Security Matters - Foresite


Security Matters... How Do I Tell My Clients?

Security Matters...

Security Monitoring and Alerting

ProVision is our multi-tenant, robust cloud platform, a proprietary solution that we use to deliver managed security services to our customers. If you would like a fully transparent, top-down view of your security operations through in-depth reporting and analysis, our ProVision platform is the perfect solution.

Foresite provides monitoring and management of security infrastructure and systems. Our services include managed firewall, intrusion detection, vulnerability scanning, and endpoint management services. We have high-availability security operation centres providing 24/7 services designed to reduce the number of operational security resources and investments an enterprise needs to retain to maintain an acceptable security posture and adhere to compliance mandates.

Foresite also offers:
- Threat Intelligence
- Security device management
- Incident response
- Security testing and assessments
- Social engineering

Contents

- Common Objections & How to Handle Them
- The Trouble with SIEM
- Quoting Questions
- Supported Technologies
- Contact Us
- Desk Sheet

Common Objections & How to Handle Them

Here are a few common objections you may run into while promoting security services, along with a few suggestions for how to get past them:

- "We already have a resource for that (could be internal or external)."
- "No immediate need or concern."
- "I don't feel comfortable discussing our security with you."

We Already Have a Resource for That

Acknowledge it, then question: "How do you decide which partners to work with? Do you rotate your suppliers (for consulting)? Is your resource internal or external?" Tell them many of our clients told us the same thing when we first spoke.

GOAL: GET THE CONVERSATION FLOWING!

No Immediate Need or Concern

Ask probing questions: "I don't hear that very often! What IS your top concern? Most clients we speak to struggle with managing resources to stay on top of security. How are you handling that? How do you assess and address cyber risks?" Be prepared with statistics or stories to use, such as "It sounds like you have a lot on your plate, Jim. We're working with a lot of retail clients to help them meet the latest PCI DSS 3.2 requirements. How are you handling that?" or "Healthcare organizations have such a challenge protecting data while it is stored or transmitted. How do you handle that?"

GOAL: ASK PROBING QUESTIONS!

I Don't Feel Comfortable Discussing Our Security With You

This is the right attitude for them to have: as far as they know, you could be phishing them, so you need to make them comfortable. "I agree, let's just talk in general terms to determine if there is a reason to have a deeper conversation." (Then lead into an open-ended question, such as a common industry challenge.) "What can I do to make you feel comfortable?" Maybe they want an NDA, or to schedule a time to call us back after viewing our website or your LinkedIn profile to confirm who is calling. "How can we get to know each other better?" or "Is meeting the only way to get to know you, or could we set up a 15-minute introductory call?" Prepping for calls can help with this: if you view their LinkedIn profile, you may have people in common that you can mention to build credibility. Connecting with them provides an opportunity to share information with them and build a relationship over time.

GOAL: THAT IS THE RIGHT ATTITUDE TO HAVE!

The Trouble With SIEM

While SIEM tools seem like a complete solution to many, there are several areas where they are still lacking. Here are seven situations where our ProVision solution addresses difficulties often caused by SIEM tools.

1. SIEMs generate noise.
   SIEM challenge: More than half of users complain about too much noise from the SIEM.
   Foresite solution: ProVision includes our SOC team. The SOC team reviews all events generated by the logs and business rules to eliminate the noise. The TAM makes sure the rules are updated to tune out false positives where appropriate.

2. SIEM expenses are more than expected.
   SIEM challenge: Cost of implementation, ongoing resources, and billing by usage.
   Foresite solution: Foresite's quotes include licensing of our proprietary tool, onboarding, and ongoing support and tuning. No usage, per-event or change-request fees. The annual service cost is consistent throughout the term of the agreement.

3. Lack of visibility.
   SIEM challenge: Most manufacturers' solutions only accept feeds from their own devices.
   Foresite solution: ProVision is vendor agnostic. We help clients determine which feeds are needed during scoping, and can include feeds from a variety of leading manufacturers' devices and endpoint solutions.

4. Configuration is complex.
   SIEM challenge: Implementation often costs as much as the solution.
   Foresite solution: Our ability to leverage a client's virtual machines, minimal licensing costs, and very competitive onboarding fees make ProVision a much lower cost of entry.

5. More long-term storage needed.
   SIEM challenge: Compliance may require logs to be stored for years. SIEM solutions often can only store 30-60 days.
   Foresite solution: ProVision can be configured to store logs for any amount of time, either locally or in our secure cloud archives.

6. Staffing costs are higher than expected.
   SIEM challenge: Requires at least one dedicated person with the skills to manage.
   Foresite solution: Foresite's SOC team assigns a Technical Account Manager (TAM) who handles ongoing management and tuning of ProVision, taking this burden off the client.

7. Task automation is often missing.
   SIEM challenge: Automated responses to events and event correlation are not included in most SIEM solutions.
   Foresite solution: When automation is not practical, Foresite's SOC team provides responses for managed clients, and event correlation is handled by a combination of our customised parsers and our threat intelligence team.

