Building Your Security Stack
By Joshua Liberman, Net Sciences, Inc.
The sun never sets on the threat landscape. And this is highly asymmetric warfare; you must provide 360 degrees of protection, but attackers need find only that one degree of weakness.
First; Build A Flexible Stack
Approach this challenge by designing security services in a modular enough fashion that you can add new vendors and services — or swap them out — as need be. Find services with minimal overlap that can work together without triggering false positives against one another. And keep in mind that, should you have to swap out one or more of these services, you may find that doing so leads to swapping out another service as well. That is because each change may open weak points in your shield where there was once overlapping coverage. Did I mention this is tricky?
People like choices, but not too many of them. We offer three service packages, each of which is a superset of the one below it. We offer a Basic Security Package with six components, an Advanced Security Package with three more services, and a Comprehensive Security Package with three more. The components of these packages have varied, and we’ve added to the basics over time, but in general, we try to keep it simple. There are some services that will appeal to only a very few clients, and you’ll have trouble offering them within your plans, so be prepared to offer them a la carte.
Second; Identify And Strategize
Staying aware of emerging threats is very time-consuming, and for those of us actively running MSPs, time is always our limiting factor. That’s why we take advantage of the “force multipliers” out there. Find good news feeds, online security communities, and newsgroups. Seek out peer groups and attend shows such as those put on by ASCII, ChannelPro, and others. These shows will expose you not only to vendors and their offerings, but to your peers — potentially your richest vein.
And find non-vendor certifications to pursue, such as CompTIA Security Plus and CISSP. Once you’ve decided what you need to protect against, you have to start making some strategic choices. You might choose to partner with a managed security services provider (MSSP) or another security specialist that delivers services branded as yours, or you might decide to go it alone and build your own multi-vendor solutions as we’ve done. In a sense, this is quite a bit like the “build vs. buy” decisions you make in the delivery of cloud services. Did you build your own data center, are you offering AWS or Azure, or are you using one of the “turn-key” providers? Did I mention this is tricky?
Third; Partner Up And Deliver
Whether you’ve decided to partner up with an MSSP or roll your own services, this is where it all comes together. Figure out what you consider essential; for us, it’s automated patching, NextGen anti-malware, DNS filtering, email filtering, end-user training, and dark web alerting.
Build a package with providers you trust, delivering as broad a package as possible at a price point you’ve chosen, and get started. Do this in a modular fashion so you can swap out providers and products as industry trends, mergers and acquisitions, and pricing changes occur. Then come up with a next tier (we offer new device alerting, internal vulnerability scans, firewall log analysis, and external vulnerability testing). At the top tier, we offer services that regulated agencies and other highly security-aware clients are drawn to, including mobile device management, two-factor authentication, and device encryption. And remember, these are just “serving suggestions” at this point.
The market you serve, the vendors you select, and the nature of your clientele will ultimately determine which strands you’ll weave together into your security tapestry. Did I mention this is tricky?
Finally; Leave Room To Grow
We also offer additional a la carte services such as email archiving and encryption, physical access control and tracking, and more. We will no doubt add more offerings and perhaps an additional plan at some point. After all, Titanium is the new Platinum. And don’t worry about getting it completely right the first time, as this is more of a “ready, fire, aim” story than it is the painting of a masterpiece. Finally, remember to lace security into every aspect of your IT practice and company culture, because security is not a part of your offering; security IS your offering.
About The Author
Joshua Liberman is the President and founder of Net Sciences, Inc. Joshua started PC Services in 1990, doing Novell networking and becoming an early Master CNE. As a contractor to the DOE from 1990 to 1995, Joshua developed one of the first digital video networks in the nation. After starting Net Sciences in 1996, Joshua began his migration to Microsoft networking and has since built and secured hundreds of Microsoft Windows networks over the past twenty years. Joshua has been a rock & ice climber, mountaineer, martial artist, and a lifelong photographer. Joshua speaks five languages, has forgotten four more by now, and has traveled half of the world. In his spare time, Joshua writes, travels, does photography, and raises Siberian Huskies with his wife and best friend of 22 years, Heidi Olsen, who calls him the Most Interesting Geek in the World.