EVOLVING SECURITY 5 REASONS TO OUTSOURCE NETWORK SECURITY MANAGEMENT IN TODAY S THREAT ENVIRONMENT

Transcription

1 EVOLVING SECURITY 5 REASONS TO OUTSOURCE NETWORK SECURITY MANAGEMENT IN TODAY S THREAT ENVIRONMENT xo.com

2 Evolving Security 5 Reasons to Outsource Network Security Management in Today s Threat Environment Contents Introduction 3 Network Security is More Complex Than Ever 4 Costs from Attacks are Increasing 5 The Need for a Collaborative Approach 5 1. Greater centralization of network security controls and policies 6 2. Deeper and broader coverage 7 3. Experience and competence 7 4. Increased responsiveness 8 5. Cost savings (operational and opportunity) 8 The Cost Implications of Network Security Attacks 9 Conclusion 10 About XO Communications 11 About XO Hosted Security 11 About StillSecure 11 2 Solutions you want. Support you need.

3 XO Communications Introduction This white paper describes the reasons why companies outsource security management in today s threat environment. It includes an assessment of the overall threat landscape, and reviews five key benefits of outsourcing. Many businesses no longer possess the in-house expertise or the resources to monitor, detect or mitigate today s sophisticated security threats from entering their networks. Expanding use of Web 2.0 and Internet-based business applications creates new challenges for businesses that need to keep malicious security breaches from entering their company networks. Next-generation security threats, including Advanced Persistent Threats, are menacing and increasingly difficult to detect. A single data breach could have potentially devastating direct and indirect consequences such as fines, penalties or lawsuits arising from a company s failure to protect its private and personal customer information according to industry standards. Security breaches also can result in huge financial losses and lost revenue as a result of operational downtime, customer turnover, and damage to credibility and reputation. Many businesses no longer possess the in-house expertise or the resources to monitor, detect or mitigate today s sophisticated security threats from entering their networks. Outsourcing network security management to a Security-as-a-Service or cloud-based delivery provider has become an attractive option for enterprises that need company-wide visibility of their Internet security gateways, Unified Threat Management, 24x7x365 monitoring and management, and a stronger knowledge base of security best practices across a broad range of industries. Besides centralizing security controls and policies across the network, the cloud-delivery model of a Security-as-a-Service eliminates the need to buy and manage premise-based security devices at individual locations. Security-as-a-Service offerings that provide clean pipes capabilities help prevent unwanted or malicious traffic from entering the network through the Internet or data pipe, and permit legitimate or clean data traffic to get delivered across the network more efficiently. 3

4 Evolving Security Network Security is More Complex Than Ever Sobering reports of network security threats are a constant reminder that the threat landscape has changed and become very complex. News stories about high-profile brands being compromised by network security breaches are widespread. Because of the growing security threats, information security officers at U.S. businesses are more concerned than ever about security risks. In a survey of more than 2,000 small-to-medium business and enterprise security decision makers, the majority of respondents listed data security (88%) and managing vulnerabilities and threats (84%) among their top priorities. 1 Sobering reports of network security threats are a constant reminder that the threat landscape has changed and become very complex. One security threat report predicted that cumulative, unique malware samples will have surpassed 75 million by year-end What s behind this surge in malware? A key factor is that hackers can more easily acquire software that they need to inflict damage. For example, exploits can be bought and sold on the black market for a few hundred dollars. The code for malware and worms is readily available over the internet for duplication and manipulation. The code for the Stuxnet worm, one of the most sophisticated worms ever discovered, was effectively open sourced with point-and-click accessibility. As malware advances, it s easier than ever for criminals to use it to inflict harm. In addition, there are new avenues that hackers can use to gain access to an enterprise network particularly from social media, virtualized servers, cloud computing applications, wireless networking and smart phone applications. 1 Forrester Research, Inc., Security Futures: Selected Results from Forrsights Security Survey Q3 2010, presentation, September 23, 2010, slide McAfee Labs, McAfee Threats Report: Third Quarter 2011, page 6 4 Solutions you want. Support you need.

