Should I choose one vendor to perform both my managed security services and vulnerability scanning?
In order to answer this question properly, it is important to understand the objective of the financial institution. Does the institution want to test vendor responsiveness to an external scan, or does the institution want to evaluate the risk of its Internet-facing devices? Let's explore the pros and cons of each approach.

Vendor Responsiveness

The most common comment I hear from clients is: "I want to have a vulnerability scan in order to see if my managed service vendor is responsive to a vulnerability scan." This line of thinking misses the purpose of what a vulnerability scan provides and how scans are treated by a managed service provider.

Over the last several years, there has been a large increase in the volume of rogue scanning activity on the Internet. Most of this volume is due to increased virus and worm activity. These viruses and worms are designed to scan across wide blocks of IP ranges before attempting to compromise a host. It is not uncommon for security analysts to see hundreds of scans across a single client's network in a day. For this reason, most managed service vendors will not pick up the phone to call a client every time a simple scan is run. However, scan data is still critical for identifying an attack: most managed service providers use it as one input to larger correlation sets that identify more targeted attacks.

External Risk Analysis

The second and more logical motivation for performing a vulnerability assessment is to gain an understanding of the risk exposure of your Internet-facing devices and IP space. In this scenario, using one vendor has a clear-cut advantage.

The true purpose of a vulnerability assessment is to identify vulnerabilities on all devices, including those beyond the direct control of your managed service vendor. These devices typically include (but are not limited to) mail servers, DNS servers, e-commerce sites, and Internet service provider (ISP) equipment. Since your managed service vendor does not have direct control over these devices, its ability to understand the true risk to your network is limited. For example, what if someone in the organization mistakenly plugged in a server that bypassed the physical configuration of the firewall? Or what if the organization is not keeping current on its system patching? These events cause increased exposure that cannot be seen by an IDS/IPS or firewall device alone, yet this critical information can affect the assessment of the security analyst classifying the events.

In addition, regulatory guidelines call for financial institutions to implement a comprehensive information security program that:

  1. Ensures the security and confidentiality of customer information;
  2. Protects against any anticipated threats or hazards to the security or integrity of such information; and
  3. Protects against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

Conclusion
Creating a comprehensive information security program requires a layered approach to security, also called a defense-in-depth model. Both of these phrases refer to the need to have multiple security solutions working together to maximize risk mitigation.

By combining managed services and vulnerability scans under one vendor, you achieve this layered approach. When a single vendor performs both services in a layered approach model, scan results can be used within the managed security platform to perform advanced correlation against threats. In this situation, a security analyst will be able to identify not only whether an attack is occurring on the client's network, but more importantly whether the attack is being carried out against a vulnerable system within that network. The layered approach enables an analyst to make a more informed assessment of the risk of the event. An attack without scan data to support it may be classified as a medium/low event, but with scan data it can be quickly escalated to a critical alert because of the depth of information provided through the combined services.
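As an added example that is not part of this article or of Perimeter eSecurity's platform, the following toy correlator shows the escalation logic described above, and the handling of Internet-scale scan noise discussed under "Vendor Responsiveness": IDS alerts are re-scored against external scan findings, so that an exploit attempt against a host the scan confirmed as vulnerable becomes critical, plain reconnaissance is retained but not paged, and an attempt against a port the scan saw closed is de-escalated. All hosts, signature names and vulnerability labels are constructed sample data, and the field layout of the alerts and findings is an assumption for illustration.

```python
# Added example (not Perimeter eSecurity code): correlate IDS alerts with
# vulnerability scan findings to re-score their severity. All data below is
# constructed for illustration; field names are assumptions, not a real format.
from dataclasses import dataclass
from typing import Optional

# Severity ladder used when escalating or de-escalating an alert.
SEVERITIES = ["informational", "low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    """One row from a (constructed) external vulnerability scan."""
    host: str
    port: int
    vuln: str  # vulnerability label reported by the scanner (constructed)


@dataclass(frozen=True)
class Alert:
    """One IDS/IPS event (constructed)."""
    src: str
    host: str
    port: int
    signature: str
    vuln: Optional[str]  # vulnerability the rule targets, if the rule says so
    base_severity: str   # severity the IDS assigned on its own


# Constructed scan results: the web server has findings; the mail server is clean.
SCAN_FINDINGS = [
    Finding("203.0.113.10", 80, "WEB-APP-MISSING-PATCH"),
    Finding("203.0.113.10", 443, "TLS-WEAK-CIPHERS"),
]
# (host, port) pairs the scan saw listening (constructed).
LISTENING = {("203.0.113.10", 80), ("203.0.113.10", 443), ("203.0.113.25", 25)}

# Constructed IDS events for one day, in arrival order.
ALERTS = [
    Alert("198.51.100.7", "203.0.113.10", 80, "SCAN tcp probe", None, "low"),
    Alert("198.51.100.7", "203.0.113.10", 80, "WEB-APP exploit attempt",
          "WEB-APP-MISSING-PATCH", "medium"),
    Alert("198.51.100.9", "203.0.113.25", 25, "SMTP overflow attempt",
          "SMTP-OVERFLOW-OLD", "medium"),
    Alert("198.51.100.9", "203.0.113.25", 8080, "HTTP proxy abuse attempt",
          None, "medium"),
]


def exposure_index(findings):
    """Index scan findings by (host, port, vuln) for constant-time lookups."""
    return {(f.host, f.port, f.vuln) for f in findings}


def classify(alert, index, listening):
    """Return (severity, reason) for one alert after correlating with scan data.

    Rules, in priority order:
    1. Reconnaissance signatures are background noise at Internet scale:
       keep them for later correlation but do not page anyone.
    2. An exploit attempt against a host/port/vuln the scan confirmed -> critical.
    3. An attempt against a port the scan saw closed -> de-escalate to low.
    4. Otherwise the scan cannot rule the event in or out: keep base severity.
    """
    if alert.signature.startswith("SCAN"):
        return "informational", "reconnaissance only; retained for correlation"
    if alert.vuln and (alert.host, alert.port, alert.vuln) in index:
        return "critical", "scan confirmed target is vulnerable to this attack"
    if (alert.host, alert.port) not in listening:
        return "low", "scan shows no service listening on targeted port"
    return alert.base_severity, "no scan evidence either way; base severity kept"


def triage(alerts=ALERTS, findings=SCAN_FINDINGS, listening=LISTENING):
    """Correlate every alert; return a list of (signature, severity, reason)."""
    index = exposure_index(findings)
    return [(a.signature,) + classify(a, index, listening) for a in alerts]


if __name__ == "__main__":
    for sig, sev, why in triage():
        print(f"{sev:<13} {sig:<28} {why}")
```

The second alert is the case the article describes: on its own the IDS rated it medium, but because the scan confirmed the same host, port and vulnerability, the correlator raises it to critical. The fourth alert goes the other way, which is the de-escalation a provider can only perform when it also holds the scan data.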

If your motivation for performing a vulnerability scan is to test your managed service provider's responsiveness, then you would benefit from having two vendors. However, even in this case, I would recommend a penetration test rather than a vulnerability scan, since it is more likely to simulate a true attack in the eyes of your service vendor and generate the response you desire.

However, if your objective is to build a comprehensive security program and meet regulatory guidelines, combining managed services and vulnerability assessments will result in maximum risk mitigation. In this layered approach, the use of one vendor to perform both services is not only a good idea; it is critical to maximizing the value of your outsourced services.


Tom Neclerio, CISSP
VP of Security and Compliance
Perimeter eSecurity