Building Your Security Service with Network Detective


by Win Pham, RapidFire Tools VP Development

Copyright© 2016 RapidFire Tools, Inc. All rights reserved.


v2016.1.a

1 Overview
Managed Service Providers (MSPs) can use Network Detective to build or grow a managed services
practice. Discover how thousands of MSPs are already using Network Detective to capture more
business.

2 One-time Assessments vs. Ongoing


Using Network Detective, MSPs can offer on-demand one-time assessments, as well as provide
ongoing, monthly services to capture recurring revenue.

One-time security assessments are typically used to audit security or support a larger compliance
initiative.

As opposed to one-time assessments, which are typically driven by customer demand, an ongoing
security offering is positioned to strengthen your client's security posture by:

1. Creating and enforcing security policies
2. Identifying anomalous user activity
3. Ensuring that changes in the environment are not harmful
4. Reducing the risk associated with internal vulnerabilities
5. Eliminating threats caused by misconfigurations

In this sense, an ongoing offering provides more long-term benefit than an individual assessment
because vulnerabilities and threats are routinely neutralized before they can harm your client’s
environments.

3 One-time Assessments
For one-time assessments, we propose a 3-tiered approach. The tiers are named SILVER, GOLD, and
PLATINUM. Silver can be provided to a vast majority of the customer base and incurs the least cost
to the client and service provider, while the Platinum level consists of concierge-level services.

3.1 SILVER Level


The SILVER level is designed as a broad-based evaluation of the security of a customer’s network
with the least amount of manual work. The table below shows the tasks involved, as well as how
Network Detective helps complete them.

Task: Evaluate inbound firewall configuration and search for known external vulnerabilities
  Network Detective component: Security Assessment Module – External Vulnerability Scan
  Deliverables: External Vulnerability Management Plan; External Vulnerability Scan by Issue Report
  Purpose: These reports form the basis for checking the firewall for known vulnerabilities. If a
  managed firewall service is not in place, they justify the need to implement one. They also verify
  that the exposure created by changes to the external firewall, or by outward-facing applications,
  is kept to a minimum.

Task: Evaluate outbound firewall configuration
  Network Detective component: Security Assessment Module – Outbound Security Report
  Deliverable: Outbound Security Report
  Purpose: The SANS Institute best practices for egress filtering point to the vital role that
  blocking unnecessary outbound traffic plays in limiting the spread of viruses, worms, and Trojans
  in the environment.

Task: Evaluate the effectiveness of the current patch management tool
  Network Detective component: Network Assessment Module
  Deliverable: Detailed Report
  Purpose: Looks for systems on which security patches have not been applied in a timely manner.

Task: Evaluate anti-virus and anti-spyware deployment
  Network Detective component: Network Assessment Module
  Deliverable: Detailed Report
  Purpose: Determines where anti-virus and anti-spyware is not deployed or is out of date.

Task: Administrator review
  Network Detective component: Network Assessment Module
  Deliverable: Detailed Report
  Purpose: Validates, through an interview with the business owner, the list of users with
  administrative privileges.

Task: Share permission review
  Network Detective component: Security Assessment Module
  Deliverable: Share Permission Reports
  Purpose: Validates, through an interview with the business owner, which users have access to
  critical business data.

Task: Physical security walk-through
  Network Detective component: InForm
  Deliverable: InForm Response Report
  Purpose: Provides an in-person walk-through of the office, with the results gathered using
  Network Detective InForm.
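The administrator review above depends on an accurate list of who actually holds administrative rights, and in a Windows domain that means resolving nested group membership rather than reading one group's direct members. The following is an added example, not Network Detective code and not part of the original document. It assumes the MSP has exported group membership and account attributes from Active Directory (for instance with the ActiveDirectory PowerShell module) into the plain Python dicts below, which are constructed sample data. The group names, the 90-day staleness threshold and the finding labels are assumptions; the same staleness checks are what the GOLD-level search for defunct users builds on.

```python
"""Privileged-account review over a constructed Active Directory export.

Added example, not Network Detective code. It assumes group membership and
account attributes have already been exported (for instance with
Get-ADGroupMember / Get-ADUser) into the plain dicts below; all sample data
is constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample: group -> direct members (user names or nested groups).
SAMPLE_GROUPS = {
    "Domain Admins": ["alice", "svc-backup", "Helpdesk Admins"],
    "Helpdesk Admins": ["bob", "carol"],
    "Administrators": ["Domain Admins", "localadm"],
    "Enterprise Admins": ["old-consultant"],
}

# Constructed sample: account -> the attributes an AD export would carry.
SAMPLE_ACCOUNTS = {
    "alice": {"enabled": True, "last_logon": datetime(2016, 3, 1), "pwd_never_expires": False},
    "bob": {"enabled": True, "last_logon": datetime(2016, 3, 2), "pwd_never_expires": False},
    "carol": {"enabled": False, "last_logon": datetime(2015, 6, 1), "pwd_never_expires": False},
    "svc-backup": {"enabled": True, "last_logon": datetime(2016, 2, 28), "pwd_never_expires": True},
    "localadm": {"enabled": True, "last_logon": None, "pwd_never_expires": True},
    "old-consultant": {"enabled": True, "last_logon": datetime(2015, 1, 15), "pwd_never_expires": False},
}

# Assumed list of groups that confer administrative rights in this domain.
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Administrators")

# Assumed date of the review; the staleness cutoff is measured from here.
REVIEW_DATE = datetime(2016, 3, 15)


def effective_members(group, groups, _seen=None):
    """Resolve nested membership of `group` down to individual user names.

    Nested groups are how an admin list grows silently, so the review must
    expand them; the `_seen` set stops a cycle (A in B in A) from recursing.
    """
    seen = set() if _seen is None else _seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, []):
        if member in groups:  # nested group: expand it
            users |= effective_members(member, groups, seen)
        else:
            users.add(member)
    return users


def review_privileged_accounts(groups, accounts, now, privileged_groups=PRIVILEGED_GROUPS, stale_days=90):
    """Return (user, group, reason) findings for every effective privileged member.

    Reasons: 'disabled' (remove it from the group rather than leaving it),
    'stale' (no logon within stale_days), 'never-logged-on',
    'password-never-expires', and 'unknown-account' (member missing from export).
    """
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for group in privileged_groups:
        for user in sorted(effective_members(group, groups)):
            attrs = accounts.get(user)
            if attrs is None:
                findings.append((user, group, "unknown-account"))
                continue
            if not attrs["enabled"]:
                findings.append((user, group, "disabled"))
            if attrs["last_logon"] is None:
                findings.append((user, group, "never-logged-on"))
            elif attrs["last_logon"] < cutoff:
                findings.append((user, group, "stale"))
            if attrs["pwd_never_expires"]:
                findings.append((user, group, "password-never-expires"))
    return findings


if __name__ == "__main__":
    for group in PRIVILEGED_GROUPS:
        print(f"{group}: {sorted(effective_members(group, SAMPLE_GROUPS))}")
    for user, group, reason in review_privileged_accounts(SAMPLE_GROUPS, SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"  {reason:<22} {user} (via {group})")
```

The output is the list you put in front of the business owner in the Day 2 interview: each effective member of each privileged group, with the reasons it may not belong there. A disabled account that is still a Domain Admin, or a consultant who has not logged on in a year, is exactly the "accurate and as minimal as possible" failure the review is meant to catch.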

Tasks performed by MSP:

Day 1
1. Initiate External Vulnerability Scan (can be performed remotely)
2. Run the Network and Security Data Collector selecting the Network Scan option
(can be performed remotely)
3. Run the Local Push Data Collector selecting Network and Security
(can be performed remotely)

Day 2
4. In-person site visit and interview with CEO/CTO (after initial automated assessment):
a. Physical security walk-through
b. Administrator Review – present list of administrators and domain administrators of
the environment and assure the list is accurate and as minimal as possible.
c. Share Permission Review
5. Prepare deliverables for final review

Day 3
6. Final review with stakeholders

Labor Requirement:

• 15-30 minutes to configure and launch the scan
• 1 hour for an on-site walk-through and interviews
• 1 hour for report preparation and review
• 1 hour for final review with stakeholders

This plan level addresses the major weaknesses faced by small businesses:

1. Inadequate or no perimeter defense
2. Inadequate patching of known vulnerabilities
3. Lack of anti-virus/anti-spyware to combat malware
4. Improper administrative access
5. Improper access to sensitive information
6. Poor physical security practices, including handling of removable drives, data center security,
and inadequate access control

Pricing: $1,500 - $3,000 one-time charge

3.2 GOLD Level


The GOLD Level builds on the items already in the SILVER level and is designed for businesses with
a higher level of risk. The GOLD Level includes everything in the SILVER level plus login analysis and
internal vulnerability scanning.

Task: Evaluate inbound firewall configuration and search for known external vulnerabilities
  Network Detective component: Security Assessment Module – External Vulnerability Scan
  Deliverables: External Vulnerability Management Plan; External Vulnerability Scan by Issue Report
  Purpose: These reports form the basis for checking the firewall for known vulnerabilities. If a
  managed firewall service is not in place, they justify the need to implement one. They also verify
  that the exposure created by changes to the external firewall, or by outward-facing applications,
  is kept to a minimum.

Task: Evaluate outbound firewall configuration
  Network Detective component: Security Assessment Module – Outbound Security Report
  Deliverable: Outbound Security Report
  Purpose: The SANS Institute best practices for egress filtering point to the vital role that
  blocking unnecessary outbound traffic plays in limiting the spread of viruses, worms, and Trojans
  in the environment.

Task: Evaluate the effectiveness of the current patch management tool
  Network Detective component: Network Assessment Module
  Deliverable: Detailed Report
  Purpose: Looks for systems on which security patches have not been applied in a timely manner.

Task: Evaluate anti-virus and anti-spyware deployment
  Network Detective component: Network Assessment Module
  Deliverable: Detailed Report
  Purpose: Determines where anti-virus and anti-spyware is not deployed or is out of date.

Task: Administrator review
  Network Detective component: Network Assessment Module
  Deliverable: Detailed Report
  Purpose: Validates, through an interview with the business owner, the list of users with
  administrative privileges.

Task: Share permission review
  Network Detective component: Security Assessment Module
  Deliverable: Share Permission Reports
  Purpose: Validates, through an interview with the business owner, which users have access to
  critical business data.

Task: Physical security walk-through
  Network Detective component: InForm
  Deliverable: InForm Response Report
  Purpose: Provides an in-person walk-through of the office, with the results gathered using
  Network Detective InForm.

Task: Internal vulnerability scan
  Network Detective component: Inspector
  Deliverables: Internal Vulnerability Management Plan; Internal Vulnerability Detail Reports
  Purpose: Scans for internal vulnerabilities within the client's network to find security flaws
  that could be exploited once an attacker makes it inside the network.

Task: Anomalous login detection
  Network Detective components: Inspector – Anomalous Login Scan; Security Assessment Module
  Deliverables: Anomalous Login Report; Login History Reports
  Purpose: Reviews the security audit logs looking for suspicious logins.

Task: Security policy assessment
  Network Detective component: Security Assessment Module
  Deliverable: Security Policy Assessment
  Purpose: Reviews the default Group Policy and applicable Local Security Policies for consistency
  and alignment with best practices.

Task: IT administrator review
  Network Detective components: Inspector – Layer 2/3 Scan; Network Assessment Module
  Deliverables: Layer 2/3 Reports; Detailed Report
  Purpose: Reviews users, computers, and Layer 2/3 detail with the in-house administrator to
  identify possible defunct or rogue users and systems.
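The anomalous login detection row says only that the audit logs are reviewed for suspicious logins. The added example below, which is not Network Detective's Anomalous Login Scan and not part of the original document, shows three concrete checks an analyst would run over parsed Windows Security-log records: interactive or RDP logons outside business hours, a burst of failed logons followed by a success from the same source, and a logon for a user from a source not in that user's baseline. The record fields, the sample events, the baseline, the business-hours window and the failure threshold are all constructed assumptions.

```python
"""Anomalous-login review over constructed Windows Security audit events.

Added example, not Network Detective's Anomalous Login Scan. It shows the
checks such a review performs, run over a few constructed records in the
shape a parsed Security-log export might have (4624 = logon success,
4625 = logon failure). Field names, sample events, baseline, business
hours and the failure threshold are all assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types that mean a person at a keyboard: 2 console, 10 RDP,
# 11 cached interactive. Type 3 (network) is left out because services
# and file shares generate it around the clock.
INTERACTIVE_TYPES = {2, 10, 11}

# Constructed baseline: user -> sources that user is normally seen from.
SAMPLE_BASELINE = {
    "alice": {"WS-ALICE"},
    "bob": {"WS-BOB"},
    "svc-backup": {"SRV-FILE"},
    "administrator": {"MGMT-01"},
}

# Constructed sample events (not real log data). 2016-03-07 is a Monday.
SAMPLE_EVENTS = [
    {"time": datetime(2016, 3, 7, 8, 55), "id": 4624, "user": "alice", "src": "WS-ALICE", "type": 2},
    {"time": datetime(2016, 3, 7, 9, 2), "id": 4624, "user": "bob", "src": "WS-BOB", "type": 2},
    {"time": datetime(2016, 3, 7, 23, 40), "id": 4624, "user": "bob", "src": "WS-BOB", "type": 2},
    {"time": datetime(2016, 3, 8, 2, 10), "id": 4624, "user": "svc-backup", "src": "SRV-FILE", "type": 3},
    {"time": datetime(2016, 3, 8, 3, 1), "id": 4625, "user": "administrator", "src": "10.0.5.77", "type": 10},
    {"time": datetime(2016, 3, 8, 3, 1), "id": 4625, "user": "administrator", "src": "10.0.5.77", "type": 10},
    {"time": datetime(2016, 3, 8, 3, 2), "id": 4625, "user": "administrator", "src": "10.0.5.77", "type": 10},
    {"time": datetime(2016, 3, 8, 3, 2), "id": 4625, "user": "administrator", "src": "10.0.5.77", "type": 10},
    {"time": datetime(2016, 3, 8, 3, 3), "id": 4625, "user": "administrator", "src": "10.0.5.77", "type": 10},
    {"time": datetime(2016, 3, 8, 3, 4), "id": 4624, "user": "administrator", "src": "10.0.5.77", "type": 10},
    {"time": datetime(2016, 3, 8, 10, 30), "id": 4624, "user": "alice", "src": "WS-TEMP07", "type": 2},
]


def outside_business_hours(ts, start_hour=7, end_hour=19):
    """True on weekends, or outside [start_hour, end_hour) on weekdays."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def detect_anomalies(events, baseline, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (kind, user, src, time) findings, oldest first.

    Kinds:
      failure-burst            fail_threshold failures for (user, src) inside `window`
      success-after-failures   a 4624 for (user, src) while such a burst is still in the window
      after-hours-interactive  an interactive/RDP 4624 outside business hours
      new-source               a 4624 from a source not in the user's baseline
    """
    findings = []
    recent_failures = defaultdict(deque)  # (user, src) -> failure times within window
    burst_reported = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["src"])
        fails = recent_failures[key]
        while fails and ev["time"] - fails[0] > window:  # age out old failures
            fails.popleft()
        if ev["id"] == 4625:
            fails.append(ev["time"])
            if len(fails) >= fail_threshold and key not in burst_reported:
                burst_reported.add(key)
                findings.append(("failure-burst", ev["user"], ev["src"], ev["time"]))
            continue
        if ev["id"] != 4624:
            continue
        if ev["type"] in INTERACTIVE_TYPES and outside_business_hours(ev["time"]):
            findings.append(("after-hours-interactive", ev["user"], ev["src"], ev["time"]))
        known_sources = baseline.get(ev["user"])
        if known_sources is not None and ev["src"] not in known_sources:
            findings.append(("new-source", ev["user"], ev["src"], ev["time"]))
        if len(fails) >= fail_threshold:
            findings.append(("success-after-failures", ev["user"], ev["src"], ev["time"]))
    return findings


if __name__ == "__main__":
    for kind, user, src, when in detect_anomalies(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f"{when:%Y-%m-%d %H:%M}  {kind:<24} {user} from {src}")
```

On the constructed data the 03:04 administrator logon is reported three times (after hours, from an unknown source, right after a failure burst), which is the signal an analyst wants to see stacked on one event; the overnight network logon by the backup service account is deliberately not reported. A user with no baseline entry is never flagged for new-source, so a real deployment needs a learning period before that check carries weight.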

Tasks performed by MSP:

Day 1
1. Plug in and configure Inspector appliance on-site
2. Initiate External Vulnerability Scan, Network and Security Data Collectors, and the Internal
Vulnerability Scan from the Inspector
3. Run the Local Push Data Collector selecting Network and Security
4. Physical Security walk-through during data collection

Day 2
5. In-person site visit and interview with CEO/CTO and IT Administrator:
a. Administrator Review – present list of administrators and domain administrators of
the environment and assure the list is accurate and as minimal as possible.
b. Share Permission Review
c. IT Administrator Review
6. Prepare deliverables for final review

Day 3
7. Final review with stakeholders

Labor Requirement:

• 30 minutes to configure the Inspector and launch the various scans
• 2 hours for an on-site walk-through and interviews (CEO/CTO and IT Administrator)
• 1 hour for report preparation and review
• 1 hour for final review with stakeholders

This plan level addresses the major weaknesses faced by small and medium-sized businesses:

1. Inadequate or no perimeter defense
2. Inadequate patching of known vulnerabilities
3. Lack of anti-virus/anti-spyware to combat malware
4. Improper administrative access
5. Improper access to sensitive information
6. Poor physical security practices, including handling of removable drives, data center security,
and inadequate access control
7. Internal vulnerabilities
8. Poorly configured Group Policies
9. Inconsistent application of Local Security Policies
10. Unusual or unauthorized login attempts by employees or attackers
11. Defunct or rogue users and computers

Pricing: $3,000 - $5,000 one-time charge

3.3 PLATINUM Level


The PLATINUM Level security offering builds further on the GOLD level by adding compliance-audit-level
reviews of the client's security posture, performed with either the PCI or the HIPAA assessment module
from Network Detective. Many of the elements in the SILVER and GOLD levels are covered by performing
the PCI DSS assessment.

Task: Evaluate inbound firewall configuration and search for known external vulnerabilities
  Network Detective component: Security Assessment Module – External Vulnerability Scan
  Deliverables: External Vulnerability Management Plan; External Vulnerability Scan by Issue Report
  Purpose: These reports form the basis for checking the firewall for known vulnerabilities. If a
  managed firewall service is not in place, they justify the need to implement one. They also verify
  that the exposure created by changes to the external firewall, or by outward-facing applications,
  is kept to a minimum.

Task: Evaluate outbound firewall configuration
  Network Detective component: Security Assessment Module – Outbound Security Report
  Deliverable: Outbound Security Report
  Purpose: The SANS Institute best practices for egress filtering point to the vital role that
  blocking unnecessary outbound traffic plays in limiting the spread of viruses, worms, and Trojans
  in the environment.

Task: Evaluate the effectiveness of the current patch management tool
  Network Detective component: Network Assessment Module
  Deliverable: Detailed Report
  Purpose: Looks for systems on which security patches have not been applied in a timely manner.

Task: Evaluate anti-virus and anti-spyware deployment
  Network Detective component: Network Assessment Module
  Deliverable: Detailed Report
  Purpose: Determines where anti-virus and anti-spyware is not deployed or is out of date.

Task: Administrator review
  Network Detective component: Network Assessment Module
  Deliverable: Detailed Report
  Purpose: Validates, through an interview with the business owner, the list of users with
  administrative privileges.

Task: Share permission review
  Network Detective component: Security Assessment Module
  Deliverable: Share Permission Reports
  Purpose: Validates, through an interview with the business owner, which users have access to
  critical business data.

Task: Physical security walk-through
  Network Detective component: InForm
  Deliverable: InForm Response Report
  Purpose: Provides an in-person walk-through of the office, with the results gathered using
  Network Detective InForm.

Task: Internal vulnerability scan
  Network Detective component: Inspector
  Deliverables: Internal Vulnerability Management Plan; Internal Vulnerability Detail Reports
  Purpose: Scans for internal vulnerabilities within the client's network to find security flaws
  that could be exploited once an attacker makes it inside the network.

Task: Anomalous login detection
  Network Detective components: Inspector – Anomalous Login Scan; Security Assessment Module
  Deliverables: Anomalous Login Report; Login History Reports
  Purpose: Reviews the security audit logs looking for suspicious logins.

Task: Security policy assessment
  Network Detective component: Security Assessment Module
  Deliverable: Security Policy Assessment
  Purpose: Reviews the default Group Policy and applicable Local Security Policies for consistency
  and alignment with best practices.

Task: IT administrator review
  Network Detective components: Inspector – Layer 2/3 Scan; Network Assessment Module
  Deliverables: Layer 2/3 Reports; Detailed Report
  Purpose: Reviews users, computers, and Layer 2/3 detail with the in-house administrator to
  identify possible defunct or rogue users and systems.

Task: Compliance-level auditing
  Network Detective component: PCI or HIPAA Module
  Deliverables: PCI Evidence of Compliance Report; HIPAA Evidence of Compliance Report
  Purpose: Even for companies that are not required to comply with a standard such as HIPAA or PCI,
  a compliance-level audit is beneficial in finding violations of security-related best practices.

Tasks performed by MSP:

Day 1
1. Plug in and configure Inspector appliance on-site
2. Initiate the External Vulnerability Scan, the Network and Security Data Collectors, as well as the
Internal Vulnerability Scan from the Inspector
3. Run the Local Push Data Collector selecting Network and Security
4. Physical security walk-through during data collection using the PCI or HIPAA On-site Survey

Day 2-3
5. Complete various identification worksheets with stakeholders
6. Initiate secondary scans if needed

Day 4
7. In-person site visit and interview with CEO/CTO and IT Administrator:
a. Administrator Review – present list of administrators and domain administrators of
the environment and assure the list is accurate and as minimal as possible.
b. Share Permission Review
c. IT Administrator Review
8. Prepare deliverables for final review

Day 5
9. Final review with stakeholders

* Note that compliance assessments vary greatly with the size of the organization in terms of
complexity and the timeframes given.

Labor Requirement:

• 30 minutes to configure the Inspector and launch the various scans
• 4+ hours for an on-site walk-through and interviews
• 2 hours for report preparation and review
• 1 hour for final review with stakeholders

This plan level addresses the major weaknesses faced by larger entities and those with compliance
needs:

1. Inadequate or no perimeter defense
2. Inadequate patching of known vulnerabilities
3. Lack of anti-virus/anti-spyware to combat malware
4. Improper administrative access
5. Improper access to sensitive information
6. Poor physical security practices, including handling of removable drives, data center security,
and inadequate access control
7. Internal vulnerabilities
8. Poorly configured Group Policies
9. Inconsistent application of Local Security Policies
10. Unusual or unauthorized login attempts by employees or attackers
11. Defunct or rogue users and computers
12. Compliance-level auditing

Pricing: $7,000+ one-time charge

4 Ongoing Security Service


The Network Detective software modules, along with the Detector™ virtual appliance, can be the
ideal foundation for MSPs who want to provide a cost-effective and high-value security offering to
their customers. The model proposed consists of multiple tiers that wrap around both alert response
and additional reporting services performed throughout the year.

4.1 SILVER Level


The SILVER level is designed as a low-cost entry point that will appeal to companies with fewer than 50
computers. It offers MSPs a way to create incremental recurring revenue and an opportunity to engage
customers for new projects. The offering keeps security "top-of-mind" by delivering value daily. It is
built around the Detector appliance to provide the highest degree of automation possible, reducing the
internal cost of adding the service.

The SILVER level offering consists of:

• A Detector™ appliance placed at the customer site
• Initial configuration of the appliance and Smart Tags
• Alerts sent to your client's stakeholder(s)

Through the DAILY alerts, your customer will be equipped with the knowledge to:

• Ask you to investigate an issue and report back to them
• Notify you of false positives
• Ask you to address an issue

Your responsibilities and potential service model:

• Investigate and Report – As part of your NOC/SOC services, you evaluate the threat level,
determine whether the issue is valid, and report back to the customer.
• False Positive – You either dismiss the issue or add the proper tagging so that the alert is not
sent again in the future.
• Address Issue – At the SILVER level, remediation is not included but can be done as a Project
or Time and Materials arrangement.

Therefore, the customer incurs extra costs only if they want you to fix a legitimate issue found in
their environment.

Your cost:

• $69/month for Detector (+$40 if you want a hardware appliance)
• Cost of basic NOC/SOC services to investigate and tag (minimal time required)

Proposed cost of offering to customer:

 $250-500/month (with Internal Vulnerability Scans turned off)

4.2 GOLD Level


The GOLD level offering builds on the SILVER, but additionally offers ongoing internal vulnerability
scans, SOC filtering of alerts, and verification services. It also includes a quarterly network and
security assessment review.

The GOLD level offering consists of:

• A Detector™ appliance placed at the customer site
• Initial configuration of the appliance and Smart Tags
• Alerts sent to the NOC/SOC and reviewed daily
• Manually reviewed items sent to the stakeholders
• Internal vulnerability scans included

Through the DAILY alerts, your customer will be equipped with the knowledge to:

• Ask you to investigate an issue and report back to them
• Notify you of false positives
• Ask you to address an issue

Your responsibilities and potential service model:

• Investigate and Report – As part of your NOC/SOC services, you evaluate the threat level,
determine whether the issue is valid, and report back to the customer.
• False Positive – You either dismiss the issue or add the proper tagging so that the alert is not
sent again in the future.
• Address Issue – At the GOLD level, some level of remediation can be included, but additional or
out-of-scope issues can be done as a Project or Time and Materials arrangement.

Therefore, the customer incurs extra costs only if they want you to fix a legitimate issue found in
their environment.

Your cost:

• $69/month for Detector (+$40 if you want a hardware appliance)
• Cost of basic NOC/SOC services to review the daily alerts (one consolidated notification per day)
• Cost of basic NOC/SOC services to investigate and tag (minimal time required)
• (Optionally) 4 days of labor per year to review and report on the network and security assessment
reports that the Detector automatically schedules and generates once a quarter

Proposed cost of offering to customer:

 $500-1,000/month (can bundle some level of remediation services as well)

4.3 PLATINUM Level


The PLATINUM level offering builds on the GOLD level and adds investigative and remediation
services. It can also include an annual PLATINUM-level Risk Analysis. This would be designed for
organizations that have higher security needs or need to demonstrate ongoing compliance.

The PLATINUM-level offering consists of:

• A Detector™ appliance placed at the customer site
• Initial configuration of the appliance and Smart Tags
• Alerts sent to the NOC/SOC and reviewed daily
• Manually reviewed items sent to the stakeholders
• Internal vulnerability scans included
• Annual risk assessment (PCI/HIPAA or other)

Your responsibilities and potential service model:

• Investigate and Report – As part of your NOC/SOC services, you evaluate the threat level,
determine whether the issue is valid, and report back to the customer.
• False Positive – You either dismiss the issue or add the proper tagging so that the alert is not
sent again in the future.
• Address Issue – Most basic security-issue remediation can be included as part of the agreement.
More complex efforts spanning multiple days can always be scoped as additional projects.
• Perform an annual security risk assessment.

Your cost:

• $69/month for Detector (+$40 if you want a hardware appliance)
• Cost of basic NOC/SOC services to review the daily alerts (one consolidated notification per day)
• Cost of basic NOC/SOC services to investigate and tag (minimal time required)
• Cost of basic remediation services, such as Active Directory management (removing
users/computers, modifying permissions and Group Policies) and internal/external firewall
configuration (which ties into a Managed Firewall offering)
• Cost of performing the annual risk assessment

Proposed cost of offering to customer:

 $1,500+ /month

5 Variations and Combinations


The one-time and ongoing offerings are not mutually exclusive and some MSPs may wish to bundle
the one-time assessments as part of an ongoing offering as well. This provides a very powerful story,
especially for compliance purposes where annual risk assessments may be required but
demonstrating ongoing compliance is equally valuable.

6 Next Steps
This document is intended to be a guide to help you define your own Managed Security offering.
Combined with the ability to incorporate your own practices, conduct interviews using our InForm
technology, and receive low, fixed per-site pricing for Detector, the possibilities are endless for
forming a service offering at all levels, to a variety of customers, using trusted technology.

Additionally, the Detector alerting provides a systematic and methodical approach to security rather
than error-prone human review of logs and settings.

The next step is to contact your RapidFire Tools Account Manager and Solutions Engineer to help
formulate a model that works for you.

RapidFire Tools Sales

sales@rapidfiretools.com

678-323-1300, ext. 2
