Outsourcing Insight

b.speltz
Level 4

My company is considering outsourcing our security services. Can someone who's done this before give me some feedback?

2 Replies

daveorenstein
Level 1

First you need to define what services you require. They tend to fall into three categories. Testing (determine how deep the tests should penetrate), remediation (removing flaws in your security), and management (turning over your firewall, IDS, and other security devices to an outside vendor). The first two are like shampoo ... test, remediate, repeat. The third is the hard one.

Many vendors can perform the penetration testing. Many can perform the remediation. Few can perform the management. Within that short list there have been many consolidations and some vendors have folded up their tents, so the list gets even shorter.

If you're going to attempt to outsource the management, talk with their technical people. What tools do they use? Does the vendor write their own security signatures as they discover threats or do they rely on system and software vendors to supply them? Does the vendor perform in-band or out-of-band management? How secure is the management channel? Does the vendor use hardware or software IDS? Do they use appliances or software on a server platform?

What is their response time to a threat? At what point during a threat or attack does the vendor's responsibility end and yours begin? (Ultimately it's all yours.) How will they support the security of legacy systems?

How many of their staff are CISSP certified? How do they vet their people? Can you visit their NOC (or SOC)? Can they supply you with references? That last one is tricky since many of their customers don't want others to know how their networks are secured.

Finally you also have to weigh the cost of outsourcing against the cost of employing a full time security staff.

Good Luck!

G'day everyone

It was mentioned that there have been Outsource Security Management firms that have folded up recently, making the list of Security Management Outsource resources even shorter.

Ques: Is there any one reason for this? Or is it a combination of reasons? Or just a phase that industries go through?

I imagine that the rate of security flaws and breaches is one, and maybe the rising cost of insurance too??
