Wednesday, April 27, 2011

Using Managed Services and SaaS in your Information Security Strategy Makes Sense.

Over the last several weeks we’ve seen how big corporations have been hit by security incidents. Those who made the news were often because of incidents related to Data Loss, such as WikiLeaks or Episilon events. They show the need for security professionals in the enterprise is increasing. And there are other areas of concern like the current landscape of advance threats, internal threats from disgruntled employees or insider trading, or increase in usage of services like Dropbox, Skype, and mobile devices among others. And when solid Information Security vendors such as RSA and Ashampoo experience data security breaches, I just wonder if there is hope for the rest of us? I believe there is and it may not be inside your organization.

When it comes to information security I believe that you must hire the best resources that you can. Whether internal or outsourced this group must have the skills, knowledge and access to do what they need in order to preserve your company’s data, which should be one of the most valuable assets of the organization. And hiring partners in the form of SaaS and Managed Service Providers, MSP, makes sense because hiring your own resources with those skills will certenly be very costly.

We are a small team of two and half that is responsible for Network Infrastructure and Security for an eight offices, 400 employees law firm. None of us is a full time Security Professional dedicated to the area and that is why I have been making strategic alliances with our Security Vendors that can help us built a strong security team. For years we have partnered with DELL SecureWorks, one of the world’s strongest Security MSPs. Although all of us are very good security engineers with security certifications and strong skills, we just don’t have the manpower to dedicate a FTE to be watching firewall logs and alert us of possible incidents. The superior work that SecureWorks does led me to grow our relationship by also outsourcing two areas that are important to any security program, especially when regulations like HIPAA for example, are part of the conversation, such as IDS/IPS and Log Retention. They add value to our team by tackling the biggest challenges that these technologies present: keeping up with the logs and alerting when suspicious behavior is present. We still have to do our part, which is reacting to the alerts and mitigating the threat, but we have been able to react and pull machines out of the network or close a whole within minutes. Even if we had a dedicated resource for this area, I don’t think that we would be able to react and take action that quickly.

We’ve also hire SaaS companies to help us secure other areas of our network perimeter, specifically email spam, malware, and DLP filtering, and also Web Content Filter. We are currently transitioning our email edge security to Proofpoint, which has immediately added value to our security program with its very strong DLP engine. There are two things I like in particular about this vendor; one is that we don’t have to maintain the DLP dictionaries, something that most vendors would defer to you. The other one is that the appliances which are not in our premises, would attempt to make a TLS connection to the peer email server(s) and if it can’t and there is sensitive information, then it would send a secure message to the recipient. We still need some folks to look through logs and take some actions but less is required from our team. This setup is becoming kind of the standard on today’s email security practice.

At the web browsing edge we have merged from a complex in-house solution composed of three different vendors to another SaaS solution with ZScaler. Since merging to it, the Malware infection in our machines has decreased by 60%. We filter through many gateways in Zscaler’s private cloud by putting a PAC file in the machine’s web browser and the user then filters through the closest gateway to her. This is generally kind of pre-set when the user is in the office because we would always hit the closet gateway to our data center, and will fail over to the next closest one if the one goes down. Now we also have the ability to protect our laptop users when they are outside our offices. In that case, the Zscaler’s Geo-Location feature kicks in and the user browses through the closest node to her, whether she’s in her house, California, or Europe she will always hit the closest gateway available and proper security policies will be applied. The only time when we get involved is when a website is blocked and it someone needs access for business reasons. Many other capabilities are available with this engine, such as throttling bandwidth for media streaming or file transfer, which we use, DLP, which we are testing, or ability to prevent users from posting to media sites such as Facebook or Twitter. It can also block web access from pre-determined browsers, such as old IE, or Firefox for example.

Our team is still responsible for managing areas such as Anti-Virus and Malware, securing network gear, Server and Workstation patching, some areas of physical security and soon HDD and Media encryption, which are all candidates for outsourcing as well. However, we are much more effective by working with trusted MSPs and Security SaaS vendors than if we did it all in-house because. First of all, proper staffing to achieve the same goals would be costly and today is simply out of reach, and second, they can help us keep up with the ever changing and developing threat landscape while reacting to real attacks in a much faster and effective way. In addition, I can now concentrate in developing Policies and Procedures, Incident Response, as well as the other operation areas that me and my team are responsible for. It just makes sense to go this route as opposed to investing on in-house skills.

No comments:

Post a Comment