• Share
  • Email
  • Embed
  • Like
  • Private Content
Evolving Security 5 Reasons to Outsource Network Security Management in Today's Threat Environment
 

Evolving Security 5 Reasons to Outsource Network Security Management in Today's Threat Environment

on

  • 833 views

This white paper describes the reasons why companies outsource network security management in today’s threat environment. It includes an assessment of the overall threat landscape, and reviews five ...

This white paper describes the reasons why companies outsource network security management in today’s threat environment. It includes an assessment of the overall threat landscape, and reviews five key benefits of outsourcing.

Statistics

Views

Total Views
833
Views on SlideShare
833
Embed Views
0

Actions

Likes
0
Downloads
13
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Evolving Security 5 Reasons to Outsource Network Security Management in Today's Threat Environment Evolving Security 5 Reasons to Outsource Network Security Management in Today's Threat Environment Document Transcript

    • EVOLVING SECURITY5 REASONS TO OUTSOURCE NETWORKSECURITY MANAGEMENT IN TODAY’STHREAT ENVIRONMENTxo.com
    • Evolving Security5 Reasons to Outsource Network Security Managementin Today’s Threat Environment Contents Introduction 3 Network Security is More Complex Than Ever 4 Costs from Attacks are Increasing 5 The Need for a Collaborative Approach 5 1. Greater centralization of network security controls and policies 6 2. Deeper and broader coverage 7 3. Experience and competence 7 4. Increased responsiveness 8 5. Cost savings (operational and opportunity) 8 The Cost Implications of Network Security Attacks 9 Conclusion 10 About XO Communications 11 About XO Hosted Security 11 About StillSecure 112 Solutions you want. Support you need.
    • XO Communications Introduction This white paper describes the reasons why companies outsource security management in today’s threat environment. It includes an assessment of the overall threat landscape, and reviews five key benefits of outsourcing. Expanding use of Web 2.0 and Internet-based business applications creates new chal- lenges for businesses that need to keep malicious security breaches from entering their company networks. Next-generation security threats, including Advanced Persistent Threats, are menacing and increasingly difficult to detect. A single data breach could haveMany businesses no longer potentially devastating direct and indirect consequences such as fines, penalties or law- suits arising from a company’s failure to protect its private and personal customer informa-possess the in-house expertise tion according to industry standards. Security breaches also can result in huge financialor the resources to monitor, losses and lost revenue as a result of operational downtime, customer turnover, and dam-detect or mitigate today’s age to credibility and reputation.sophisticated security threats Many businesses no longer possess the in-house expertise or the resources to moni-from entering their networks. tor, detect or mitigate today’s sophisticated security threats from entering their networks. Outsourcing network security management to a ‘Security-as-a-Service’ or cloud-based delivery provider has become an attractive option for enterprises that need company-wide visibility of their Internet security gateways, Unified Threat Management, 24x7x365 moni- toring and management, and a stronger knowledge base of security best practices across a broad range of industries. Besides centralizing security controls and policies across the network, the cloud-delivery model of a ‘Security-as-a-Service” eliminates the need to buy and manage premise-based security devices at individual locations. Security-as-a-Service offerings that provide “clean pipes” capabilities help prevent unwanted or malicious traf- fic from entering the network through the Internet or data “pipe”, and permit legitimate or “clean” data traffic to get delivered across the network more efficiently. 3
    • Evolving Security Network Security is More Complex Than Ever News stories about high-profile brands being compromised by network security breaches are widespread. Because of the growing security threats, information security officers at U.S. businesses are more concerned than ever about security risks. In a survey of more than 2,000 small-to-medium business and enterprise security decision makers, the majoritySobering reports of network of respondents listed data security (88%) and managing vulnerabilities and threats (84%)security threats are a constant among their top priorities.1reminder that the threatlandscape has changed and Sobering reports of network security threats are a constant reminder that the threat land- scape has changed and become very complex. One security threat report predicted thatbecome very complex. cumulative, unique malware samples will have surpassed 75 million by year-end 2011. 2 What’s behind this surge in malware? A key factor is that hackers can more easily acquire software that they need to inflict dam- age. For example, exploits can be bought and sold on the black market for a few hundred dollars. The code for malware and worms is readily available over the internet for dupli- cation and manipulation. The code for the Stuxnet worm, one of the most sophisticated worms ever discovered, was effectively open sourced with point-and-click accessibility. As malware advances, it’s easier than ever for criminals to use it to inflict harm. In addition, there are new avenues that hackers can use to gain access to an enterprise network—particularly from social media, virtualized servers, cloud computing applications, wireless networking and smart phone applications. 1 Forrester Research, Inc., Security Futures: Selected Results from Forrsights Security Survey Q3 2010, presen- tation, September 23, 2010, slide 10. 2 McAfee Labs, McAfee Threats Report: Third Quarter 2011, page 64 Solutions you want. Support you need.