5 XO Communications Attacks Grow in Number and Sophistication One cyber-security watch survey of 600 organizations found that: 81% of respondents organizations experienced a security event between the survey period of August 2009 and July 2010, compared to 60% the year before Of the companies that experienced an attack, 28% of respondents saw an increase in the number of attacks Cyber attacks from foreign entities doubled to 10% from 2009 to Costs From Attacks are Increasing Costs associated with corporate network attacks are severe and growing. According to one security industry study, the cost of a data breach rose for five consecutive years from 2006 through Clean up costs that resulted from damaging data breaches among the surveyed companies increased to $7.2 million and cost an average of $214 per compromised record. 4 In another security threat report that surveyed 50 corporations, malicious code, Denial of Service, and webbased attacks were cited as the most costly types of threats for businesses. 5 Unfortunately, IT budgets are struggling to keep up with the rise in costs to clean up after security breaches. While a sluggish economic recovery has put downward pressure on security budgets, new and evolving technologies provide corporate spies, cyber warriors, and other hackers with new avenues with which to exploit network vulnerabilities. As a result, Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs) face the nearly impossible challenge of having to strengthen network defenses within significant budgetary constraints. The Need for a Collaborative Approach As information security risks soar, it s become harder for security professionals to dedicate the time and resources to everyday monitoring, management and responses that are necessary to combat the increased risks. As a result, many companies are selecting service providers to help them improve preparedness in the most cost-efficient manner, thereby freeing up in-house staff for other activities, such as strategic planning and management. Why do enterprises hire a third party to manage network security? One survey of 1,400 small-to-medium business and enterprise security decision makers identified the top motives. Respondents indicated said that it was important to them to improve the quality of protection, gain 24x7 coverage, reduce cost, gain greater competency or specialized skills, and to reduce complexity. 7 3 Ponemon Institute LLC, 2010 Annual Study: U.S. Cost of a Data Breach, April 10, 2010; Overall Trends, page 5. 4 Ponemon Institute LLC, 2010 Annual Study: U.S. Cost of a Data Breach, April 10, 2010, Overall Trends, page 5. 5 Ponemon Institute, LLC, Second Annu al Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, August 2, 2011, Page 2. 6 Software Engineering Institute CERT Program at Carnegie Mellon, Press release, 2011 Cybersecurity Watch Survey: Organizations Need More Skilled Cyber Professionals to Stay Secure January 31, 2011, pages 1-2; survey by CSO, the U.S. Secret Service, the Software Engineering Institute CERT Program at Carnegie Mellon University, and Deloitte. 7 Forrester Research, Inc., Security Futures: Selected Results from Forrsights Security Survey Q3 2010, presentation, September 23, 2010, slide 10. 5

6 Evolving Security Many organizations don t have the tools and in-house expertise to detect these threats, so attacks and security breaches go unnoticed. 8 Undeniably more businesses value the benefits of outsourcing their security management to a service provider to deploy a more layered defense strategy across the entire network. Outsourcing helps companies simplify their infrastructure and costs, and also frees up their time to devote to core security functions such as strategic planning, governance and risk management, and regulatory compliance reporting responsibilities. The biggest benefits of outsourcing are greater centralization of network security controls and policies, deeper and broader coverage of security threat intelligence from experienced network security professionals, increased responsiveness, and considerable cost savings. Following is a more detailed look at these five core benefits. Benefits of outsourcing 1. Greater centralization of network security controls and policies Businesses with multiple locations, flat IT management structures, and fragmented approaches to security make easy targets for hackers. Enterprises that lack a cohesive security strategy and uniform, top-down security implementation open up vulnerabilities, often at network endpoints. When company-wide security policies and rules aren t consistently updated on a centralized network firewall, problems can arise that can jeopardize the security of the entire network. In addition, if companies with Managed Security at the customer premise of an individual location fail to update the premise-based firewall at that location, it could open the door for hackers to gain access, which compromises the network. Security leaders who recognize these vulnerabilities increasingly turn to the Securityas-a-Service model, which centralizes and standardizes network security controls and policies across the organization. By definition, Security-as-a-Service models are typically delivered virtually using a cloud-based delivery model and may be referred to as networkbased services. Beyond the benefits of centralization, the virtualized, cloud-based delivery model eliminates the need to buy and manage premise-based, security devices and appliances, and manage software updates at each location. - Gartner Research, Inc. 8 Gartner Research, Inc., Network Security Monitoring Tools for Lean Forward Security Programs. February 1, Solutions you want. Support you need.

