Security's Best Friend ? - Outsourced security services

posted onJuly 17, 2001
by hitbsecnews

Over the years, the option of outsourcing has worked its way into every IT function, including those formerly considered too vital and proprietary to be trusted to a third party, such as database management, application development, and even storage. Every function, that is, but one: security.

"I'm a firm believer that security should be kept in-house whenever possible," says Jeff Hormann, director of information security for Metromedia Fiber Network Inc., a provider of optical networking infrastructure in White Plains, N.Y. Hormann, who has 20 years of experience as a felony criminal investigator for the U.S. Army, created and commanded its Computer Crime Investigation Unit. His background--not uncommon in the IT security business--makes him extremely suspicious of letting someone else watch the store. "The downside to outsourcing is that you have to give away some of the keys to the castle," he says....

Security's Best Friend

Companies are outsourcing IT security to cut costs of around-the-clock surveillance. But some doubt the risk is worth the savings.

By George V. Hulme (ghulme@cmp.com)

Hormann's hard-line attitude about IT security may be fairly typical among security chiefs, especially at the largest and more conservative companies. But in the past year, the option of outsourcing IT security--through a new kind of consulting firm known as a managed security service provider--has emerged as a legitimate choice for many companies. Though MSSPs initially appealed mostly to smaller companies that lack the budget for sophisticated security technology or sizable security staffs, large companies now are giving them a closer look. A June survey by Hurwitz Group found that as many as a quarter of companies with more than $10 billion in annual sales are using or considering handing over some of their security, such as firewalls, antivirus software, virtual private networks, or intrusion detection, to a managed security service.

The reason is economics. "When decisions to outsource security are made, it's generally done by the CFO and is based on cost savings," says Bruce Peck, information security manager at St. Vincent Hospital & Health Services, a network of eight hospitals in Indianapolis.

The numbers appear to be adding up for MSSPs. The Yankee Group forecasts that companies will buy $1.7 billion in security services by 2005, up from just $140 million in 1999. That kind of growth potential has caught the attention of the investment community: To date, startup managed security firms have scooped up more than $1 billion in venture-capital investment.

To reach their potential, MSSPs will have to overcome the bias many IT managers have against letting someone else run their security. Many consider it too critical a function to outsource if there's any way they can afford to keep it in-house. The same Hurwitz survey that showed a fourth of big companies are open to some outsourcing found more than 25% who say they'd never consider it for critical elements such as firewalls or intrusion detection. Also, the MSSP industry, like most nascent technology markets, has its share of startups flying by the seats of their pants and newcomers looking to cash in on a hot trend. That's why some security chiefs consider managed security a low-cost--and low-quality--option. "You won't find many security officers in favor of outsourcing security and having some-one else do that job," St. Vincent's Peck says.

It's 2 a.m. and the phone at Linda Donner's home rings. At that hour, it's a safe bet the news is probably bad. She answers and the voice on the other end of the line is a technical analyst at the Unisys security command center. The analyst is talking about a potential security problem regarding the network at First American Bank, where Donner is VP of project management. The analyst has detected suspicious activity but hasn't been able to isolate and identify the source of the trouble. If the problem isn't solved soon, the network will have to be shut down as a security precaution. Donner gives the OK to shut down the network.

Shortly after, from Unisys' secure operations center in Blue Bell, Pa., the security analyst determines that a malicious attack didn't occur after all. The problem is network interference, caused by the local phone company, affecting the bank's Internet service provider. But Donner doesn't mind the early-morning alarm. "Nothing can hurt a bank faster than a security breach," she says. "Better safe than sorry."

Donner's experience, and the reasons the Fort Dodge, Iowa, community bank went with managed security service from Unisys, exemplify how and why the market is taking off. Donner, a 20-year veteran of IT, first considered managed security when the company started looking to the Internet in 1999. "We felt we needed a partner to help put a plan together," she says. "Being a community bank, we didn't have the staff or experience to totally understand what it meant to be on the Internet."

