Managed Security Monitoring Services vs In House Monitoring

Chuck Yerkes chuck+baylisa at snew.com
Tue Feb 25 17:53:20 PST 2003


But brain cycles are required to note unusualness and to
keep things up to date.

Outsourcing is common for security things:  No companies I ever worked
at hired the security guards at the doors and walking around at
night.  I don't sit and watch my house alarm all the time; I hire
someone else to do that.

I CAN have pre-set, known secure incoming connections from Internet
these days (not so true in 1991 when I first started connecting
companies to the Internet).  Machines can be placed on your premises
and accessed remotely, securely.

Heck, Intrusion Detection Systems don't even need to SEND onto the
monitored network (I've clipped AUI connectors before).

If outsourcing means it will get done and maintained and even
thought about, that's ALWAYS better than an in-house project that
languishes, whose logs and alerts get ignored and which dies off.
Much better security.

And if I can hire folks who think, dream and pee IDS and security
24/7, then I'll do better than when a motivated person decides one
day, to just shut off outbound port 53 cause he thinks it might
possibly be bad.  (that's happened).

Quoting alvin at maggie.linux-consulting.com (alvin at maggie.linux-consulting.com):
> On Tue, 25 Feb 2003, Jeff with The Big Yellow Suit wrote:
> > I'm working in an environment in which security is ..um..deficient,
> > and I'm going to be tasked with putting together a plan to
> > tighten things down, and I'm considering between outsourcing
> > the job of intrusion detection versus doing it in house.
> 
> by my definition,  an outsourced "security and ids" is already
> a breach of security ... period ..
> 	- unless that outfit carries e/o insurance for say
> 	enough to cover damages and losses from a breach
> 	from hackers and other un-permitted activities
> 	( insurance like what counterpane carries in the $xxxM 
> 	( when they do some security work
> 
> > The primary limitation in doing this is likely to be brain
> > cycles.  Quite simply the staff is stretched far too thinly,
> 
> you really do not want "brain cycles" to do monitoring ( very bad idea )
> 
> but you really do want brain cycles to define the security policy 
> and how people and machines get to do certain tasks
> 
> -- everything should be automated ... not brain cycles ..
> 	- brain cycles goes on vacation
> 	- brain cycles gets sick
> 	- brain cycles go home after 8 hrs
> 	- brain cycles gets distracted for other things
> 	- brain cycles are only as good as they wanna be
>  	...
> 
> - a good hacker/cracker just needs a few seconds/minutes
>   to do what they need ... ( but depends on what it is that
>   we're trying to prevent too vs recover from said activities )
> 
> > they are not historically very good at the daily care
> > and feeding of complex beasties.  I envision any sort of
> > in-house system going in with a bang and then languishing
> > for lack of updates and passion.  I've seen it happen too
> > many times.
> 
> fairly easy to install host ids and network ids
> 	- lots of tools out there
> 
> 	http://www.Linux-Sec.net/IDS
> 	( similarly for auditing tools and monitoring tools )
> 
> 	-- i prefer my custom tools that md5 all the stuff
> 	i care about 
> 
> > For those reasons I'm leaning heavily towards outsourcing.
> > The obvious candidate is Counterpane, but I'd like to get
> 
> counterpane carries e/o for encryption technology etc
> and not sure if they also have the same for ids type of security
> 
> > people's feelings about this, and I'd also like to scare up
> > a list of services doing similar things.  Any help and or
> > horror stories would be appreciated.
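The quoted reply mentions preferring custom tools that md5 the files the author cares about. As an added example for this thread (my code, not the poster's tool and not part of the original message), here is a minimal version of that workflow: snapshot digests of a tree, store them, re-hash on a schedule and report what was added, removed or changed. It assumes SHA-256 in place of MD5 and a JSON file for the baseline; the file names and contents in the demo are constructed sample data.

```python
"""File-integrity baseline: snapshot digests of files you care about, then
re-hash later and report what changed. Added example for this thread, not the
poster's own tool. SHA-256 is used in place of MD5 (assumption: modern hash
preferred; the snapshot/compare workflow is identical). Paths in the demo are
constructed sample data, not real system files."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_bytes(data: bytes) -> str:
    """Digest of an in-memory blob (lets the compare logic be exercised offline)."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Record a digest for every regular file under root, keyed by relative path.
    Symlinks are skipped: hashing the link target would let a swapped link hide."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def baseline_from_contents(contents: Dict[str, bytes]) -> Dict[str, str]:
    """Same shape as build_baseline(), built from an in-memory path -> bytes map."""
    return {path: hash_bytes(data) for path, data in contents.items()}


def diff_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or changed between two snapshots."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "changed": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


def check(root: str, baseline_path: str) -> int:
    """Cron-friendly entry point: exit status 0 when nothing changed, 1 otherwise,
    so the alert fires without anyone having to remember to look."""
    report = diff_baselines(load_baseline(baseline_path), build_baseline(root))
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind.upper():8s} {p}")
    return 0 if not any(report.values()) else 1


if __name__ == "__main__":
    # Constructed demo: snapshot a scratch tree, alter one file, run the check.
    # The baseline lives in a separate directory from the monitored tree.
    with tempfile.TemporaryDirectory() as scratch, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(scratch, "etc"))
        watched = os.path.join(scratch, "etc", "hosts.allow")
        with open(watched, "w") as fh:
            fh.write("ALL: 10.0.0.0/8\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(scratch), baseline_path)
        print("first check, nothing changed yet, status:", check(scratch, baseline_path))
        with open(watched, "a") as fh:
            fh.write("ALL: ALL\n")
        print("after edit, status:", check(scratch, baseline_path))
```

Two design points follow from the thread itself: keep the baseline off the monitored host or on read-only media, because anything able to alter the watched files can just as easily rewrite a baseline stored beside them; and run `check()` from cron so the non-zero exit status, not a person remembering to look at a log, is what raises the alert.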