    • XO Communications Costs From Attacks are Increasing Attacks Grow in Number and Sophistication Costs associated with corporate network attacks are severe and growing. According to one security industry study, the cost of a data breach rose for five One cyber-security watch consecutive years from 2006 through 2010.3 Clean up costs that resulted from survey of 600 organizations damaging data breaches among the surveyed companies increased to $7.2 million found that: and cost an average of $214 per compromised record.4 In another security threat report that surveyed 50 corporations, malicious code, Denial of Service, and web- • 81% of respondents’ organi- based attacks were cited as the most costly types of threats for businesses.5 zations experienced a secu- rity event between the survey Unfortunately, IT budgets are struggling to keep up with the rise in costs to period of August 2009 and clean up after security breaches. While a sluggish economic recovery has put July 2010, compared to 60% downward pressure on security budgets, new and evolving technologies provide the year before corporate spies, cyber warriors, and other hackers with new avenues with which • Of the companies that expe- to exploit network vulnerabilities. As a result, Chief Security Officers (CSOs) and rienced an attack, 28% of Chief Information Security Officers (CISOs) face the nearly impossible challenge respondents saw an increase of having to strengthen network defenses within significant budgetary constraints. in the number of attacks • Cyber attacks from foreign entities doubled to 10% from The Need for a Collaborative Approach 2009 to 2010 6 As information security risks soar, it’s become harder for security professionals to dedicate the time and resources to everyday monitoring, management and responses that are necessary to combat the increased risks. As a result, many companies are selecting service providers to help them improve preparedness in the most cost-efficient manner, thereby freeing up in-house staff for other activi- ties, such as strategic planning and management. Why do enterprises hire a third party to manage network security? One survey of 1,400 small-to-medium business and enterprise security decision makers identi- fied the top motives. Respondents indicated said that it was important to them to improve the quality of protection, gain 24x7 coverage, reduce cost, gain greater competency or specialized skills, and to reduce complexity.7 3 Ponemon Institute LLC, 2010 Annual Study: U.S. Cost of a Data Breach, April 10, 2010; Overall Trends, page 5. 4 Ponemon Institute LLC, 2010 Annual Study: U.S. Cost of a Data Breach, April 10, 2010, Overall Trends, page 5. 5 Ponemon Institute, LLC, Second Annu al Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, August 2, 2011, Page 2. 6 Software Engineering Institute CERT Program at Carnegie Mellon, Press release, “2011 Cybersecurity Watch Survey: Organizations Need More Skilled Cyber Professionals to Stay Secure” January 31, 2011, pages 1-2; survey by CSO, the U.S. Secret Service, the Software Engineering Institute CERT Program at Carnegie Mellon University, and Deloitte. 7 Forrester Research, Inc., Security Futures: Selected Results from Forrsights Security Survey Q3 2010, presentation, September 23, 2010, slide 10. 5
    • Evolving Security “ Many organizations don’t have the tools and in-house expertise to detect these ” threats, so attacks and security breaches go unnoticed.8 - Gartner Research, Inc. Undeniably more businesses value the benefits of outsourcing their security management to a service provider to deploy a more layered defense strategy across the entire network. Outsourcing helps companies simplify their infrastructure and costs, and also frees up their time to devote to core security functions such as strategic planning, governance and risk management, and regulatory compliance reporting responsibilities. The biggest benefits of outsourcing are greater centralization of network security controls and policies, deeper and broader coverage of security threat intelligence from experienced network security professionals, increased responsiveness, and considerable cost savings. Following is a more detailed look at these five core benefits. Benefits of outsourcing 1. Greater centralization of network security controls and policies Businesses with multiple locations, flat IT management structures, and fragmented approaches to security make easy targets for hackers. Enterprises that lack a cohesive security strategy and uniform, top-down security implementation open up vulnerabilities, often at network endpoints. When company-wide security policies and rules aren’t con- sistently updated on a centralized network firewall, problems can arise that can jeopardize the security of the entire network. In addition, if companies with Managed Security at the customer premise of an individual location fail to update the premise-based firewall at that location, it could open the door for hackers to gain access, which compromises the net- work. Security leaders who recognize these vulnerabilities increasingly turn to the Security- as-a-Service model, which centralizes and standardizes network security controls and policies across the organization. By definition, Security-as-a-Service models are typically delivered virtually using a cloud-based delivery model and may be referred to as network- based services. Beyond the benefits of centralization, the virtualized, cloud-based delivery model eliminates the need to buy and manage premise-based, security devices and appli- ances, and manage software updates at each location. 8 Gartner Research, Inc., Network Security Monitoring Tools for ‘Lean Forward’ Security Programs. February 1, 2011.6 Solutions you want. Support you need.
