One reality of IT administration is the growing number of threats that can enter a corporation’s computer network. And the limited staff resources most firms have to address this pernicious menace often amplify this condition. If unchecked, such threats can cripple any network in virtually the blink of an eye. This is why, according to Forrester Security Analyst Laura Koetzle, “a growing number of corporations are outsourcing one or more security functions.”
One company, Swift Energy Co., an independent oil and natural gas company based in Houston, Texas, outsources its network monitoring. And it didn’t take company executives long to discover what a wise decision it was.
Until late 2003, Swift Energy monitored its network itself. But the small IT staff discovered there were limits to what it could do. “In terms of intrusion and detection, we were doing virtually nothing due to our limited resources,” says David Belkin, Senior Network Administrator.
With an ever-increasing number of threats hitting its network, Swift Energy needed a better way to know when it was under attack, if malware programs were infecting its computers, and if so, what needed to be done. The firm chose to outsource security threat detection to Alert Logic, a Houston-based managed-security services provider (MSSP).
The primary value proposition to such outsourcing is receiving round-the-clock security talent that many companies can’t normally afford, according to Koetzle. “Assuming that a firm needs six people to provide a 24×7 full-time equivalent for security-system monitoring, plus equipment, bandwidth, and software, an MSSP can cost roughly a third of an in-house network monitoring program.”
Getting the Most Bang for Their Security Buck
Past the several hundred thousand dollar savings realized in the first two years, other potential benefits were also compelling factors in Swift Energy’s initial decision to outsource network monitoring, according to Belkin. He says increased competencies and better work management make outsourcing “like having a dedicated security expert watching our wide area network (WAN) 24 hours a day. This allows our team to concentrate on the day-to-day tasks of running the network without worrying about security intrusions.”
To do the job properly, Alert Logic uses and maintains its own monitoring appliances on the client’s corporate network and charges a monthly subscription fee. Alert Logic then notifies clients when it detects anything suspicious, and those clients can check network health via browser-based reports anytime they wish.
“The biggest problem is that a lot of the traffic still makes it through intrusion prevention systems (IPS) appliances,” according to Misha Govshteyn, Alert Logic CEO. “They can only block traffic they are certain about, but a lot of the attacks are just possible attacks. Few can quickly know whether they are malicious attacks or valid business traffic.”
Belkin says the installation was easy with minimal intrusion. ActiveWatch’s Alert LogicTM service quickly proved itself “by notifying us of an infected host that had a stealth worm long before it would have impacted our network.” He adds the information allowed Swift Energy to isolate and sanitize the infected host quickly with no damage to the network.
Belkin notes the Alert Logic sensors at Swift Energy have detected a handful of other incidents since then. For example, a few months after installation, a user connected to the Internet checked a Web-based email service, and got infected with a worm that SwiftEnergy’s antivirus software was not aware of yet.
The sensor “was smart enough to notice the worm-like activity,” says Belkin; he immediately received an alert via cell phone. As a result, he was able to unplug the infected host from the WAN and sanitize the computer before putting the machine back on line.
Sharing Control: Gaining Peace of Mind
For companies considering outsourcing security to an MSSP, experts caution against cavalierly handing over some aspect of security and continuing on blithely.
Yet at least some companies overlook that advice. According to the 2005 Global Security Survey of financial services organizations’ security practices, conducted by Deloitte Touche Tohmatsu; “of the respondents who have chosen to outsource at least one function, only 73 percent have conducted regular assessments of the security outsourcer’s compliance with the respondent’s information security requirements.” The rest just “source individual tasks out with little direct oversight,” according to Forrester’s Koetzle.
Rather, she notes, security outsourcing is more a wise strategic supplement than a panacea. “If done properly, outsourcing to an MSSP means better security for less. Yet to reap the full benefit, firms need highly competent, internally respected security chiefs, well-tested policies, and a stable organization that ‘buys-in’ to the entire process from the executive level on down.”
Swift Energy is typical of a security outsourcing client, according to a Forrester survey of 200 technology decision-makers in North America. It reveals that quick and timely detection of network intrusions is security managers’ primary concern. This amplifies the need for rapid response times to quickly detect and correct these invasions before they get out of control and explains why many organizations now outsource security duties such as incident detection to outside providers, according to Koetzle.
“Fifteen percent of firms already outsource some security functions, and 30 percent consider themselves candidates to outsource security functions in the next year,” she adds.
And yet, both Deloitte and Forrester surveys reveal that about half the potential markets still avoid outsourcing anything security or regulatory-related. “This is why, and it comes as little surprise, that only 11 percent of respondents are willing to surrender control over either regulatory compliance or incident response planning,” adds Koetzle. “Giving up control over security is still a profound pain point.”
Belkin is not one of those, though. He plans to implement additional outsourced MSSP network-access controls in the coming months. “I want to upgrade my backbone in 2007 to take advantage of the more sophisticated port-level containment and quarantining features from AlertLogic.”
Lessons from The Outsourcing Journal:
- There are too many security issues for the staff of most firms to handle normally. Outsourcing some of them optimally leverages internal security assets.
- Outsourcing MSSP security makes it easier to discern actual incoming network threats from normal business traffic.
- Companies that consider outsourcing security functions are best served by not handing over some vital security aspect without diligence before and after the outsourced engagement. They must be continuously involved.