Analytics
4/23/2010
02:08 PM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: When To Pull The Outsourcing Trigger

Outsourcing security functions can work -- if the conditions are right

The economic crunch has left enterprises tightening their belts -- and one of the first areas to be cut is often security. Management might see security as important when they think about the impact of data breaches, but the immediate benefits of spending and staffing aren't always apparent when it comes to calculating the bottom line.

When is outsourcing security functions both safe and cost effective? To answer this question, CIOs must weigh the benefits of continued training and specialization for in-house personnel against the cost of using a managed security services provider (MSSP) for such functions as monitoring firewall and intrusion detection logs.

When should you outsource your security functions? As any consultant will tell you, it depends. Contributing factors include budget, manpower, and expertise. And then there's the willingness to give up security responsibilities to an outsider -- not something that can be decided by spreadsheets and dollar amounts.

Before deciding to outsource, make a detailed analysis of security to determine what is already being done well in-house -- and the areas that need better support. Assess the deficit areas to identify the underlying reasons for their shortcomings. Is there a shortage of budget to provide the needed technology? Is the security team short-staffed or nonexistent? Or does current staff lack the expertise required?

Companies that don't have the money to pay for high-priced firewall, IDS/IPS, and content filtering solutions can opt for a hosted service. The MSSP provides the hardware and management, while the company pays a monthly or annual fee. Hosted services like these can solve one or more of the problems stemming from lack of budget, manpower, and expertise.

There are many hosted services to choose from, including firewall, VPN, IDS/IPS, Web, and email filtering services. With the increasing buzz and adoption of cloud computing technologies, we've seen a shift from predominantly ISP-based hosted security services to those that occur in the "cloud." It's a market that includes practically every security company, from Websense and Trend Micro to Kaspersky and Google (Postini).

Sometimes all you need is better management of existing security solutions. You know how strong personalities and underlying political currents can often impact purchasing decisions, right? If you don't have the staff to manage that new whizz-bang, fully application-aware firewall, then it's either time to hire a staff member who can -- or pay an MSSP to manage it for you.

A lack of manpower and expertise doesn't just impact security management. Someone must handle the analysis of security events from firewalls, servers, workstations, IDS/IPS, and antivirus tools. MSSPs -- SecureWorks, Symantec Managed Security Services, and Verizon Business Cybertrust, to name a few -- provide monitoring services of those logs to identify malicious activity and alert customers before it's too late. Think of it as an analyst in a box -- but outside of your box.

Many enterprises rely on vulnerability scanning and penetration-testing services. Assessment services are often necessary because organizations do not have the staff with the expertise to perform these functions. Similarly, the cost of the tools and the manpower can be used to fund and staff other critical IT needs.

Sometimes you might not have a choice about outsourcing. For example, the PCI Data Security Standards (DSS) require that quarterly vulnerability scanning and annual penetration testing be conducted. A Qualified Security Assessor (QSA) is required for the vulnerability scanning, but experienced, in-house personnel can be used for the penetration testing.

Of course, many organizations don't have the manpower and expertise to perform in-house penetration testing. For those that do, taking penetrating testing in-house can be an option -- but enterprises must weigh the risks and benefits. (Read Keith Ferrell's take on the topic: "Taking Penetration Testing In-House.")

Choosing to outsource security services can be a hard decision. By surveying your organization's security needs and comparing them to existing resources -- including budget, manpower, and expertise -- you can clearly identify the areas in need. Then it's a matter of mapping those needful areas to available services -- determining if the price is right, or if it would be more economical to add or train staff to gain those additional skills.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3051
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

CVE-2014-3668
Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

CVE-2014-3669
Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

CVE-2014-3670
Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

CVE-2014-3694
Published: 2014-10-29
The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and ob...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.