Managed Security Monitoring Services vs In House Monitoring

Heather Stern star at starshine.org
Wed Feb 26 10:15:56 PST 2003


On Tue, Feb 25, 2003 at 03:08:21PM -0800, Jeff with The Big Yellow Suit wrote:
> I'm working in an environment in which security is ..um..deficient,
> and I'm going to be tasked with putting together a plan to
> tighten things down, and I'm considering between outsourcing
> the job of intrusion detection versus doing it in house.

Forget not, also planning your systems so that they can suffer the least
amount of damage, and so they have the least amount of volatility
(except for the data you are really feeding them, which of course you
have an active backup plan for, including checking the backups to make
sure they are recoverable).

Some sites have gone to having their webservers run off of read-only
media; either jumpered at the SCSI drive, or running off of CD, with
minimal volatile space, and a data drive that's separate.  Combine with
logging kept elsewhere (maybe by sending it up a null modem to a server
which isn't really "on the net" at all) and you've got a lot fewer places
to go looking for holes.

You also have a well defined sense of what the given box is supposed to
*do* for a living, and that makes a less brainy person able to figure
out when it's "up to something wicked".

> The primary limitation in doing this is likely to be brain
> cycles.  Quite simply the staff is stretched far too thinly,
> they are not historically very good at the daily care
> and feeding of complex beasties.  I envision any sort of
> in-house system going in with a bang and then languishing
> for lack of updates and passion.  I've seen it happen too
> many times.
> 
> For those reasons I'm leaning heavily towards outsourcing.
> The obvious candidate is Counterpane, but I'd like to get
> people's feelings about this, and I'd also like to scare up
> a list of services doing similar things.  Any help and/or
> horror stories would be appreciated.
> 
> -jeff

I believe Addamark, who spoke for BayLISA in the last year or so,
manages huge volumes of logs in a way that's supposed to make looking
for the interesting stuff far less painful.

I believe you'll also want physical security measures, and plans
about what to do when one of your own "goes rogue", and plans for
what to expect to fail if any given chunk of hardware goes south.

Best in your quest :)

  . | .   Heather Stern                  |         star at starshine.org
--->*<--- Starshine Technical Services - * - consulting at starshine.org
  ' | `   Sysadmin Support and Training  |        (800) 938-4078
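The read-only webserver layout Heather describes (system on read-only media, minimal volatile space, a separate data drive) as an added example that is not from the original thread: a POSIX shell check that reads a /proc/mounts-style table and flags a writable root, unexpected writable filesystems, or a data drive that still allows executables. The sample mount table is constructed, and the list of tolerated volatile pseudo-filesystems and the noexec requirement on the data mount are assumptions about the policy, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original mailing list post.
# Audits a /proc/mounts-style table against the read-only-system /
# separate-data-drive layout. Sample table below is constructed.

SAMPLE_MOUNTS='/dev/sr0 / iso9660 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=64m 0 0
/dev/sdb1 /srv/www/data ext4 rw,nosuid,nodev,noexec 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'

# check_mounts <mounts-text> <allowed-writable-mountpoint>...
# Policy (assumed for this example):
#   - root filesystem must be mounted read-only
#   - writable filesystems must be volatile pseudo-fs (tmpfs, proc, ...)
#     or one of the listed data mount points
#   - listed data mount points must carry noexec (data, not binaries)
# Prints the problems found and returns 1; returns 0 when all is well.
check_mounts() {
  mounts=$1; shift
  problems=''
  while read -r dev mnt fstype opts rest; do
    [ -n "$mnt" ] || continue
    case ",$opts," in *,ro,*) ro=1 ;; *) ro=0 ;; esac
    if [ "$mnt" = / ]; then
      [ "$ro" = 1 ] || problems="$problems root filesystem is writable ($dev);"
      continue
    fi
    [ "$ro" = 0 ] || continue   # read-only anywhere else is always fine
    case $fstype in proc|sysfs|devtmpfs|devpts|tmpfs) continue ;; esac
    allowed=0
    for a in "$@"; do [ "$a" = "$mnt" ] && allowed=1; done
    if [ "$allowed" = 0 ]; then
      problems="$problems unexpected writable mount $mnt ($dev);"
    else
      case ",$opts," in *,noexec,*) ;;
        *) problems="$problems data mount $mnt allows exec;" ;; esac
    fi
  done <<EOF
$mounts
EOF
  [ -z "$problems" ] && return 0
  printf '%s\n' "$problems"
  return 1
}

# Run against the constructed sample with /srv/www/data as the data drive.
check_mounts "$SAMPLE_MOUNTS" /srv/www/data && echo "mount layout matches policy"
```

On a live host the first argument would be the contents of /proc/mounts, with the second the real data mount point.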