Published: 01 Jun 2006
Make sure you have your house in order before calling a managed security service provider for help.
I've seen a troubling trend when it comes to security outsourcing: Overwhelmed by a flood of firewall and IDS alerts, companies want a quick fix--they figure they can outsource their security and, with it, their problem. Not so fast.
Outsourcing certainly can look like the easy answer. Hiring a managed security service provider (MSSP) to monitor your evening and weekend alerts should be simpler and cheaper than having your staff do the job. An MSSP could provide you with a crew of security experts that you can tap for your overall security needs more cheaply than your own hired guns.
But to make outsourcing work, you'll need to have your security house in order. Instead of throwing your problems over the fence, you'll have to figure out just how your security program should be running. You'll need a clear picture of the exact state of your system and a solid set of working processes in place.
Taking inventory and implementing processes will improve your security program and prepare you for outsourcing. Who is going to do that? Unfortunately, the same overworked people you've already got running security. They know your systems best, but leveraging their talent means committing even more resources up front.
An accurate inventory determines what versions of software are on which machines. That's critical information; network-based intrusion devices identify only exploitation attempts, not successful exploits. If an MSSP alerts an administrator that a Nimda worm is attacking a machine, it makes a big difference if the target is a Solaris machine, which is not vulnerable to Nimda, or a Windows system, which might be. If a Windows machine is targeted, has that system been patched? Is the target machine accepting traffic from the Internet? If not, the worm is dead on arrival for lack of a host.
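The triage the paragraph describes, as an added example (not code from the article or any MSSP): each IDS alert is checked against an asset inventory in the order given above (is the target OS affected at all, is it patched, is it reachable from the Internet) before anyone is paged. The inventory, alert lines and the single signature rule are constructed sample data.

```python
"""Enrich IDS alerts with inventory data before escalating them.

Added example; the inventory, the alert lines and the one signature rule
are constructed, not taken from the article or from any real product.
"""
import re

# Constructed inventory keyed by IP: OS family, patch state, Internet exposure.
INVENTORY = {
    "10.0.0.5": {"os": "solaris", "patched": False, "internet_facing": True},
    "10.0.0.7": {"os": "windows", "patched": True, "internet_facing": True},
    "10.0.0.9": {"os": "windows", "patched": False, "internet_facing": False},
    "10.0.0.11": {"os": "windows", "patched": False, "internet_facing": True},
}

# Which OS families a signature can actually affect (constructed; Nimda
# targets Windows hosts, so a Solaris target is not vulnerable to it).
AFFECTED_OS = {"nimda": {"windows"}}

# Constructed alert line format: "<time> <signature> src=<ip> dst=<ip>"
ALERT_RE = re.compile(r"^(\S+)\s+(\S+)\s+src=(\S+)\s+dst=(\S+)$")


def parse_alert(line):
    """Split one alert line into its fields; reject anything malformed."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable alert: {line!r}")
    ts, sig, src, dst = m.groups()
    return {"ts": ts, "sig": sig.lower(), "src": src, "dst": dst}


def triage(alert, inventory=INVENTORY):
    """Apply the inventory checks in order; return (priority, reason)."""
    asset = inventory.get(alert["dst"])
    if asset is None:
        return ("investigate", "target not in inventory; cannot assess")
    affected = AFFECTED_OS.get(alert["sig"])
    if affected is None:
        return ("investigate", "no applicability data for this signature")
    if asset["os"] not in affected:
        return ("noise", f"{asset['os']} is not affected by {alert['sig']}")
    if asset["patched"]:
        return ("low", "target OS is affected but the host is patched")
    if not asset["internet_facing"]:
        return ("low", "unpatched, but not accepting traffic from the Internet")
    return ("high", "unpatched, affected OS, reachable from the Internet")


def triage_lines(lines, inventory=INVENTORY):
    """Triage a batch of raw alert lines into (dst, priority, reason) tuples."""
    return [(a["dst"],) + triage(a, inventory) for a in map(parse_alert, lines)]
```

An alert the inventory cannot explain (unknown host or signature) is deliberately escalated rather than dropped, since a gap in the inventory is itself a finding.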
Many may suggest that the problem lies with network intrusion devices--if we put host-based agents on each node, we will know the state of our devices. True, but somebody will still have to purchase, install and configure each agent, and then tune the security event manager. Plan on budgeting resources for this task before you think about outsourcing.
Processes are a bigger nut to crack. Ramping up a security program, you have the opportunity to develop hundreds of policies and procedures. The policies aren't hard to create, but working out the details of the procedures for everything is an enormous undertaking. Just for securing communications with SSH--a must if you use an MSSP--you must make a number of decisions: Who will generate the SSH keys? How will you publish the public key? Where will you store the private key? Who will change the keys periodically?
Processes also need to be established for incident reporting, alerting, escalation, containment, remediation and return to service. Hiring a technical writer to develop these procedures won't work unless you have the commitment from management to force the know-how out into the open, prying it out of the heads of the various administrators. And who is going to generate those procedures? Yeah, you know the answer.