Panic at the pass: an argument for outsourced network security
A clearer approach can smooth the rocky road for network security outsourcers, suggests Bruce Schneier
Schneier: Outsourcing of network security, done well, is cost-effective and essential for customers
More companies are outsourcing their network security. This trend is driven by one truism: there is no other way to deal with the shortage of skilled computer security experts, the increasing requirements for businesses to open their networks, and the evermore dangerous threat environment.
For the internet to succeed as a business tool, security has to scale. Outsourcing is the way to achieve that.
But if the decision to outsource network security is difficult, the decision of precisely what to outsource seems impossible.
Managed security service companies can monitor customer networks, manage customer security devices, scan customer networks, implement customer security policies, install customer security devices, and more.
Other companies offer similar services, often tied to particular products or suites of products. And sometimes outsourced network security comes in a package with other outsourced network services.
On one hand, the promises of outsourced security are rather attractive: the potential to increase network security without hiring six people or spending a fortune is hard to ignore. On the other, handing over your network security to another company feels risky.
In reality, hiring a specialist organisation to handle network security can be less risky than building your own expertise inside your company. And it most definitely can be both cheaper and more effective.
You already understand why; you just might not have thought of it in terms of network security.
Arguments for outsourcing
The primary argument is financial: a company can get the security expertise it needs much more cheaply by hiring someone else to provide it.
Take monitoring. Successful security monitoring equals vigilance: attacks can happen at any time of day and on any day of the year. While companies may build detection and response services for their own networks, it’s rarely cost-effective.
Staffing for security expertise 24 hours a day and 365 days a year requires five full-time employees — more, if you include supervisors and escalation personnel with specialised skills.
Even if an organisation could find the budget for all of these people, it would be difficult to hire them in today’s job market.
If you think hiring them is difficult, retaining them is even harder. Security monitoring is inherently erratic: six weeks of boredom followed by eight hours of panic, then seven weeks of boredom followed by six hours of panic.
Attacks against a single organisation don’t happen often enough to keep a team of the needed calibre engaged and interested.
This is why outsourcing is the only cost-effective way to satisfy the requirements.
Compare the example of outsourcing in medical care. Everyone outsources healthcare, in the sense that almost no one hires a private personal doctor.
Certainly, cost is a factor in our decision to outsource our medical care – but there’s more to it than that. I may only need a doctor twice in the coming year, but when I need one I may need him or her immediately, and I may even need specialists.
Out of a hundred possible specialties, I may need two of them — and I have no idea beforehand which ones. I would never consider hiring a team of doctors to wait around until I happen to get sick, so I outsource my medical needs to my clinic, my emergency room or my hospital.
Similarly, it makes sense for a company to outsource its network security needs to a variety of experts.
The benefits of security outsourcing are enormous. Aside from the aggregation of expertise, an outsourced monitoring service has other beneficial economies of scale.
We can more easily hire and train our personnel simply because we need more employees and we can build an infrastructure to support them.
We can learn from attacks against one customer, and use that knowledge to protect all of our customers. And from our point of view, attacks are frequent.
Vigilant monitoring means keeping up to date on new vulnerabilities, new hacker tools, new security products, and new software releases. We can spread these costs among all of our customers.
To return to our medical care analogy, you get better medical care from a doctor that sees patient after patient, learning from each one.
To an outsourced security company, network attacks are everyday occurrences and its experts know exactly how to respond to any given attack, because in all likelihood they have seen it many times before.
What should or could be outsourced
There are limits on what customers should outsource. The bottom line is that they won’t outsource everything, because some things just don’t outsource well.
Things that don’t outsource well are often too close to the business, too expensive for an outsourcing company to deliver efficiently, or simply don’t scale well. Knowing the difference is important.
Think about healthcare again. We all know what aspects of medical care we like: the ambulance picks us up quickly, sometimes in minutes, and rushes us to the hospital; a team of medical experts spares little expense running tests to figure out what’s wrong and then doing what it takes to cure us.
And we all know what aspects we don’t like: ill-equipped and ill-staffed hospitals, medical officers telling us that we can’t have that particular test or that a specialist isn’t warranted in this case.
Aspects of outsourced healthcare we like involve immediate access to experts. Any medical emergency requires experts, and the faster they can pay attention to us, the better off we’ll be.
The aspects of outsourced healthcare we don’t like involve control of the process. Our healthcare is our responsibility, and we don’t want someone else making life and death decisions about us.
Network security is no different. Outsource expert assistance: vulnerability scanning, monitoring, consulting, forensics. But customers should not outsource control of the process.
An IT specialist can monitor networks. It can manage firewalls, IDSs, and IPSs and provide vulnerability scanning, email scanning, and ‘clean-pipe’ internet connections. It has the expertise to deal with compliance issues. It can build a whole new security infrastructure for customers from the ground up.
In short, an outsourced IT specialist can take the problems of network security off the backs of a corporate IT department and let them focus on their strategic decisions.
What an outsourcer cannot do is determine how an organisation’s IT security interacts with its business.
For example, when a hacker is inside a corporate network, only the organisation can define the business ramifications of different responses.
An IT specialist can detect an insider attacking your network and find out what they are doing, but it won’t know whether he or she is malicious or performing authorised testing.
Outsourced experts work best when they work with their customers, combining expertise with their knowledge of the business processes.
How customers choose a service provider
Choosing an outsourcing partner is difficult, because it’s hard to tell the difference between good computer security and bad computer security. By the same token, it’s hard to tell the difference between good medical care and bad medical care.
If we’re not health experts ourselves, we can sometimes be led astray by bad doctors that appear to be good.
I choose a doctor or hospital by asking around, getting recommendations, and going with the best I can find. Medical care involves trust; I need to be able to trust my medical care providers.
Security outsourcing is no different; you should choose companies you trust. Talk to others in your industry or ask analysts.
Go with an industry leader. In both security and medical care, you don’t use a little-known maverick unless you’re desperate.
Beware of conflicts of interest. Some outsourcers both sell products and offer managed security services. This worries me. If the service provider finds a problem with one of its own products on my network, will it tell me, or try to fix it quietly and hope no one notices?
If a service provider discounts its services to sell products, for whom does its services division really work?
In any outsourcing decision that involves an ongoing relationship, the financial health of the outsourcer is critical. Customers should look for companies that are leaders in their fields, have a strong history of security services, and don’t try to do everything.
The future of outsourcing
Modern society is built around specialisation; more tasks are outsourced today than ever before. We outsource fire and police services, government (that’s what a representative democracy is), and food preparation (restaurants).
In general, we outsource things that have one or more of three characteristics: they are complex, important, or distasteful.
In business, we outsource tax preparation, payroll, and cleaning services. Outsourcing security is nothing new: all buildings hire another company to put guards in their lobbies, and every bank hires another company to drive its money around town.
Computer security is all three: complex, important, and distasteful.
Its distastefulness comes from the difficulty, the drudgery, and the 3am alarms.
Its complexity comes out of the intricacies of modern networks, the rate at which threats change and attacks improve, and the ever-evolving network services.
Its importance comes from this fact of business today: companies have no choice but to open up their networks to the internet.
Doctors and hospitals are the only way to get adequate medical care. Similarly, outsourcing is the only way to get adequate security on today’s networks.
Bruce Schneier is chief security technology officer at BT