Outsource Authorversion
http://ieeexplore.ieee.org/xpl/abstractAuthors.jsp?reload=true&arnumber=7396204
Abstract—Many organisations are outsourcing computer operations to third parties, and the next logical step is to outsource management of computer security incidents as well. This paper describes a case study where we have studied several organisations who are active in this space today. Our results indicate that outsourcing of incident management is a viable security approach for many organisations, but that transitioning between providers frequently is a challenge.

Index Terms—Outsourcing; incident response; security

I. INTRODUCTION

Today’s evolving Information and Communication Technology (ICT) environment requires connecting not only new applications and devices, but also new providers and partners. As a result, the ICT environment has been gradually outsourced to third parties, expanding the security perimeter. Some organizations are moving their ICT infrastructure to the cloud, where the options for incident response are either null or dependent on third parties, with legal and accountability issues. Moreover, attackers (motivated, skilled and well-funded) are discovering new attack vectors, while defenders have to take care of multiple technologies and keep them and themselves updated.

Incidents will occur sooner or later, but the important thing is to detect, contain and eradicate the incident quickly and effectively to reduce the impact to the organization. However, organizations under-invest in prevention and suffer from scarcity of skilled personnel. An evolving threat landscape and the lack of expertise in many organizations require new strategies to balance the need to manage incidents effectively.

Some companies provide outsourced monitoring and management of security devices and systems. Outsourcing incident management services seems to be a cost-effective way to satisfy some organizations’ requirements. These kinds of providers are able to see a big picture view, by using the knowledge acquired by their solutions as their advantage.

A. Participants

The participant organizations in this study are transnational organizations selected based on the managed security service provider’s (MSSP) market presence. Five large MSSPs contributed to the interviews.

B. Paper Structure

The remainder of this paper is structured as follows: We present related work in Section II, and elaborate on relevant standards in Section III. We provide more background on incident management in Section IV, and present our results in Section V. Section VI concludes the paper.

II. RELATED WORK

The term incident management refers to the actions and mechanisms used to manage information security incidents. It is used to describe the collection of tasks involved with the incident response life-cycle. These tasks include planning and preparation, detection and reporting, assessment and decision, responses, and lessons learnt to prevent future incidents.

Different standards, guidelines and frameworks have direct and indirect remarks on incident management. Those that are most notable among the information security community are: NIST SP 800-61 [1], ISO/IEC 27035 [2], ENISA Good Practice Guide for Incident Management [3] and ITIL [4]. These standards, guidelines and frameworks will be described in Section III.

Siepmann [5] describes outsourcing as contracting out services, previously performed internally, to a third party. Both the third party and the organization contracting out the services take part in a contractual agreement that involves payments and exchange of services.

A great amount of academic literature related to incident management and managed security services (MSS) has been published. Nevertheless, the literature focused on outsourced incident management services is scarce. Siepmann [5] presents an analysis of security and privacy impacts when outsourcing Information Technology (IT) processes as well as recommendations on outsourcing preparation. Sherwood [6] studied the concerns regarding security of information within outsourced settings. The study presents a strategy to manage information security on outsourced technical services.

The study performed by Tøndel et al. [7] on current practices and experiences with incident management identified the practice of incident management in outsourcing scenarios as one of the challenges for incident management. In accordance with their study, there is a need for improved understanding of the challenges of incident response in outsourcing scenarios, particularly when several suppliers are serving the same customer.

Maj et al. [3] discuss the outsourcing of incident management from the Computer Emergency Response Team (CERT1) point of view. They suggest hiring the right people to guide the outsourcing process since it is a challenging project that should not be underestimated. Maj et al. recommend keeping control over the incident handling services and not outsourcing those elements of incident handling that provide control, such as incident reports, registration, triage (including verification and classification) and the overall coordination of incident resolution. Some of the reasons given to outsource incident management related services are [3], [8]:
• Cost.
• Difficulties in hiring, training and retaining staff.
• Services you might not want to provide yourself.
• Physically hardened facilities with latest infrastructure.
• Enterprise-wide management of security strategy.
• Access to threat and countermeasure information.
• Global prosecution.
• Service performance 24x7.

