Information Security

Defending the digital infrastructure


It's a Dirty Job...

SERVICES

But someone has to handle vulnerability management. Giving it to an outsourcer seems like an easy solution, but enterprises need to first understand the gritty details.

The idea of outsourcing an especially difficult duty is pretty appealing. At home, who wouldn't happily "outsource" cleaning the bathroom, doing the laundry or taking out the trash? And, in the professional IT world, who wouldn't want to outsource the tough task of vulnerability management (VM)?


With the growing number of software patches, regulatory requirements, and increasing complexity of networks and threat models, managing network and system vulnerabilities has become an arduous chore for most enterprises.

Though it may appear that outsourcing VM is a no-brainer for many companies, outsourcing any security function is a far more complicated decision than sending your shirts to the cleaners. We'll take a look at what outsourcing VM means, and review the technical and non-technical considerations enterprises should sort through when assessing the benefits and costs associated with VM outsourcing.

Before considering VM outsourcing, it's important to understand VM. When discussed in an IT context, it's not meant to encompass the whole spectrum of potential enterprise vulnerabilities. Whole-enterprise vulnerability management would need to include the vulnerability associated with having a criminally minded CEO, or the vulnerability of investing time and money in an ill-conceived product.

When IT professionals discuss VM, we are most often talking about how to identify and remediate threats in the resource layer. This means looking for vulnerabilities in the operating system, applications, databases and other IT resources, and then closing the risk window via some form of remediation, like applying a patch or making a configuration change.

Be aware, though, that taking the wrong action could introduce a greater vulnerability to the enterprise. For example, if a database vendor releases a patch designed to fix an obscure and difficult-to-exploit vulnerability, and the patch is problematic, it can bring down your enterprise servers. Automatic responses outside the normal trouble ticketing, workflow and change management accountability chain can introduce unacceptable levels of risk. Risk reduction controls, such as testing the patch prior to applying it to the production server, can keep risk in check, as can keeping the response and remediation process inline with corporate workflows and approval processes.

To close the loop, most companies implement ongoing verification and monitoring of their VM system, and accomplish this, in part, by sharing the data collected and managed via the VM systems with external tools. In addition to integration with workflow and change management solutions, VM tools can share critical event information with network systems management (NSM) tools, security event and information management (SEIM) tools, compliance dashboard tools, and other correlative and analytic portals.

When thinking about outsourcing VM, break down what types of services an external provider supplies. Here are some of the most commonly outsourced VM services (most large outsourcers supply all of these services, but always check for details of specific vendor offerings):

  • Asset identification. There's an old saying that is appropriate in the VM world: "You can't manage what you don't know." There are dozens of vulnerabilities released every day, but many aren't a priority for your network. The only way to know which vulnerabilities and exploits matter to your company and your systems is to know exactly what you've got. It can also help to know where the systems are. Many attacks can be thwarted via port blocking; if a device is in a protected zone and all traffic into that zone can be filtered, the vulnerability can be mitigated. Asset identity services scan your network and return detailed listings that identify what systems are on the network, their patch and configuration levels and their location within the network topology.

  • Vulnerability identification/assessment. What vulnerabilities are in the wild? Part of the intelligence process of a VM outsourcer is the ability to gather and disseminate data on vulnerabilities and patches. Vulnerability information can come from a variety of sources: vendors, lists and media reports, among others. The depth of the information gathered in the asset identification is then assessed against known vulnerabilities and exploits. The outsourcer can then notify the customer where the problems are and what actions are recommended.

  • Remediation and patching. Taking action is a critical part of VM, but what about when remediation is outsourced? It can mean that the outsourcer makes the call and takes action as needed, anything from applying a patch to reconfiguring access control rules on a firewall. Alternately, the outsourcer could integrate with the customer's workflow and trouble ticketing system, so the patch is queued for deployment, but the actual deployment task is completed by the customer.

  • Control verification and monitoring. Because VM is fundamentally about closing windows of exposure, it's important to ensure that there is an audit and verification function to verify that changes and fixes have been applied properly. It is also important to know who approved the change and who applied it. An outsourcer should be able to provide the customer with detailed, real-time access into the audit and verification functions. Additionally, many enterprises want to have transparency back to the internal corporate network and event management engines via the export of log information from the service provider.
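The four services above form one pipeline: inventory the assets, match them against known vulnerabilities, queue remediation through change control, and verify that the fix was approved and actually landed. The following is an added example, not code from the article or from any VM vendor, that walks a constructed asset inventory and a constructed vulnerability feed through that pipeline. Product names, version numbers, host names, zone names, vulnerability identifiers (VULN-A, VULN-B) and change ticket numbers are all fictional, and the "filtered port means mitigated" rule is a simplification of the port-blocking point made under asset identification.

```python
"""Added example (not from the article): match a constructed asset inventory
against a constructed vulnerability feed, rank findings by real exposure, and
then verify that each fix was approved, attributed and actually applied."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    hostname: str
    zone: str                       # where the host sits in the topology
    software: dict                  # product -> installed version string
    filtered_ports: set = field(default_factory=set)  # blocked at zone edge


@dataclass
class Vuln:
    vuln_id: str
    product: str
    fixed_version: str              # first version that carries the fix
    port: Optional[int]             # port the flaw is reached on, if network-reachable
    severity: float


def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def is_affected(asset: Asset, vuln: Vuln) -> bool:
    """Affected only if the product is installed and older than the fixed version."""
    installed = asset.software.get(vuln.product)
    return installed is not None and version_tuple(installed) < version_tuple(vuln.fixed_version)


def is_mitigated(asset: Asset, vuln: Vuln) -> bool:
    """A network-reachable flaw whose port is filtered at the zone boundary."""
    return vuln.port is not None and vuln.port in asset.filtered_ports


def assess(assets, vulns):
    """Return findings most urgent first: unmitigated before mitigated, then by severity."""
    findings = []
    for asset in assets:
        for vuln in vulns:
            if not is_affected(asset, vuln):
                continue
            findings.append({
                "host": asset.hostname,
                "zone": asset.zone,
                "vuln": vuln.vuln_id,
                "severity": vuln.severity,
                "mitigated": is_mitigated(asset, vuln),
            })
    findings.sort(key=lambda f: (f["mitigated"], -f["severity"]))
    return findings


def verify_remediation(findings, vulns, change_records, rescan_assets):
    """Close the loop: a finding is verified only when an approved, attributed
    change record exists AND the re-scan no longer shows the vulnerable version."""
    vuln_index = {v.vuln_id: v for v in vulns}
    host_index = {a.hostname: a for a in rescan_assets}
    record_index = {(r["host"], r["vuln"]): r for r in change_records}
    report = []
    for f in findings:
        record = record_index.get((f["host"], f["vuln"]))
        still_vulnerable = is_affected(host_index[f["host"]], vuln_index[f["vuln"]])
        if record is None:
            status = "no-change-record"
        elif not record.get("approved_by"):
            status = "applied-without-approval"    # change made outside the approval chain
        elif still_vulnerable:
            status = "approved-but-not-fixed"
        else:
            status = "verified"
        report.append((f["host"], f["vuln"], status))
    return report


# --- constructed sample data: fictional products, versions, hosts and IDs ---
ASSETS = [
    Asset("web01", "dmz", {"acme-httpd": "2.4.49"}),
    Asset("db01", "internal-restricted", {"acme-db": "13.2", "acme-httpd": "2.4.49"},
          filtered_ports={80, 443}),
    Asset("app01", "internal", {"acme-db": "13.5"}),
]
VULNS = [
    Vuln("VULN-A", "acme-httpd", "2.4.51", 80, 9.8),
    Vuln("VULN-B", "acme-db", "13.4", 5432, 7.5),
]
CHANGE_RECORDS = [   # what the ticketing system holds after the outsourcer acted
    {"host": "web01", "vuln": "VULN-A", "ticket": "CHG-0001",
     "approved_by": "change-board", "applied_by": "outsourcer-ops"},
    {"host": "db01", "vuln": "VULN-B", "ticket": "CHG-0002",
     "approved_by": None, "applied_by": "outsourcer-ops"},
]
RESCAN_ASSETS = [    # inventory as seen by the follow-up scan
    Asset("web01", "dmz", {"acme-httpd": "2.4.51"}),
    Asset("db01", "internal-restricted", {"acme-db": "13.4", "acme-httpd": "2.4.49"},
          filtered_ports={80, 443}),
    Asset("app01", "internal", {"acme-db": "13.5"}),
]

if __name__ == "__main__":
    findings = assess(ASSETS, VULNS)
    for f in findings:
        print(f)
    for row in verify_remediation(findings, VULNS, CHANGE_RECORDS, RESCAN_ASSETS):
        print(row)
```

Run stand-alone, the script lists the exposed hosts first (web01 is reachable on the flawed port, db01 has that port filtered at its zone edge and drops to the bottom of the list), then shows the three outcomes an audit function has to distinguish: a fix that was approved and confirmed by re-scan, a fix the outsourcer applied with no approval on record, and a finding with no change record at all.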

Before moving forward with outsourcing of vulnerability management, enterprises must take into account a number of important architectural considerations.

Will the outsourcer be using internal scans, external scans or both? If outsourcers are only scanning from outside the company (usually in front of the firewall), they will only be able to see what an external attacker can. While this is useful information, there are vulnerabilities inside corporate networks that should not be ignored. The traditional single perimeter continues to move deeper and deeper into the network and is distributed on hosts and sub-zones.

If the decision is made to allow the outsourcer to place internal scanners on the network, be clear up front about who is responsible for managing those scanners and how the data being sent back to the outsourcer is protected. What level of trust will the outsourced scanner have inside trusted corporate zones? If the scanner from the outsourcer is being placed in a restricted zone, will the owners of that zone have appropriate control of the scanner?

Then consider how invasive the scans will be on the network. Scanning can be done via an agent or from the network, with or without credentials. An agent requires a piece of code be installed on every host that will be scanned. Does your company feel comfortable having a piece of code from an outsourcer installed on all its monitored devices? Many do not, so the outsourcer may have to use a network-based scanning solution. Although these are less invasive because no code installations are required, they can be a heavier hit to network traffic depending on how frequently and how many devices they scan.

In addition, VM scanning can be more or less invasive based on whether or not credentials are used. In credentialed scanning, some form of valid credentials is given to the scanner so that it can log in and look for vulnerabilities as a legitimate user. This kind of scanning can turn up more information, but can also crash systems.

Some scanners attempt to exploit vulnerabilities, with or without credentials, which can result in system or service crashes. Check with your outsourcer to determine the right level of invasiveness to keep system outages to a minimum.

It's important to consider the general readability of the information gathered by the outsourcer. Having a lot of wonderful data stored at the outsourcing partner won't help much if you can't access it and understand it easily. Is the dashboard data shown in near real-time, or is there a delay? Some VM outsourcers provide dashboards that enable the customer to have the same visibility into the current state of the network that their security operations center engineers have. Also, can the information be accessed securely, with appropriate authentication and protection in transit, and can it be exported to other systems and consoles, such as a SEIM or other event correlation tool?

Vulnerability Assessment
Ironing Out the Details

In the outsourced VM services world, the phrase "vulnerability assessment" usually means scanning a network of target devices for current patch levels and configurations, and matching this information against technical security policy requirements and known vulnerabilities.

The question that often arises from customers is whether the vulnerability assessment offered as part of a VM service is the same kind of large-scale vulnerability assessment offered by consulting firms and even some VM outsourcers. The answer is, "No, not really."

VA, as part of VM, is tightly focused on automated scanning and information gathering from target devices. A full-blown security and vulnerability assessment usually includes a people, process and technology review of security and vulnerability in an enterprise. A large-scale security and vulnerability assessment project can include a number of moving parts:
  • Tiger team penetration testing
  • Process and procedure reviews
  • Interviews with key personnel
  • Documentation reviews
  • Code reviews
  • In-depth assessment of threat models and paths
  • Recovery readiness
Clearly, a vulnerability or security assessment of that level is a much more complicated process than automated scanning of systems. Before contracting with a VM outsourcer, check to see what the company will explicitly provide as part of the vulnerability assessment service. If you need a deeper and more complete VA, it's possible to outsource that, too. Be aware, though, that you may need to contract with a specialized consulting firm (such as one of the Big 4) for this type of detailed assessment work.

--Kelley Damore

Any company that is considering outsourcing vulnerability management needs to take a long, hard look at accountability issues. The bottom line is that accountability cannot be outsourced. This places additional management and monitoring responsibility on the company that has contracted with an outsourcer. If a critical accounting server goes down in the last quarter of the year, your IT department will be accountable even if the server went down because of an error by the VM outsourcer. Simply put, any information that is lost and any downtime that is suffered will be your IT department's responsibility.

Cyber-insurance may defray the cost of losses due to internal or outsourcer errors. Think through what kind of data the outsourcer will be holding, and whether you trust the outsourcer to hold this data. If your servers do not have the latest patches, does that constitute a risk to your organization? This vulnerability could be used by an attacker to know where to strike, or by a lawyer to prove lack of diligence.

Also, you need to examine the level of communication that you expect between your IT team and the outsourcer. Defining key liaisons from each team to work together can increase the success of the communication process. Make weekly status calls to go over any outstanding issues. The communication plan should extend to escalation and disaster procedures: When and why should the outsourcer start paging internal administrators? What constitutes an emergency? What is the escalation path at your organization that the outsourcer should take to get resolution?

Once your questions have been addressed, get everything in writing before contracting the service. Clear, concise, enforceable service level agreements (SLAs) can go a long way to keep the relationship productive. It also helps to have a clause in the SLA regarding remuneration should the outsourcer fail to keep to the terms of the agreement. Although accountability can't be transferred, partial cost of failure can be distributed back to the outsourcer in the event of a security incident.

Security is a notoriously difficult area in which to prove ROI; what is being measured is often the cost of nothing bad happening. To realize realistic ROI, focus on metrics that can be measured rather than estimated.

For VM outsourcing, review how the service may save your enterprise head count. Are there full-time employees currently in charge of internal scanning, monitoring vulnerability lists and deploying patches? If so, how many of them can be reassigned to other jobs if the VM task is outsourced? Don't forget that you will still need staff to manage the outsourcer, as well as some to oversee escalation and change management approval.

Many enterprises are outsourcing vulnerability management to reduce demands on internal personnel and resources. There are many benefits that can be realized by outsourcing VM. Overall head count requirements for VM may go down as the tasks are assigned to the outsourcer and, subsequently, internal resources can be reassigned to other projects.

But VM outsourcing is not a decision to be made lightly. For the best chance at success, think through the questions and concerns that matter to your enterprise and get the answers from your outsourced agency in writing.

Remember that while much of the labor and resource requirements can be outsourced, accountability cannot. Someone at your organization will still be on the hook to ensure that the outsourcer takes the correct steps in managing the vulnerabilities. If all your white shirts come back from the laundry gray due to a bad process, who has to go to work the next day in a gray shirt? If your systems are attacked because the right patches or configurations were not applied, who takes the fall?

Think carefully about the process and how it will work optimally for your organization before dumping this laundry load on an outsourcer.
