Q: Is a mixed managed security environment best for my FI?

by admin

We got a great question from Matt, who attended our last webinar, and I thought it would be great to share his question and Eric Kitchens' answer. If you have more questions, please send them to us at info@thegarlandgroup.net and we will continue to help!

Question - I have customers that outsource firewall management, IPS / IDS, content filtering, log collection, and log monitoring for the perimeter security devices. I have customers that maintain their own firewall and outsource IPS / IDS only.

Do you feel a mixed management environment is best, or is this contingent on the technical abilities of the personnel? What are your thoughts?

Hi Matt,

Great question, and one that I think affects the majority of the financial institutions out there. Outsourcing Firewall and IDS management and monitoring, log monitoring and correlation is fine; there's nothing wrong with that. But what the institutions need to understand is that they really can't outsource it and wash their hands of things. Regardless of the skill set of the institution, they need to be involved with the services they've outsourced. It is understandable that an institution that doesn't believe they have the skill set to review system logs and Firewall events wants to give all of that headache to their vendor. I think the examiners will be looking for the situations where they've done just that.

Ideally, an institution is going to have several data sets that they will need to correlate, that (generally) their vendor will not have access to or experience with. Their fraud monitoring tools, CIF records, internal help desk metrics (hey, I said ideal, didn't I?), reports from other outsourced services such as online banking. The examiners are going to want to see that none of that information is looked at in a vacuum. Correlating suspicious originating IPs from a failed online banking attempt with IPs that originated NMAP scans against the perimeter a week earlier.

That's why I consider a "mixed management" environment better: the banker has the insight on specific datasets, their outsourced vendor has information on others. The two need to be correlated as best as they can be. With that said, if a financial institution has contracted with a vendor to provide that correlation from A to Z (that's a pretty unique situation, by the way), I don't think there's anything wrong with that, given that *policies and procedures* are documented and followed and that the activity is subject to the oversight of the several responsible parties within the institution.
Eric Kitchens
I say that's a pretty unique situation because really, if that's being done "right" it's going to be a time-consuming process for the vendor and expensive for the institution, and I've never seen it done to that extent.

Hope this answers your question, Matt. If you think of any others, please let us know! info@thegarlandgroup.net
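
The correlation described in the answer above (failed online banking logins matched against source IPs that scanned the perimeter earlier), as an added example that is not part of the original post. The field names, the 14-day lookback window, and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data using documentation IP ranges; field names are assumptions.
# Vendor-side feed: perimeter IDS alerts for port scans.
IDS_ALERTS = [
    {"ts": "2024-03-01T02:14:00", "src_ip": "203.0.113.7", "signature": "nmap-syn-scan"},
    {"ts": "2024-03-02T11:40:00", "src_ip": "198.51.100.23", "signature": "nmap-syn-scan"},
    {"ts": "2024-02-10T09:00:00", "src_ip": "192.0.2.55", "signature": "nmap-syn-scan"},
]
# Institution-side feed: failed online banking logins.
FAILED_LOGINS = [
    {"ts": "2024-03-08T03:02:00", "src_ip": "203.0.113.7", "user": "jdoe"},
    {"ts": "2024-03-08T03:03:00", "src_ip": "203.0.113.7", "user": "asmith"},
    {"ts": "2024-03-08T14:20:00", "src_ip": "192.0.2.55", "user": "mlee"},      # scan too old
    {"ts": "2024-03-08T15:00:00", "src_ip": "192.0.2.99", "user": "kchan"},     # never scanned
    {"ts": "2024-03-01T01:00:00", "src_ip": "198.51.100.23", "user": "bwong"},  # login precedes scan
]

def correlate(ids_alerts, failed_logins, lookback_days=14):
    """Return failed logins whose source IP raised a scan alert within the prior window."""
    window = timedelta(days=lookback_days)
    scans_by_ip = {}
    for alert in ids_alerts:
        scans_by_ip.setdefault(alert["src_ip"], []).append(datetime.fromisoformat(alert["ts"]))
    findings = []
    for login in failed_logins:
        login_ts = datetime.fromisoformat(login["ts"])
        # Keep only scans that happened before the login and inside the lookback window.
        prior = [s for s in scans_by_ip.get(login["src_ip"], [])
                 if timedelta(0) <= login_ts - s <= window]
        if prior:
            last_scan = max(prior)
            findings.append({"src_ip": login["src_ip"], "user": login["user"],
                             "login_ts": login["ts"], "last_scan": last_scan.isoformat(),
                             "days_since_scan": (login_ts - last_scan).days})
    return findings

def summarize(findings):
    """Group findings by source IP so a reviewer sees which accounts each scanner targeted."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["src_ip"], set()).add(f["user"])
    return {ip: sorted(users) for ip, users in by_ip.items()}

if __name__ == "__main__":
    for ip, users in summarize(correlate(IDS_ALERTS, FAILED_LOGINS)).items():
        print(f"{ip}: scanned perimeter, then failed logins for {', '.join(users)}")
```
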