Tech Insight: How To Cut Security Costs Without A Lot Of Pain

Everything from trading costly training for local conferences to outsourcing some security tasks can save money -- but first carefully consider the options
Companies are spending more on security: According to the recent Information Week 2010 Strategic Survey, 36 percent are expecting an increase in their security budgets during the next year. Is your company one of them?

Those numbers are hopeful for some, but the survey also shows that security professionals who are seeing the increase are only getting money to help with products -- not to boost their staffing. In other words, they're still being expected to do more with less.

Whittling away at operational costs and coaxing existing resources to last as long as possible has become the norm for many security professionals. Some are stuck working with budgets that were slashed a few years ago, with no immediate hope for an increase, while others are seeing a slowly increasing trickle of funds. But no matter which camp you're in, there are still a few areas where current security practices can be trimmed, supplemented, and even replaced to increase effectiveness while cutting costs.

One of the first areas of security that gets cut is training, which is often seen as a luxury in the eyes of management. But cutting training can also affect morale. Many IT security professionals look forward to their annual security conferences, with the expectation of learning new skills and networking with other security pros. So instead of cutting training altogether, consider some alternatives to trim costs instead.

Local security conferences are popping up all over the country, with small events like Security BSides and the recent THOTCON, which carry great content and typically cost very little (or nothing) to attend. Making the case to attend a BSides event, which offers free admission, is going to be much easier than making it for the typical training event at which one course runs several thousand dollars -- not counting travel.

Online training is another way to save, and it has grown more accessible with training organizations like the SANS Institute offering many of its popular classes online. Offensive Security, creators of BackTrack Linux, provide "Pentesting with BackTrack" and "Cracking the Perimeter" classes in a computer-based training format that can be done at work or home.

Another area in which costs can be cut or reduced is recurring software maintenance fees. Open-source alternatives to software currently in use can replace, or sometimes supplement, existing software. Snort and Suricata are two examples of open-source intrusion detection systems that can be used instead of a commercial solution. Many free and open-source tools have been released over the years to complement Snort and help it scale to large distributed environments, making it an attractive option.

Open-source alternatives to expensive centralized log management tools also exist that can help companies centralize logs and identify attacks before they become breaches. Snare and Lasso are two tools that can send Windows event logs to syslog-based servers for analysis and correlation. OSSEC HIDS is a great example of a full-featured log analysis tool that ties distributed log analysis with centralized reporting, Windows Registry monitoring, and file integrity checking.

The caveat to free and open-source software, however, is that your personnel's time isn't free. Make sure any choice to move to open source takes into consideration your staff's current skill level and experience with the new technologies.

Outsourcing security solutions can cut considerable costs, too. There are often little to no capital costs upfront because all equipment is housed off-site at the service provider's data center. Also, operational expenses tend to be less because the software is managed by the service provider and not existing personnel, who are freed up for other tasks.

Content filtering for Web and e-mail are two of the most common areas being outsourced, and they are easy to evaluate. Often a simple change in the user's systems, a router configuration change, or MX record update can point users to the new service so you can evaluate the service's effectiveness.

Hosted security services offer more than just content filtering. Solutions are available that include multifactor authentication, firewalling, log management, and intrusion detection. Choosing one means weighing the cost differences between doing it in-house and outsourcing it, and determining your company's comfort level with your information being intercepted and monitored by a third party in the cloud.

It's definitely possible to cut costs in security without causing the corporate security program to suffer, but the alternatives and resulting costs need to be evaluated carefully.
