Another reader asked the following:
As I am doing research for building a security operations center one of the things I am being asked to do is compare building things internally versus having an MSSP take on certain network monitoring functions. There is the suggestion that it is less expensive and more desirable to have an MSSP provide monitoring services for firewall and IDS devices. In addition the thinking is that the MSSP should provide log management services for other logs that are being sent to our log management platform (not sure what this service offering means).
I do not personally agree that this is the best approach. First of all they are planning on obtaining these services from a vendor we currently utilize that already is supposed to be providing some of these services and they don't appear to be providing anything useful. I've had discussions with a network security analyst that has been in this environment for quite some time and he said he routinely finds issues on his own that the vendor does not catch. (not surprisingly this is found with open source tools). I strongly believe in developing internal employees with business knowledge and relationships to do this type of work. If you asked me today who I would recommend to focus on network security monitoring I could easily pick individuals that have the mindset to do this type of work. I don't think an outside service provider could provide the same business value as a properly trained internal team.
Thoughts? [Obviously what I am describing is only one component of security operations, but it is the primary component that really doesn't exist here. I know from experience that ignorance is not bliss from my days at [company X] and the types of things we were finding on our network].
Last year I wrote Internal Security Staff Matters. I argued that, especially for large and complex organizations, the amount of business knowledge required for a security analyst to be successful makes internal security staff very important. In situations where no security monitoring happens, any assistance is welcome -- whether internal or external.
One could argue that certain functions are ripe for outsourcing. Device administration, usually for commercial gear, can often be done cheaply by outsiders. Certain triage and entry-level 24x7 functions can be done by outsiders, but I would argue that those jobs should not simply be tripwires. In other words, those workers should have clearly defined roles that do not result in every odd activity being escalated to the experts or ignored for reasons of insufficient experience.
For large organizations like mine I favor a small team of experts, each of whom brings a unique skill set to the group. For example, we have individuals specializing in NSM, advanced threats, live response, reverse engineering, logs, incident response planning and constituent relationship management, and so on. Beyond people we have high-fidelity NSM data, logs, and the growing ability to acquire live response and other host-centric evidence. I don't see an external provider being service-effective given the nature of our business. I also don't see an outsider being cost-effective, given the quotes we were cited earlier in our planning processes.
Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.