So you're planning on outsourcing some enterprise security
Should you keep your in-house crew? What's your plan...
It makes sense to have a solid collection of security expertise within your organisation. And in fact most of us do: security is so core to most of what we do in IT that it’s a standard part of the syllabus for all the courses we do on, say, router configuration or Windows administration.
These courses always have security elements to them, whether it’s a basic instruction to change all the default admin credentials or how to make your Active Directory installation secure and resilient.
But can you make your security function entirely an in-house affair? It would be unwise to believe that you can do absolutely everything without looking to third parties for assistance or facilities.
If you’ve not been asleep for the last year or so you’ll have heard of the Mirai malware that infects Internet of Things (IoT) devices and uses them as a botnet to perpetrate Distributed Denial of Service (DDoS) attacks. DDoS is a genuine and significant threat, particularly with the marked ramp-up in Internet speeds available to the average home in recent months and years. (Ookla just measured my home upload speed at 93.52Mbps, for example – you don’t need too many of those to whack someone with a DDoS attack.)
The problem when you’re on the receiving end of a DDoS is that it’s going to do one of two things. If you’re lucky (relatively speaking), it’ll overload one of your internet-facing servers and render it unavailable. If you’re unlucky it’ll eat up all the bandwidth on your internet connection and render your entire installation unavailable.
To protect against DDoS you need to look upstream and engage with your service provider, because it’s the only way you can protect against someone soaking up the bandwidth of your internet connection.
What other external services can you use?
So you’ve bought a DDoS protection service from your service provider so they’ll block nefarious traffic on their high-speed infrastructure in order that it can’t get onto your lower-speed Internet connection. But there’s a shedload more you can do to protect yourself against attacks by inbound traffic.
The first one to check out is email protection. Although you’ve probably got anti-malware software on your email server, why not go for a “defence in depth” model and sign up for an external service on top of it? The more defences you throw in front of inbound data streams the higher the chances of one of them spotting and dealing with unwanted content – which could mean malware but could equally mean anti-spam filtering.
Go the whole hog?
And if you’re using one or more filtering services out there on the Internet, why not look outside for your various Internet service hosting? It makes perfect sense to let someone else’s tech team deal with patching and fettling your systems, and with fending off attackers determined to nobble their infrastructure. But if you do, it’s important that you remember two things.
First, just because you’ve moved your services to, say, the Microsoft or Google cloud, this doesn’t mean you shouldn’t hop back to the previous section and consider augmenting the cloud systems with third party services as an extra layer or two. Yes, Amazon have a vast team of security specialists looking after their infrastructure. And yes, Microsoft’s Office 365 infrastructure has loads of tools that let you protect yourself against spam, data leakage and the like.
But in the case of a general cloud provider such as Amazon or Google, there’s nothing to prevent you implementing some insecure nonsense on top of their nice secure infrastructure. And Office 365 is an excellent, wide-ranging service – which means that it’s very good at everything but not perfect at any one thing. So augment your cloud services with specialist apps to give depth to your defences.
Control and reporting
When you layer on security services that are hosted outside your world, visibility is key. No security service is entirely devoid of false positives – instances where it reports a problem but in fact the traffic was valid. Hence you need to be able to see what it’s reporting and take action if you’re convinced that a legitimate communication has been blocked.
Similarly you need to be able to report on the correct operation of the various services. You should focus even more strongly on the control and reporting facilities of your outsourced services than you do on your in-house ones, because the external offerings are less accessible and you don’t have the option of retrospectively lifting the lid and retro-fitting scripts and other tools as you would with your own system.
The other area of security you’ll want to outsource – at least to some extent – is your security incident response facility. You simply won’t be able to cater for every eventuality in the event of an attack, and if you’ve done even a vaguely decent job of implementing security in your infrastructure you’ll have little or no experience of incident response, forensic investigation or any other aspects of dealing with an attack. The wide variety of external organisations that can help you out here, on the other hand, will all have extensive experience of both protection and response.
But retain your expertise
So in answer to the original question of whether you can do your security entirely in-house: that’ll be “no”. Unless, perhaps, you’re GCHQ or IBM. Which of course you’re not. But always remember that having a critical mass of security expertise within your team is absolutely essential.
When you acknowledge that you need third parties to support your in-house security, you also need to acknowledge that you need the expertise to understand which options to go for, how far to outsource (the list of services is verging on endless), and how best to make the elements work together as a coherent whole rather than just a collection of parts.
And of course: don’t forget you’ll need to train the in-house team to manage all those out-of-house toys you just rented.