There is a need for research on the topic of outsourced incident management services since related information is scarce [9]. Siepmann’s work [5] addresses management of information security incidents, but his comments only consider managing incidents in outsourcing settings and not incidents managed by a trusted third party to which the services are outsourced. Sherwood’s study on management of security on outsourcing contracts [6] does not have an assessment on incident management. Tøndel et al.’s study on current practices and experiences with incident management [7] does not describe any outsourced incident management experiences or practices. The good practice guide for incident management published by Maj et al. [3] only addresses outsourcing of incident management from the CERT’s perspective.

III. STANDARDS AND GUIDELINES

This section introduces some standards containing information regarding incident management.

A. NIST Special Publication 800-61

This standard [1] aims to assist organizations in mitigating risks from computer security incidents by providing guidance on establishing incident response capabilities. It includes guidelines on building incident management capabilities and the interaction with external parties, such as vendors or a Computer Security Incident Response Team (CSIRT).

NIST SP 800-61 describes in detail the four major phases of the incident response life cycle. These phases are (see Fig. ??):
• Preparation.
• Detection and Analysis.
• Containment, Eradication and Recovery.
• Post-Incident Activity.

B. ISO/IEC 27035:2011 Information security incident management

This standard [2] provides guidance on incident management. It offers a structured approach to deal with incidents, including planning, detecting, responding and thereafter extracting lessons learnt. ISO/IEC 27035:2011 presents five phases with recommended activities. These phases are:
• Plan and Prepare.
• Detection and Reporting.
• Assessment and Decision.
• Responses.
• Lessons learnt.

ISO 27035 aims to assist organizations in satisfying the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) specified in ISO/IEC 27001:2013 [10]. ISO 27035 provides guidelines on the implementation of good practices on information security management presented in the standard ISO/IEC 27002:2013 [11].

C. ENISA - Good Practice Guide for Incident Management

ENISA’s guide [3] provides guidelines for security incident management. It provides recommendations on the creation of a CERT and assists in preparing its mission, constituency, responsibility, mandate, organizational framework and the type of services, in terms of the incident management process, that it can deliver.

This guide highlights the incident handling process, and provides related information on roles, workflows and policies. ENISA’s guide pays no attention to the preparation phase and focuses on the incident handling process composed of four phases: detection, triage, analysis and incident response.

D. The ITIL Framework

The ITIL framework [4] is a source of good practice for service management that focuses on aligning IT services with the needs of the organization. The main goals of the incident management lifecycle are to reestablish a normal service as fast as possible and to reduce unfavorable impact on business operations. During the incident management process, resources are assigned to different activities such as identification, registration, categorization, prioritization, diagnosis, escalation, investigation, resolution, recovery, and incident closure, in order to mitigate and minimize the impact of incidents. The incident management process can be triggered by incident reports coming from diverse sources.

IV. INCIDENT MANAGEMENT

There is a lack of consistency in defining incident management across the standards and guidelines as well as in the information security literature. The terms incident management, incident handling and incident response are in some cases used interchangeably. However, these terms have a different scope.

1 The term CERT was used for the first time by the Computer Emergency Response Team Coordination Center (CERT-CC) at Carnegie Mellon University. Some teams around the world took the CERT term and other teams used the term Computer Security Incident Response Team (CSIRT) to point out the task of handling computer security incidents instead of other technical support work. The terms CERT, CSIRT, Incident Response Team (IRT), Computer Incident Response Team (CIRT) and Security Emergency Response Team (SERT) have been used interchangeably in the literature to refer to teams that aim to mitigate the impact of a potential major information security incident.
is more convenient to use a third party to provide a particular service. On the other hand, fully outsourcing incident management would be an option for those organizations that want to focus uniquely and completely on their core services and rather outsource anything else.