7 XO Communications 2. Deeper and broader coverage By outsourcing network security management, businesses are able to significantly improve network security with proactive, 24x7x365 monitoring and alerting without having to recruit, train, and manage additional internal IT staff. Many security service providers offer SSAE 16- audited Security Operations Centers that are staffed with professional analysts who have access to hundreds of security feeds, including those from the U.S. Computer Emergency Readiness Team (CERT), the FBI, and major software providers such as Microsoft. When threats are identified, analysts are able to block attack pathways and send appropriate notifications. Since security analysts are monitoring around the clock, threats are addressed strategically before or as they happen, in real time, and not just during business hours. Businesses that choose to hire a third party to manage their network security benefit from an immediate boost in quality as well as quantity of coverage. 3. Experience and competence Businesses that choose to hire a third party to manage their network security benefit from an immediate boost in quality as well as quantity of coverage. That s largely because Security-as-a-Service providers focus exclusively on the detection, prevention and neutralization of network threats. In-house security and IT staff, tasked with a wide range of responsibilities, typically cannot focus purely on information security. Many in-house security teams don t have the same depth of knowledge that comes with specialization or the same degree of expertise in network analysis as a Security-as-a-Service provider. In a Global State of Information Security Survey of more than 12,800 executives in businesses of 135 countries, 59% of respondents said that having an increased reliance on managed security services was important; and 43% said that economic realities caused them to reduce the number of security personnel. 9 9 Respected but still restrained: Findings from the 2011 Global State of Information Security Survey, by PriceWaterhouseCoopers, CIO magazine and CSO magazine, published September 15, 2011, page 17. 7

8 Evolving Security 4. Increased responsiveness With a singular focus on network threats, network security service providers offer a level of readiness that gives clients a considerable edge in terms of preparedness and overall mitigation of risk. With daily access to hundreds of industry security alert feeds, Security-asa-Service providers have an up-to-the-minute awareness of existing and potential threats, often far sooner than an in-house security team. Outsourcing network security management can be an ideal solution for many organizations, given today s rising security threat environment and stagnant security budgets. 5. Cost savings (operational and opportunity) Outsourcing network security management can be an ideal solution for many enterprises, given today s rising security threat environment and stagnant security budgets. Some businesses whose industry compliance regulations are so complex that they require highly specialized in-house expertise and certified professional security professionals may prefer to keep network security in-house. Yet for many other businesses, the Security-as-a- Service model lowers operational and capital expenses by reducing the need to hire, train and manage additional security staff, as well as the costs associated with location-based customer support, security appliances and software patch updates. There are other savings as well. Blocking unwanted traffic on a company network frees up bandwidth that can be shared with other locations on the network, thereby helping companies save on Internet costs. In this way, enterprises can ensure strong network security without degrading the availability or performance of their corporate network. In addition, the outsourced security model eases many information security officers concerns over control. Chief Information Security Officers (CISOs) and other decision makers realize the distinction between network security execution and control and that outsourcing doesn t mean that a company relinquishes control of security policies. On the contrary, even with an outsourced network security component, enterprises still set the rules that govern their security policies. In turn, service providers implement the management of these policies based on custom requirements. Leading security service providers collaborate closely with their clients to design, implement, and manage network security that s appropriate for each business. In addition, security policies often need to be adjusted several times a day as new threats develop. A service provider can help the organization put the rules into place and monitor threats accordingly. 8 Solutions you want. Support you need.

