Many organizations have found that outsourcing their vulnerability management (VM) services helped reduce headcount, administrative overhead, and equipment and personnel expenses. But before getting too excited about what outsourcing vulnerability management could do for your organization, keep in mind that how well you set expectations upfront will determine, in part, how successful the project is. Outsourcing veterans know that creating clear and direct service level agreements (SLAs) and ensuring all the contractual "T"s are crossed and "I"s are dotted can help prevent after-the-fact confusion, such as escalation snafus and accountability mishaps. But what may be overlooked is who will control access to and sharing of the collected data. Let's examine approaches organizations can use to bring together the security information gathered by VM outsourcers and managed services providers with the data gathered from internal tools, such as vulnerability scanners (Nessus) and network intrusion detection systems (Snort), to create a more complete security assessment.
SEIM and compliance reporting
The old adage "knowledge is power" applies quite nicely to the world of security event and information management (SEIM) and compliance reporting. All SEIM-type solutions require data, such as log files and system information. This holds true for data repositories with homegrown rules, log aggregation tools (e.g., LogLogic) and COTS SEIM products (e.g., ArcSight or eSecurity/Novell). Without that data, it would be impossible to make an assessment of the environment's current security state.
Security event and information management tools -- whether managed by the outsourcer or the end user company -- consume log and event information from a number of products and devices, including firewalls, antivirus gateways and network intrusion detection systems (IDS). One way that organizations use vulnerability management data from outsourcers is to link the information from the vulnerability assessment scans to the output from the IDS. This provides context and allows organizations to link specific IDS alerts to successful attacks.
The vulnerability management data gathered can be of great value to organizations, especially for audit purposes. Many VM tools create inventories of the devices and servers they manage. Alternatively, some VM service providers use asset data provided by the managed client. Vulnerability management tools also capture up-to-the-minute images of a host or server's current state of health. For example, what operating system is the host running? What services are live on that system? What is the current patch level? All of this information can be of great use to SEIM and configuration reporting and management tools. In fact, many auditors will specifically request a current inventory list of devices on the network and their patch levels. And a SEIM that alerts on, for example, a worm traveling through a portion of the network would have a better data set from which to prioritize the potential threat if the devices and patch levels on that section of the network are known.
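The linkage described in the two paragraphs above can be sketched as follows. This is an added example, not code from any VM or SEIM product: the CSV column names, host addresses and CVE placeholders are constructed for illustration, and a real export from a scanner or IDS would first need mapping to this layout.

```python
import csv
import io

# Constructed sample of a VM provider's CSV export (hypothetical columns).
SCAN_CSV = """host,patch_level,open_ports,vulns
10.0.1.10,SP1,80;445,CVE-XXXX-0001
10.0.1.11,SP2,80;445,
10.0.1.12,current,22;80,CVE-XXXX-0002
"""

# Constructed sample of IDS alerts reduced to CSV (hypothetical columns).
ALERT_CSV = """time,dst_host,dst_port,signature,cve
09:01:12,10.0.1.10,445,SMB exploit attempt,CVE-XXXX-0001
09:01:13,10.0.1.11,445,SMB exploit attempt,CVE-XXXX-0001
09:02:40,10.0.1.12,445,SMB exploit attempt,CVE-XXXX-0001
09:03:05,10.0.1.99,445,SMB exploit attempt,CVE-XXXX-0001
"""


def load_inventory(text):
    """Index the scan export by host address."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        inventory[row["host"]] = {
            "patch_level": row["patch_level"],
            "ports": set(filter(None, row["open_ports"].split(";"))),
            "vulns": set(filter(None, row["vulns"].split(";"))),
        }
    return inventory


def triage(alert, inventory):
    """Rate one IDS alert using what the scan knows about its target."""
    asset = inventory.get(alert["dst_host"])
    if asset is None:
        return "unknown-asset"  # host missing from inventory: coverage gap
    if alert["cve"] in asset["vulns"]:
        return "high"           # target is known vulnerable to this attack
    if alert["dst_port"] in asset["ports"]:
        return "medium"         # service exposed, scan shows it patched
    return "low"                # targeted service is not listening


def correlate(alert_text, scan_text):
    """Return (target host, rating) for every alert, in alert order."""
    inventory = load_inventory(scan_text)
    return [(a["dst_host"], triage(a, inventory))
            for a in csv.DictReader(io.StringIO(alert_text))]
```

The "unknown-asset" rating is worth reporting separately: an alert against a host the outsourcer never scanned points to a gap between the provider's inventory and the network.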
Working with an outsourced VM service
Here are a few recommendations for working with an outsourced vulnerability management service:
- Have transparency into the data being collected by the outsourced VM service. Before signing on the dotted line, confirm with your outsourcing firm that you will have near real-time access to the data collected during scans of your site.
- Check with the vendor to confirm which product(s) they are using and how the information is shared. Is it available in a CSV file or via XML? Will your SEIM or compliance tool be able to read the log and alert information natively? Ideally, you would be able to connect your SEIM or compliance tool directly to the outsourced VM tool for immediate sharing of collected data. A corollary is to negotiate how the outsourcer plans to handle data collected for process improvement. For example, certain tasks that are done on an ongoing basis can be optimized for efficiency. If a record of false positives is maintained, the baseline data can be refined so administrators will not have to investigate the same alerts again and again.
- Some of the VM data collected, such as time to complete patching, can be used as a key performance indicator (KPI) and show improvement over time. Bottom line: if the outsourcer will not allow you access to your own, very valuable, scanned data, think twice about signing up with them.
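With access to the scan history, the time-to-patch KPI and the false-positive baseline mentioned in the recommendations above can be computed directly. The following is an added example, not code from any VM product: the scan records, dates, hosts and finding ids are constructed, and it assumes a finding counts as patched on the first scan in which it no longer appears.

```python
from datetime import date

# Constructed scan history: one (scan_date, host, finding_id) per detection.
# Finding ids are placeholders, not real identifiers.
SCANS = [
    (date(2024, 1, 1), "10.0.1.10", "FINDING-A"),
    (date(2024, 1, 1), "10.0.1.11", "FINDING-A"),
    (date(2024, 1, 1), "10.0.1.12", "FINDING-B"),
    (date(2024, 1, 8), "10.0.1.11", "FINDING-A"),
    (date(2024, 1, 8), "10.0.1.12", "FINDING-B"),
    (date(2024, 1, 15), "10.0.1.12", "FINDING-B"),
    (date(2024, 1, 15), "10.0.1.13", "FINDING-C"),
]
SCAN_DATES = [date(2024, 1, 1), date(2024, 1, 8), date(2024, 1, 15)]

# Recorded false positives: (host, finding) pairs already investigated.
FALSE_POSITIVES = {("10.0.1.12", "FINDING-B")}


def days_to_patch(scans, scan_dates, false_positives):
    """Map (host, finding) to days from first detection to first clean scan.

    Findings still present in the latest scan map to None (still open).
    A finding that disappears and later returns is measured to the clean
    scan after its final appearance.
    """
    first_seen, last_seen = {}, {}
    for when, host, finding in sorted(scans):
        key = (host, finding)
        if key in false_positives:
            continue  # baseline refinement: do not count known noise
        first_seen.setdefault(key, when)
        last_seen[key] = when
    result = {}
    for key, first in first_seen.items():
        later = [d for d in sorted(scan_dates) if d > last_seen[key]]
        result[key] = (later[0] - first).days if later else None
    return result


def mean_days_to_patch(durations):
    """Average over closed findings only; None when nothing is closed yet."""
    closed = [d for d in durations.values() if d is not None]
    return sum(closed) / len(closed) if closed else None
```

Because scans are periodic, the figure is bounded by the scan interval: a patch applied the day after a scan is only observed at the next one.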
The information gathered via the outsourced vulnerability management tool contains critical details about the current state of your devices and patch levels. Even if you think you're already capturing this data internally, having an alternate pair of eyes (or audit logs) to compare that information against provides a confirmatory check. So while you're discussing uptime and coverage with your VM vendor, don't forget to ask about your ability to access and use the collected data. It's your information -- make sure you can make use of it to complete your network security assessment picture.
About the author
Diana Kelley, Service Director of Security and Risk Management Strategies for Burton Group, has more than 15 years of experience creating secure network architectures and business solutions for large corporations. Her experience includes holding the executive security advisory position for CA's eTrust, manager in KPMG's Financial Services Consulting practice, vice president of security technology for Safe3W, senior analyst for Hurwitz Group, and general manager at Symantec Corp. Kelley is a frequent speaker at leading industry events like Information Security Decisions.