NetWatcher – Cyber Security and Network Monitoring
Cyber Security and Network Monitoring Tool for Small and Medium Enterprises
Improved Security and DFARS Compliance using the NIST 800-171 Framework! 21 Nov 2017, 10:28 pm
NIST 800-171 So Many Questions 11 Oct 2017, 7:58 pm
This post is by guest blogger Gustav Plato from our partner It’s Just Results, who helps firms respond to compliance mandates such as the new DFARS regulation (252.204.7012) requiring government contractors to be compliant with the NIST 800-171 standard. You can follow Gustav’s company on Twitter: @itsjustresults
You can also download a PDF of this post here: Its Just Results Compliance Questionnaires
Questionnaire Scenario
You go about your daily work. Without much warning, you receive notification about an inquiry regarding your compliance with National Institute of Standards and Technology Special Publication (NIST SP) 800-171. The full special publication is available on the NIST website. Notionally, you may know what it is, but when looking at a questionnaire or examining the Special Publication a bit of unease begins to creep in.
The inquiry may come from many sources. It could be your own contracts organization pointing out that this document is referenced in a contract solicitation. It may come from a government procurement official. You may also be asked by a major Aerospace and Defense contractor who, as your prime, participates in the Exostar program and requires that you fill out the questionnaire.
There are hundreds of questions. You may think, “Who needs to know all this detail? We run a tight ship.” Truth be told, you need to know. You know that, but you are thinking, “My gosh, with all on our plates, where will we find the time?”
Implications
The immediate implications to your business if you do not respond to the questionnaire or to questions from your clients include losing a business partner, failing an audit, losing a contract, and lost revenues. That is a steep price to pay. Here is some of what may happen:
- Losing a Partner: Not meeting the cybersecurity requirements of one of “the Exostar Partners” or failing to respond to 800-171 related questions from a government agency
- Failing an Audit: Failing a review / audit because there is no real understanding of what needs to be done by the entire company in governing the information and cyber security program
- Losing a Contract: Losing a contract that you hold or not being able to pursue a contract you believe you are best suited to win
- Lost Revenues: Losing revenues for even a brief period can impact immediate cash flow. Cash is king. It can also impact future procurements and revenues as evaluations of your capabilities push you to the bottom of the evaluation list.
The implications can result in immediate and long-term revenue loss. With little time on your plate, how can you do it quickly, and who can help?
Rapid Response Support
Start by taking a deep breath.
You, and many others, are part of the current wave of compliance activities in government as well as other industries. The compliance wave requires you to answer the questions in the questionnaire you received. In the case of the Department of Defense, it could be from Exostar or based on a Department of Defense (DoD) procurement you wish to bid on, or any other of many triggers that caused you to look the questionnaire in the face. NIST 800-171 consists of 110 controls. You have many of them in place already and do not even know it. Hooray, things are not as bad as you think!
Our team gets involved when customers call asking for our assistance in filling in the questionnaires. The questionnaires parallel our own assessments. We perform a variety of assessments on a regular basis, so we understand the Key Factors (see graphic): the questions, what is being asked, and how best to respond in your environment. Once we come into your organization we can work through the questionnaires before they become an issue or challenge for you.
We will walk you through the process and do the heavy lifting so you can continue to focus on your business. At each step, we carefully explain each of the questions and what they mean for you. Then by looking at your environment (existing policies and procedures), looking at your infrastructure, speaking to several key individuals, we assess gaps and risks and rapidly guide your response. Once we are done we explain why we are answering the questions the way we are.
After completing the questionnaire, understanding gaps and risks, we begin to prioritize what you need to do. We work quickly (days not weeks or months) and provide you with best practices guidance on a prioritized set of steps or solutions you need to put into place. We apply the Center for Internet Security (CIS) 20 framework within the 800-171 to define specific controls to harden your environment. Exostar uses the CIS 20 approach in its questionnaire.
In addition, most companies do not have security and event information readily available or actionable for staff or management to make decisions. We recommend deploying a tool as part of the upfront work to gain immediate control of the environment. For example, NetWatcher is a Security Information and Event Management (SIEM) tool with capabilities to identify, communicate, and report on many of the control areas in the questionnaire you are accountable to manage. Implementing their toolset is not only easy, it is a highly cost-effective way to accelerate hardening the security environment for small and midsized businesses.
We will also deploy our 800-171 custom policy package. We do refinement with you, but the package has been developed to address 800-171 controls.
Immediate Benefits You Receive
- A completed 800-171 Questionnaire. We develop this for you and ease your workload.
- Custom recommendations regarding tools and modifications that can be immediately implemented to harden your security environment and mature your cyber security systems (e.g. Exostar expects you to have attained level 03 maturity)
- Meets expectations of the Exostar and Government Client base (provides the communications materials to instill confidence in your program)
- Fifty (50) tailored 800-171 policies and procedures (either provided by our team or modifications made to your policies). Each policy has an action plan and we provide an integrated calendar so that you are clear on how the policies fit together.
- We provide hands on guidance in understanding and communicating with outside organizations on the questions, the policies, the controls, and the ongoing administration of the controls
First Action Steps to Take (FAST)
Getting the questions answered quickly is a requirement faced by the Department of Defense and its contractors, as well as other agencies and their contractors. In the next year similar questionnaires will land on everyone’s doorstep.
We launched It’s Just Results to help firms respond to the compliance mandates you are facing while at the same time improving security.
Send us an email at info@itsjustresults.com or call us at 703-570-4266
NetWatcher Completes MSP/Cloud Verify Certification 10 Sep 2017, 11:24 pm
MSP/Cloud Verify Program offers vendor agnostic Certification for Cloud and Managed Services Practitioners Worldwide; Provides Quality Assurance, and Stamp of Reliability for Current, Potential Customers
Reston, VA 9/11/2017 – NetWatcher® today announced that it has successfully completed the MSPAlliance’s MSP/Cloud Verify Program (MSPCV) certification process, the oldest certification program for cloud computing and managed services providers. The MSPCV is based on the 10 control objectives of the Unified Certification Standard for Cloud & MSPs.
The MSPCV was the first certification created specifically for the managed services and cloud industry. Every certification comes with a written report with the entire process documented, validated and signed by a 3rd party accounting firm. The MSPCV has been reviewed by governmental agencies and regulatory bodies across the globe and is used and accepted in 5 continents around the world.
“The MSPCV examination is a rigorous certification process that benchmarks and verifies the quality of the company providing cloud and/or managed services,” said Charles Weaver, MSPAlliance CEO. “We are very proud to have NetWatcher as a member of this elite community of cloud and MSPs.”
MSPCV was created, using a wide base of criteria, to certify cloud and Managed IT Solution Providers, thereby ensuring that they have met and exceeded well-established standards of excellence and client care. Customers who select a company that is part of the MSPCV can also rest assured that their IT solution provider has met and exceeded the following standards dealing with:
- Corporate Risk Management
- Documentation
- Service & Program Change Management
- Event Management
- Logical Security
- Data privacy, security, and integrity
- Physical security
- Managed services SLA, reporting, and billing
- Corporate health
- Company is under constant external review from the MSPAlliance and the IT profession to continually maintain and improve standards of care of excellence
- The MSPCV examination is performed by a third-party accounting firm.
ABOUT NETWATCHER
NetWatcher is a 24×7 network and endpoint security monitoring and “Managed Detection and Response” service designed specifically for ease of use, accuracy and affordability. With NetWatcher you can reduce risk and support your regulatory compliance security requirements.
ABOUT MSPALLIANCE
MSPAlliance® is a global industry association and accrediting body for the Cyber Security, Cloud Computing and Managed Services Provider (MSP) industry. It was established in 2000 with the objective of helping MSPs become better MSPs. Today, MSPAlliance has more than 30,000 cloud computing and managed service provider corporate members across the globe and works in a collaborative effort to assist its members, along with foreign and domestic governments, on creating standards, setting policies and establishing best practices. For more information, visit www.mspalliance.com
# # #
MSPAlliance Webinar 30 Jul 2017, 5:26 pm
Charles Weaver (CEO of MSPAlliance) interviews Scott Suhy (CEO of NetWatcher) about why MSPs should consider offering managed security services.
Check out the webinar here.
You’ll Learn:
- The market opportunity for MSPs
- What Gartner is saying about Managed Security and “Managed Detection & Response” (MDR)
- The SMB and MSP challenges solved by Managed Detection & Response
- How an MSP can build a business model around Managed Security
- Easy to follow next steps
Become a NetWatcher MSP–Click here to join!
How an MSP can offer Managed Security Services 23 Jul 2017, 7:46 pm
Let’s face it, up to now enterprise security has been expensive. Small and Medium Businesses (SMBs) tend not to deploy enterprise security platforms given the investment required. In the past, Managed Services Providers (MSPs), who support the SMBs, did not offer more than managed anti-virus and firewall management because investing in security talent and installing enterprise security technology (SIEM, NIDS, HIDS, Vulnerability Scanning etc.) put their price points above the market they were serving. Some MSPs tried working with companies like SecureWorks and AlienVault, who promote MSP programs, but found out the hard way that the business model doesn’t work for their customer base. However, Managed Detection and Response (MDR) service providers like NetWatcher are changing this dynamic and making enterprise security affordable for the SMB and easy to deploy for the MSP (with literally no upfront investment).
The Problem and the Opportunity
Most SMBs and MSPs have deployed the security stack in figure 1 — these components, combined with a Remote Management and Monitoring (RMM) platform are generally inexpensive, easy to deploy and add great value. However, in today’s environment where the bad actors are:
- Using automation to scan and exploit vulnerabilities in networking gear or servers you have exposed to the internet
- Phishing your users constantly at both their work email, personal email and social networking sites
- Leveraging your stolen credentials, which they bought on the TOR network (dark web)
- Posting nefarious banner ads on ad networks that engage vulnerabilities in old browsers, Flash and Java
…these commodity platforms are not enough.
This is why the Fortune 5000 enterprise accounts have been using the stack in figure 2 (on top of the stack from figure 1) for over 10 years. This is also why most of the security mandates, such as the HIPAA Security Rule, the GLBA Safeguards Rule, PCI-DSS, FINRA, NIST 800-171, NYCRR 500 from NY State DFS etc., all call out the need for some or all of this technology along with all the appropriate policies and procedures necessary to secure a customer’s data. This is also why most Fortune 5000 companies are mandating that their suppliers use an enterprise security stack. Most large corporations know that their suppliers have their data (third party law firms have contracts and patent data, accountants have tax data, application developers have code, data entry firms have customer data etc.) and they want those suppliers to have the same protections that they have deployed. In fact, some of the compliance requirements such as HIPAA require that healthcare providers push the liabilities down to their suppliers via Business Associate Agreements (BAA). The new DFARS 252.204.7012 requirement for Department of Defense contractors has similar requirements.
So, the million-dollar question is… if customers are demanding their supply chain have an enterprise security stack and industry compliance mandates an enterprise stack what are SMBs and MSPs supposed to do if they can’t afford the tools and they can’t find/afford the security talent to run enterprise security tools?
This is why we built NetWatcher!
There is a giant opportunity here for MSPs at the moment. If you look at each vertical by employee size and count up the number of companies that fit into each just in the USA the numbers are staggering. All of these organizations are moving to a more advanced security footprint over the next several years. You also know that they will first look to their MSP partner to provide the advanced stack and if you can’t provide it, they will find a MSP that can provide the stack and manage it for them.
How MSPs Become MSSPs — better yet, providers of MDR
We built NetWatcher to enable MSPs to easily offer their own Security Monitoring / Managed Security / Managed Detection and Response service. We designed and built NetWatcher from the ground up for SMBs and MSPs. We built the service to be easy to install, easy to use for SMB/MSP IT professionals (not hard to find security analysts–although, analysts tend to love it too) and affordable. MSPs will also find the multi-tenant single pane of glass user interface where they can manage all their customers — and the ConnectWise integration very valuable.
With NetWatcher, you deploy Sensors and/or Endpoints that send indicators of compromise (events) over a secure VPN to the cloud.
- Sensor(s) (hardware or Virtual Machine): one is required for each egress/ingress point to the internet; it sits on the inside of the customer’s network and listens for anomalies (IDS, Netflow, SIEM, Scanner)
- Endpoint agent (HIDS, Logs, Sensor-in-Cloud VPN/IDS)
Automated (cloud) “hunting” is used for creating Actionable Threat Intelligence Alarms about poor security hygiene, vulnerabilities, active exploits and malware. The service is delivered as a multi-tenant service to MSP partners & customers and is backstopped by a team of SOC analysts that become your Secure Operations Center (SOC)!
…by 2020, 80% of MSSPs will offer MDR services – Gartner MDR May 2017
Here is a quick video on how NetWatcher works. (other videos can be found here)
How Does an MSP Build a Security Monitoring / MSSP / MDR Business Model
There are 11 easy steps to figuring out what you should charge and how to best prepare your organization to offer Managed Security Services (MSSP). You can find a more detailed article here but it comes down to the following steps:
- Step 1: Estimate the number of issues you will need to remediate (we give you some worst-case defaults to help you)
- Step 2: Estimate the number of hours each issue will take to fix
- Step 3: Estimate your efficiency over time
- Step 4: Forecast how many customers you can close
- Step 5: Budget for the remediation hours
- Step 6: Budget your remediation services costs
- Step 7: Budget your remediation services revenue
- Step 8: Budget the cost of NetWatcher
- Step 9: Forecast revenues
- Step 10: Determine your profit
- Step 11: Determine your pricing
You can download the forecasting template here: Partner Profitability Model_v1
How To Work With NetWatcher
- Step 1: Sign reseller agreement – no cost
- Step 2: Schedule free sales and tech training
- Step 3: Configure NetWatcher – ConnectWise integration (10 min)
- Step 4: Install a VM sensor in your company – yes, service is free for you!
- Step 5: Begin talking to customers–Fill out Deal Registration Form
- Step 6: Fill out Order Fulfillment Form
- Step 7: Install Sensor(s), endpoints, configure SIEM/Scanner (15 min)
- Step 8: Work to remediate issues
- Step 9: Invoice customer
With NetWatcher, your MSP can easily start offering Security Monitoring, MSSP and MDR services with no upfront investment. The platform is built to be understood by the IT professionals that you already have on staff. NetWatcher is built as a SaaS service so the only thing you have to install are endpoints and a sensor and this should take no more than 15 minutes (how to install).
You can also add many other offerings to your new managed security business. You can help customers with security related policies (all compliance mandates require organizations to have policies such as these). You can help customers with new procedures such as an incident response plan. Your MSP can also offer white hat pen-testing and phishing services, as well as cyber security training.
Become a NetWatcher MSP–Click here to join!
Managed Security is a Huge Opportunity for MSPs 21 Jun 2017, 3:05 am
Get Your Cyber Security Score 18 Jun 2017, 5:20 pm
At NetWatcher we help companies with their overall cyber security hygiene and we are big fans of the CSC20. You can read about NetWatcher and the CSC20 here.
WanaCry (WCry, WannaCry, WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) Ransomware 1 Jun 2017, 8:39 pm
From our friends at http://securitysolutionswatch.com @SecStockWatch
May 12th, 2017 the WanaCry (or WCry, WannaCry, WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) ransomware was unleashed and caused over 75,000 attacks in 99 countries.
How Does the WanaCry Ransomware Work?
The ransomware initially entered organizations via a phishing email message and then exploited a vulnerability (MS17-010) in Windows to spread within a network, locking down computers and asking victims to pay $300 via Bitcoin. The Windows vulnerability was leaked as part of the NSA Shadow Brokers hack, and Microsoft soon after released a patch; however, many computers were not yet updated at the time of the attack.
What Should I do? What do NetWatcher Customers do?
- Customers first need to ensure they are not vulnerable to the attack: NetWatcher Managed Detection & Response customers leverage a built-in vulnerability scanner that periodically scans their environment for vulnerabilities. If the customer was vulnerable to the new ransomware they would have seen the vulnerability titled “SMBv1 Unspecified Remote Code Execution (Shadow Brokers)” show up in their reports as a high severity issue and been warned that they needed to patch the Windows asset.
- Customers need to continuously monitor their network: NetWatcher customers leverage a Network Intrusion Detection System (NIDS) that continuously monitors their internet bound network traffic in case an issue like this is ever seen in the future. NetWatcher’s NIDS uses many rulesets. Some of the best indicators are from the ProofPoint/Emerging Threats Open NIDS ruleset and are used as a correlation vector to detect a WanaCry ransomware attack. Example signatures are as follows:
- ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010
- ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)
- ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response
- ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray
- NetWatcher’s cloud correlation service leverages these events (and many others) and creates Alarms when a threat like the WanaCry worm is detected. Most NetWatcher customers set themselves up to receive High Security Alarms via SMS so they never miss a critical Alarm. If WanaCry is detected a customer would see an email or SMS titled: “WanaCry (or WannaCry, WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) ransomware has been detected on XYZ asset!”
- Ensure you’re monitoring your endpoints: NetWatcher’s endpoint Host Intrusion Detection (HIDS) and LOGS modules also add a high degree of value in producing events when ransomware is detected. The HIDS file integrity monitoring, rootkit detection and process monitoring events (as well as Windows security event log events) all aid the cloud correlation engine in determining what has been exploited, how bad the exploit is and whether it is spreading. Any asset that is not on the corporate network and is running NetWatcher’s Sensor-in-the-Cloud endpoint can even be tracked remotely.
- Respond quickly: Isolate any infected assets to prevent the malware from spreading.
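As an added example (not NetWatcher’s code), here is a small correlation rule that turns the four ET ETERNALBLUE signatures quoted above into alarms: one High alarm per asset the signatures fire against, using the alarm wording from the post, and a separate worm alarm when one source attacks several SMB assets. The alert line layout, the sample alerts and the `spread_threshold` are assumptions; only the signature names come from the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# The four Emerging Threats signature names quoted in the post.
ETERNALBLUE_SIGS = {
    "ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010",
    "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)",
    "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response",
    "ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray",
}

# Constructed sample alerts (not a real capture) in a hypothetical fast.log-like layout:
#   <timestamp>  [**] <signature> [**]  <src_ip>:<src_port> -> <dst_ip>:<dst_port>
# One attacker (10.0.0.23) works three SMB targets; the last line is benign noise.
SAMPLE_ALERTS = """\
05/12/2017-10:01:03  [**] ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set) [**]  10.0.0.23:49152 -> 10.0.0.40:445
05/12/2017-10:01:03  [**] ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response [**]  10.0.0.40:445 -> 10.0.0.23:49152
05/12/2017-10:01:04  [**] ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray [**]  10.0.0.23:49153 -> 10.0.0.40:445
05/12/2017-10:01:09  [**] ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010 [**]  10.0.0.23:49154 -> 10.0.0.41:445
05/12/2017-10:01:10  [**] ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010 [**]  10.0.0.23:49155 -> 10.0.0.42:445
05/12/2017-10:02:00  [**] ET INFO Constructed Benign Signature (sample) [**]  10.0.0.77:51000 -> 10.0.0.5:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?P<sig>.+?)\s+\[\*\*\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Alarm wording taken from the post; "{asset}" stands in for "XYZ asset".
ALARM_TEXT = ("WanaCry (or WannaCry, WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) "
              "ransomware has been detected on {asset} asset!")


@dataclass
class Alarm:
    severity: str
    asset: str            # the asset the alarm is about
    peers: frozenset      # attackers (asset alarm) or victims (worm alarm)
    message: str


def parse_alerts(text):
    """Parse alert lines; lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def correlate(events, spread_threshold=2):
    """One High alarm per asset hit by an ETERNALBLUE signature, plus a worm
    alarm for any source that attacks at least spread_threshold assets."""
    attackers_by_victim = defaultdict(set)
    victims_by_attacker = defaultdict(set)
    for ev in events:
        if ev["sig"] not in ETERNALBLUE_SIGS:
            continue          # not one of the correlation vectors
        # The Echo Response is sent by the target back to the attacker, so for
        # that signature the attacked asset is the packet's source, not its destination.
        if "Echo Response" in ev["sig"]:
            victim, attacker = ev["src"], ev["dst"]
        else:
            victim, attacker = ev["dst"], ev["src"]
        attackers_by_victim[victim].add(attacker)
        victims_by_attacker[attacker].add(victim)

    alarms = []
    for victim, attackers in sorted(attackers_by_victim.items()):
        alarms.append(Alarm("High", victim, frozenset(attackers),
                            ALARM_TEXT.format(asset=victim)))
    for attacker, victims in sorted(victims_by_attacker.items()):
        if len(victims) >= spread_threshold:
            alarms.append(Alarm("High", attacker, frozenset(victims),
                                f"Possible worm activity: {attacker} attempted "
                                f"MS17-010 exploitation against {len(victims)} assets"))
    return alarms


if __name__ == "__main__":
    for alarm in correlate(parse_alerts(SAMPLE_ALERTS)):
        print(f"[{alarm.severity}] {alarm.message}")
```

The worm alarm is what separates a single failed exploit attempt from lateral spread, which is the signal that should drive the isolation step below.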
What is NetWatcher?
NetWatcher is a 24×7 network and endpoint security monitoring service designed specifically for ease of use, accuracy and affordability. With NetWatcher you can reduce risk and support regulatory compliance security requirements. You get:
- An advanced, tightly integrated security platform that only the Fortune 5000 could afford in the past
- Actionable threat intelligence on what malware exists in your enterprise and remediation guidance
- Visibility into the unintentional insider threat: what your employees are doing on the network that is exposing the organization to exploit
- A Secure Operation Center with security analysts monitoring your data and reaching out to your team when necessary
- Easy to use customer portal designed for managers and IT, not for those hard to find security analysts, however you can go deep if you want…
- Real time scores for today’s security situational awareness picture and the risk of exploit in the future
NetWatcher includes:
- Host Intrusion Detection System (HIDS) Endpoint Agents
- Network Intrusion Detection System (NIDS)
- Security Information & Event Management System (SIEM)
- Vulnerability Scanner
- Net-flow Analysis
- Actionable Threat Intelligence
Use Cases:
- Monitor Corporate Network and Assets for Security Exploits and Hygiene Issues
- Monitor AWS, Azure or Google Cloud Servers
- Monitor Off Network Assets (via Sensor-in-the-Cloud)
- Regulatory Compliance-as-a-Service support for HIPAA, FINRA, NIST 800-171, PCIDSS, GLBA, NYCRR 500, etc.
NIST 800-171 Compliance Challenges Small DOD Contractors 30 May 2017, 10:19 pm
On December 30, 2015, DoD amended both DFARS 252.204-7008 (Compliance with Safeguarding and Covered Defense Information Controls), and DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) allowing contractors until December 31, 2017 to fully implement all NIST SP 800-171 controls on covered contractor information systems.
The new DFARS mandates are necessary however they pose huge challenges for small business professional services contractors. The mandates are necessary because too many small businesses ignore security primarily due to cost concerns and lack of understanding of the issues.
It’s easy to understand the DOD’s concern when the stats show the following:
- 43% of cyber-attacks target small business.
- Only 14% of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.
- 48% of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest.
- While many small businesses are concerned about cyber attacks (58%), more than half (51%) are not allocating any budget at all to risk mitigation.
- Small businesses reported that only 38% regularly upgrade software solutions, 31% monitor business credit reports and 22% encrypt databases
- If a company has a password policy, 65% of respondents say they do not strictly enforce it. 16% of respondents admitted that they had only reviewed their cybersecurity posture after they were hit by an attack. 75% of small businesses have no cyber risk insurance.
However, when a small business looks at these mandates they can be overwhelmed. They see compliance is expensive and time consuming and they don’t understand how the government can expect them to invest when they are already being squeezed by LPTA contracts (more) and live on a 5% margin (more).
Most business leaders understand that they have a responsibility to protect their business and their customer’s data. This is why they either hired some IT professionals or outsourced the network to a third party managed services provider. However, in many cases this is where it starts and ends. NIST 800-171 requires business leaders to know much more about cyber security and the precautions necessary to protect an organization. NIST 800-171 requires the contractor’s executives to know how their organizations deal with the following 14 families of security requirements (see chapter 3 here):
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
… and to understand how their organization is dealing with the specifics of each. For example, this is just a bit of detail from item 4 (Configuration Management)
- 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
- 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.
- 3.4.3 Track, review, approve/disapprove, and audit changes to information systems.
- 3.4.4 Analyze the security impact of changes prior to implementation.
- 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
- 3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
- 3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
- 3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
- 3.4.9 Control and monitor user-installed software.
When the small business gets the time to understand the details of what they are being asked to do to comply with NIST 800-171 they realize they don’t have the people, time or experience—and they definitely don’t have the money to accomplish the task.
The DOD estimates that there are about 5000 small businesses impacted by the legislation (here) but the Small Business Administration (SBA) doesn’t agree (more here).
Compliance for these small business prime contractors is very expensive as many small businesses will be forced to purchase services from outside vendors to provide “adequate safeguards” for covered defense information. Most small businesses have neither the technical expertise nor the information technology personnel or software to conduct these services in-house. — US SBA Office of Advocacy
If you understand how a small professional services business Profit & Loss (P&L) works you will recognize that small business IT budgets are usually less than $500k/year and the security portion of that budget is usually 6-7% (reference table to the right from sans.org). So, if you take a company with a $250k/year IT budget, the security portion of that budget is probably $16,250 (6.5%). The question you have to ask is: do you think a small professional services firm can buy all of this for $16k?
- Hire or allocate people to build policies (example: Logical Access Policies, Encryption Policies etc.) and procedures (example: Incident Response Plans and Disaster Recovery Plans) and then manage those policies and procedures
- Continually purchase (upgrade) and maintain the hardware and software necessary to get to a stable state with maintainable security patches
- Train their employees on cyber security
- Purchase Cyber Liability Insurance
- Hire legal support to update contracts
- Invest in new required security capabilities (intrusion detection (HIDS/NIDS), log aggregation (SIEM), Vulnerability Scanning etc.)
…of course not. …but that is the ask.
Then there is the responsibility of the prime contractor—does the DOD expect the prime to audit their subs? There is liability there… Who is going to ensure the subs are not just checking the box?
The DOD could learn a lot by watching how the HIPAA Security Rule has impacted small healthcare firms. The HIPAA Security Rule has been in place since 2005 and many SMBs are still not compliant. The New York Department of Financial Services (NY DFS) also recently passed legislation that requires banks, financial services firms and insurance companies working in the state of NY to adhere to more stringent security policies and procedures and to open themselves up for audit. The NY DFS has realized that small businesses are going to be a challenge (more), so it both built exemptions into the ruling and staggered what needs to be in place over a few years.
Eventually every company in every vertical will need to get their act together when it comes to security or lose their customers and their business altogether however there is a need to appreciate the financial investment required by these small businesses to get to a place where they are capable of more effectively managing the security of their data (and their customer’s data). We built NetWatcher to help these firms with a low cost, high value platform that helps them meet many of the technical demands outlined in these compliance mandates.

MSPs – Here is a model to use to help forecast resources, pricing, revenues and profit for your new Managed Security Business 25 May 2017, 1:32 am
When Managed Services Providers (MSPs) decide to get into the managed security business it is a big leap. However, for most MSPs it is a necessary step, because it was likely your company that set up the customer’s network and it’s likely your company will have to remediate the issues. If you don’t get into the managed security business your customer will end up bringing some other company in and you may eventually be nudged out of the account. Managed security is also a great new revenue stream for your MSP company.
2017 Kaseya MSP Global Pricing Survey — …when asked what the top service MSPs believe will be the most sought after by clients, security was #1
Most MSPs today are selling and managing a commodity security stack, but in today's world your customers need a much more advanced stack.
Without a more advanced security stack your customer may have lingering command and control malware on corporate assets stealing data for months without realizing they have been exploited. All it takes is an employee losing their login credentials, clicking on the wrong website or clicking on the wrong link in an email, and they may get "owned"; a bad actor then has the access they need to begin to steal data. The commodity stack never recognizes the issue.
However, with an advanced security stack (like http://netwatcher3.wpengine.com) you would see an automated alarm that recognized that the Network Intrusion Detection System (NIDS) flagged a command and control beacon, the Host Intrusion Detection System (HIDS) flagged a strange registry change on a laptop, and the NetFlow data reported traffic going to a foreign country. This type of activity wouldn't be caught by the standard commodity security stack. This is why every Fortune 5000 account has been using this more advanced stack for over 10 years. The key, however, is that someone or something needs to be reviewing the data coming off this more advanced stack. The Fortune 5000 companies have armies of people reviewing this data; an SMB account cannot afford this type of investment. Therefore they need a third party, and a lot of automation, to review events for them and alert when something unfortunate occurs or when one of their staff is doing something that is going to lead to the company being exploited in the future. NetWatcher brings the Secure Operations Center (SOC), the service and the tools to enable you to turn your MSP into a Managed Security Services Provider immediately, utilizing your current helpdesk infrastructure.
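The alarm described above fires because three independent sensors (NIDS, HIDS and NetFlow) agree about the same host within a short time. The following is an added example, not NetWatcher's code, of that correlation logic run over constructed sample events; the field names, signal names, hostnames and one-hour window are all assumptions chosen for illustration.

```python
"""Correlate NIDS, HIDS and NetFlow signals per host into one alarm.

Added example, not NetWatcher code. The event format, signal names and
the one-hour window are assumptions; a real deployment would map each
sensor's native output onto this shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sensors (not real data).
SAMPLE_EVENTS = [
    {"ts": "2017-05-20T09:01:00", "source": "nids", "host": "LAPTOP-17",
     "signal": "c2_beacon"},
    {"ts": "2017-05-20T09:02:30", "source": "hids", "host": "LAPTOP-17",
     "signal": "registry_run_key_added"},
    {"ts": "2017-05-20T09:05:10", "source": "netflow", "host": "LAPTOP-17",
     "signal": "egress_foreign_country", "bytes": 48_000_000},
    # DESK-04 shows two signals hours apart and no NetFlow hit: no alarm.
    {"ts": "2017-05-20T10:00:00", "source": "nids", "host": "DESK-04",
     "signal": "c2_beacon"},
    {"ts": "2017-05-20T13:30:00", "source": "hids", "host": "DESK-04",
     "signal": "registry_run_key_added"},
]

# Which signal from each sensor counts toward the combined alarm (assumed).
REQUIRED = {
    "nids": "c2_beacon",
    "hids": "registry_run_key_added",
    "netflow": "egress_foreign_country",
}
WINDOW = timedelta(hours=1)


def correlate(events, required=REQUIRED, window=WINDOW):
    """Return {host: alarm} for every host whose qualifying events from
    all required sources fall inside one `window`.  A single-sensor hit
    stays a single-sensor alert and is not returned here."""
    by_host = defaultdict(list)
    for e in events:
        if required.get(e["source"]) == e["signal"]:
            by_host[e["host"]].append(
                (datetime.fromisoformat(e["ts"]), e["source"]))

    alarms = {}
    for host, hits in by_host.items():
        hits.sort()  # chronological order so each hit can open a window
        for i, (t0, _) in enumerate(hits):
            sources = {src for t, src in hits[i:] if t - t0 <= window}
            if sources == set(required):
                alarms[host] = {
                    "first_seen": t0.isoformat(),
                    "sources": sorted(sources),
                }
                break
    return alarms


if __name__ == "__main__":
    for host, alarm in correlate(SAMPLE_EVENTS).items():
        print(f"ALARM {host}: {alarm['sources']} starting {alarm['first_seen']}")
```

Running it prints one alarm for LAPTOP-17 and none for DESK-04; the point is that the combined condition, not any single sensor line, is what an analyst or automation should be paged on.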
Most SMB executives hear about hacking, but they don't understand the issues and they don't understand the risk to their businesses. It's your responsibility as the MSP to educate them on the risk. If you don't, I guarantee you someone else will. Also, many SMBs are under some sort of compliance regime such as HIPAA, PCI DSS, GLBA, NIST 800-171, NYCRR 500, etc., and if this is the case they must be using a more advanced stack; it's your responsibility to help them understand how to meet some of these demands (again, if you don't, someone else will).
So, you decide you want to be in this business but you are not sure how to take the next steps. First and foremost, you need to understand that managing a company's network and asset security is different from managing their network, email, backups, etc. Managing security is about managing risk, your customers' and your own. The first thing you need to do is get a good contract in place that minimizes your liabilities; this is where you may want to involve your lawyer. There are several contracts available on the internet that are good Managed Security starter contracts. The second thing you need to realize is that selling security requires good business acumen: help the customer understand what they have to lose, or help the customer understand security compliance based on one of the regimes mentioned above and what happens if they do not meet those regulations. But you should also realize your customers will ask hard technical questions ("explain what this IDS thing does", "explain what this file integrity monitoring is", etc.), so you must also have technical people supporting your sales people who can answer those questions.
Then you (the MSP) will ask how much additional work will be put on your helpdesk engineering and remediation staff, and how much money you can make doing this more advanced security work. We've created an 11-step spreadsheet to help you model your business and assumptions so you can get to those answers.
- Step 1: Estimate the number of issues on average that a particular size account will need to deal with in a one month time frame.
- Step 2: Estimate the amount of hours each issue will take to fix.
- Step 3: Estimate the efficacy over the time the MSP manages the account. Technicians that remediate security issues/vulnerabilities get more efficient at fixing issues. Also, once the hygiene issues are addressed there are fewer malware issues and fewer new hygiene issues if the account is managed appropriately.
- Step 4: Forecast the amount of customers you (the MSP) can close of different sizes over the next 12 months.
- Step 5: Budget for the amount of remediation hours you will need to allocate toward these new projects at your customers. This is calculated for you.
- Step 6: Allocate the MSP's cost for the people necessary to perform the remediation efforts. Add in the pay rate of the engineer and the wrap rate.
- Step 7: Budget the MSP remediation services revenues.
- Step 8: Budget the cost associated with what NetWatcher charges the MSP for the customer (monthly). These are averages. Use the NetWatcher pricing spreadsheet if you believe these estimates are wrong.
- Step 9: Forecast revenues (markup) for the NetWatcher service. Add how much markup you will add to the cost of the service.
- Step 10: Determine the profit from the NetWatcher remediation services revenues plus the NetWatcher base platform profitability.
- Step 11: Determine the cost of the services to your customers so you can see if they are reasonable. Is this something your customer would pay this amount for to get NetWatcher advanced security?
You can download the forecasting template here: Partner Profitability Model_v1
Now that you have your advanced offering in place you can think of offerings to add on to this as well, such as Security Forensics, Penetration Testing, or helping customers with policy documents or Incident Response Plans.
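To make the arithmetic behind the eleven steps visible, here is an added example that carries the same steps through in Python. It is not the spreadsheet linked above and does not reproduce its figures; every number in it (issues per month, hours per issue, the efficacy curve, pay and wrap rates, platform cost, markup, close rate) is a constructed assumption to be replaced with your own estimates, and the formulas are a plain reading of the step descriptions, not NetWatcher's.

```python
"""Eleven-step managed-security profitability model (added example).

Not the linked spreadsheet; a Python rendering of the same steps with
constructed sample numbers so each step's arithmetic can be inspected.
Every constant below is an assumption.
"""
from dataclasses import dataclass


@dataclass
class Tier:
    name: str
    issues_per_month: float        # Step 1: issues per month at month zero
    hours_per_issue: float         # Step 2: remediation hours per issue
    platform_cost_month: float     # Step 8: assumed platform charge to the MSP
    new_customers_per_month: int   # Step 4: assumed steady close rate


# Constructed account sizes (assumptions, not NetWatcher pricing).
TIERS = [
    Tier("small", issues_per_month=6, hours_per_issue=1.5,
         platform_cost_month=400, new_customers_per_month=2),
    Tier("medium", issues_per_month=12, hours_per_issue=2.0,
         platform_cost_month=900, new_customers_per_month=1),
]

HOURLY_PAY = 45.0              # Step 6: engineer pay rate (assumed)
WRAP_RATE = 1.6                # Step 6: overhead multiplier (assumed)
REMEDIATION_BILL_RATE = 125.0  # Step 7: hourly rate billed to customer
PLATFORM_MARKUP = 0.5          # Step 9: markup on the platform cost
MONTHS = 12


def efficacy(months_managed):
    """Step 3: fraction of the month-zero issue load still arriving after
    N months under management.  Assumed to fall 10% a month to a 40% floor."""
    return max(0.4, 1.0 - 0.1 * months_managed)


def model(tiers=TIERS, months=MONTHS):
    """Steps 5-10 month by month.  Customers closed in earlier months are
    kept as cohorts so their aging efficacy is applied correctly."""
    rows = []
    for m in range(months):
        hours = platform_cost = 0.0
        for t in tiers:
            for closed_in in range(m + 1):          # one cohort per past month
                age = m - closed_in
                n = t.new_customers_per_month
                # Step 5: remediation hours this month for this cohort
                hours += n * t.issues_per_month * efficacy(age) * t.hours_per_issue
                platform_cost += n * t.platform_cost_month   # Step 8
        cost = hours * HOURLY_PAY * WRAP_RATE                  # Step 6
        remediation_revenue = hours * REMEDIATION_BILL_RATE    # Step 7
        platform_revenue = platform_cost * (1 + PLATFORM_MARKUP)  # Step 9
        profit = (remediation_revenue - cost) + (platform_revenue - platform_cost)  # Step 10
        rows.append({
            "month": m + 1, "hours": hours, "cost": cost,
            "remediation_revenue": remediation_revenue,
            "platform_cost": platform_cost, "platform_revenue": platform_revenue,
            "profit": profit,
        })
    return rows


def customer_monthly_price(tier, months_managed=0):
    """Step 11: what a single customer of this tier would be billed in a
    given month, to sanity-check whether the price is reasonable."""
    hours = tier.issues_per_month * efficacy(months_managed) * tier.hours_per_issue
    return hours * REMEDIATION_BILL_RATE + tier.platform_cost_month * (1 + PLATFORM_MARKUP)


if __name__ == "__main__":
    for row in model():
        print(f"month {row['month']:2d}: {row['hours']:6.1f} h  "
              f"profit ${row['profit']:,.0f}")
    for t in TIERS:
        print(f"{t.name}: month-1 price ${customer_monthly_price(t):,.0f}, "
              f"month-7 price ${customer_monthly_price(t, 6):,.0f}")
```

The cohort loop is the part most often simplified away in a flat spreadsheet: because Step 3 says accounts get cheaper to manage over time, a customer closed in month one costs fewer hours in month seven than one closed in month six, and the model only reflects that if each month's closes are tracked separately.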