Analytics
4/23/2010
02:08 PM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: When To Pull The Outsourcing Trigger

Outsourcing security functions can work -- if the conditions are right

The economic crunch has left enterprises tightening their belts -- and one of the first areas to be cut is often security. Management might see security as important when they think about the impact of data breaches, but the immediate benefits of spending and staffing aren't always apparent when it comes to calculating the bottom line.

When is outsourcing security functions both safe and cost effective? To answer this question, CIOs must weigh the benefits of continued training and specialization for in-house personnel against the cost of using a managed security services provider (MSSP) for such functions as monitoring firewall and intrusion detection logs.

When should you outsource your security functions? As any consultant will tell you, it depends. Contributing factors include budget, manpower, and expertise. And then there's the willingness to give up security responsibilities to an outsider -- not something that can be decided by spreadsheets and dollar amounts.

Before deciding to outsource, make a detailed analysis of security to determine what is already being done well in-house -- and the areas that need better support. Assess the deficit areas to identify the underlying reasons for their shortcomings. Is there a shortage of budget to provide the needed technology? Is the security team short-staffed or nonexistent? Or does current staff lack the expertise required?

Companies that don't have the money to pay for high-priced firewall, IDS/IPS, and content filtering solutions can opt for a hosted service. The MSSP provides the hardware and management, while the company pays a monthly or annual fee. Hosted services like these can solve one or more of the problems stemming from lack of budget, manpower, and expertise.

There are many hosted services to choose from, including firewall, VPN, IDS/IPS, Web, and email filtering services. With the increasing buzz and adoption of cloud computing technologies, we've seen a shift from predominantly ISP-based hosted security services to those that occur in the "cloud." It's a market that includes practically every security company, from Websense and Trend Micro to Kaspersky and Google (Postini).

Sometimes all you need is better management of existing security solutions. You know how strong personalities and underlying political currents can often impact purchasing decisions, right? If you don't have the staff to manage that new whizz-bang, fully application-aware firewall, then it's either time to hire a staff member who can -- or pay an MSSP to manage it for you.

A lack of manpower and expertise doesn't just impact security management. Someone must handle the analysis of security events from firewalls, servers, workstations, IDS/IPS, and antivirus tools. MSSPs -- SecureWorks, Symantec Managed Security Services, and Verizon Business Cybertrust, to name a few -- provide monitoring services of those logs to identify malicious activity and alert customers before it's too late. Think of it as an analyst in a box -- but outside of your box.

Many enterprises rely on vulnerability scanning and penetration-testing services. Assessment services are often necessary because organizations do not have the staff with the expertise to perform these functions. Similarly, the cost of the tools and the manpower can be used to fund and staff other critical IT needs.

Sometimes you might not have a choice about outsourcing. For example, the PCI Data Security Standards (DSS) require that quarterly vulnerability scanning and annual penetration testing be conducted. A Qualified Security Assessor (QSA) is required for the vulnerability scanning, but experienced, in-house personnel can be used for the penetration testing.

Of course, many organizations don't have the manpower and expertise to perform in-house penetration testing. For those that do, taking penetrating testing in-house can be an option -- but enterprises must weigh the risks and benefits. (Read Keith Ferrell's take on the topic: "Taking Penetration Testing In-House.")

Choosing to outsource security services can be a hard decision. By surveying your organization's security needs and comparing them to existing resources -- including budget, manpower, and expertise -- you can clearly identify the areas in need. Then it's a matter of mapping those needful areas to available services -- determining if the price is right, or if it would be more economical to add or train staff to gain those additional skills.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.