Faced with the growing complexity of networks and a threat that is becoming increasingly real, an increasing number of businesses and organizations are opting for a different approach to intrusion detection by outsourcing the function to managed security service providers (MSSPs). What has led to this trend? MSSPs offer the small to medium-sized company or organization with access to resources that they could not otherwise afford to maintain internally. While many companies feel competent to handle a multitude of security issues, they lack the overall skill necessary to implement an enterprise-wide security strategy. Intrusion detection is but one of the many components that is necessary in developing this security strategy. When combined with the increasing salary demands of security professionals and the overall lack of skilled specialists, outsourcing seems to be an attractive alternative.
According to the Gartner Group, by the year 2004, a total of 40% of security expenditures will be influenced by MSSPs (0.7 probability). The technological shift will be toward transaction-level intrusion detection for business transactions. Intrusion detection at the perimeter will move to managed service providers. The Yankee Group, a technology consultant, forecasted that the overall spending for managed security by large enterprises would increase from $140 million in the year 2000 to $1.7 billion by the year 2005. This represents a significant shift in how security is implemented and maintained.
Traditionally, the local area network (LAN) was viewed as a trusted network. Perimeter protection came in the form of a corporate firewall that was viewed as the cornerstone of protection from a threat that was deemed to be largely external. Coupled with an ever-increasing web presence, many businesses have seen the need to implement some form of intrusion detection to protect vital information assets, as well as their reputation. The proliferation of virtual private networks or VPNs resulted in an easy method of bypassing this protection.
For a number of years, corporations and organizations have been reluctant to outsource security because it entailed placing trust in an outsider and letting others see the inner workings of their operation. A reluctance to give up control in an area that was so critical stalled a process that may have come about much sooner. While there has been substantial growth, setbacks have occurred that may ultimately change the course of managed intrusion detection.
Pilot Network Services, a company that has provided managed Internet access and security services for 6 years, recently shut down its operations. Operating in six data centers all over the world, the company specialized in intrusion detection, remote firewall management, VPN management, and scanning for computer viruses. This was preceded by an estimated net loss of $11.2 million on a revenue of $9.7 for the quarter ending December 31st.
Smaller could potentially feel the repercussions that include a loss of trust when it comes to outsourcing critical services such as security to smaller unproven companies.
Many factors need to be taken into consideration before the decision is made to outsource intrusion detection to an MISSP.
Keep in mind that in some instances the intrusion detection function is best handled internally. In situations where the risk is relatively low and where automated response is not an option, routine inspection of IDS logs can be handled by existing security staff. Despite the hype, not all businesses are being actively targeted by hackers. Keeping patches up-to-detail will prevent most security incidents.
Never underestimate the capabilities of your existing security staff. They are often more familiar with the peculiarities of your network environment and can more readily address the many false positives that you will be receive. A little training can go a long way and can in some situations lead to a more cost-effective situation. Remember, security is all about risk management. Don't spend more money addressing a threat that doesn't exist.
Existing operations staff can often be leveraged to address issues that may arise outside of normal work hours. Even if this is not an option, it is still necessary to develop CIRT and incident response plan that can readily address any threat that is identified by the MSSP. The weak link in many incident response plans is often the interface between the MSSP and the point of contact that is responsible for addressing any security incidents that may arise. Make certain that your service provider is not merely providing a warm body that will call you periodically when your network is port scanned.
Confidentiality agreements should be drafted with MSSPs. From the time that discussions are first initiated, the MSSP is privy to confidential information that should not be disclosed. Drafting such an agreement ensures that both parties will arrive at acceptable solutions to security concerns.
By utilizing existing security expertise whenever available, an optimal working relationship can be established. This should include all stages from the initial proposal to negotiations and eventually to the day-to-day operations of the network environment.
 Bartlett, Michael. "Security Worth $1.7 Bil By 2005 - Yankee Group." May 22, 2001.http://www.newsbytes.com/news/01/166005.html?&_ref=1745144517
 Dejesus, Edmund X. "Managing Managed Security" Jan 2001. http://www.infosecuritymag.com/articles/january01/cover.shtml
 Gaspar, Suzanne. "Security Concerns Dominate NW500 Survey." May 7, 2001. http://www.nwfusion.com/research/2001/0507feat2.html?&_ref=650835007
 Davidson, Stephanie and Friedman, Rich. "Special Report: Outsourcing Update."Feb 28, 2001. http://www.itworld.com/Career/1875/ITW0228outsourrcing/
 Gartner Group, “Information Security in an E-Business World: Coping With the Threats.”
 Messmer, Ellen and Pappalardo, Denise. “Demise of Pilot Seen As Blow To Outsourcing.” May 7, 2001. http://www.nwfusion.com/news/2001/0507pilotcrash.html