    • XO Communications 2. Deeper and broader coverage By outsourcing network security management, businesses are able to significantly improve network security with proactive, 24x7x365 monitoring and alerting —without having to recruit, train, and manage additional internal IT staff. Many security service providers offer SSAE 16- audited Security Operations Centers that are staffed with professional analysts who have access to hundreds of security feeds, including those from the U.S. Computer Emergency Readiness Team (CERT), the FBI, and major software providers such as Microsoft®. When threats are identified, analysts are able to block attack pathways and send appropriate notifications. Since security analysts are monitoring around the clock, threats are addressed strategically—before or as they happen, in real time, and not just during business hours. 3. Experience and competenceBusinesses that choose to hirea third party to manage their Businesses that choose to hire a third party to manage their network security benefit fromnetwork security benefit from an immediate boost in quality as well as quantity of coverage. That’s largely because Security-as-a-Service providers focus exclusively on the detection, prevention and neu-an immediate boost in quality tralization of network threats. In-house security and IT staff, tasked with a wide range ofas well as quantity of coverage. responsibilities, typically cannot focus purely on information security. Many in-house secu- rity teams don’t have the same depth of knowledge that comes with specialization or the same degree of expertise in network analysis as a Security-as-a-Service provider. In a Global State of Information Security Survey of more than 12,800 executives in busi- nesses of 135 countries, 59% of respondents said that having an increased reliance on managed security services was important; and 43% said that economic realities caused them to reduce the number of security personnel.9 9 “Respected but still restrained: Findings from the 2011 Global State of Information Security Survey, by PriceWaterhouseCoopers, CIO magazine and CSO magazine, published September 15, 2011, page 17. 7
    • Evolving Security 4. Increased responsiveness With a singular focus on network threats, network security service providers offer a level of readiness that gives clients a considerable edge in terms of preparedness and overall miti- gation of risk. With daily access to hundreds of industry security alert feeds, Security-as- a-Service providers have an up-to-the-minute awareness of existing and potential threats, often far sooner than an in-house security team.Outsourcing network 5. Cost savings (operational and opportunity)security management can Outsourcing network security management can be an ideal solution for many enterprises,be an ideal solution for given today’s rising security threat environment and stagnant security budgets. Somemany organizations, given businesses whose industry compliance regulations are so complex that they require highly specialized in-house expertise and certified professional security professionals may prefertoday’s rising security threat to keep network security in-house. Yet for many other businesses, the Security-as-a-environment and stagnant Service model lowers operational and capital expenses by reducing the need to hire, trainsecurity budgets. and manage additional security staff, as well as the costs associated with location-based customer support, security appliances and software patch updates. There are other savings as well. Blocking unwanted traffic on a company network frees up bandwidth that can be shared with other locations on the network, thereby helping com- panies save on Internet costs. In this way, enterprises can ensure strong network security without degrading the availability or performance of their corporate network. In addition, the outsourced security model eases many information security officers’ con- cerns over control. Chief Information Security Officers (CISOs) and other decision makers realize the distinction between network security execution and control—and that outsourc- ing doesn’t mean that a company relinquishes control of security policies. On the contrary, even with an outsourced network security component, enterprises still set the rules that govern their security policies. In turn, service providers implement the management of these policies based on custom requirements. Leading security service providers collabo- rate closely with their clients to design, implement, and manage network security that’s appropriate for each business. In addition, security policies often need to be adjusted several times a day as new threats develop. A service provider can help the organization put the rules into place and monitor threats accordingly.8 Solutions you want. Support you need.
