Saturday, September 06, 2008

Internal Security Staff Matters

I read Gunter Ollmann's post in the IBM ISS blog with interest today. Gunter is "Director Security Strategy, IBM Internet Security Systems," so he is undoubtedly pro-outsourcing. Here is his argument:

[S]ecurity doesn’t come cheap. While individual security technologies get cheaper as they commoditize, the constant influx of new threats drives the need for new classes of protection and new locations to deploy them...

If you were to examine a typical organization’s IT security budget, you’d probably see that the majority of spend isn’t in new appliances or software license renewals; instead it’ll lie in the department’s staffing costs...

This is at odds with the way most organizations normally deal with specialized and professional skill requirements... Just about every organization I deal with (including some of the biggest international companies) relies upon external agencies to provide these specialist services and consultancy – as and when required – it’s more cost effective that way.

With that in mind, why are organizations building up their own highly-trained (and expensive) specialist internal security teams? Granted, some of the security technologies being deployed by organizations are relatively complex, but do they really require a Masters degree and CISSP certified experts to babysit them full-time...

Nowadays you can tap into an incredibly broad range of expertise – ranging from hard-core security researchers capable of helping you evaluate the security of new products you’re thinking of buying and deploying throughout your enterprise, through to 24x7 security sentinels; so knowledgeable about the security product you’ve deployed that they’re capable of guaranteeing protection with money-back SLAs...

Organizations should take a closer look at their security budgets and evaluate whether they’re getting the right value out of their internal teams and whether their skills investment meets the daily need of the business.
(emphasis added)

Given Gunter's emphasis on "security products," you can probably predict my response to his post. Sure, you can hire outside experts who may (or may not) be cheaper than internal staff, and they may know individual products or even defensive tactics better, but they are weak in the most critical aspect of modern security: business knowledge. It does not matter if you are the world's greatest packet monkey if you 1) don't know what matters to the business; 2) don't know the business systems; 3) don't know what is normal for the business... do I need to continue?

This is the biggest challenge I see for consultants, having been one and having hired them. It's easier to hire a consultant to configure a security product than it is to figure out whether that product is even needed, which one to buy, how to get approval and business buy-in, how to support it operationally, and a dozen other decisions.

I agree that certain specialized tasks merit outside support. That list changes from organization to organization. However, beware arguments like Gunter's.

18 comments:

Anonymous said...

I would not expect anything different from a company that has both an MSSP and security consultants. Hmmm, if you buy into his argument he also has the ability to help you out. I know that all consultants are not like that, but I have met more than my share that are (i.e., all the Big 4).

Anonymous said...

I stopped taking ISS seriously in 2003 after having a July vacation ruined by their "hacking contest" hoax.

Anonymous said...

I read Gunter's posting earlier and felt the same way. I kept thinking he was about to slip in a link to the MSSP offering of IBM (what used to be ISS).

Ben said...

That's funny... and very consistent with their talk at RSA this year (along with Oracle and RSA)... "security is dead - so buy our security products!" Kind of amusing...

Keydet89 said...

Ben, remember that ISS positioned itself as a security product company for the longest time so that it could get purchased...

Even as a consultant myself, I have to agree with Richard...the most technically proficient consultant isn't going to help if they don't take a company's business operations into account. However, I have also seen my share of the opposite...internal IT staff that "does" security in isolation from other internal departments, such as Legal Counsel, HR, Communications/PR, etc. Organizations like this can expose (have exposed) themselves to more risk through their own internal IR procedures than the incident did in the first place (i.e., think PCI).

Rocky DeStefano said...

The idea of external entities supporting the business and even centralized internal security team supporting other internal business needs is one of the most difficult problems to solve. It has everything to do with business context. I constantly run into this question and we do our best to try and provide advice on which route to take based on what we can learn about the business environment. Even in the Government/Military sector meeting the tactical needs of the local business while meeting the strategic requirements of the entire organization is a delicate balance that seems to require a lot more political backing than technical expertise.

I agree with Richard that consultants can provide value in many areas and it is tough to extract value on a short-term basis from any entity external to the core business. I do think that an external team can learn and provide value over a longer period of time as it learns more of the business influences and requirements and how they continually evolve, but that basically means the external entity is completely internalized and part of the team.

All in all, I'm starting to think that the hardest battles we face as Security Professionals are not the technical issues (we always find a way to solve those); it is the political/business/partnership questions that we struggle with the most.

Anonymous said...

Geez! One slight nod to product and everyone's panties get all up in a wad.

Stick to the first aid analogy and I think this guy has a point.

