Few security functions are better suited to being outsourced than intrusion-detection systems (IDS). That being said, users are still a little sheepish about letting others manage their network security monitoring systems.
IDS has taken its place alongside antivirus software and firewalls as a standard element of security infrastructure. In a recent SearchSecurity.com poll, two out of three respondents rated IDS as very critical or most critical to their security.
IDS is unlike firewalls and antivirus, however, in that it requires constant monitoring to be effective. Firewalls need occasional tweaks and antivirus needs updating, but IDS needs 24/7 monitoring and fine-tuning if the dreaded false positives are to be avoided. More than a few organizations ignore the alerts because they are getting so many, thus negating the benefits of the systems.
A major reason why companies outsource IDS is that they don't have the "intellectual infrastructure" to effectively manage these systems in-house, said Edwin Covert, manager for information security services at Integrated Communication Solutions, a Frederick, Md.-based company that does IDS outsourcing. "It would cost a lot to acquire the relevant skill set," he said.
Often companies new to IDS experience information overload. Sorting out problems in the sea of alerts and incidents is where experience and skill come in, Covert said.
Companies that outsource IDS often have "tried and struggled with it internally," said Pete Lindstrom, research director at Malvern, Pa.-based Spire Security. Outsourcing IDS gives companies access to people who know a lot about the technology. Also, outsourcers often have a broader perspective, as they see incidents at other companies as well.
Companies have two classes of outsourcers from which to choose. There are product-oriented outsourcers, such as Internet Security Systems or Symantec, and more agnostic providers. Companies in the former category offer a variety of combinations of services and products. But if a company already has "a jumble of technology," a more agnostic outsourcer may be better, Lindstrom said.
Some organizations are a little concerned about letting others run or monitor their systems. Greg Francis, senior system administrator at Gonzaga University in Spokane, Wash., isn't considering outsourcing IDS. "We're still developing our IDS implementation and don't want to lose the control over that aspect of our infrastructure," he said in a recent e-mail interview.
Issues of control and trust are often cited as reasons why organizations don't outsource IDS. Lindstrom rejects this logic because people outsource data centers all the time. Specific business contracts should address any concerns a company might have.
Yet companies should scrutinize potential IDS outsourcers, Lindstrom said. Among the questions to ask: Is the outsourcer a stable company? Is its staff well-trained? Are current customers happy?
Companies also need to look inward. Sometimes outsourcing IDS alleviates some of the political and cultural ruminations that occur when a security incident occurs, Lindstrom said. On the other hand, some companies will find it difficult to outsource IDS for political and cultural reasons.
Additionally, outsourcing IDS forces companies to consider how they will respond to various situations before they occur. Those decisions and actions can then be spelled out in the service-level agreement. "It forces companies to think through the entire process, which is a good thing," Lindstrom said.