    • XO Communications The Cost Implications of Network Security Attacks The longer it takes to clean up after a network security attack, the greater the financial impact. According to one 2010 study, it took companies an average of 14 days and an average of $247,744 to clean up after an attack.10 A year later, respondents to the 2011 study report that it takes them an average of 18 days and an average of $417,748 to clean up after an attack.11 The study also found that 40% of the external costs to an organization for cyber crime were attributed to information theft, and that 28% were due to business disruption and lost productivity.12 Many IT departments, particularly those whose fund- ing is tied to corporate profits, either cannot currently afford or cannot count on having the resources to pay for dedicated analysts to monitor their systems 24x7. Without expert around-the-clock coverage, these organizations tempt a costly fate. $23,200 18 days 40% Cost of a Network attack The average length of time of the external costs to per day, according to one it took to clean up after an an organization for cyber industry survey. attack in 2011, according crime were attributed to respondents of a bench- to information theft, mark survey, compared according to one industry with 14 days in 2010. research study. 10 Ponemon Institute LLC, Research Report, Second Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, published August 2011, Executive Summary, page 2. 11 Ponemon Institute LLC, Research Report, Second Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, published August 2011, Executive Summary, page 2. 12 Ponemon Institute LLC, Research Report, Second Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, published August 2011, Executive Summary, page 2. 9
    • Evolving Security ConclusionThe benefits of outsourcing: According to Gartner, Inc, a leading information technology research and advisory com-greater centralization, pany, “the cost of mitigating a data breach is likely to be vastly greater than the cost of preventing the breach beforehand—perhaps by a 70-to-1 margin in 2011.” 13greater depth and breadth ofcoverage, greater experience High profile attacks against government agencies and large corporations make us alland competence, increased cognizant of the threat potential from hackers and cyber anarchists. These episodes haveresponsiveness, and greater prompted new and expanding regulatory frameworks that, paradoxically, have increased the strain on in-house security resources. This all comes at a time when economic pres-cost efficiency reduce the sures and uncertainties strain even the most competent information security professionalsstrain on information security at U.S. enterprises. Fortunately, the benefits of an outsourced Security-as-a-Service modelprofessionals at U.S.-based help resolve these issues with greater centralization; greater depth and breadth of cover-businesses. age; greater experience and competence; increased responsiveness; and greater cost efficiency than traditional, premise-based approaches at individual sites. 13 Gartner Research, Gartner Predicts 2011: Infrastructure Protection is Becoming More Complex, More Difficult and More Business-Critical than Ever, November 16, 2010.10 Solutions you want. Support you need.
    • XO Communications About XO Hosted Security XO® Hosted Security is a Security-as-a-Service offering that gives companies more flex- ibility to deploy and manage comprehensive network-based security. The solution providesHosted Security is a high-speed, unified threat management capabilities and advanced technology, and sup-Security-as-a-Service ports customers 24/7 through a certified security partner, StillSecure. XO Enterprise Cloudoffering that gives companies Security includes one or more next-generation network-based firewalls; intrusion detection and prevention, including Distributed Denial of Service (DDoS) protection; secure web andmore flexibility to deploy content filtering; and secure remote access to the company network. Since all of the secu-and manage comprehensive rity applications reside in the cloud, organizations with widely distributed operations cannetwork-based security. implement robust security services without having to manage and maintain the equipment and infrastructure at each location. Hosted Security is fully integrated with the award- winning XO MPLS IP-VPN intelligent networking service. For more information, visit www. xo.com/hostedsecurity. About StillSecure StillSecure, a technology partner for Hosted Cloud Security, delivers comprehensive network security that protects organizations from the perimeter to the endpoint. Offering both products and managed security services, StillSecure enables customers to affordably deploy the optimal blend of technologies for locking down their assets and complying with security policies and regulations. StillSecure customers range from mid- market companies to the world’s largest enterprises and agencies in government, financial services, healthcare, education, and technology. For more information visit http://www.stillsecure.com.© Copyright 2012. XO Communications, LLC. All rights reserved. 11XO, the XO design logo, and all related marks are registered trademarks of XO Communications, LLC.
    • About XO CommunicationsXO Communications is a leading nationwide provider of advanced broadband communicationsservices and solutions for businesses, enterprises, government, carriers and service providers.Its customers include more than half of the Fortune 500, in addition to leading cable companies,carriers, content providers and mobile network operators. Utilizing its unique combination of high-capacity nationwide and metro networks and broadband wireless capabilities, XO Communicationsoffers customers a broad range of managed voice, data and IP services with proven performance,scalability and value in more than 85 metropolitan markets across the United States. For moreinformation, visit www.xo.com.For XO updates, follow us on: Twitter | Facebook | Linkedin | SlideShare | YouTube | Flickr© Copyright 2012. XO Communications, LLC. All rights reserved.XO, the XO design logo, and all related marks are trademarks of XO Communications, LLC. XONSWP-0412