9 XO Communications The Cost Implications of Network Security Attacks The longer it takes to clean up after a network security attack, the greater the financial impact. According to one 2010 study, it took companies an average of 14 days and an average of $247,744 to clean up after an attack. 10 A year later, respondents to the 2011 study report that it takes them an average of 18 days and an average of $417,748 to clean up after an attack. 11 The study also found that 40% of the external costs to an organization for cyber crime were attributed to information theft, and that 28% were due to business disruption and lost productivity. 12 Many IT departments, particularly those whose funding is tied to corporate profits, either cannot currently afford or cannot count on having the resources to pay for dedicated analysts to monitor their systems 24x7. Without expert around-the-clock coverage, these organizations tempt a costly fate. $23, days 40% Cost of a Network attack per day, according to one industry survey. The average length of time it took to clean up after an attack in 2011, according to respondents of a benchmark survey, compared with 14 days in of the external costs to an organization for cyber crime were attributed to information theft, according to one industry research study. 10 Ponemon Institute LLC, Research Report, Second Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, published August 2011, Executive Summary, page Ponemon Institute LLC, Research Report, Second Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, published August 2011, Executive Summary, page Ponemon Institute LLC, Research Report, Second Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, published August 2011, Executive Summary, page 2. 9

10 Evolving Security Conclusion The benefits of outsourcing: greater centralization, greater depth and breadth of coverage, greater experience and competence, increased responsiveness, and greater cost efficiency reduce the strain on information security professionals at U.S.-based businesses. According to Gartner, Inc, a leading information technology research and advisory company, the cost of mitigating a data breach is likely to be vastly greater than the cost of preventing the breach beforehand perhaps by a 70-to-1 margin in High profile attacks against government agencies and large corporations make us all cognizant of the threat potential from hackers and cyber anarchists. These episodes have prompted new and expanding regulatory frameworks that, paradoxically, have increased the strain on in-house security resources. This all comes at a time when economic pressures and uncertainties strain even the most competent information security professionals at U.S. enterprises. Fortunately, the benefits of an outsourced Security-as-a-Service model help resolve these issues with greater centralization; greater depth and breadth of coverage; greater experience and competence; increased responsiveness; and greater cost efficiency than traditional, premise-based approaches at individual sites. 13 Gartner Research, Gartner Predicts 2011: Infrastructure Protection is Becoming More Complex, More Difficult and More Business-Critical than Ever, November 16, Solutions you want. Support you need.

11 XO Communications About XO Hosted Security Hosted Security is a Security-as-a-Service offering that gives companies more flexibility to deploy and manage comprehensive network-based security. XO Hosted Security is a Security-as-a-Service offering that gives companies more flexibility to deploy and manage comprehensive network-based security. The solution provides high-speed, unified threat management capabilities and advanced technology, and supports customers 24/7 through a certified security partner, StillSecure. XO Enterprise Cloud Security includes one or more next-generation network-based firewalls; intrusion detection and prevention, including Distributed Denial of Service (DDoS) protection; secure web and content filtering; and secure remote access to the company network. Since all of the security applications reside in the cloud, organizations with widely distributed operations can implement robust security services without having to manage and maintain the equipment and infrastructure at each location. Hosted Security is fully integrated with the awardwinning XO MPLS IP-VPN intelligent networking service. For more information, visit www. xo.com/hostedsecurity. About StillSecure StillSecure, a technology partner for Hosted Cloud Security, delivers comprehensive network security that protects organizations from the perimeter to the endpoint. Offering both products and managed security services, StillSecure enables customers to affordably deploy the optimal blend of technologies for locking down their assets and complying with security policies and regulations. StillSecure customers range from midmarket companies to the world s largest enterprises and agencies in government, financial services, healthcare, education, and technology. For more information visit Copyright XO Communications, LLC. All rights reserved. 11 XO, the XO design logo, and all related marks are registered trademarks of XO Communications, LLC.

12 About XO Communications XO Communications is a leading nationwide provider of advanced broadband communications services and solutions for businesses, enterprises, government, carriers and service providers. Its customers include more than half of the Fortune 500, in addition to leading cable companies, carriers, content providers and mobile network operators. Utilizing its unique combination of highcapacity nationwide and metro networks and broadband wireless capabilities, XO Communications offers customers a broad range of managed voice, data and IP services with proven performance, scalability and value in more than 85 metropolitan markets across the United States. For more information, visit For XO updates, follow us on: Twitter Facebook Linkedin SlideShare YouTube Flickr Copyright XO Communications, LLC. All rights reserved. XO, the XO design logo, and all related marks are trademarks of XO Communications, LLC. XONSWP-0412