Last month's column, "IDS: Alarms, not Walls," incited some interesting responses.
Fortunately, we can report that nobody told us we were wrong about the pressing need for intrusion detection systems (IDS).
To recap, even large companies are waking up to the need to evaluate the effectiveness of their current IDS. We quoted an expert managed security provider and gave some specific pointers about effectively operating intrusion detection services.
Understandably, most enterprise security operations managers are wary of speaking to anybody who might pose the risk of publication. Some companies talked in-depth with us, others were guarded.
Based on our conversations, labor requirements and outsourcing alternatives are becoming problematic issues for enterprise security operations managers. We've also found that there is a real difference between most service provider security management capabilities and those of enterprises. The difference is in performance management, which is becoming critical to any meaningful resolution of security issues.
IDS Drives a Difficult Labor Decision
In making key choices, the number one issue for security managers right now is defining changing labor requirements. We constantly run into this discussion with enterprise managers who have implemented the various systems for firewall, anti-virus and intrusion detection, and now must decide how they will assign personnel to monitor and manage these systems. It's work enough to find people with certifications to manage the infrastructures, including firewalls, but now, most enterprises treat these labor costs as a known quantity.
Entirely different is the decision to hire people to watch and respond to the kind of security issues that an IDS raises. Putting that difference into words is difficult, but the resulting cost can be higher.
Side-by-side employee costing is a start, but it may not really help us define what is different. Adding IDS seems to precipitate a key issue: Should a company hire full-time employees, or expert consultants of some kind?
This is the perennial question for IT at any mid-to-large size enterprise. Managed security service providers offer expertise that is typically very expensive to hire and retain in the form of full-time employees. On the other hand, to the extent some enterprises are biased in favor of keeping everything in-house, we are hearing that this decision is difficult to sell to top managers in the company. They ask, "Why outsource, when we'll end up pulling it back in-house?"
Giotto, with its service provider background, would find it simple to chalk these choices up to simple market confusion between "outsourcing" and "managed services." This, we maintain, is like the proverbial comparison between apples and oranges. The labor-versus-outsourcing confusion about security services can cut both ways, though. Some enterprises favor outsourcing for network management in particular, and from these types of companies we hear the (sometimes shocking) admission that there really isn't any integration between the enterprise security operations center and the third-party network management outsourcer and data services providers.
What would be shocking, but typical? For one, a security operation at a very large enterprise that can't really deploy a network IDS because it can't even discover where its routers are. In that hypothetical case, not only are the network assets heterogeneous, but also they are being managed by an outsourcer who isn't about to give customers enough control to make their own mistakes.
This is part of the reason that some security managers fear outsourcing. In their experience, it amounts to total loss of control. These security managers are certainly very capable and astute about the technical potential for IDS. However, for reasons familiar to anybody in IT at a large company, they often live in a politically bounded world where technical priorities are set elsewhere.
At these companies, the practical security approach seems to be hard-wiring the network where possible and not opening it up to the kinds of risk that require sophisticated intrusion monitoring.
Still, although it's clear that the labor equation is changing with the implementation of IDS, in addition to other security systems, it's hard to pinpoint a really strong reason why based only on the existing spreadsheet for full-time employee headcounts.
Security Must Integrate with Network Performance Management
Like computers and networks, the human part of enterprise processes is systemic. The argument in favor of managed security services (assuming it makes sense in a given case) is in the need for systemic integration. Without integrating different element-management components of IT security, the human systems needed for responsive security processes will flounder.
Meaning what, exactly? Okay, we will rephrase that in concrete terms, and like a true "State of..." speech, we will follow up with a bold policy pronouncement.
A big difference between enterprises and service providers is the degree of integration between operational systems for security and performance management. Although the current dialogue about these issues tends to be focused on new products for 'security information management' in the marketplace, most enterprises are just beginning to see the need for them. We have talked with both enterprises and service providers, though, and can already state that in each case, the requirements for security and those for performance management clearly overlap - they are NOT apples and oranges, but rather, apples and apples.
The network is down, or slowed to a crawl. Quick, is it a security event, or something else? This is the essence of the argument in favor of integration, and many of you can come up with a list of examples. Repeatedly, we're hearing that the day-to-day events of security operations require managers to look at the performance and configuration of individual elements.
Managing the problem is becoming increasingly acute, especially for enterprises that define these issues solely in terms of labor-versus-outsourcing requirements. Costing firewall management according to labor requirements isn't the same thing as costing IDS labor because of the very different process levels these jobs imply. Firewall management is complex, but is generally limited to the task of configuration of elements based upon expert analysis and policy-setting. A clean line of demarcation can be made between the responsibilities of professional services and in-house employees.
In comparison, IDS is different. The actual task of watching and responding to events, which requires sitting on top of a stream of high-volume data, is a different kind of job, and the level of integration and information management it requires is different as well. The qualitatively and quantitatively different information management requirements of IDS will continue to raise the needed level of operational integration between security and other systems.
Here is where we discover the strongest argument in favor of services. Some enterprises will remain incapable of internally justifying the integration of management capability - perhaps limited fiscally or just politically, but in other cases, due to reliance on outsourcers for big chunks of their infrastructure management operations. Service providers offer these enterprises an outstanding option.
Managed service providers, intent upon bundling security services with network management and customer issue resolution, have been busily developing the operational support systems they need to deliver them effectively.
For other enterprise operations, the decision to manage all aspects of security as an internal service may indeed remain the best choice. However, it would be a mistake to define the alternative in the fashion of a straight outsourcing contract for leasing and labor for the infrastructure-level management. This would ignore the 'special sauce' component, the operational integration most managed security providers offer, in addition to their ability to deliver expertise with security processes.
Barton Taylor is a partner with Giotto Perspectives, an industry analysis firm researching security and policy management services. He can be reached at firstname.lastname@example.org.
Read Taylor's previous article: "IDS: Alarms, Not Walls" at www.infosecnews.com/opinion/2002/01/16_02.htm.