Hire a Hessian (Outsourcing)263
mantrap, close the outside door, and scan your identity badge. The scan signals the service provider, who remotely locks the outside door, checks that you are alone in the mantrap, verifies your video image against your stored image, and then remotely unlocks the inside access door. ADT and Sentor are examples of companies that offer these types of services. Monitoring and control are typically based on vendor-supplied on-site appliances that communicate alerts to redundant monitoring centers.
Incident Support
Firms commonly supplement their in-house incident management capabilities with third-party resources when dealing with security, fraud, and other IT-related malfeasance. Employing a red team to assist with the containment and resolution of a major compromise is not uncommon. “Red Team” is the military term used in war games for the opposing force, or OPFOR. In incident response, it is the team opposing or countering the attacker. Some organizations use the term in reference to penetration testing. For example, the NSA Red Team is essentially a penetration testing team that acts “like our country’s shadowy enemies…attempting to slip in unannounced and gain unauthorized access.” This is a misuse of the term: Penetration testing uses attack techniques, whereas incident response uses defensive techniques; these are two very different functions. Calling them by the same name creates more of a confusion factor than anything else. Companies are also prone to use external resources for forensics work and security investigations, usually for the expertise, but impartiality is also a factor. A third factor is cost: Forensic tools and training are expensive to purchase and maintain. Digital Intelligence and Encase are probably the two best-known vendors; their products range in price from $6,000 to $20,000 for hardware and $3,000 to $6,500 for software. Training for a primary and backup operator will run another $3,000. This is a pretty stiff entry fee for a system that will likely sit idle most of the time. Outsourcing this function is more cost effective for most organizations. Most MSSP consultancies offer forensic and investigative services.
System Management/Administration
This class of security services also falls into the MSSP realm. Services include the installation, configuration, and operation of security devices such as firewalls, VPN servers, intrusion detection appliances, and content filters. Small and medium-size businesses are most likely to use these services because the cost of maintaining in-house expertise for these functions is difficult to justify. SecureWorks’ Firewall Service is an example of this type of service. The service provides full administration (i.e., configuration, patching, software updates, and performance tuning) as well as real-time monitoring of firewall logs for malicious activity.
Security Officer Services
Outsourcing security officer (guard) services is another common practice. Service providers offer a variety of services based on industry sector and client need. These services include reception/concierge services, video (CCTV) console monitoring, vehicle and foot patrols, inspection services, visitor badging, new employee orientation, campus access control (gates), and parking control/coordination. Securitas and Wackenhut are examples of companies that offer outsourced guard services. It is not uncommon for these companies to offer investigation, executive protection, and secure transport services as well.
TAF-K11348-10-0301-C013.indd 263TAF-K11348-10-0301-C013.indd 263 8/18/10 3:12:26 PM8/18/10 3:12:26 PM
264Security Strategy: From Requirements to Reality
Outsourcing of Security Services Objectives
The primary driver for outsourcing security services remains cost savings, but savings will vary depending on the size of the organization and the kind of services contracted. The overhead involved in keeping security expertise in-house for small and medium-size companies can be burdensome; IT salaries are high, but the turnover rates are relatively low. By comparison, security officer compensation is modest, but turnover rates are high. For large enterprises, the cost of in-house expertise is a less important factor, and so savings are less pronounced. Compliance is another big driver because many statutes, regulations, and industry standards require third-party verification. For example, Section 404 of the Sarbanes-Oxley (SOX) Act requires annual financial reports for publicly traded companies to contain an assessment of the effectiveness of the internal control structure and procedures for financial reporting. The act specifically calls for the attestation of a registered public accounting firm. The Payment Card Industry Data Security Standard (PCI DSS) requires an annual on-site review performed by a Qualified Security Assessor (QSA). Businesses may also use external auditors to certify their compliance with a set of international, national, or industry standards, for example, ISO 27001 or ISO 17799 accreditation. There are also a number of commercially available trust seal attestations. For a fee the vendor will assess the security and privacy features of a company’s online services and attest that they are trustworthy if they meet the vendor’s criteria. The customer may then display the vendor’s trust seal on their websites. TRUSTe requirements include ongoing compliance monitoring, reporting of key changes in data management practices, and periodic reviews by a certified Client Services Manager.
Coverage is another driver. Most businesses do not have 24/7 security monitoring capabilities, and on-call staffing management can be problematic. It is for this very reason that hackers attack at night and on weekends. Coverage can be an issue for small and large companies alike. A large retailer Bill worked for in North Carolina had one of the best implementations of SNORT he had ever seen, and the young lady who operated the system was very proficient. Unfortunately, she was it: If she wasn’t sitting at the console monitoring events, the events didn’t get monitored. When she wasn’t at work, alerts were sent to her pager, and when she was on vacation the alerts were forwarded to one of the network technicians. The lack of coverage severely limited the effectiveness of the tool, and, sure enough, they got hacked when no one was watching. Improved coverage leads to improved incident management, another driver for security service outsourcing. In Chapter 6 we talked about timeliness and its effect on potential damages; the prompter the response, the lower the damage. MSSPs monitor and analyze events in real time and provide immediate notification for critical (high-risk) events. Not only does this facilitate response, but it also eliminates false responses (a major headache for on-call personnel). MSSP personnel evaluate events to establish criticality; false alarms detected during this process are not forwarded, and on-call personnel get a full night’s sleep.
Incident response points to another benefit of MSSP outsourcing: expertise. MSSPs gather data from multiple customer sites and have a highly skilled staff analyzing attack trends and attack methods. Their assessment of an event, as well as the information they provide in a notification, will be more comprehensive than anything you could generate in-house. Their recommended actions and support will be more focused and effective because their knowledge base and experiences are broader. When you combine all of these factors, the net result is improved security, which is an obvious driver for any security outsourcing effort. Security improvement is also the main driver for outsourcing security assessment services.
The majority of hacker attacks are now aimed at the application layer. SQL injection, cross-site scripting, and response splitting are some of the most prevalent attacks. SANS listed application attacks as the second biggest cybersecurity risk in 2009. Citing attack and vulnerability data collected by TippingPoint and Qualys, SANS concluded, “During the last few years, the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded on application programs.” This shift can be partially attributed to improvements in operating system and network security controls, but the prevalence of targets and the lack of effective application patching are the more likely culprits. In addition to employing secure development practices, companies will hire third parties to assess the security of their applications. Pre-deployment assessments may include security architecture and design reviews, code reviews, and security testing. Outsourcing a penetration test on a fully staged deployment is a common practice. Penetration testing is also a popular post-deployment assessment used to verify security controls after system changes are deployed.
Organizations outsource security services in seven distinct areas (auditing, assessment, monitoring, consulting, incident support, device management, and facility security) primarily for defensive purposes. The largest driver is cost savings, followed by compliance mandates, broader coverage, improved incident response, and a better overall security posture. Cost savings tend to be more modest because of the narrower scope of the services; small and medium companies realize the best benefits from not having to keep in-house expertise.
Challenges to Outsourcing Security Services
Losing in-house expertise can be a downside to outsourcing from two different perspectives. The first perspective is availability: Vendor resources are shared across multiple customers; you may need to “wait your turn” to get a qualified resource, especially when you need them the most (e.g., when the region is getting hit by a major worm attack). The second perspective is validation: When changes are made, you don’t have the ability to confirm they were done correctly. A great example of this is an assessment Bill did for a law firm in Phoenix. The firm had a Cisco PIX firewall that was managed by an external provider. The IT director asked him to review the configuration, which he did; he found more than 20 configuration errors, including seven exploitable “holes” in the firewall rules. Some of those holes had been there for years, but the firm had no way of knowing because no one in-house knew how to evaluate a PIX configuration. Another issue associated with outsourcing expertise is, how expert is that expertise? You don’t really have a good way to assess the knowledge, skills, and abilities of the provider’s staff. During an IT services bid review for the U.S. Navy, Bill noticed, based on the submitted resumes, that the vendor had assigned a relatively inexperienced resource to a senior-level task. When he raised the question, the contractor indicated that the resource was one of their top performers and that one of their most senior resources (he was sitting in the room at the time) was on call to assist if necessary. The vendor won the contract, the senior resource was never seen again, the primary resource was completely overwhelmed, and ultimately the U.S. taxpayers footed the bill for his lack of expertise! Anyone who has done much outsourcing likely has similar stories. When outsourcing security consulting and assessment services involving individual contributors, resume and training record reviews are a good way to assess expertise; interviews are even better. Microsoft contracts resources from a number of vendors to staff spikes in workloads. While interviewing a potential vendor resource for a security engagement, Bill asked about his CISSP and his job experience leading up to his certification. The man had falsified his application! He may have had the requisite skills, but he certainly didn’t command trust, and without the interview no one would have known the difference. When outsourcing to an MSSP for monitoring or system management, the best way to deal with the question of expertise is to stick with name-brand vendors, check out what the industry analysts say, or talk with other customers of the service.
Using name-brand vendors also alleviates two other common outsourcing challenges: longevity and performance. A lot of small companies offer a variety of security services, some of which are solid value propositions and some are not. The industry has already seen a number of unprofitable MSSP ventures fail, including Pilot Network Services and Salinas. Name-brand vendors stick to what they know, do it well, and remain in business. With the exception of consulting services, the performance of small service providers can also be an issue because you don’t have a viable means of observing their operations. Smaller companies don’t always have the luxury of planning things in advance; attrition, absenteeism, recruiting, and other staffing issues may cause a provider to shirk their obligations, take shortcuts, employ unqualified staff, and the like. This is less of a concern with providers that have a brand name to protect and promote. Consulting services are the exception; a number of highly skilled professionals work in small consultancies that specialize in specific security disciplines (e.g., architecture, strategy, forensics, code review). For short-term and specialty projects, these firms deliver exceptional results for substantially lower rates. This makes them a good option for small and medium-size companies. Large businesses can also benefit from this expertise but usually prefer the stability and brand recognition of larger consultancies.
The shared-risk issues were addressed earlier in this chapter but bear additional mention here because a number of outsourced security services involve elevated user privileges and/or access to sensitive data. Consequently, the potential damage from malicious or erroneous vendor behavior can be substantially greater. Security device management has the highest risk, auditing probably the lowest.
Realizing expected cost savings for outsourced security services is also a challenge. Some outsourcing versus in-house costs are difficult to quantify. Loss of in-house expertise is also a concern from both a resource availability and a configuration/change verification standpoint. Organizations can avoid longevity, expertise, and performance issues by using brand-name providers. When outsourcing system management and other tasks involving elevated privileges or high-value data (e.g., source code), organizations must ensure that shared risks are properly mitigated.
Success Factors and Lessons Learned
Companies reporting the best results are those that outsource for expert assistance. Firms outsourcing management haven’t fared as well, especially those impacted by vendor failures (e.g., Pilot Network Services).
Stay clear of outsourcing any activity that’s critical to policy development, or that has a critical impact on your business. Those are the company jewels and they’re too valuable to trust to strangers.
Jonathan Gossels
CEO of SystemExperts
Avoiding conflicts of interest in security outsourcing is also important. Self-auditing is not a good security practice. If you are outsourcing device management, monitoring should be done by a different provider. This resolves the conflict of interest issue and also supports the “four-eyes” principle for change validation.
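As an added example (not from the book) tying together the validation problem described under Challenges (the vendor-managed PIX whose rule holes nobody in-house could spot) and the four-eyes principle above: a small defender-side script that lints a provider-managed firewall rule set for obviously open rules and checks the configuration the monitoring side observes against the change ticket the customer approved. It assumes a simplified subset of Cisco PIX/ASA access-list syntax and uses constructed sample rules; both are assumptions, not the book's material.

```python
"""
Defender-side checks for a firewall configuration managed by an outside
provider. Assumes (simplification, not a full parser) this access-list form:
  access-list NAME permit|deny PROTO SRC DST [eq PORT]
where SRC and DST are 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.
"""
import re
from typing import Dict, List, Optional

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

# Management services that should never be reachable from an 'any' source.
RISKY_PORTS = {"22", "23", "445", "1433", "3389", "ssh", "telnet"}


def parse_acl(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-list line, or None if it is not one."""
    m = ACL_RE.match(line.strip())
    return m.groupdict() if m else None


def lint_rules(config: List[str]) -> List[str]:
    """Flag permit rules an in-house reviewer would call 'holes'."""
    findings = []
    for n, line in enumerate(config, 1):
        r = parse_acl(line)
        if r is None or r["action"] != "permit":
            continue
        src_any, dst_any = r["src"] == "any", r["dst"] == "any"
        if src_any and dst_any and r["proto"] == "ip":
            findings.append(f"line {n}: permit ip any any (open hole)")
        elif src_any and r["port"] in RISKY_PORTS:
            findings.append(f"line {n}: port {r['port']} exposed to any source")
        elif src_any and dst_any:
            findings.append(f"line {n}: {r['proto']} permitted any -> any")
    return findings


def verify_change(before: List[str], after: List[str],
                  approved: List[str]) -> Dict[str, List[str]]:
    """Four-eyes check: the config seen by the monitoring provider may differ
    from the baseline only by the lines on the customer-approved ticket."""
    added = [l for l in after if l not in before]
    removed = [l for l in before if l not in after]
    return {
        "unapproved_additions": [l for l in added if l not in approved],
        "unexpected_removals": removed,
    }


# Constructed sample data (not a real configuration).
BEFORE = [
    "access-list outside_in permit tcp any host 203.0.113.10 eq 443",
    "access-list outside_in permit tcp any host 203.0.113.10 eq 80",
    "access-list outside_in deny ip any any",
]
APPROVED = ["access-list outside_in permit tcp host 198.51.100.7 host 203.0.113.20 eq 22"]
AFTER = BEFORE[:2] + APPROVED + [
    "access-list outside_in permit tcp any any eq 23",  # not on the ticket
    "access-list outside_in permit ip any any",          # not on the ticket
    BEFORE[2],
]

if __name__ == "__main__":
    print("\n".join(lint_rules(AFTER)))
    print(verify_change(BEFORE, AFTER, APPROVED))
```

Run against the sample, the lint reports the two new holes and the four-eyes check reports the same two lines as additions that no one approved.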
SIDEBAR: THE TRADE-OFF BETWEEN CONFLICT AND INTEGRITY
Assuming someone is lying because there’s a possible conflict of interest is a slippery slope. Attesting to your own work has never been considered a sound practice; Accenture spun off from Arthur Andersen for this very reason. Andersen Consulting was providing IT services to clients, and those services were subsequently being audited by Andersen accounting services. Conflicts of interest result when telling the truth or making the best decision has negative impacts on you or your employer: for example, Andersen accounting finding fault with Andersen Consulting work, or Microsoft Consulting Services (MCS) recommending an IBM software solution. Where conflicts of interest exist, the integrity of both parties is tested. Presenting a biased conclusion or making a biased recommendation lacks integrity. Ignoring or devaluing the same on the assumption it is biased also lacks integrity. There is a balance. A few years ago I (Bill) was working with Telco to improve its patch management processes. The company was using an old Tivoli system to distribute and install software patches to 6,000 desktops. The process involved manually creating a Tivoli distribution package for each patch, then placing it on the Tivoli system for distribution and installation. The process took 10 or 11 days to reach an 80% completion mark; the remaining systems had to be manually patched. The Tivoli system was slated for an upgrade, but I recommended replacing it with Microsoft Systems Management Server (SMS). The system was only used to manage Windows workstations, and SMS (being a Windows product) did the better job. The decision looked like a no-brainer, but I was “biased,” and so my recommendation was invalid. Instead of doing her due diligence (comparing the features and costs of the two products), the manager took the “unbiased” opinion of the IBM representative and stayed with Tivoli! The funniest part of the whole story is that her company actually paid me for the privilege of ignoring my advice!
If cost savings is one of your objectives, it’s important for you to know your run costs up front; otherwise, you can’t make a valid comparison to the vendor’s fees. Most vendors have cost/value models that are heavily skewed in their favor. Don’t be too optimistic. You may not see any cost savings, but there are still a number of other advantages that make the effort worthwhile.
Outsourcing Security Services Control Objectives
Because of the sensitive nature of the information involved in security services outsourcing, some
additional control objectives are warranted in order to:
Maintain the confidentiality of results
Prevent the disclosure of events
Preserve evidence
Avoid retention/discovery liabilities
Prevent the loss of intellectual property
Mitigate elevated privilege risks
Maintain the Confidentiality of Results
The unauthorized disclosure of security-related information is a risk in all outsourced security services. The biggest risks involve the disclosure of assessment results from code reviews or penetration testing because they expose potentially exploitable vulnerabilities. The disclosure of firewall, IDS, and appliance results (logs) can facilitate attacks because the information allows an attacker to map the internal network topology, protocols, and access control (i.e., firewall, router) rules. The disclosure of audit results can create legal liabilities as well; it proves you were aware of a security flaw. If the flaw is exploited and damages result, you can be held culpable if you didn’t make a reasonable effort to fix the problem. Verizon Communications learned this lesson the hard way when they were fined for a late FCC filing that Verizon attributed to a worm infestation. The court found in favor of the FCC because a patch for the vulnerability the worm exploited had been available for six months prior to the attack, and Verizon had failed to do “due diligence” in getting it deployed. Loss of customer confidence and reputation are two other potential liabilities. The risks are similar from the disclosure of monitoring and incident response information, especially if these disclosures are not consistent with what the organization has been saying publicly.
These scenarios are essentially the same shared-risk issues found in nonsecurity outsource scenarios, only with an elevated risk. Furthermore, you don’t have the option to limit the services or