I've been following this discussion with interest. This is because
I am going through this process. So these are my thoughts:
1. IDS tools are important. What is actually needed is a judgement
vs cost call. I view them as my eyes on what is occurring on the network
and a way to ensure that the security policy is adhered to. An interesting
book I am half way through at the moment is Network Intrusion Detection, an
Analyst's Handbook by Stephen Northcutt (I purchased this over the web at
fatbrain.com). I have dealt with Stephen before via another mail list and I
feel he has no particular barrow to push.
2. Using external people like KPMG, Ernst & Young etc. I see
as a way of providing an external, independent view of where the security is
at, i.e. review of policy, vulnerabilities etc.
Both areas you can do yourself. The external monitoring service
is the installation of IDS software and all they do is let you know when an
alert is activated.
To me that is IDS. You don't really need that external party to let
you know. You can hire a security administrator for that. Most IDS
software can be set to send an e-mail or ring you - that is the service that
the external monitoring companies are offering.
John Taylor
From: Frank Knobbe <[EMAIL PROTECTED]> on 24/08/2000 11:12
To: [EMAIL PROTECTED]@SMTP@Aus Exchange, Frank Knobbe <[EMAIL PROTECTED]>@SMTP@Aus Exchange, [EMAIL PROTECTED]@SMTP@Aus Exchange
cc:
Subject: RE: Online Security Services and Continous Risk Management
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 23, 2000 7:38 PM
> To: Frank Knobbe; [EMAIL PROTECTED]
> Subject: RE: Online Security Services and Continous Risk Management
>
> OK, let's then put into your thinking then.
> Manufacturers: vendors who make firewalls, IDS, virus protection, etc
> Installers - high end to low end consulting services that install
> and configure them (rack and stack)
> Consulting - verify that everything looks and smells ok, the alarm
> trips when the door is locked type of thing. (Don't really do too much).
> Monitoring companies - 24x7, if the alarm trips they call or page you.
>
> OK, so where does online security services come in, mind you the
> category I am talking about is very ill-defined, especially when they
> advertise they are a one-stop security solution but they are just
> going after replacing the Consulting piece stated above.
I would say they fit the Monitoring companies. Back to your question,
though: Are they worth it?
I think that can be answered by comparing them to traditional
security monitoring companies (A*T etc). Are they worth it? Shouldn't
alarm bells and whistles be enough? Hardly, because by the time you
return from vacation your stuff is gone. Does a monitoring company
help? My personal opinion is no because when they show up, my stuff
is gone already.
Now reflect that to IT security monitoring. If they monitor and send
me an email saying that around 2am on Sunday something strange
happened that appears to be a break-in, then they're worthless
because I'll find that out on Monday when I review my logs (or check
my email etc).
If they show up Monday, it's too late.
If a security monitoring company could be on site immediately to
catch the intruder and prevent damage, start forensics and have a) my
data saved from the evil hackers, and b) evidence or at least a
report for me on Monday, then I think they would be worth an
appropriate amount of money.
Are they worth it? Only if they can prevent damage or minimize it. I
don't think they are worth it if they just let me know I have been
hacked.
So the question becomes: What service can they offer that really
helps my company and its data? Just being a watchdog and barking is
not enough. They oughta be able to bite the intruder.
If they are so cheap that I don't need a network admin capable of
reading log files, then this might be another reason to contract them
(saves me from setting up/getting a log analyzer/IDS system). Money
is the deciding factor in that case and I doubt that the security
consulting companies are as cheap as A*T.
Another question is: Does my company want to take the risk and
responsibility of trusting such a contractor? How do I explain to my
shareholders that my alarm system failed because the contractor
failed?
> >The problem I see is that pretty much everyone wants to do it all,
> >trying to present themselves as a one-stop security shop.
>
> The one stop solution model stopped working a while back, it is more
> of a partnering type of ASP, MSP type architecture these days. Not
> one company can do it all, and what it ends up doing is confusing
> CIOs, CEOs on who to go with. The biggest result for each security
> dollar spent.
Yet we still find companies that acquire instead of
partnering/outsourcing. I know of a press announcement due next week
that fits this shoe perfectly. And I think everyone has seen
company A's stock dip when they acquired company B to add to their
portfolio of service offerings because the market does not believe
that company B's line of business fits in company A's realm of
expertise.
Sorry for drifting off topic there for a minute...
Regards,
Frank
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]