Feed aggregator
Staying current, but not too current, (Sun, Sep 7th)
Information Technology is a fast moving field, probably one of the most short-lived fields to be in ...(more)...
Malware Analysis: Tools are only so good, (Sun, Sep 7th)
Well, today wasn't exactly a tough handler's shift so I thought I would look in my spam folder for s ...(more)...
Leap Ahead Ideas, (Sat, Sep 6th)
Last Saturday we asked for leap ahead ideas that could change the rules of the game to f ...(more)...
Google Chrome in Beta, Vulnerabilities Discovered, (Fri, Sep 5th)
Google has released their awaited browser, Chrome, in beta. So far it looks to be a Windows-only, bu ...(more)...
E-Mail from SANS/GIAC, (Fri, Sep 5th)
There is an e-mail that went out from GIAC to complete a survey. It uses an IP instead of a na ...(more)...
Wireshark 1.0.3 released, (Thu, Sep 4th)
Wireshark 1.0 ...(more)...
Cisco Vulnerabilities, (Thu, Sep 4th)
Cisco Security Response: Cisco Secure ACS Denial Of Service Vulnerability
A specially crafted R ...(more)...
New bgp hijack isn't very new., (Wed, Sep 3rd)
Several news sources have been carrying a story about the DEFCON BGP hijack. While that trick ...(more)...
Infocus: WiMax: Just Another Security Challenge?
Mark Rasch: Get Off My Cloud
Infocus: Blocking Traffic by Country on Production Networks
Dan Kaminsky: An Astonishing Collaboration
Don Parker: Bad-Code Blues
Federico Biancuzzi: Firing Up Browser Security
Infocus: Integrating More Intelligence into Your IDS, Part 2
Infocus: Integrating More Intelligence into Your IDS, Part 1
Infocon: green
Static analysis of Shellcode - Part 2, (Wed, Sep 3rd)
Starting again with a pile of Shellcode, one that the bad guys were even friendly enough to label as ...(more)...
Internal Security Staff Matters
I read Gunter Ollmann's post in the IBM ISS blog with interest today. Gunter is "Director Security Strategy, IBM Internet Security Systems," so he is undoubtedly pro-outsourcing. Here is his argument:
[S]ecurity doesn’t come cheap. While individual security technologies get cheaper as they commoditize, the constant influx of new threats drives the need for new classes of protection and new locations to deploy them...
If you were to examine a typical organization's IT security budget, you'd probably see that the majority of spend isn't in new appliances or software license renewals; instead it'll lie in the department's staffing costs...
This is at odds with the way most organizations normally deal with specialized and professional skill requirements... Just about every organization I deal with (including some of the biggest international companies) relies upon external agencies to provide these specialist services and consultancy – as and when required – it’s more cost effective that way.
With that in mind, why are organizations building up their own highly-trained (and expensive) specialist internal security teams? Granted, some of the security technologies being deployed by organizations are relatively complex, but do they really require a Masters degree and CISSP certified experts to babysit them full-time...
Nowadays you can tap into an incredibly broad range of expertise – ranging from hard-core security researchers capable of helping you evaluate the security of new products you're thinking of buying and deploying throughout your enterprise, through to 24x7 security sentinels so knowledgeable about the security product you've deployed that they're capable of guaranteeing protection with money-back SLAs...
Organizations should take a closer look at their security budgets and evaluate whether they’re getting the right value out of their internal teams and whether their skills investment meets the daily need of the business. (emphasis added)
By highlighting the focus on "security products," you can probably predict my response to Gunter's post. Sure, you can hire experts who may (or may not) be cheaper than internal staff, and they may be smarter about individual products or even defensive tactics, but they are poor with respect to the most critical aspect of modern security: business knowledge. It does not matter if you are the world's greatest packet monkey if you 1) don't know what matters to a business; 2) don't know business systems; 3) don't know what is normal for a business... do I need to continue?
This is the biggest challenge I see for consultants, having been one and having hired them. It's easier to hire a consultant to help configure a security product than it is to figure out if that product is even needed, which to buy, how to get approval and business buy-in, how to support it operationally, and a dozen other decisions.
I agree that certain specialized tasks merit outside support. That list changes from organization to organization. However, beware arguments like Gunter's.

Copyright 2003-2008 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
noreply@blogger.com (Richard Bejtlich)
