, CCNA R&S 2019 goals: RHCE ????, OSCP || CISSP
Sign In or Register to comment.