Managing security without losing your head (count)

As information security threats grow in number, volume and sophistication, the Internet is becoming a more dangerous neighborhood in which to set up shop.

In the first months of 2003, companies fought off the Slammer worm, another CodeRed variant (CodeRed.F) and Deloder. Security professionals scrambled to address the most recent bit of "worm bait" -- the WebDAV vulnerability. A company's CIO and IT staff often have neither the resources nor the expertise to handle these security challenges. Even those companies that are fortunate enough to have full-time chief information security officers and security staffs don't typically have the tools in-house to visualize and address real-time attacks. In addition, few have the capability to obtain Internet-wide security intelligence. This is where managed security services providers (MSSPs) can help.

Most companies today have installed firewalls and intrusion-detection systems to protect their networks. However, these and other security devices produce an immense volume of data that's nearly impossible to interpret without consuming significant in-house IT resources. Most organizations don't have the technology, people or processes to pinpoint genuine cyberattacks among the millions of alerts generated by security devices. MSSPs work with their clients to provide round-the-clock security management, analysis, recommendations and remediation.

The best MSSPs have built sophisticated correlation and data mining technology that allows them to find the real attacks among the false positives, a task much like looking for a needle in a haystack. They also employ security analysts who determine the significance of each attack to each specific customer, notify the customers and make recommendations on what actions to take. World-class MSSPs can also manage clients' firewalls and implement firewall rules to block many cyberattacks.

Opinion
Grant Geyer

The most successful MSSPs have so many clients and such a substantial volume of security data that they can take security to the next level. At the moment a customer's network is attacked, even with simple reconnaissance activity, MSSPs can provide a historical perspective, modus operandi and predictive behavioral analysis on attacks from the same source. Furthermore, because of the volume of traffic, the best MSSPs can visualize new threats as early as seconds after they emerge on the Internet and notify their entire client bases. The longer a client has worked with an MSSP, the better its security posture.

Outsourcing security to an MSSP can help companies to more successfully and efficiently protect networked resources. However, how can a company's management decide if outsourcing security is the right choice, particularly if it's concerned with the effect such a decision will have on its IT staff?

Traditional approaches to outsourcing: Off with their heads

The concept of outsourcing isn't new. A company will hire an outside organization to provide critically needed services so it can focus on its core business. The outsourcer provides specialized services and expertise that the customer can't match, unless it chooses to add staffers or spend a significant amount of capital to train the right people in-house. Consulting firms, especially in the security consulting space, have helped companies reap the benefits of outsourced services in this way for years and have built successful businesses.

However, choosing to outsource isn't a decision to be made lightly. When a company brings an outsourced partner on board, senior management often seeks to reduce its internal IT head count to reduce redundancy and save money. Does the MSSP fit into this classic outsourcing model? Yes and no.

MSSP: Cavalry or executioner?

Some MSSPs have positioned themselves as cost-effective alternatives to hiring and maintaining a security staff in-house. Although it makes sense for small businesses to outsource security to an MSSP, chances are this course of action doesn't make sense for the midsize or enterprise-class corporation. If a company has hired internal security experts and is paying them top rates, an MSSP can help the company to significantly improve its overall security posture.

If a company partners with an MSSP to mine and analyze security data for cyberattacks, the MSSP can provide recommendations to in-house security staffers, empowering them to take action and prevent future attacks. In other words, in-house security experts will have time to do the jobs they were hired to do. The fundamental difference between MSSPs and traditional outsourcers is that MSSPs don't make an internal security staff obsolete. MSSPs make internal staff more relevant.

Let them eat cake: Co-sourcing security

Companies that are considering a partnership with an MSSP should think of the relationship as "co-sourcing" instead of outsourcing. In a healthy co-sourcing relationship, the MSSP and the customer each take responsibility for a piece of the security puzzle, and together they can provide a stronger approach to risk management. Maintaining a strong internal IT and security staff is necessary to ensure that the company develops and implements a comprehensive security program, which encompasses technology, policy and employee education. This is a must in today's dangerous Internet environment.

"We've seen a significant shift in thought regarding MSSPs as business partners," says Allan Carey, a senior analyst at IDC. "In the early days, it was thought that a company had to hand over complete control of its security to an MSSP and trust the service provider did its job well. However, the best leverage points for today's businesses, especially those in the upper end of the medium to large enterprises group, is to partner with MSSPs in a co-sourcing arrangement. Clearly in this partnering model, the customer retains a sense of control while enhancing the level of security and better utilizing its internal resources."

Outsourcing security to an MSSP enables internal security staffers to be more effective in their everyday jobs. If a company's security professionals aren't hampered by reviewing log files and alerts all day, they'll have time to plan and implement a more comprehensive security strategy, as well as to focus on vulnerability patch management priorities. The co-sourcing relationship leads to the development of a team of outsourced analysts and in-house professionals that's prepared to address a variety of challenges that arise in today's complex security environments.

Copyright © 2003 IDG Communications, Inc.
