Outsourcing Security Maintenance

With the growing demand for security services and the high costs associated with hiring a local security staff, many organizations look for alternate methods of managing security. This has opened the market for managed security services wherein clients can pay an external organization to monitor and react to various security issues. Managed services are a great way to provide certain types of services, such as off-hour monitoring of local security devices and running continual penetration scans and attack simulations. Hackers usually attack at odd hours of the night, when security staff are not present. With managed services, however, a staff shared among many clients can be utilized 24x7, rather than hiring a local staff to perform the same functions.

Limitations of Managed Services

At first glance, bringing in a managed services company may seem like the solution to all security problems. Indeed, managed security services can remove much of the work involved in maintaining security. However, remember that a managed service provider (MSP) can only offload certain aspects of security. There are far too many pieces of security for any external organization to be considered its "owner." Security as a whole must be managed from within an organization and seen in all aspects of its operations. Paying an MSP to monitor Internet connections or manage intrusion detection may be helpful, but it does not relieve us of security issues.

Beware of Free Managed Security

As the demand for managed services began to grow, many Internet service providers (ISPs) realized they could attract more customers by managing the security of their customers' Internet connections. Most ISPs offer firewall filtering, intrusion detection, and incident reporting at a minimal fee to their clients. This has led many organizations to forgo implementing their own local perimeter defenses and rely on their ISPs. I highly discourage organizations with more than a few computers from accepting this as their only security solution. Looking back to the discussion on trust, we must fully trust the ISP's equipment, staff, and policies to protect our organization. An ISP's primary focus, however, is not on the firewall or its management, but rather on the networking aspects of the business. As such, it is rare to find an ISP that will give adequate attention to protecting a company of any size. Heavy caution is recommended for any organization outsourcing its perimeter defenses.

A couple of years ago, I performed an audit within a giant New York City-based organization. This company had elected to have its ISP manage the Internet firewall for all connections, including a network with hundreds of servers and thousands of workstations. During the audit, I contacted the ISP to inquire about its security policies and how this service was managed. After several days of trying to hunt down a technician, I finally learned that the firewall was Checkpoint 3.51, which had been outdated for more than five years. The system the firewall was running on had never been hardened, and the individual monitoring it knew as little about security as my beloved grandmothers.

Properly Using Managed Security Services

Managed security services are a great resource, when used properly. The best use for managed services is when an organization requires 24x7 monitoring for security events and does not have the staff to handle it. Another good use for such services is to enhance security maintenance, since the staff can spend a lot of time searching for new vulnerabilities, new exploits, and new patches on behalf of their clients. This is a great service if an organization is unable to have a security expert on staff. Before any MSP is used, the following issues should be considered:

  • Does the organization have local security devices for the managed service provider (MSP) to manage? It is usually not a good idea to hook up to an external party's firewall. Firewalls are often shared, and without a local device, there is no chance to directly interact with the device or check up on the service provider.

  • Can the MSP be trusted? Only use MSPs from large companies with good reputations. Choosing the wrong provider can be a horrible experience.

  • Does the MSP have security experts on staff at all hours? MSPs sometimes have a security expert on staff for part of the day and then college interns with no experience as the night-time staff. Make sure there is someone with security expertise on staff at all required hours.

  • How often does the MSP research new vulnerabilities, exploits, and fixes? An MSP should check for newly discovered exploits at least one or two times a day.

  • How often will they update your systems? There should be some form of service level agreement (SLA) that states when your systems will be updated or that your organization will be informed within x hours after a new exploit has been discovered.

  • Will the MSP provide reports on potential violations? Security should never be left solely in the hands of the MSP. Make sure you receive regular reports that you can review and question.

  • Will the organization have access to security policies and configurations? Again, never put 100% trust in your MSP. Make sure you have access to policies and configurations.

  • What sort of liability does the MSP accept if a break-in occurs? MSPs should be insured in case a break-in occurs and it is shown to be because of the MSP's negligence.

  • How does the MSP prevent its own staff from hacking into client systems? Managing security for another organization yields a lot of temptation for the local staff. Many hacks occur from such providers each year. Make sure the MSP has measures to control its own staff, and that reports concerning the MSP's access events into your systems are available upon request.


Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day