[unisog] Outsourcing security scanning (internal and external)

Isac Balder piis8 at yahoo.com
Fri Oct 7 21:07:50 GMT 2005


I am coming from BIG corporate to University and at my
last position we had an outsourced scanning operation
and an internal operation.  The cost to benefit ratio
for the outsourced side was very low.  

Your core issue is, What do you want the outsourced
scanning to provide?  And what is it that they
actually deliver without effort from you?

>From my expierence the majority of the work involved
in proper scanning and the subsequent follow-up
(verification of vulnerabilities, remediation of
vulnerabilities, verification of remediation, insert X
political hurdles) is going to fall on your lap as the
asset owner at the end of the day.  If you expect the
vendor to provide more than the scan and a nice
interface to track progress, trends, and metrics you
are going to have a very big price tag to contend
with.  Even with most scan offerings you still have to
tell the vendor (or their interface) what business
unit owns what system and who can see which reports. 
What I am trying to say is even with a "managed
service" scan offering someone local to your company
still has to manage the interface.  

At the end of the day I would suggest trying to prove
the need for another 60K for a perm position and
manage the operation on your own.  

With all that said I am not current on the vendor
price lists and most managed scan offerings (last time
i looked) still want to charge you per-node so the
size of your network will directly affect the cost.  

Hope this helps.

--- Greg Francis <francis at gonzaga.edu> wrote:

> We are currently considering whether or not to
> outsource penetration 
> testing from off-campus such that testing will be
> done frequently 
> (monthly?) versus a periodic audit which we have
> already outsourced in the 
> past. We're also considering outsourcing the same
> functionality except on 
> the inside of the firewall.
> At present, we do some scanning with NMAP and Nessus
> but there are 
> concerns from management that our efforts are
> inadequate and our 
> reliability is low. We are making improvements but I
> question how much we 
> should focus into that area if it's going to be
> outsourced anyway. Our CIO 
> thinks that outsourcing both tasks may be more cost
> effective and appease 
> management more.
> Are there any schools out there that have outsourced
> either external 
> scanning? If so, how frequently is the scanning
> done? Do you have a vendor 
> that you recommend and what is their general cost?
> Any input is highly appreciated.
> Thanks,
> Greg
> -- 
> Greg Francis                                Gonzaga
> University
> Sr. System Administrator                    Spokane
> Washington
> francis at gonzaga.edu                        
> 509-323-6896
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

Yahoo! Mail - PC Magazine Editors' Choice 2005 

More information about the unisog mailing list