Network Security Security-Management

Re: Managed Security Services

Subject: Re: Managed Security Services
Date: Sat, 11 Dec 2004 00:39:30 +0000 (GMT)
Hi James,

My current client had an audit requirement to implement an IDS
infrastructure a while ago so did, along with an any-any-any allow
firewall!  They did not have the skills in house so outsourced this to a
3rd party.  This went fine, until I came in and the first thing I did
was to remove the any-any-any allow, and start putting in a proper
rulebase.

When the firewall was outsourced, did the 3rd party actually comment on
the existing configuration?  From experience I know that it would be very
difficult for any cosourcing MSSP to actually support such an environment.
Most MSSPs therefore have procedures in place to verify and improve an
existing configuration prior to taking the devices into management.  Also
from a liability point of view, this seems the most sensible thing to do
-- even when no guarantees are made on the actual security "outcome" of
the service.

Does anyone have any numbers available for when outsourcing a security
service is viable and when it should be done in house?

I don't think this can really be expressed in the amount of changes which
need to be performed to a rulebase.  Cost associated with changes is very
different from one MSSP to even its closest competitors.  Sometimes you
get a certain number of changes for free, in some cases there is at least
a batch of changes which can freely be requested, in other cases it
depends on the type of change.

The first question you should ask yourself is the reason why you are
outsourcing.  Do you wish to outsource the complete security posture of
the perimeter devices, or are you looking for a logical extension of
internal security controls?  The latter is almost always the best
scenario, as it provides for management of the actual security posture
internally, while allowing for external verification and audit of proposed
changes.  In the first scenario, a lot of decision power is left at the
MSSP level.  This usually creates a lot more confusion, as many requests
will not be filtered on an organisation level prior to being submitted to
the MSSP.  If no decent project management is in place at the organisation
doing the actual outsourcing, the overall outsourcing experience will
usually be less successful.  In general, such a situation will require an
additional "filtering" shell between the organisation and the MSSP.

In case it has been decided that internal security controls need to be
extended, the second question pops up.  Is the most expensive solution to
have everything done internally or externally?  The answer to this
question depends on a number of items: (1) Number & attrition of internal
resources which are correctly trained to manage the security devices, (2)
Availability of those resources in comparison to the required management
levels -- an organisation which needs 24hr uptime and fast intervention
times will need to invest a lot more in resource availability than an
organisation which solely uses the managed devices to send and receive
e-mail during business hours, (3) Ability to interpret logs originating
from the devices versus the need to perform this type of analysis.  Does
the organisation require threat modelling and risk management reporting?

When this decision has been made, it's time to look at the pricing model
of the MSSP.  This needs to be taken into account together with the amount
of expected changes.  In general, the amount of expected changes can be
assessed quite correctly based on the nature of the organisation.  If your
organisation generally requires quick turnaround on changes with
relatively few in-advance project plans being designed, make sure that it
is possible to have quick turnaround on change requests.  If yours is a
structured organisation where device changes usually take place after
testing and design of a project plan, you will have an easier time finding
a good deal, as MSSPs prefer changes which can be announced some time in
advance.  It gives them the opportunity to do efficient resource planning,
and generally improves service levels.  Being in the "incident handling"
business doesn't mean basic staffing/business laws don't apply.

Of course the above is not an exhaustive list of things to investigate when
considering an outsourcing partner.  I do believe they answer your basic
question of how to decide on whether going with a partner is a good idea
in a certain situation.

As a disclaimer, I cannot exclude a certain degree of subjectiveness as I
do work for an MSSP.  Apologies in advance should this mail sound a bit
"vendorish".  Tried my best to avoid that.  Feel free to contact me
off-list should you wish to discuss this further.

Cheers,
Maarten

-- 
Maarten Van Horenbeeck, GCIA <maarten@daemon.be>
http://www.daemon.be/maarten
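The message above describes an "any-any-any allow" firewall inherited from a previous outsourcer, and the practice of verifying an existing rulebase before an MSSP takes it into management. The following is an added example, not code from the list or from the poster: a small rulebase audit that flags exactly that class of problem. It assumes a hypothetical plain-text rule format (`number src dst service action`, CIDR or `any` for addresses, `proto/port` or `any` for the service) and two constructed rulebases, the open one the poster found and a default-deny replacement; neither comes from the original mail.

```python
"""Audit a firewall rulebase for any-any-any allows, shadowed rules and a
missing final deny.  Added example; the rule format and sample rulebases
below are constructed for illustration, not taken from the original post."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    number: int
    src: str       # CIDR such as "10.0.0.0/8", or "any"
    dst: str
    service: str   # "tcp/25", "udp/53", ... or "any"
    action: str    # "allow" or "deny"


def parse_rules(text):
    """Parse the hypothetical 'number src dst service action' format."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        num, src, dst, svc, action = line.split()
        rules.append(Rule(int(num), src, dst, svc.lower(), action.lower()))
    return rules


def _addr_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    try:
        return ip_network(inner).subnet_of(ip_network(outer))
    except TypeError:          # mixed IPv4/IPv6: no containment
        return False


def _svc_covers(outer, inner):
    return outer == "any" or outer == inner


def covers(a, b):
    """Rule `a` covers rule `b` if anything matching `b` already matched `a`."""
    return (_addr_covers(a.src, b.src) and _addr_covers(a.dst, b.dst)
            and _svc_covers(a.service, b.service))


def is_catch_all(rule):
    return rule.src == rule.dst == rule.service == "any"


def audit(text):
    """Return a list of human-readable findings; an empty list means clean."""
    rules = parse_rules(text)
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and is_catch_all(r):
            findings.append(f"rule {r.number}: any-any-any allow, firewall is effectively open")
        # First-match semantics: a rule fully covered by an earlier one never fires.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append(f"rule {r.number}: shadowed by rule {earlier.number}, never matched")
                break
    if not rules or not (rules[-1].action == "deny" and is_catch_all(rules[-1])):
        findings.append("no explicit final any-any-any deny; verify the device default policy")
    return findings


# Constructed sample: what an "any-any-any allow" rulebase looks like.
OPEN_RULEBASE = """
1 any         any   any     allow   # inherited catch-all permit
2 10.0.0.0/8  any   tcp/25  deny    # never reached
"""

# Constructed sample: a default-deny rulebase with explicit allows.
PROPER_RULEBASE = """
1 10.0.0.0/8  any            tcp/25   allow   # internal hosts to mail relay
2 any         192.0.2.10/32  tcp/25   allow   # inbound SMTP to the relay
3 10.0.0.0/8  any            tcp/443  allow   # outbound HTTPS
4 any         any            any      deny    # explicit final deny
"""

if __name__ == "__main__":
    for name, text in (("open", OPEN_RULEBASE), ("proper", PROPER_RULEBASE)):
        print(name, audit(text) or ["clean"])
```

Run against a real export you would replace `parse_rules` with a parser for the vendor's format; the containment logic (`covers`) is what an MSSP's intake review boils down to, and it is also why an any-any-any allow near the top of a rulebase silently makes every later rule dead.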
