In-Depth

Case Study: Outsourcing Threat Detection

With an increasing number of threats and limited IT staff resources, one company turns to outsourcing network monitoring

• By Mathew Schwartz
• 11/15/2005

Who’s watching your network?

Two years ago, Swift Energy Co. (SwiftEnergy), an independent oil and natural gas company based in Houston, kept tabs on its own network. Given the IT staff’s available time and resources, however, there were limits to what it could accomplish. For example, “in terms of intrusion and detection, we were not doing anything,” notes David Belkin, a senior network administrator at SwiftEnergy.

Seeing an ever-increasing number of threats hitting its network, the company wanted a better way to know when it was under attack or if malware had infected its computers so it could quickly address the problem. SwiftEnergy decided to outsource some of its security to Alert Logic, a Houston-based managed-security services provider (MSSP).

SwiftEnergy isn’t alone. According to a recent Forrester Research survey of 200 technology decision makers in North America, quickly detecting network security incidents is security managers’ primary security concern. Given the need for extremely rapid response times (to handle problems before they get out of control), many organizations are delegating at least incident detection to outside firms.

For example, of security managers surveyed, “Fifteen percent already outsource some security functions, and 30 percent are at least somewhat likely to outsource security functions in 2005,” says Forrester analyst Laura Koetzle. Still, not every company is embracing outsourcing: 52 percent say they’re “not at all likely” to outsource any aspect of their security.

Of companies interested in outsourcing, which aspects of security are candidates? Sixty-three percent of respondents specify penetration testing; 53 percent say network firewalls, and about half are considering outsourcing e-mail spam filtering as well as vulnerability scanning.

By contrast, most companies are avoiding outsourcing anything regulatory-related. “Unsurprisingly, only 11 percent of respondents were willing to surrender control over either regulatory compliance or incident response planning,” notes Koetzle.

The Economics of Outsourcing

The main outsourcing draw seems to be getting round-the-clock security talent companies couldn’t otherwise afford. According to Koetzle’s math, “assuming that a firm needs six people to provide one 24x7 full-time equivalent for security-system monitoring,” plus “security operations-center equipment, bandwidth, and software,” an MSSP can cost a third of an in-house network monitoring program.

Those economies were a factor in SwiftEnergy’s decision to outsource network monitoring, says Belkin. “Having outsourced monitoring is like having a dedicated security expert watching the WAN 24 hours a day. They never sleep or take a vacation, and it allows me and my team to concentrate on the day-to-day tasks of running the network without worrying about security intrusions.”

To monitor a company’s security, Alert Logic adds its own monitoring appliances (which it then maintains) to the corporate network, and charges a monthly subscription fee. Alert Logic can notify customers when it detects anything suspicious, and customers can also check network health via browser-based reports.

Belkin says the Alert Logic installation was straightforward, and ActiveWatch, the Alert Logic service SwiftEnergy subscribes to, proved itself a few months after installation “by notifying us of an infected host—that had a stealthy worm—long before the WAN was symptomatic.” That information “allowed us to isolate and sanitize the infected host in a timely fashion before any damage was done.”

The Alert Logic sensors at SwiftEnergy have detected a handful of incidents. For example, in May “a user connected to the Internet via modem, checked a Web-based e-mail service, and got infected with a worm that our antivirus software was not aware of yet,” says Belkin. The Alert Logic sensor “was smart enough to notice the worm-like activity,” and he immediately received an alert via cell phone. As a result, “I was able to unplug the infected host from the WAN and sanitize the computer before putting the machine back on the network.”

To better combat similar threats in the future, Belkin plans to implement network-access controls. “I am planning on upgrading my backbone in 2007 with the idea of taking advantage of the port-level containment and quarantining I can achieve with SNMP switching gear.”

Best Practices for Managing MSSPs

For companies considering outsourcing security to an MSSP, experts caution against just handing over some aspect of security and never looking back. Yet at least some companies overlook that advice. According to the 2005 Global Security Survey of financial services organizations’ security practices, conducted by Deloitte Touche Tohmatsu, “of the 74 percent of respondents who have chosen to outsource at least one function, only 73 percent have conducted regular assessments of the security outsourcer’s compliance with the respondent’s information security requirements.”

Outsourcing is not a panacea, but rather a supplement. “Done right, outsourcing to an MSSP means better security for less,” notes Koetzle. Yet “to reap these benefits, firms need firmly ensconced security chiefs, well-tested security policies, organizational stability, buy-in from executive through physical security, previous vendor management successes, and internal security acumen.”

Related Article:

Case Study: Energy Company Monitors IM
http://www.esj.com/Security/article.aspx?EditorialsID=1409