In today’s connected world, there are just two kinds of organizations – those that have been compromised and those that don’t know that they have been compromised. Over the last few years, the threat landscape has changed significantly as both the volume and the sophistication of attacks have increased.
- Threat agents are not opportunistic. They have definite motives: financial gains, personal data theft, intellectual property theft and intelligence gathering for states.
- The dissolving network perimeter, together with the increase in attacks that target endpoints and client-side software, has blurred the lines between external and internal threat agents.
- The zero-day vulnerability market has matured. Vulnerabilities are exploited well before vendors are aware of their existence; hence, signature-based threat detection/prevention systems fail miserably.
- Often the organizations that are targeted are not the ultimate target themselves; they are used as a conduit to access or target other connected organizations.
Most organizations have the standard suite of security technologies, ranging from firewalls and intrusion prevention systems to data leak prevention solutions. To counter emerging threats, organizations continue their excessive focus on preventive mechanisms by deploying technologies such as advanced threat mitigation systems. This continued emphasis on preventive controls has diminished the incremental returns on additional investments in prevention-oriented technologies. Reports from security product vendors themselves indicate the importance of enhanced, continuous detection mechanisms:
- The 2014 Ponemon Cost of Cyber Crime Study, sponsored by HP, indicates that it takes 170+ days to detect a cyber-crime. Attacks involving malicious insiders with access to the network took even longer: 259 days!
- The M-Trends report from FireEye says it takes on average 209 days to discover a security breach or compromise.
The M-Trends report also indicates that 67% of attacks are detected by a third party. This shows that in-house teams lack the inherent mechanisms and skills to detect advanced threats.
Information security is one of the most dynamic areas within the technology domain, requiring continuous updating of skills and knowledge. It is also imperative to stay ahead of dedicated hackers to protect the organization. It is often difficult to recruit and retain such a talent base within an organization, so organizations find significant value in outsourcing security judiciously. The information security domain in organizations consists of two broad functions – Security Governance and Security Operations (Security Device Management, Security Process Management and Security Monitoring).
Traditionally, organizations tend to outsource security operations while retaining the governance layer. IT Services organizations cater to outsourcing requirements under the service umbrella of Managed Security Services.
Managed Security Services – What and Whom to Outsource
Organizations that outsource their security operations to Managed Security Services players overlook a few aspects.
- Security devices are managed by the same team that performs security monitoring, violating the segregation-of-duties principle. Security monitoring often identifies issues that point to lapses in security device management, so there is no incentive for that team to report detected issues to clients.
- Since device management takes priority, the people who provide Managed Security Services predominantly have device management skills. However, security monitoring requires a different set of skills: the mind-set of a hacker, which is needed to detect attack attempts.
While outsourcing the entire security operations function to one single organization reduces vendor management complexity, it significantly dilutes overall security effectiveness because of the conflict of interest described above. It would be more prudent to outsource security management to one organization and security monitoring to another entity to enhance the overall security posture.
This not only addresses the requirements pertaining to segregation of duties but also ensures that the organization gets a best-of-breed provider for each of the two different requirements.
Irshadh Abdul Rasheed K A, Senior Manager, Risk Advisory Services has also contributed to this article.