Her first call went to Unisys, because First American had a longstanding relationship with the company as the bank's hardware provider. Unisys did a three-day security assessment, inventorying the bank's IT systems, discussing growth plans, talking about existing network security, and evaluating everything from network firewalls and intrusion-detection systems to how the bank set up employee logons and changed passwords. After the assessment was completed, Donner compared the cost of outsourcing with the price of an in-house, round-the-clock network-monitoring operation, and Unisys came out on top. But the comparison didn't matter too much, because Donner faced a staffing crunch that many security operations run up against--except geography made hers worse. "I'm in the middle of Iowa," she says. "Where would I find anyone with the required knowledge and experience?"

Managed security providers span a wide range of sizes and services. There are newcomers such as OneSecure Inc., which launched in January with $92 million in funding, and stalwart technology names such as Unisys, which has offered its e-@ction Security Solutions since October 1999. Leading the way are companies such as Internet Security Systems Inc., which started managing security remotely in 1995. ISS sells services direct to customers and also resells services through consulting firms, including PricewaterhouseCoopers, and telecom carriers such as BellSouth Corp. Many hosting companies also offer security services, generally through a reseller agreement with a managed security firm. The services MSSPs offer also vary widely, from companies specializing in one piece of the security puzzle, such as managed antivirus protection, to a full menu that includes round-the-clock monitoring.

So what kind of guarantees do security firms offer? Like most IT service sectors, security companies don't promise 100% reliability, so companies looking for financial peace of mind need to buy hacker insurance. Most security firms operate under service-level agreements that focus on performance. For example, Elad Yoran, co-founder and CFO of Riptech Inc., says a typical intrusion-detection SLA sets a standard for Riptech to spot a problem and notify the customer, usually in 15 minutes.

ISS is the largest independent MSSP, with $195 million in revenue last year and 1,183 employees. The Atlanta company says it can set up and monitor security on a 250-user network on a single T1 (1.5-Mbps) Internet gateway for about $75,000 a year, excluding hardware. Doing that in-house would mean similar hardware costs, plus at least $240,000 in annual compensation to hire three full-time specialists, based on data from InformationWeek's most recent Salary Survey (informationweekresearch.com/advisor).

That's assuming you can find trained staff to hire. Staffing shortages are the No. 2 reason companies turn to managed security, after economics. But there's a third reason that's growing in importance: the difficulty of keeping up with the latest security threats.

Howard Berkis, a director in charge of infrastructure security for CIBC World Markets in the U.S., says financial savings and staffing challenges are two reasons CIBC has used ISS for more than a year to run round-the-clock intrusion detection. But equally important is ISS's expertise on the latest intrusions. CIBC World Markets is the investment and merchant banking arm of the Canadian Imperial Bank of Commerce, which has about $180 billion in assets, and isn't about to skimp on quality. "Myself and my staff, we have a general knowledge of security and security measures," Berkis says. "You ask [ISS staff] a question and they can fire away answers at you very quick, or they have the answers at their fingertips." Time is critical when it comes to intrusion detection, he says. "To know that there was an intrusion three days ago is useless to me."

Keeping up to date on the latest threats becomes more difficult as the number of new vulnerabilities rises. The federally funded CERT Coordination Center, operated by Carnegie Mellon University to track Internet security statistics, recorded 171 new vulnerabilities in 1995, a figure that reached 417 in 1999. Last year, that number hit 1,090, and in just the first three months of this year, 633 new vulnerabilities were reported.

Click here to continue reading this excellent and detailed article

Source

Tags

Networking

You May Also Like

Other Articles In This Section

Recent News

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes
Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
Apple integrates ChatGPT into Siri, iOS, and macOS
British police to scan 480,000 Formula 1 fans’ faces at Silverstone
Hackers steal “significant volume” of data from hundreds of Snowflake customers

Friday, June 7th

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
FCC pushes ISPs to fix security flaws in Internet routing
Can a technology called RAG keep AI models from making stuff up?
How to Lead an Army of Digital Sleuths in the Age of AI

Thursday, June 6th

Mystery object waits nearly an hour between radio bursts
Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
Ex-Microsoft security expert torches Windows' new 'Recall' feature
The Age of the Drone Police Is Here

Wednesday, June 5th

Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
TikTok Hack Targets ‘High-Profile’ Users via DMs