
Intrusion Detection FAQ: Should we outsource monitoring?

Brian Varine
April 3, 2001

It's early morning and you've just taken a seat at your desk, just like you do every day. Firing up your trusty computer, you take a look at the morning news... only today something really catches your eye. One of the local companies in your area was hacked into yesterday and they've made the news. Unfortunately for them, the hackers obtained all of their credit card information from their database. Now the hackers are holding the data ransom. You take a gulp of coffee and say to your co-workers, "Check out what happened to Acme!!" That's when you realize it could have been you.

Could it have been you? You have firewalls and check the logs periodically, but would you even know what to look for? Maybe you need to look into an Intrusion Detection System (IDS). You're probably thinking that IDSs are complex and you don't even have the time to look at the firewall logs, so how are you going to check yet another system? This is where a new type of business may be worth looking into: Managed Security Monitoring services. In this paper I will describe some of the benefits of outsourcing your IDS monitoring (and why getting a GIAC cert is still a good idea).

What is Managed Security Monitoring (MSM)? In a nutshell, MSM is an IDS monitoring service akin to a burglar alarm system (like ADT or Brinks) for your computer network. When suspicious activity is detected, an alert is generated. At this point, a live analyst is notified and takes a look at the event that triggered the alert. If the event is suspicious, it is logged. If the event is serious enough, the analyst calls the appropriate personnel and informs them of what is going on. Presently, I could not find a firm that would actually take charge and attempt to repel the attack (e.g., shut down a web server or write a firewall rule), but I suspect someone will probably offer this in the future.

There are many advantages to going with an outsourced MSM. Intrusion detection requires a skilled person to analyze what is happening on the network. Unfortunately, many companies do not have nearly enough people to go around, so it is rare to find a person whose sole responsibility is to monitor the network for potential intrusions. Most security administrators have a variety of responsibilities along with being the "IDS guy". If they are lucky, they may get an hour or so of "quality" time with the IDS. With an outsourced MSM, the network is monitored 24 hours a day, 7 days a week. This means that at 2am, your network is being monitored. Sunday? Monitored. IDS guy is on vacation? Monitored.

Another advantage is that with an outsourced MSM, they get to figure out what is a real alert and what is a false positive. IDSs generate a lot of alerts, especially when first installed. This presents a problem for the security administrator. Management will certainly want their investment in an IDS to be working. This puts pressure on the security team to respond to the alerts that the IDS generates. It doesn't take very many "Ping Zero" alarms at 2am to cause the administrator to either leave the pager at home or disable a lot more alerts. Worse yet, if the administrator is continuously flooded with poor alerts, they may just turn the IDS off and never check it again! With an MSM, the call at 2am isn't going to happen unless a skilled person at the MSM thinks it's worth waking someone up for.

Advantage three is skill level. With an MSM, you have analysts who sit and monitor networks all day for signs of intrusion. Over time, this gives them an enormous advantage. They get to see attacks on a variety of sources; they aren't limited to one network. This allows them to recognize attacks and patterns much better than a person who scans logs from one network for an hour each day.

The final advantage is the I&W advantage. I&W is used in the military to refer to Indications and Warnings: the things that lead up to an attack. Indications are things that, alone, seem benign but, when coupled with other indicators, may point to a possible attack. With the MSM monitoring a variety of networks, they may notice little things that an analyst on a single network would consider network noise or a random event. The MSM can correlate these events and build a more comprehensive picture of what is happening. They may notice probing on ports that have typically been quiet. With that indicator they can investigate further and look for a reason why this is happening. If something is discovered, they can issue warnings. One would hope that these MSM companies would provide the rest of the world with these warnings as well. The advantage to the subscriber would be immediate notification rather than having to wait to come into work and read it in e-mail... six hours later.
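The two monitoring advantages described above (suppressing the noise a single site would otherwise be paged for, and correlating weak indications across many subscriber networks) can be shown in a small triage routine. The following is an added example, not code from the paper or from any MSM provider; the alert lines, the network names and both thresholds are constructed for illustration. Each network on its own sees too few probes of one port to page anyone, but the MSM view, which sees all three networks, notices the same source probing the same quiet port everywhere and issues a warning.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (not real data): "timestamp,network,src_ip,dst_port,signature".
# Three subscriber networks each see only a couple of probes of port 53 from one source,
# plus the routine ping noise that a single site would already be tuning out.
SAMPLE_ALERTS = """\
2001-04-03T02:01:10,netA,192.0.2.10,53,Port probe
2001-04-03T02:03:42,netA,198.51.100.7,0,ICMP PING
2001-04-03T02:05:00,netB,192.0.2.10,53,Port probe
2001-04-03T02:05:30,netB,198.51.100.7,0,ICMP PING
2001-04-03T02:07:15,netC,192.0.2.10,53,Port probe
2001-04-03T02:09:00,netC,203.0.113.5,80,Port probe
2001-04-03T02:12:40,netA,192.0.2.10,53,Port probe
"""

# Signatures a site tunes out rather than paging the administrator at 2am for (assumed set).
NOISE_SIGNATURES = {"ICMP PING"}
# Events from one source on one network before a single-site admin would page (assumed threshold).
PER_NETWORK_THRESHOLD = 3
# Distinct networks that must see the same source/port before the MSM issues a warning (assumed).
CROSS_NETWORK_THRESHOLD = 3


def parse_alerts(text):
    """Parse the comma-separated alert lines into dicts."""
    alerts = []
    for line in text.strip().splitlines():
        ts, net, src, port, sig = line.split(",")
        alerts.append({"ts": datetime.fromisoformat(ts), "net": net,
                       "src": src, "port": int(port), "sig": sig})
    return alerts


def filter_noise(alerts):
    """Drop the signatures that are suppressed as false positives."""
    return [a for a in alerts if a["sig"] not in NOISE_SIGNATURES]


def single_network_pages(alerts, network):
    """What one site's administrator is paged about: sources crossing the per-network threshold."""
    counts = defaultdict(int)
    for a in filter_noise(alerts):
        if a["net"] == network:
            counts[(a["src"], a["port"])] += 1
    return {key: n for key, n in counts.items() if n >= PER_NETWORK_THRESHOLD}


def cross_network_indications(alerts):
    """The MSM view: the same source probing the same port on several subscriber networks."""
    networks_seen = defaultdict(set)
    for a in filter_noise(alerts):
        networks_seen[(a["src"], a["port"])].add(a["net"])
    return {key: sorted(nets) for key, nets in networks_seen.items()
            if len(nets) >= CROSS_NETWORK_THRESHOLD}


def issue_warnings(text):
    """Return one warning string per cross-network indication found in the alert feed."""
    alerts = parse_alerts(text)
    warnings = []
    for (src, port), nets in sorted(cross_network_indications(alerts).items()):
        warnings.append(f"WARNING: {src} probing port {port} on {len(nets)} networks ({', '.join(nets)})")
    return warnings


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for net in ("netA", "netB", "netC"):
        print(net, "would page on:", single_network_pages(alerts, net) or "nothing")
    for w in issue_warnings(SAMPLE_ALERTS):
        print(w)
```

Run stand-alone, each single-network view reports nothing to page on, while the cross-network correlation produces one warning for the source seen on all three networks. The two thresholds are the knobs a real provider would tune per subscriber; raising the per-network threshold is what keeps the 2am call from happening, and lowering the cross-network one is what turns scattered noise into an indication.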

Now that we have looked at some of the advantages, let's look at a few of the disadvantages. The most obvious disadvantage is cost. MSMs are not cheap. Looking at a few MSMs (Brinks Internet Security and Counterpane), the cheapest price listed was in excess of $8000 per month (Brinks). Counterpane charges $12,000 per month. Obviously for some businesses this will be a considerable cost, but for a small company this would not be a feasible option. Counterpane argues that the price is competitive with having your own in-house monitoring. Looking at what a semi-skilled administrator costs, they have a valid point, especially when you consider that you get 24/7 monitoring. Still, for most companies, a recurring monthly cost of $12,000 may be a hard sell, especially considering you still need to purchase an IDS (they monitor your IDS; they do not supply it).

Another caveat to look for in an MSM is who the company is. There are a few "MSM" services out there that claim to be an MSM but are merely a box they put on your network that sends out pages if something is detected (http://www.securityhome.com). This isn't any better than putting in your own IDS and having it send a page. The MSM you select needs to be a trusted partner. They will be the guardians of your network and you will trust them to protect it. You can't be thinking about who is the cheapest solution; you need to think about who is the partner that you trust the most. For some organizations, no company will fit.

Some companies have gone to great lengths to ensure that they are a trusted entity. Counterpane has a secure facility where their operations center resides. They have video monitoring of every station and they make sure each analyst is bonded. If that isn't enough, they have two facilities on opposite coasts. Each facility can take over for the other in case it goes offline for any reason. It's clear they take the issue of trust very seriously.

OK, so if MSMs are so great, why should I bother getting a SANS certification? Well, just like with physical security, you still need someone "on premises". MSMs may sound the alarm, but someone still needs to respond. It's going to help both you and your MSM a lot more if you speak the same language. If your partner contacts you and says your network was just used as a Smurf attack amplifier, you need to know what a Smurf attack is. Sure, the MSMs can take the time out to educate the administrator, but the response is going to be much quicker if the administrator knows how the attack works and what to look for. It will also help the administrator when dealing with the other administrators. It's probably not going to go over well with your DNS team if you come in and say "Hey, our MSM just said you guys got hacked by a TSIG overflow attack" and you don't know what that is.

Another good reason is that with the price of these services, it's unlikely that you will be monitoring all of your points of entry. It's similar to a home burglar alarm. Typically the front door and a few windows are monitored, but what happens if the burglar enters from one of the windows that aren't monitored? The same thing applies to networks. Some companies have a lot of paths in and out of the network. If you can't afford to have the MSM monitor all of them, have them monitor the major ones. You can monitor the other points. In the worst-case scenario, you both monitor the same paths.

This is a basic overview of what Managed Security Monitoring is. If you think that this may be something for your organization, you need to consider a myriad of details before looking for a provider. I believe Managed Security Monitoring can be an asset to most companies should they decide to go with it.

Sources

IT World, November 13, 2000, "Outsourced Security: Consider it Carefully"
http://www2.itworld.com/cma/ett_content_article/0,2849,3412_3411,00.html

USA Today, April 3, 2000, "Net Security System Targets Cyburglars"
http://www.usatoday.com/life/cyber/tech/review/crh029.htm

Metases, "Intrusion Detection Systems: Proactive Security Management of the Network Enterprise"
http://www.metases.com/files/IntruD.pdf

Computerworld, March 12, 2001, "Zen and the Art of Intrusion Detection"
http://computerworld.com/cwi/story/0,1199,NAV65-663_STO58458_NLTs,00.html

Counterpane, "Innovative E-Business Insurance Protection for Customers of Counterpane Internet Security"
http://www.counterpane.com/pr-lloydswp.html

ZDNet, August 9, 1999, "Hack Attacks Drive Outsourced Security"
http://home.zdnet.com/eweek/stories/general/0,11011,411335,00.html