
Fascinating Webex

philz1982 Member Posts: 978
I am sitting on a conference call with a Fortune 100 client and they are discussing using an MSSP (Master Security Services Provider). No wonder large enterprises are getting hacked. They are outsourcing first-touch security to service providers who have no vested interest in the organization's success.

Outsourced Security, Fascinating...

Comments

    the_Grinch Member Posts: 4,165
    Funny you say this. When I first started in college one of my professors had said security was the way to go because it stood the least chance of being outsourced. Fast forward to today and I see everything completely outsourced. Physical equipment in the US, but the entire operation run overseas. Scary...very scary.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
    philz1982 Member Posts: 978
    the_Grinch wrote: »
    Funny you say this. When I first started in college one of my professors had said security was the way to go because it stood the least chance of being outsourced. Fast forward to today and I see everything completely outsourced. Physical equipment in the US, but the entire operation run overseas. Scary...very scary.


    I mean, it's almost comical. Fortune 100 companies that don't have InfoSec policies and have extremely immature cyber practices. So what do they do? Outsource cyber... Why go and actually develop your cyber security practice?
    dave0212 Member Posts: 287
    I don't find this odd at all; it was an inevitability. TBH, outsourced security has been around for a while: if you host your services on AWS, you are outsourcing elements of security; if you bring in penetration testers, you are outsourcing security skills; and platforms like FireEye Threat Analytics Platform are Security as a Service.

    Given the state of the InfoSec skills market, companies are going to outsource to specialist companies to oversee this, as trying to build teams with these skills is challenging. Now, while overall responsibility cannot be outsourced, functions can be.
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
    the_Grinch Member Posts: 4,165
    I'm also seeing a lot of contracts for people to come in and design a security/compliance program, then leave. I'd much rather see that than rely completely on some outside firm to do it all. I work as a regulator, and being in this realm has definitely opened my eyes. In the same breath, I know exactly how to design a compliance program now, haha.
    Itrimble Member Posts: 221
    This very question/topic was posed at a security course I took on Coursera. The question read: Should outsourcing and/or offshoring be viewed as potential threats to cyber security?

    The answers were varied. Most were against the idea of offshoring a company's security needs.
    Goals for 2015 : Finish BS Network Administration at WGU
    Become CCNA, CISSP, CEH, VCP5-10 Certified
    Possible Start Masters in Information Security
    philz1982 Member Posts: 978
    But yet many large Fortune 500 companies are off-shoring/out-sourcing security...
    the_Grinch Member Posts: 4,165
    The problems faced with IT security personnel definitely mirror finding nurses. There was a nursing shortage, so schools started pumping out nurses and students were getting jobs. After some time they realized it wasn't a shortage of nurses, but actually a shortage of experienced nurses. With IT security they keep saying "we have a shortage", when they actually mean a shortage of experienced IT security people. Ideally, I would see a company outsourcing while developing an in-house program and, once ready, bringing it completely in-house.
    5ekurity Member Posts: 346
    It takes time and money to find, hire, train and continue educating skilled InfoSec workers. The MSSP approach is 'good enough' in the sense that it's a finger to point when there is a breach, a check box on a questionnaire, and, to the board of directors and shareholders, better than saying they have nothing.

    I agree, it's almost comical. That's like saying "WELL WE HAVE AV, HOW DID THE VIRUS GET IN" - as if because you have AV, you are impervious to all malware. I answer that question about once a week, on average. My other favorite is application whitelisting - is Flash an allowed process? Yes? Well then, that's how your system was infected by that advertisement. Not to mention your patching process is awful.
    the_Grinch Member Posts: 4,165
    Nailed it, 5ekurity! Just get that checkbox and move on; that is the goal in just about every case.
    philz1982 Member Posts: 978
    I once saw the mystical patching pony. It was beautiful; it galloped throughout my org's IT department, patching machines and shutting down old machines that were still running Windows 95. Then I woke up and browsed to my corporate network on IE 6...
    cyberguypr Mod Posts: 6,928
    Came here to touch on the "checkbox" point 5ekurity discussed. Spot on. While I was searching for my first official Infosec job last year I was extremely picky to avoid running into "checkbox" type places that relegate the security function. I was fortunate to land a gig at a risk-averse organization that errs on the side of caution and doesn't play the checkbox game. These seem to be scarce.
    dave0212 Member Posts: 287
    cyberguypr wrote: »
    Came here to touch on the "checkbox" point 5ekurity discussed. Spot on. While I was searching for my first official Infosec job last year I was extremely picky to avoid running into "checkbox" type places that relegate the security function. I was fortunate to land a gig at a risk-averse organization that errs on the side of caution and doesn't play the checkbox game. These seem to be scarce.

    Unfortunately, I hit the opposite, although it didn't translate into the interview: my previous employer very much started as a check-box company, but over time I managed to ingrain security in IT, Operations and Finance before I left. It was a massive learning experience for me, dealing with SMT push-back and overcoming the short-sightedness, which definitely helped me develop my career with a good foundation in dealing with upper management.
    discount81 Member Posts: 213
    philz1982 wrote: »
    I am sitting on a conference call with a Fortune 100 client and they are discussing using an MSSP (Master Security Services Provider). No wonder large enterprises are getting hacked. They are outsourcing first-touch security to service providers who have no vested interest in the organization's success.

    Outsourced Security, Fascinating...

    We've done this for a while.

    Instead of all of our North American sites having separate firewalls, we outsourced our network to an MSP who takes care of all our MPLS routing, supplies the equipment and routes our internet traffic through their firewalls.

    We still manage the firewall rules, QoS etc through a dashboard.

    We've had 85% fewer viruses since we did this, and saved 30% on bandwidth due to better restrictions on wasted apps.
    Also, we've reduced our surface target: instead of having 20+ potential site targets to attack, we now only have 2, both of which are higher-grade firewalls than we used ourselves, and are penetration tested daily by another firm.

    It probably isn't the right solution for every company, especially a Fortune 100 that can afford high-grade security.
    http://www.darvilleit.com - a blog I write about IT and technology.
    BlackBeret Member Posts: 683
    First, the companies are going to learn the hard way that they can outsource the work, but they can't outsource the responsibility. When something goes wrong, as long as the provider is in compliance with its SLA, the company can't do anything. If the provider is in violation of the SLA they can attempt to be compensated, but you can never fully repair the reputation.

    I agree, this seems an insane idea to me, and I honestly thought that after the past year everyone would be ramping up their internal security programs. On the opposite side of the coin, if their program is that immature, at least they're trying to improve it the best way they know how... throw money at another company to do the work.
    philz1982 Member Posts: 978
    The problem is, I see a lot of the Fortune 500 doing this.