Security Think Tank: A risk-based approach to security outsourcing
What critical security controls can be outsourced and how do organisations, SMEs in particular, maintain confidence that they are being managed effectively and appropriately?
Let’s start by saying this: All security controls can be outsourced. In fact, many organisations do exactly this, outsourcing the security operations centre (SOC) and all its preventative and detective controls to security management companies. Or, they outsource antivirus and anti-malware, or intrusion detection and response.
However, responsibility for those controls will still lie with the business – which means no matter how much you outsource, you still need enough oversight and visibility to understand how those controls are managed, and whether the service you are getting from the provider is appropriate for your organisation.
For large organisations this can be challenging in terms of the number of suppliers, understanding what is managed by whom, and even just what data is available. But small and medium-sized enterprises (SMEs), without sufficient in-house staff to validate controls, understand metrics and logs, and challenge service levels, may need to rely on the third party at every level, from defining the service through to delivery and assurance.
Build a risk register
A useful approach to begin with is to build a risk register, because managing controls that do not align to a risk your business faces is ultimately counterproductive. Even the smallest of SMEs should have a risk register, and there are enough templates online to give you a starter for 10. These should range all the way from minor glitches to major incidents that could destroy the company.
An example at the extreme end for a small organisation could be that an attacker gains access and destroys all customer account data. While this may appear to be unlikely for your organisation, there is always a chance that it could happen, and so it is worth assessing. If the assessment shows your company would go out of business as a result, then various controls are available to mitigate the risk, including intelligence, intrusion detection, perimeter controls, incident response, and online and offline backups, to name just one from each of the US National Institute of Standards and Technology (NIST) Cybersecurity Framework areas: identify, protect, detect, respond and recover.
You should also be looking at data leakage prevention services, as fines under the General Data Protection Regulation (GDPR) are much bigger than they were under the Data Protection Act 1998. Can you manage this in-house?
Each of those five control areas is available as an outsourced service, and each has a scope and key indicators to help you understand how effective it may be, and whether it will do what is required. For example, a firewall – the key perimeter defence against attackers – is still a necessary defence. However, it won’t help you spot phishing attacks against your staff, so you may also need to consider protection from malicious links or code in emails, which is where anti-malware and anti-phishing services come in, along with awareness training, and so on.
Define security metrics
But the challenge in outsourcing is understanding how well these services mitigate the risk. What do you need? The large corporates I have worked with have often had hundreds of metrics defined for security, and the outsourcing of a service just required that these metrics were provided by the third party, along with some additional ones indicating the third party’s security status. That is obviously going to be difficult for an SME, so an appropriate approach is to look at the metrics available. For each, ask whether they are:
- Configurable – you should be able to define alerting thresholds;
- Automatable – to ensure they are provided to you predictably and regularly;
- Relevant – they support the security of your organisation;
- Actionable – if you or the third party cannot do anything about a particular metric, it may not be useful;
- Timely – it is much less helpful to learn about an intrusion that happened last year.
Many security services are now at commodity levels, so pricing for a simple firewall, for example, can be relatively cheap. That said, firewall management is often simple enough that an SME can install and manage one themselves. Intrusion detection, however, has a relatively low cost of installation, but high overheads in terms of tuning and maintaining effectiveness, so is a prime candidate for an SME to outsource.
The same applies to many of the “identify, detect and protect” services – providers of these may have multiple clients across the country or the globe, and are therefore in a position to spot trends early, and may even provide protection before attackers make their move. Controls in the “respond” category tend to be more internal – they align with business processes and personnel response, so may not be best placed for outsourcing. “Recover” is another area where third parties provide cost-effective services, including multi-location backups, hot-swap hardware or even hot sites, if needed.
Taking something like distributed denial of service (DDoS) protection as an example – a service that is almost always outsourced – typical metrics I would expect to see include response times, degradation of service, peak bandwidth, available capacity and trending over time. Any provider that cannot give this data leaves you with an unknown risk: is that service actually protecting you?
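To show what the “configurable, automatable, relevant, actionable, timely” criteria look like when applied to the DDoS-protection metrics just listed, here is an added example (not part of the original article, and not any provider’s reporting format). It takes a constructed monthly report with invented figures, checks it against thresholds the customer defines, flags a stale or incomplete report as an unknown risk, and looks for a worsening trend across samples. Field names, threshold values and the report shape are all assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample report (invented numbers): one row per month, the kind
# of figures the article says to expect from a DDoS-protection provider.
SAMPLE_REPORT = [
    {"timestamp": "2024-01-31T00:00:00Z", "response_ms": 42,
     "degradation_pct": 0.5, "peak_mbps": 1200, "capacity_mbps": 10000},
    {"timestamp": "2024-02-29T00:00:00Z", "response_ms": 47,
     "degradation_pct": 0.8, "peak_mbps": 2600, "capacity_mbps": 10000},
    {"timestamp": "2024-03-31T00:00:00Z", "response_ms": 55,
     "degradation_pct": 2.4, "peak_mbps": 4100, "capacity_mbps": 10000},
]

# Fields the customer requires; a report missing any of them is not usable.
REQUIRED_FIELDS = ("response_ms", "degradation_pct", "peak_mbps", "capacity_mbps")


@dataclass
class Thresholds:
    """Customer-defined alerting thresholds (the 'configurable' criterion)."""
    max_response_ms: float = 50.0        # mitigation response time ceiling
    max_degradation_pct: float = 2.0     # acceptable service degradation
    min_headroom_ratio: float = 0.5      # capacity left after the peak attack
    max_report_age_days: int = 45        # how old the newest sample may be


def _parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample report."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_report(report, thresholds, now_iso):
    """Return a list of (code, message) findings for a provider report.

    'now_iso' is the evaluation time as an ISO-8601 UTC string, so the check
    can be run by a scheduler without any interactive input ('automatable').
    """
    findings = []
    if not report:
        findings.append(("no_data", "provider supplied no metrics: unknown risk"))
        return findings

    rows = sorted(report, key=lambda r: _parse_ts(r["timestamp"]))
    latest = rows[-1]

    # Timely: an old report tells you little about current protection.
    age_days = (_parse_ts(now_iso) - _parse_ts(latest["timestamp"])).days
    if age_days > thresholds.max_report_age_days:
        findings.append(("stale", f"latest sample is {age_days} days old"))

    # Completeness: missing figures leave you unable to judge the service.
    missing = [f for f in REQUIRED_FIELDS if f not in latest]
    if missing:
        findings.append(("missing", "report lacks: " + ", ".join(missing)))
        return findings

    # Configurable thresholds on the newest sample (actionable findings).
    if latest["response_ms"] > thresholds.max_response_ms:
        findings.append(("response", f"response {latest['response_ms']} ms "
                         f"exceeds {thresholds.max_response_ms} ms"))
    if latest["degradation_pct"] > thresholds.max_degradation_pct:
        findings.append(("degradation", f"degradation {latest['degradation_pct']}% "
                         f"exceeds {thresholds.max_degradation_pct}%"))
    headroom = 1.0 - latest["peak_mbps"] / latest["capacity_mbps"]
    if headroom < thresholds.min_headroom_ratio:
        findings.append(("headroom", f"only {headroom:.0%} capacity headroom left"))

    # Trend over time: peak attack bandwidth rising every month and at least
    # doubling across the window is worth raising with the provider.
    peaks = [r["peak_mbps"] for r in rows if "peak_mbps" in r]
    if (len(peaks) >= 3 and all(b > a for a, b in zip(peaks, peaks[1:]))
            and peaks[-1] >= 2 * peaks[0]):
        findings.append(("trend", f"peak bandwidth rose from {peaks[0]} "
                         f"to {peaks[-1]} Mbps over {len(peaks)} samples"))
    return findings


if __name__ == "__main__":
    for code, message in evaluate_report(SAMPLE_REPORT, Thresholds(), "2024-04-10T00:00:00Z"):
        print(f"[{code}] {message}")
```

Run against the constructed report on 10 April 2024, this raises the response-time, degradation and trend findings but not a stale-report one; the same report evaluated in late June would also be flagged stale. The point of the structure is that every finding maps to a threshold the customer set, so each one can be taken back to the provider or the contract rather than left as an unexplained number.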
Because at some point, your auditor, or a regulator, may ask that exact question – and if you don’t know, that’s your fault.