Third-Party Provided Security Services
Leveraging resources beyond one’s own organization has become commonplace in security. Given the importance, ever-changing nature, and scope of security, dependence upon third-party providers comes as little surprise. The degree of control, scope of work, and expectations of the third parties vary drastically. Virtually every organization avails itself of hardware and software developed by external providers, but increasingly organizations also employ third parties for ongoing security services. Although the phrase Managed Security Service Provider (MSSP) does not encompass all the varied third-party security service offerings in the marketplace, it serves as a good example of a commonly employed service.
Though the justification, rationale, and functions can vary widely, the basic idea of employing an MSSP is to bolster an organization’s security operations through leveraging a third party’s staff and operational maturity. Finding security professionals to fill open positions has long proven challenging. However, even organizations that consider themselves fully staffed often struggle to keep up with the cadence and operational workload required for effective security operations. Many organizations will look to MSSPs as a form of security staff augmentation or security operations force multiplier. While not exclusively used for this purpose, an incredibly common function for which organizations seek outside assistance from MSSPs involves providing robust 24 × 7 × 365 detection and response capabilities.
Honeypots
A honeypot is a system designed to attract attackers. This allows information security researchers and network defenders to better analyze network-based attacks. Honeypots have no production value beyond research.
Internal honeypots can provide high-value warnings of internal malware or attackers. While an internet-facing honeypot will be frequently compromised, internal honeypots should never become compromised. If this happens, it usually means that other preventive and detective controls, such as firewalls and IDSs, have failed.
Low-interaction honeypots simulate systems (or portions of systems), usually by scripting network actions (such as simulating network services by displaying banners). High-interaction honeypots run actual operating systems, in hardware or via virtualization.
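The following is an added example, not code from the book or from any honeypot project it describes. It shows the two ideas from the paragraphs above in working form: a low-interaction decoy that only scripts the network surface (it sends a fake SSH banner, records whatever the client sends, and never interprets or executes that input), and the rule that contact with an internal honeypot is itself an alert, since nothing legitimate should ever connect to it. The banner text, the port, the sensor name and the alert format are illustrative assumptions.

```python
"""Minimal low-interaction honeypot (added example, not from the original page).

It fakes an SSH service by sending a banner, records whatever the client
sends, and emits an alert record. On an internal segment nothing legitimate
should ever talk to this listener, so such contact is logged as high severity.
Service name, port and log format are illustrative choices (assumptions).
"""
import json
import socket
import socketserver
import sys
from datetime import datetime, timezone

# Constructed decoy banner; no real SSH handshake is ever performed.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"
MAX_CAPTURE = 1024  # bytes of client input kept per session


def build_alert(peer_ip: str, peer_port: int, received: bytes, internal: bool = True) -> dict:
    """Turn one decoy interaction into a structured alert record.

    Any contact with an internal honeypot is treated as high severity: it
    usually means earlier preventive and detective controls were bypassed.
    An internet-facing decoy is expected to be probed, so it logs at low
    severity instead.
    """
    # Keep only the first line (the client's own banner) for the summary.
    client_banner = received.split(b"\n", 1)[0].strip()
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sensor": "decoy-ssh",  # hypothetical sensor name
        "peer": f"{peer_ip}:{peer_port}",
        "client_banner": client_banner.decode("utf-8", "replace"),
        "bytes_received": len(received),
        "severity": "high" if internal else "low",
    }


class DecoyHandler(socketserver.BaseRequestHandler):
    """Serve the banner, capture client input, and log an alert.

    Client input is only recorded, never interpreted or executed, which is
    what keeps the decoy low-interaction.
    """

    def handle(self):
        self.request.settimeout(5)
        self.request.sendall(FAKE_BANNER)
        received = b""
        try:
            while len(received) < MAX_CAPTURE:
                chunk = self.request.recv(256)
                if not chunk:
                    break
                received += chunk
        except socket.timeout:
            pass
        alert = build_alert(self.client_address[0], self.client_address[1],
                            received, internal=self.server.internal)
        # One JSON line per session; ship these to the SIEM in practice.
        print(json.dumps(alert), file=sys.stderr)


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, internal=True):
        super().__init__(addr, DecoyHandler)
        self.internal = internal


if __name__ == "__main__":
    # Unprivileged port for the example; a deployment would use 22 or a
    # port-forward, and would alert on every session when placed internally.
    with DecoyServer(("0.0.0.0", 2222)) as srv:
        srv.serve_forever()
```

Run it, then connect with any TCP client to port 2222: the client sees only the scripted banner, and the listener prints one JSON alert line per session. Because the handler never passes client data to a shell or an application, an attacker cannot gain a foothold on the decoy itself, which is the trade-off a low-interaction honeypot makes for safety over realism.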
Consult with legal staff before deploying a honeypot. There are legal and practical risks posed by honeypots: what if an attacker compromises a honeypot, and then successfully penetrates further into a production network? Could the attackers argue they were “invited” into the honeypot, and by extension into the production network? What if an attacker penetrates a honeypot and then successfully uses it as a base to attack a third party? These risks should be considered before deploying a honeypot.
Honeynets
A honeynet is a (real or simulated) network of honeypots. Traditional honeypots focus on offering instrumented decoy services or a single decoy system. A honeynet is an entire network of such systems and services that contains no legitimate production devices. As with a standard honeypot, the goal of a honeynet is to allow the organization to discover adversary activity. Honeynets can include a honeywall (a honeynet firewall) that is intended to limit the likelihood of the honeynet being used to attack other systems.