Over the past few years we have seen a surge in IT security incidents. Major data breaches at companies like Target, Equifax, and Facebook, Distributed Denial of Service attacks organized either by hacktivist groups or nation states, millions of smaller campaigns spread through phishing, malware, or social engineering attempts – you name it.

On top of that, year over year, we learn about critical vulnerabilities in software that is utilized as building blocks of the Internet and systems that we were used to simply trust as bulletproof. You probably recall the panic that ensued after the Heartbleed Bug was announced.

It seems that taking at least minimal care of the security of your IT infrastructure should be a basic requirement for a healthy company, like washing hands is a basic mean of ensuring that your body stays healthy. But how can you make a stab at that if you don’t want to hire someone full-time or you can’t find a suitable candidate on the job market? One of the possibilities could be to look for a 3rd party provider that could answer your IT security needs or even guide you through the entire process of setting up your IT security operations.

Why would you outsource IT security?

IT security is a highly specialized chunk of the wider IT field, that usually requires multiple years of expertise and staying always up to date with the latest attack techniques and developments in the area. Afterall, it resembles an arms race between the malicious actors and the rest of the world.

One of the necessary skills is the ability to think like an attacker. Seasoned IT security professionals should not only try to defend your infrastructure but also point you at the weaknesses in your systems. They should be able to demonstrate you how these weaknesses could be exploited in the real life.

Typically, during any software development cycle one of the shortcomings is that the ready product is often tested only against “happy path” scenarios, that aim at demonstrating the business value. What is often left untested are these corner cases where someone doesn’t utilize the software in the ways that it was designed to be used. Rather than that, malicious actors try to see what would happen if they play around various settings and options that were left untested during the development phase. What if I change the “balance” parameter in the request to the payment service in the web store? How about this “role” option? What would happen if I change it to “admin”?

Security experts focus on these corner cases, “unhappy paths” so to speak, and test the systems behavior when the unexpected happens. Thanks to that they could ensure that when the real “bad guy” strikes, your system would be prepared and protected.

How IT security can be outsourced?

IT security services vary from one-off consultancy to long-term continuous engagements.

Consulting
One-off consultancy usually covers a well-defined IT security need. Here are the examples of such engagements:

• Network configuration audit, e.g. audit of your firewalls and network switches
• Cloud configuration audit, e.g. audit of users, roles and their assigned privileges in cloud
• services like Amazon Web Services, Google Cloud Platform or Microsoft Azure
• Audit of your employee offboarding process
• GDPR compliance support

These types of services span usually over a couple of days to several weeks, depending on the problem at hand. But once they are completed, there should be no need to repeat them, unless there was a major change in the way your IT infrastructure is organized.

Time-bound engagements
Another group of the IT security services are time-bound engagements, when you call in the team of security experts to help you over a pre-arranged period. Here, rather than focusing on a specific task, the goal is to cover as many possible scenarios as possible during the time of the assignment.

Typically, this type of engagements would be repeated, e.g. every half a year or every year. You could compare your results in between the subsequent occurrences to see whether your security posture has improved.

Such time-bound engagements include, but are not limited to:

• Tabletop exercises/wargames – your IT security outsourcing partner will guide you through a series of scenarios describing potential security incidents. The goal is to see how good you are at responding to these threats if they were to occur to your company in real life. The engagements usually last from a couple of hours to 2-3 days, depending on how deep you want to go with the simulation and the number of possible scenarios. IT security experts could also help you with designing your security incident response process, in the form of runbooks/playbooks, that clearly define the incident response steps.
• Penetration testing – here the goal is to find the vulnerabilities in your IT infrastructure or, if you are a software development company, in the software you are shipping. A team of pentesters will attack your assets and try to find a way in, e.g. to access sensitive information like personal information of your customers or financial data that you would like to keep private. Usually these types of assignments last about 1 or 2 weeks depending on the scope of the penetration test.
• Red Teaming/Blue Teaming – very similar in their nature to the penetration testing, but here, rather than just standing still and observing, your company could engage in actively defending against the incoming attacks. This could be a practical way of ensuring that the countermeasures devised during the tabletop exercises are working.
• Data breach response – when the unexpected happens, you can call in a team of experts to help you sort through the rubble. In case of a security breach at your company, they will help you to coordinate your response steps, stop the bleeding, run the forensics investigation on your infrastructure and work with your Public Relations team or help you coordinate with the local authorities, in case it is necessary.

Continuous engagements
In case you are considering a long-term outsourcing of your IT security services, you have a couple of options.

One model emerging in popularity in the recent years is to outsource completely all your security incident response tasks to a specialized unit often referred to as Security Operation Center (SOC). Such team will respond to any suspicious behavior detected in your infrastructure. They could help you with spikes of malware infections, phishing attempts, or even be the first responders in the cases of Social Engineering attempts (e.g. when the attackers are targeting directly your employees through phone calls or malicious advertising campaigns).

Apart from that, you may always rely on the outsourcing company to work hands-in-hand with your existing security team in the staff augmentation model. You can call in the additional help of IT security experts when you need to expand your team and cannot find a suitable candidate, or if you are experiencing a temporary staffing shortage. You could pick a specific talent to augment your team’s ability to respond to the security threats. That way, your team could level up in a specific area of the IT security, working alongside an expert from the outsourcing company.

Summary

Outsourcing of the IT security services seems to be a reasonable option if you are looking for the expertise in this specific field. IT security experts possess the necessary “think like an attacker” mindset and could help you either in one-off audit of your IT infrastructure, or more regular engagements like penetration testing or Red Teaming/Blue Teaming exercises. If you are looking for a long-term engagement with an IT security outsourcing partner, you could even consider completely outsourcing your IT security operations in the form of outsourced Security Operations Center.