In this post, I wanted to touch on a sensitive topic: which security capabilities outsource badly? Keep in mind that this post is Anton contemplating a topic, not a Gartner research position (BTW, I don’t slap this disclaimer on every post, but I feel that it is strangely appropriate here).
Let’s start: a whole lot of companies will take on your perimeter NIDS/NIPS monitoring and management, but far fewer will do content-aware DLP under the same model. Think about this: there are very few managed DLP providers and even fewer managed network forensics (NFT) providers. Why is that?
Here is how I think about it (pardon my gross over-simplification here, but it serves the purpose):
Defense = know what to defend + know how to defend
(see On “Defender’s Advantage” for a longer discussion)
In more detail:
- know what to defend = your IT environment, business processes, assets, systems, applications, personnel, company culture, mission and other knowledge of your IT, business and culture
- know how to defend = understanding threat actors, attack methods, exploits, attacks, vulnerabilities, security architecture and other security domain knowledge.
To not completely suck with security [and we are talking about the very, very, very basics here], you need to have some idea of what to protect and some idea of how to do it. However – and this is the punch line! – the balance between #1 knowledge (about the lay of the land) and #2 knowledge (about the techniques and methods of infosec) varies dramatically across different domains of infosec.
Intuitively, we all get it: anti-malware kills viruses without any requisite knowledge of your environment, while using a SIEM effectively requires a lot of it. Further, detecting insider fraud requires knowledge of how your business functions and how your people behave. And don’t even get me started on business logic flaws in web applications: to find business logic flaws you do need to know the logic of your business … duh!
So, answer this one – think of two security capabilities:
- security capability A requires 90% of #2 knowledge (security domain knowledge) and 10% of #1 knowledge (your environment)
- security capability B requires 90% of #1 knowledge (your environment) and 10% of #2 knowledge (security domain knowledge)
Which one will outsource better? OK, you got this one 🙂
Firewall configuration, anti-malware (whether AV or MPS), perimeter NIDS/NIPS and threat intelligence rely heavily on security domain knowledge and less on knowledge of your IT and business. DLP (especially data discovery or DAR DLP), network forensics (NFT) for internal networks and user behavior monitoring require an incredible amount of “site knowledge” (some written and much unwritten, and thus only present in some people’s heads). Security incident response presents a peculiar example: IMHO it requires a delicate balance of both (so when the IR ninja paratroopers drop in, they will require support from the indigenous forces, aka your IT and BU personnel – otherwise the attacker wins again).
Where am I going with this?
You can go to an MSSP, you can get consultants to help you, you can do staff augmentation, you can ask Gartner — but for some security capabilities that critically rely on the knowledge of your environment, you have to also play the game yourself!
Blog posts related to this research on MSSP usage: