In-sourced, Co-sourced or Outsourced: Considerations for a Key Security Event Monitoring and Compliance capability
This paper considers the reasons why fully outsourced security monitoring and compliance solutions from MSSPs may not provide the real benefits that organisations expected of them, and offers insight on alternative solutions that should be considered when deciding how best to fulfil this business requirement.
Information Security is now a key element of an organisation's IT strategy. Over the last few years, corporate governance, data protection issues and compliance have forced it firmly onto the boardroom agenda.
In efforts to satisfy these requirements, many organisations have opted for fully outsourced solutions from Managed Security Service Providers (MSSPs). This is an area which has enjoyed growth in recent times, with the provision of security monitoring and compliance services being primary functions of most providers.
The security issues facing organisations of all sizes are often complex; they require multi-faceted solutions which operate across different functional layers of both the digital estate and the business in general.
What this inevitably leads to in the current environment is the need to deploy numerous different security products, each fulfilling a specific duty in protecting assets and data.
What's more, the threat is a continuous one, and in reality there is no one product or suite of security tools that will autonomously protect you against all of the threats, known or unknown, and certainly not without some element of human expertise managing, maintaining and operating the chosen solutions. Outsourcing IT in general has already become commonplace, and many organisations are now finding themselves considering whether or not to engage with an MSSP for their IT security requirements.
This is especially true for 24x7 security monitoring services, which to some degree have quickly become somewhat of a default outsourced function.
However, this paper argues that outsourcing your security monitoring does not necessarily afford the benefits that may be enjoyed by outsourcing other, more commodity-based IT services, and in more recent times can be deemed a false economy.
It can introduce friction between internal and external units, creating a blame culture that is counter-productive. There is an inherent management overhead incurred in even the smallest engagement with an outsource provider, and it involves transferring risks to third parties that often far outweigh any compensatory contractual arrangements.
The decision to fully outsource security monitoring functions, adopt a fully in-house solution or adopt a hybrid co-sourced model is one that has many different and important elements to consider. Feature-rich, robust and scalable Security Information and Event Management (SIEM) solutions are now available, affordable and thus viable to all organisations, from SMEs to large Enterprises.
These systems offer the capability to maintain a key IT function, that of security monitoring and compliance, within the organisation itself; where properly implemented, this may offer a better return on investment than the fully outsourced MSSP alternative.
Security Monitoring & the MSSP
So why is it that this very important and commercially sensitive security function has found such a widespread MSSP customer base, and are organisations really getting the best return on their investment by adopting this approach?
The remainder of this paper will examine the reasons why outsourcing security monitoring is an appealing option, discuss some of the positive and negative elements of a potential MSSP relationship, and also consider alternative options to a fully outsourced solution that will allow for more cohesion to be achieved and overcome the shortfalls of outsourcing disparate 'point solutions' to the detriment of the wider picture. The main focus will be the key IT security function of monitoring and compliance.
The fundamental rationale for having a security monitoring capability in the first instance, distilled to its most base form is that an organisation should be seeking to monitor for two main reasons:
- Identifying malicious activity from both internal and external threats
- Auditing Compliance to both internal policies
The threat of a security breach is one which is not bound by any time constraints; it can happen at any time. Furthermore, even with a comprehensive defence-in-depth deployment of the best security products on the market, how do you know what is happening within your estate at any given time, and is it important to have this visibility on a 24x7 basis? Well, the answer to the first part of the question is Security Monitoring, of course.
After all, 'you don't know what you don't know', and if you're not auditing your firewall and router logs or monitoring your Intrusion Detection System in real time, how will you know when a security breach occurs or is even attempted? In this scenario you will know only when it's too late.
The answer to the second part of the question is yes, 24x7 monitoring is required to be truly effective, but there is more than one mechanism by which this can be achieved. The obvious way of course is via a 24x7 Security Operations Centre. The current trend is for this type of activity to be outsourced to an MSSP; a company well versed in general security technologies and geared towards around-the-clock operation. This option is generally perceived as a cost-effective solution that greatly reduces the burden placed upon the in-house team to support a specialist area of expertise 24x7.
This is perfectly true and in this sense it does exactly what it says on the tin. But simply looking at it from this perspective and a single lens is too one dimensional.
Few organisations would ever engage with an MSSP on the premise that they would be happy with a 'tick in the box' solution; one which offers a point solution with little value add to the overall security requirements of the organisation, and no MSSP would ever attempt to win business supporting this notion.
Yet it has been known for organisations to outsource their security monitoring of systems such as IDS and comprehensively fail to provide the chosen MSSP with enough supporting information or capability to properly understand their networks, systems and, as importantly, their business and its internal processes and functions. This scenario will lead to an unsatisfactory view of the service being provided by the MSSP, unless the organisation is willing to accept the fact that it was designed to yield limited results.
Your IT Security may not be considered core business but it is important to fully understand the interfaces between the core business and the IT operation in order to be able to align security functions with a prioritised risk profile. This brings us on to the subject of risk. What are your risks and asset priorities and which ones are you willing to make your MSSP partly or wholly responsible for (but ultimately not accountable)?
Then there's the all-eggs-in-one-basket situation. If there is an issue with your MSSP downstream and you want to change your approach, how much of what you have already invested or plan to invest will be retained by your organisation upon separation or curtailment of service provision?
You must look ahead for these potential scenarios and plan what your strategy will be over the medium to longer term for ensuring that your security monitoring requirements continue to be met in line with your corporate governance standards and your organisation's appetite for risk.
Outsourcing also has a tendency to introduce friction into the day-to-day operational workspace. Unless very well managed by both parties and backed up by well-defined and practised responsibilities, a 'them and us' scenario can be created which proliferates a blame culture between the different areas of responsibility and ownership.
At this point, having considered some of the issues surrounding MSSP engagement, it is worth stating that for many organisations outsourcing this type of function undoubtedly affords seemingly quick and relatively painless wins in terms of project deadlines, deliverables and the timing of budgetary decisions for implementing a security monitoring capability.
But this shouldn't mean that it becomes the default application of security monitoring investment, especially in today's policy- and standards-driven business operation, where compliance features ever more prominently in any fully-rounded security monitoring solution.
There are many different factors to consider in taking the decision to engage with an MSSP, and each organisation must weigh up the pros and cons of this decision path whilst balancing its own specific needs and objectives.
There is no one size fits all when it comes to implementing a key function such as security monitoring and compliance, and truly effective solutions will require smart deployment of best-of-breed products, contextual knowledge and understanding, skilled analysis, effective workflow and integration into a defined incident management process. Thus careful consideration should be given to all of the options that can satisfy your requirements, which may include different levels of outsourced, co-sourced and in-sourced capabilities.
No one should be choosing a level of service from a pre-defined and inflexible list and making internal process fit around it – quite the opposite: the solution must be flexible, sustainable and fit with your business processes and functions, and continue to grow and evolve in line with emerging business operations and performance targets.
SIEM and Solutions Flexibility
Whatever your preferred sourcing arrangements at the outset, when it comes to security monitoring and compliance the only competent and effective solutions will employ some form of Security Information and Event Management (SIEM) system.
This is true whether the security monitoring function is to be carried out by an in-house resource pool or, at the polar opposite, fully outsourced to an MSSP.
This shared requirement is what opens up the possibilities for a more tailored approach to security monitoring, one which involves a more controlled, directly responsible and ultimately more efficient and effective output. In this context we are talking about the varying degrees of in-house provision, from completely in-house or in-sourced to partially in-house or co-sourced models of operation.
The basic premise of any SIEM technology is to collect and process data from disparate security devices, products and applications and, through flexible correlation, configuration, reporting and workflow, generate meaningful and actionable information about the security status of digital assets.
MSSPs rely on SIEM technology to be able to offer a multi-vendor supported, scalable platform which must service the needs of numerous clients simultaneously.
For the most commercially successful MSSPs this has been achieved using proprietary SIEM platforms. These tools are vitally important to any outsourced provider, and if deciding whether or not to engage with any MSSP you would be well advised to investigate how much they invest in their own technology platforms and where their technology roadmap is heading.
It is also important to highlight that different MSSPs handle your data in different ways in terms of data separation (processing and storage of different clients' data) and physical/geographic data processing and storage. Some MSSPs transport collected data across national boundaries for processing within their proprietary platform at a central location, which may be geographically distant from that of origin.
For some organisations this is not acceptable and comes back to regulatory compliance issues and their risk profile.
MSSPs are also merely processors of data and not custodians, therefore responsibility for data storage and retention may become a thorny issue.
There are of course numerous commercially available SIEM products that any organisation can adopt to provide a capability to rival the MSSPs. Purchasing a COTS SIEM product isn't the complete answer; it won't perform effectively without skilled personnel to implement, configure and maintain the system, and then there's the need for the system to operate around-the-clock.
The simple formula to consider is:

'Solution' is an oft overused but key word in the above formula: a product is simply that until it becomes a part of the everyday modus operandi of an organisation. Only when the workflow, escalation, compliance reporting and processing capabilities are ingrained within the company can the product be termed a 'solution' that offers real, tangible benefits to the business.
A properly configured SIEM can reduce the need to have a team of skilled analysts 'attached' to the console around-the-clock, reviewing incoming security event data to identify malicious activity that is taking place in as near to real time as possible. This challenges the MSSP operational model and key selling point of providing dedicated analysts deployed 24x7 to look after your security in a cost-effective manner.
If you examine this provision very closely then it could be argued that the reason the MSSP has a secure operations centre full of analysts working 24x7 is because they are needed to absorb the burden of monitoring across tens or more clients of differing scale.
Another often overlooked or quickly passed over issue with MSSPs is just how experienced and skilled their front line analysts are.
What you don't want as an informed buyer is to hand your security over to a team which, although it may be able to provide more effective 24x7 coverage, staffs the front line function with analysts of lesser or merely comparable experience or expertise in digital security than your own teams are capable of providing.
The difficulty of recruiting and retaining good quality analysts to work in Security Operations Centres on a 24x7 basis should not be underestimated.
Even if an MSSP can attract the people with the right skills in this area, they are often not prepared to work unsociable shift patterns.
Therefore you may find that the MSSP will staff the front line with relatively inexperienced IT Security practitioners and layer on top of this second and third line backup support from people with more experience and expertise, who are working the same "normal" daytime period as your in-house staff.
One inherent problem with this approach is that if the front line analysts misinterpret events or fail to recognise an attack, the second and third line experts may never get to know about it in a timely manner; alternatively, your manager is awoken at 3am for a false alarm.
Add to that, if the MSSP manages the full end-to-end security monitoring function up to the point that it alerts a person or team within your organisation of a potential threat or attack, how confident can you be that you will ever know about these background operational issues?
In terms of the different lines of operation this may sound a pragmatic model to adopt, and one which is utilised in other more general IT areas such as helpdesk support, but is that what you want from a specialist organisation in security and compliance activities?
In reality there is no dedicated analyst provided with the MSSP model; your organisation will get a share of the pool of analyst resource on shift or on call at any given time.
They are dependent on a SIEM capability to extract relevant information from huge volumes of data and generate alarms as appropriate for different clients, as a mechanism for prioritising what gets attended to and in what order.
A crucial determining factor that deserves full consideration then is that this is a model that most companies could very realistically adopt themselves when deploying a monitoring and compliance capability within their organisation.
Correctly implemented and configured, a SIEM technology can become your front line: something that you and your organisation control, and something that really is an investment in the governance of your organisation and not simply expenditure. It will work in the same intrinsic way as an MSSP deployment and will inevitably be more effective in adherence to policy and standards and in working arrangements with key internal functions, with better access, process alignment, control and ownership driving this.
An efficient operational staffing model will afford a better 'dedicated' monitoring capacity than that which your organisation can expect from an MSSP.
Reports can be customised to suit all monitoring and compliance requirements across many different business areas and groups.
Multiple dashboards/views can be configured to present only relevant data to those individuals and teams that require it.
Notifications can be set up to deliver alerts from the SIEM to the support teams who will be involved in the decision making, remediation and incident management process.
Workflow and ‘trouble ticketing’ can be provided fully by the SIEM itself or the appropriate details can be exported from the SIEM to an in-house operations management system allowing remediation and incident management to be tracked using established tools and reporting mechanisms.
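To make the SIEM premise described earlier concrete (collect events from disparate devices, normalise them, correlate, prioritise alarms, and hand the result to workflow or ticketing), the following is an added illustration, not code from the paper or from any SIEM vendor. The log formats, addresses and rule thresholds are constructed for the example; the two alarm kinds mirror the paper's two reasons to monitor: malicious activity and compliance auditing.

```python
import re
from collections import defaultdict

# Constructed sample input: a firewall in syslog style and an IDS in CSV form.
FIREWALL_LOGS = [
    "Oct 12 02:14:01 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=22",
    "Oct 12 02:14:02 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=23",
    "Oct 12 02:14:03 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=3389",
    "Oct 12 02:15:00 fw01 ALLOW src=10.0.0.8 dst=10.0.0.5 dport=443",
]
IDS_LOGS = [
    "02:14:10,198.51.100.7,10.0.0.5,SCAN portscan detected,3",
    "02:30:00,10.0.0.8,10.0.0.5,POLICY admin login outside hours,2",
]
FW_RE = re.compile(r"(?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def normalise_firewall(line):
    """Map one firewall line onto a common event schema (source-neutral fields)."""
    m = FW_RE.search(line)
    return {"source": "firewall", "src": m["src"], "dst": m["dst"],
            "category": "deny" if m["action"] == "DENY" else "allow",
            "severity": 1, "detail": f"{m['action']} dport={m['dport']}"}

def normalise_ids(line):
    """Map one IDS CSV line onto the same schema; POLICY messages are compliance events."""
    _ts, src, dst, msg, sev = line.split(",")
    return {"source": "ids", "src": src, "dst": dst,
            "category": "compliance" if msg.startswith("POLICY") else "attack",
            "severity": int(sev), "detail": msg}

def correlate(events, deny_threshold=3):
    """Correlation rule (constructed): an IDS attack event from a source that also
    produced a burst of firewall denies is raised to high priority; an uncorroborated
    attack stays medium; compliance events become audit findings at any severity."""
    denies = defaultdict(int)
    for e in events:
        if e["source"] == "firewall" and e["category"] == "deny":
            denies[e["src"]] += 1
    alarms = []
    for e in events:
        if e["category"] == "attack":
            high = denies[e["src"]] >= deny_threshold
            alarms.append({"kind": "malicious", "src": e["src"], "dst": e["dst"],
                           "priority": "high" if high else "medium",
                           "evidence": f"{denies[e['src']]} denies + {e['detail']}"})
        elif e["category"] == "compliance":
            alarms.append({"kind": "compliance", "src": e["src"], "dst": e["dst"],
                           "priority": "audit", "evidence": e["detail"]})
    order = {"high": 0, "medium": 1, "audit": 2}  # what gets attended to first
    return sorted(alarms, key=lambda a: order[a["priority"]])

def to_tickets(alarms):
    """Export alarms as one-line records for an in-house ticketing/operations system."""
    return [f"[{a['priority'].upper()}] {a['kind']}: {a['src']} -> {a['dst']} ({a['evidence']})"
            for a in alarms]

def run():
    events = [normalise_firewall(l) for l in FIREWALL_LOGS] + [normalise_ids(l) for l in IDS_LOGS]
    return to_tickets(correlate(events))

if __name__ == "__main__":
    print("\n".join(run()))
```

The correlated portscan is prioritised above the compliance finding, which is still recorded for audit, showing how one configured rule set serves both monitoring reasons.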
Of course any discussion of internal operation, no matter how viable and compelling the case may be, is tempered by the capital expenditure considerations of pursuing this route.
The good news is that there are many different vendors, ensuring that there is a solution to fit any organisational requirements, and the market has matured sufficiently for effective SIEM providers to offer flexible, cost-efficient procurement methods: SIEM providers with an independent approach, able to provide best-of-breed solutions and not just sell a product but also offer the expertise and understanding of how to implement, configure and effectively integrate SIEM into the fabric of the organisation.
There are different ways in which the SIEM provider can assist the organisation with its requirements, and the best providers will be completely flexible in their approach. These range from supporting a mainly in-house operation, where perhaps the SIEM solution provider will assist in the choice of platform (and SIEM helper products and services such as IDS and Vulnerability Management, for example), procurement and then initial implementation, through to a more co-sourced arrangement whereby the SIEM solution provider will engage in on-going support of the deployed solution, ensuring its continued high performance and quality of deliverables in line with the business requirements.
In Summary
There are numerous factors to consider between the various options: in-source, co-source and out-source. For security monitoring and the role it plays in compliance, this capability is no longer only effectively implemented via a fully out-sourced MSSP solution.
The choice, flexibility, scalability and reliability of commercially available SIEM products has opened up the debate and offers a truly viable and arguably more desirable alternative in-house capability to meet the complexities of today's business drivers for security monitoring and compliance objectives.
Partnering with solution-based companies that are independent in nature and can provide the necessary business integration skills will ensure the buyer is receiving the best advice, product and process improvement for their organisation.