It makes sense for a company to keep a physician's assistant or an RN type skill on the internal staff. Although not a full MD or surgeon, these types could provide 1) an understanding of what matters to the body (the business); 2) knowledge of what type of specialist is needed to address the different body (business) systems (i.e., vascular, skeletal, neurological, etc.); 3) based on proximity and time with the patients (employees, biz context), an understanding of a normal baseline for this group.

Gunter's point is that with a few lower-priced PAs and RNs an organization can provide reasonable protection if the appropriate specialists are on retainer. A company cannot afford to have a brain surgeon (packet monkey), vascular surgeon (e-discovery), and anesthesiologist (malware reverse engineering, etc.) on staff. This may fit the Military, but not the marketplace.

IT security, like medicine, depending on how critical, is really about specialization.

Look at an NFL team. The players are multi-million dollar assets, but the team usually keeps only a generalist doctor on retainer, while maintaining connections to the best orthopedic specialists in the country.

Alex Tan said...

Working for an MSS provider, I want to just make a point that I think all my clients should have CISSP or a Masters in IT security or some other professional certification.

Plenty of IT Managers in my country think they know security but don't. They outsource so many things that they couldn't even tell if a particular IP address is active within their company! This is no way to run an internal IT Team, and if they had some security foundation, at least they'd know how to evaluate what MSSPs are offering them so they don't get conned!

I think we should sell only to clients who have a CISSP, not the other way around ;)

Anonymous said...

Thanks for pointing that one out. Some of the biggest hogwash I've heard lately. Par for the course with the big providers. One of the things that they want to overlook is that their code comes from third parties that have dubious track records. Additionally, they don't allow review of their code. Keep up the good work, R.... 'TAO' is not just a concept, it's a state of being.

Best, Hal

oleDB said...

MSSPs are a complete joke. Anyone that has had first-hand exposure to the world of MSSP SOCs knows this to be the case. Maybe 1 or 2 experts spread across a hundred clients and a full staff of unmotivated monkeys responsible for protecting you. That doesn't inspire confidence in me, nor should it for you. That's not to say there aren't good MSSPs out there, but they are few and far between. The bottom line is that they are employed because they are cheaper than the alternative and, more importantly, they shift risk to an external entity. As long as no punitive action is taken internally when incidents occur, this will continue to be the trend.

ntokb3 said...

I disagree with oleDB's comment that MSSP's "shift risk to outside entities."

Security risk cannot be "shifted" or "transferred" to third parties. External organizations can be used to help mitigate risks, (i.e. lessen their impact or likelihood) but at the end of the day the risk to the organization still belongs to it. For example, if I hire an MSSP to monitor my network perimeter and a breach is discovered... my reputation is still damaged. The rep of the MSSP will likely be damaged as well but it doesn't necessarily lessen the overall impact on what my company cares about. The only effective ways to transfer risk are through insurance and by divesting functions/assets.

Anonymous said...

Outsourcing is not shifting risk, it's shifting blame. The risk is still internally owned. With all due respect to the author of that blog entry, with all the available opinion on security policy and strategy, I think managers would be best advised to ignore the views of anyone who has a visible conflict of interest--it's hard enough to suss out bias in situations containing invisible conflict as it is. Granted, I'm not a believer in altruism where money is involved.

Anonymous said...

I've been using their managed service for a year and I'm not very impressed. They haven't found a single actual virus infection, we've had 4 false alarms and one access of a suspicious website.

I did a lot better with my old Snort box but it couldn't be monitored by me 24/7 so we had to get a managed service for compliance reasons.

oleDB said...

Security risk cannot be "shifted" or "transferred" to third parties

Maybe decades of research has been suddenly ignored, but last time I checked Risk Transference was an accepted form of dealing with risk. You can accept it, mitigate it, or transfer it. Did some new "guru" shift the paradigm? (That's sarcasm :-)) And yes, you are technically correct, it is more about shifting blame. I just tend to take a more real-world look at things vs. an academic approach. When the s hits the fan, everybody talks blame, not risk. That's definitely wrong, but it's the world we live in.

jlewis said...

This comment has been removed by a blog administrator.

~Ben said...

Amen to that. I think a lot of IT Managers think they can just buy security like they buy a server. You may be paying a lot for outsourced security while decreasing your overall security. If you hire an expensive professional they could use open source products to offset the cost of their salary. This would be beneficial because they would know the business better than some third party.

Anonymous said...

This comment has been removed by a blog administrator.

Richard Bejtlich said...

In some areas, we have outsourced too much. We plan to "insource" capabilities like aviation component manufacturing and software development. These are the things we will be working on in Michigan. This will make us faster and more competitive over the long term.

http://online.wsj.com/article/SB124603518881261729.html