I've been reading this thread and I think it is pretty good, but
wanted to make some random comments ...
- Don't pick the MSSP which will put you out of a job. If they are
that good, you need to be prepared to give up tweaking your IDS
rules, and be much more focused on management.
- If you are doing a bake-off, a real good way to remove the
wanna-bees is to turn off the sensor and see who calls first.
You'll get two groups, the ones that call right away and the
ones that call next week.
- try and visit their NOC or operations center on Microsoft
Tuesday. Don't tell their sales person that you want to visit
on 'MS Tuesday' specifically though. If you show up and there
is pandemonium, that could be bad.
- Ask the MSP their stance on patching third-party vendor products.
For example, MSP deploys product XYZ with a management console
that has something like MySQL in it. When patches for MySQL are
available, who deploys them - the vendor, the MSP or is it up to
you?
- There are some great MSPs out there, and there are many which
will be acquired, go out of business or decide to get into the
product business. Make sure your purchasing and legal department
understands exit scenarios for the MSP of choice.
- Make sure your MSP has fully supported licenses for the products
they manage if they are commercial products.
I'm sure there are more thoughts that folks can throw into this
thread.
Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
http://www.nessus.org
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
