WHILE OUTSOURCING even part of an IT security operation still draws qualms, organisations are being forced to recognise that the level of in-house security expertise needed to run a full-time business is too difficult and costly to acquire and maintain. As a result, many are placing more trust in MSSPs (managed security service providers).
"There certainly was a lot of hesitancy. I wasn't too comfortable about the whole idea of outsourcing [ security]," said Daniel Kesl, information security officer for Denver-based Newmont Mining. "But as we went further with the processes and controls in place, it's not as terrifying as I once viewed it."
A few months ago Newmont Mining signed on with Massachusetts-based Guardent, an MSSP, to help the gold-producing company manage firewalls across different time zones and provide IDS (intrusion detection system) services at its seven global sites. Newmont locations outside the United States include South America, Indonesia and Asia.
Newmont initially considered building its own year-round security operations centre. But cost considerations and a dearth of in-house security skills led the move toward managed security.
"We're a mining company. It really came down in the end that it was much more cost effective to go with an MSSP than try to do it our-selves," Kesl said.
In keeping with what analysts describe as a trend among MSSP deals, Newmont opted to keep control over lighter duty anti-virus and content filtering security products already in place at its larger sites.
For MSSPs, market consolidation, mounting pressure to fend off security-hungry telecom players, and a new breed of selective, tech-savvy customers mean there is more pressure than ever to perform at optimum levels.
Last week, Symantec completed its acquisition of Riptech, gobbling up the MSSP for $US145 million in an effort to augment its own managed services, rattling an already mercurial market with another consolidation, said Kelly Kavanagh, senior analyst at Gartner (US).
Kavanagh said customers are in the process of identifying the stronger players in the MSSP arena that are expected to be more capable of meeting SLAs.
Riptech customer Willard Evans Jr, vice president of information technology services at Chicago-based People's Energy, said he hopes Symantec can integrate its new security offerings into a services package.
"As a purchaser of services, I like the fact I can go to one place where hopefully all the products can work very well together in a bundled [form]: firewall, IDS, anti-virus," Evans said. "That's really exciting for the marketplace and I think something it needs."
However, Gartner's Kavanagh said Symantec may encounter difficulty unifying its products and services.
"Symantec is primarily a product company. How does Symantec convince customers that they can manage competitors' products as well as their own? That's a challenge," the analyst said.
Evans of People's Energy said his company employs an MSSP not only for protection but also to sift through mounds of information pouring in from multiple devices across his network. Harsh lessons learned from past large-scale attacks have helped increase the demand for security expertise.
MSSPs can help with scalability, monitoring, managing, and keeping firewalls up to date. Intrusion detection is also driving interest in security outsourcing as companies wrestle with tuning, investigating, and responding to alerts generated by off-the-shelf IDS solutions.
RedSiren customer Nancy Power, vice president of IS operations at the Orange County Teachers Federal Credit Union in Santa Ana, California, thinks managed security should not be seen as a way to off-load security responsibility from either side of the relationship.
"We had another vendor prior to RedSiren, but they very rarely called us. We didn't get many notifications from them, and we thought, 'Either we're better than we thought or they're not as good as we thought,' " Power said.
RedSiren, based in Pittsburgh, monitors the Credit Union's Internet and network traffic and provides IDS and policy alerts.
Finally, despite their ailing fortunes, telecommunications companies could also have a big impact on the MSSP landscape. Telecom players are scooping up security solutions to bolster their own services and retain customers' trust.
"If [end-users] trust someone to manage their network, they probably trust them to manage security elements as well," Kavanagh said.
Reed Harrison is CTO of Rockledge, Florida-based e-Security, which sells security software to MSSPs, telcos and enterprises. He said telcos will be forced to reckon with managed security-services battles because of their wide-ranging networks and connectivity prowess.
"Companies looking to outsource security are looking for disciplines and the best practices that have been in place," Harrison said. "The telcos and large systems integrators have offered that for years."
SIDEBAR: Can Security Services Really Deliver?
It was a disappointing end to an interesting buildup. A security company, after springing for lunch, told me about all the wonderful things their service could do to expose vulnerabilities. The only problem was, it wouldn't work with my network. Worse, it won't work with many enterprise networks that don't involve the weird things we do here in the lab. The reason is obvious: If you've set up your network correctly, it should be almost entirely invisible from outside.
And that's the problem with security services. The services that can support your network from outside can only see what's visible from outside. This means that you'll be able to get reports about the security of your Web servers, for example, but not for anything behind your network firewall.
Because of this obvious issue, companies that do vulnerability assessments, as well as other types of data security outsourcing, are moving to a new idea: providing an agent inside your network that reports out to the service provider.
Lately, that agent comes in the form of an appliance that resides on your network and watches the traffic, and then reports on what appears to be traffic resulting from threats. The appliance will send that report to the security service, which will evaluate it and advise.
Of course, companies that sell security services and products typically also sell consulting services.
Foundstone (www.foundstone.com), for example, offers a full set of services to go with its vulnerability assessment software. Qualys (www.qualys.com), which only provides vulnerability assessment services to your external network, can give you a list of consultants to help with the problems of assessing your internal network (along with pretty much anything else you want).
So, you can see the problem with security services. On one hand, you might have to hire your own security experts to perform a complete threat assessment, which would include the vulnerability assessments provided by Web-based services. This would be expensive, and the bulk of the work would happen up front, so you'd have to figure out what to do after most of the work is completed.
On the other hand, pure services really can't do much for you, and what they can do doesn't always provide a complete picture. When you add agents, such as an appliance to monitor internal traffic, you also add to the complexity and risk on your network. And without skilled professional services, you still may not really learn what you need.
The best course of action for companies that can't afford to hire their own security experts is to find a company such as TruSecure (www.trusecure.com) to start the process with a real threat assessment, and then use the vulnerability assessment services to keep tabs on things after all the heavy lifting is done.
With your threats accounted for and minimised, you can make sure nothing important changes, and if it does, ask for another threat assessment. That will keep your threats and your vulnerabilities in the proper perspective.
-- Wayne Rash