Quoting Questions

1. Number of locations where the devices in scope reside? How are the sites inter-connected? Please send a network diagram if available.
2. Make/model of all infrastructure in scope? (If you have the OS version, that would be great. We can't take on service for out-of-support devices.)
3. Functionality used per device (FW/VPN/IDS/etc.)? This is common for Next Generation Firewalls.
4. If the service covers firewalls, please specify whether they are in a single or HA configuration.
5. Service level desired (Standard or Premier)?
6. When does the client need this level of service live?
7. For vulnerability scanning and pen testing: please specify whether internal and external testing is needed, and the number of IPs for internal and external.

ProVision Portfolio of Supported Technologies

Columns MA1 to MA4 are as labelled in the original table. Cells that could not be read from the source are marked "not legible".

Servers
  Windows                               MA1 Yes  MA2 Yes  MA3 No   MA4 No
  Domain Controllers                    MA1 Yes  MA2 Yes  MA3 No   MA4 No
  Unix / Linux                          MA1 Yes  MA2 Yes  MA3 No   MA4 No
  Apple                                 MA1 Yes  MA2 Yes  MA3 No   MA4 No

Firewalls / Network & Security
  Check Point
    SMB FW & IDS (700 Series)           MA1 N/A  MA2 N/A  MA3 Yes  MA4 Yes
    SMB Other Blades                    MA1 N/A  MA2 N/A  MA3 Yes  MA4 Yes
    NGFW & VPN                          MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
    Next Generation All Other Blades    MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
  Juniper
    SRX                                 MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
    SSG                                 MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
    SA / MAG (Pulse SSL VPN)            MA1 Yes  MA2 Yes  MA3 No   MA4 No
    EX / MX (switching / routing)       MA1 Yes  MA2 Yes  MA3 No   MA4 No
    Wireless (WLC)                      MA1 Yes  MA2 Yes  MA3 No   MA4 No
  Palo Alto
    NGFW & VPN                          MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
    NGFW Additional Functions           MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
  Fortinet
    FW & VPN                            MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
    NGFW Additional Functions           MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
  Sonic Wall
    Firewall (TZ & NSA Series)          MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
  Sophos
    Firewall                            Roadmap, pending justification
  WatchGuard
    Firewall                            Roadmap, pending justification
  Cisco
    ASA                                 MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
    Meraki (MX / MS / MR)               MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
    FirePOWER                           MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
    ASR / ISR (routing)                 MA1 Yes  MA2 Yes  MA3 No   MA4 No
    Catalyst/IOS (switching)            MA1 Yes  MA2 Yes  MA3 No   MA4 No
    Nexus/XOS (switching)               MA1 Yes  MA2 Yes  MA3 No   MA4 No
    WLC                                 MA1 Yes  MA2 Yes  MA3 No   MA4 No
  Snort
    Standalone IDS                      MA1 Yes  MA2 Yes  MA3 Yes  MA4 not legible
    ...-as-a-service (name truncated)   On Hold, unlikely to progress

Other Services
  AV - Anti-Virus
    CB Defense                          MA1 Yes  MA2 Yes  MA3 Yes  MA4 Yes
    Cyphort                             MA1 Yes  MA2 Yes  MA3 No   MA4 No
    Kaspersky                           MA1 Yes  MA2 Yes  MA3 No   MA4 No
    McAfee EPO                          MA1 Yes  MA2 Yes  MA3 No   MA4 No
    Trend Micro Deep ... (name truncated)  MA1 Yes  MA2 Yes  MA3 No   MA4 No
    Sophos                              Roadmap, pending justification
    Traps                               Roadmap, pending justification
    WebRoot                             Roadmap, pending justification
  SIEM / Log Management
    Splunk                              MA1 Yes  MA2 Yes  MA3 No   MA4 No
    VMWare Log Insight                  MA1 Yes  MA2 Yes  MA3 No   MA4 No
  Authentication
    Duo                                 MA1 Yes  MA2 Yes  MA3 No   MA4 No
    RSA Authentication Manager          Roadmap, pending justification
  Load Balancers
    F5 BIG-IP                           Roadmap, pending justification
    Citrix Netscaler                    MA1 Yes  MA2 No   MA3 not legible  MA4 not legible
  Proxy & Mail
    ProofPoint                          Roadmap, pending justification
  Managed Vulnerability Assessment
    OpenVAS-based solution              Roadmap, pending justification
  CASB
    NetSkope                            Roadmap, pending justification
  IPAM / DNS                            Roadmap, pending justification
  FIM
    OSSEC                               Roadmap, pending justification

Contact Us

www.foresite.com

Foresite, East Windsor, CT
1 Hartfield Blvd, Suite 300
East Windsor, CT 06088, USA
1 (800) 940-4699

Foresite, Overland Park, Kansas
7311 West 132nd Street, Suite 305
Overland Park, KS 66213
1 (800) 940-4699

Foresite, United Kingdom
Cody Technology Park (Building A8)
Ively Road, Farnborough, Hants. GU14 0LX
00800-900-400-21

Desk Sheet

A one-page summary for use at the desk, covering the same material as the sections above: what Foresite offers (security monitoring and alerting through ProVision, threat intelligence, security device management, incident response, security testing and assessments, and social engineering), the Trouble with SIEM table, the common objections and how to handle them, the ProVision portfolio of supported technologies, and the quoting questions.