We are looking at a couple of vendors in the Managed Security Services (MSS) space to do some firewall monitoring for us. Essentially, they give us an added line of data security and best practices that we don't already have the capabilities to do. We are testing them on 3 pairs of key firewalls. These products do several things:
- Absorb all of our firewall logs to a 3rd party, who does correlation, distillation, and has analysts who look at major events across the customer base.
- Send back alarms for critical issues and worms they detect.
- Log and report on the data, trends, and how our data compares against the collective whole of their customers.
The two vendors we are looking at have different pros and cons about their technology, methodology, and ability to provide these.
Eventually, if this goes as planned and there is a major benefit (which I believe will be easy to prove), then we will roll this out to all major firewalls (of which we have about 70). I will also work on implementing Snort IDS systems to give the MSS more data and provide better visibility into our security events.