How will you leverage the remote management platform architecture to demonstrate controls effectiveness?
For most organizations, the decision to implement a network security management platform and use an MSSP is driven by factors such as regulation and audit requirements. A logical question, therefore, is how do you plan to demonstrate operational effectiveness of the architecture to auditors and industry regulators? This may require customized reporting of not only event data, but the corresponding response activities as well.
Assuming that you take on the responsibility of helping your customer be compliant, you as the MSSP will provide the analyzed event data and you will need to chronicle the response activities. Most importantly, you need to present a cohesive, integrated incident summary so that auditor and regulators can follow and understand your response activities on your customer's network. Your customer's security requirements under most regulations extends well beyond event logging and you will need to periodically explain their overall security program including assessments and testing, as well as the entire monitoring/alerting/responding thread.
Make sure the customer knows that your responses to the alerts and/or the security management platform will vary greatly based on the risk characteristics of the event at hand. Some events can be easily investigated and represent minimal or non-existent threats while others may point to more complex scenarios. Prepare for the eventuality that your customer's event data will need to be leveraged for detailed forensic analysis, perhaps by law enforcementor regulatory agencies, as part of electronic discovery.