Analytics

7/23/2010
02:10 PM
Tech Insight: How To Cut Security Costs Without A Lot Of Pain

Everything from trading costly training for local conferences to outsourcing some security tasks can save money -- but first carefully consider the options

Companies are spending more on security: According to the recent Information Week 2010 Strategic Survey, 36 percent are expecting an increase in their security budgets during the next year. Is your company one of them?

Those numbers are hopeful for some, but the survey also shows that security professionals who are seeing the increase are only getting money to help with products -- not to boost their staffing. In other words, they're still being expected to do more with less.

Whittling away at operational costs and coaxing existing resources to last as long as possible has become the norm for many security professionals. Some are stuck working with budgets that were slashed a few years ago, with no immediate hope for an increase, while others are seeing a slowly increasing trickle of funds. But no matter which camp you're in, there are still a few areas where current security practices can be trimmed, supplemented, and even replaced to increase effectiveness while cutting costs.

One of the first areas of security that gets cut is training, which is often seen as a luxury in the eyes of management. But cutting training can also affect morale. Many IT security professionals look forward to their annual security conferences, with the expectation of learning new skills and networking with other security pros. So instead of cutting training altogether, consider some alternatives to trim costs instead.

Local security conferences are popping up all over the country, with small events like Security BSides and the recent THOTCON, which carry great content and typically cost very little (or nothing) to attend. Making the case to attend a BSides event, which offers free admission, is going to be much easier than making it for the typical training event, at which one course runs several thousand dollars -- not counting travel.

Online training is another way to save, and it has grown more accessible with training organizations like the SANS Institute offering many of their popular classes online. Offensive Security, creator of BackTrack Linux, provides its "Pentesting with BackTrack" and "Cracking the Perimeter" classes in a computer-based training format that can be completed at work or at home.

Another area in which costs can be cut or reduced is recurring software maintenance fees. Open-source alternatives to software currently in use can replace, or sometimes supplement, existing software. Snort and Suricata are two examples of open-source intrusion detection systems that can be used instead of a commercial solution. Many free and open-source tools have been released during the years to complement Snort and help it scale to large distributed environments, making it an attractive option.

Open-source alternatives to expensive centralized log management tools also exist that can help companies centralize logs and identify attacks before they become breaches. Snare and Lasso are two tools that can send Windows event logs to syslog-based servers for analysis and correlation. OSSEC HIDS is a great example of a full-featured log analysis tool that ties distributed log analysis with centralized reporting, Windows Registry monitoring, and file integrity checking.

The caveat to free and open-source software, however, is that your personnel's time isn't free. Make sure any decision to move to open source takes into account your staff's current skill level and experience with the new technologies.

Outsourcing security solutions can cut considerable costs, too. There are often little to no capital costs upfront because all equipment is housed off-site at the service provider's data center. Also, operational expenses tend to be less because the software is managed by the service provider and not existing personnel, who are freed up for other tasks.

Content filtering for Web and e-mail traffic is among the most common areas being outsourced, and it is easy to evaluate. Often a simple change on the users' systems, a router configuration change, or an MX record update can point users to the new service so its effectiveness can be evaluated.

Hosted security services offer more than just content filtering. Solutions are available that include multifactor authentication, firewalling, log management, and intrusion detection. Choosing one means weighing the cost differences between doing it in-house and outsourcing, and determining your company's comfort level with its information being intercepted and monitored by a third party in the cloud.

It's definitely possible to cut costs in security without causing the corporate security program to suffer, but the alternatives and resulting costs need to be evaluated carefully.
