In-house IDS may make sense

Intrusion detection, at the best of times, involves long hours of repetition and boredom broken up by periodic bouts of security jousting, as system defenders try to thwart the moves of a cyberattacker.

Under the budgetary constraints most companies feel today, outsourcing intrusion detection system (IDS) monitoring has become a partial answer to the growing preoccupation with network monitoring. Most companies cannot justify the cost of round-the-clock system monitoring, since it amounts to employing a highly paid, highly trained night watchman. The night watchman was outsourced long ago; the in-house IDS analyst is now feeling the same pressure.

But outsourcing IDS monitoring is not for everyone. The decision should not rest on ROI alone, since other factors come into play. One that can weigh heavily on the outsourcing decision is the need to protect a corporate image. Some companies cannot afford, from a branding perspective, to outsource IDS monitoring, because doing so could be perceived as a sign of weak security. Most of Canada's large financial institutions fit into this category, as does Bell Canada.

Bell Canada monitors all of its own networks, both internally and at the perimeter. Bill O'Brien, Bell's associate director of corporate security systems in Ottawa, admitted that part of the reason Bell does so is to ensure potential customers view the company as security savvy. Since Bell sells outsourced security services and network access, it needs to be able to show clients it can protect its own house, O'Brien said.

“If we are going to provide a high level of trust to clients that come to us for networks, we have to clearly show that we know what we are talking about when it comes to (those) networks,” he said. “The only way you can get that is to work in it day in and day out.”

Bell’s dedicated staff monitors its own networks 24/7.

Martin Dion, vice-president of technology with Boisbriand, Que.-based Above Security Inc., said this same logic spills over into the financial industry. “Outsourcing means you cannot do it internally and since the mission is to secure the money of your customer, then it means you are lacking somewhere,” he said.

Dion, whose company works with large Canadian corporations and offshore financial institutions, said he would wager that most large Canadian financial institutions do not outsource this service. The Royal Bank Financial Group would not comment on who monitors its systems, in keeping with its tradition of giving nothing away to potential hackers.

For the thousands of Canadian companies that do not need to worry as much about their security image, outsourcing IDS monitoring is a viable alternative.

There are two basic types of outsourcing solutions. In the first, the monitoring company contacts you when an intrusion occurs and leaves the response to you. In the second, the outsourcer actually stops the attack. Above Security offers the latter service.

Using a combination of internally developed technology and open-source software, Above Security can have an IDS monitoring system up and running in about two months, Dion said. Half of that installation time goes into tuning the IDS to the particularities of a given network.

If an attack occurs, Above Security has a layer in their implementation that allows them to actually block a connection, and thus an attack. But do customers worry about Above Security having access to their networks? “To be honest, it has not been a big issue,” Dion said.

The outsourcing threshold is about 80 IDS monitoring devices, Dion explained. Above that point, a company needing, say, 100 devices to monitor its entire network will probably find it cheaper to do the work in-house. For smaller deployments, though, the savings can be substantial.

For example, if a company needs to roll out 30 worldwide IDS systems, the cost to do so, including all staff, hardware, consulting and training, is about $6.6 million for five years, Dion said. The list price with Above Security is $4 million.

“So you basically save half-a-million a year for the exact same service,” Dion said.

Cupertino, Calif.-based Counterpane Internet Systems Inc. works on the monitor-and-contact model. If Counterpane determines that an intrusion is genuine, a company representative contacts the customer. This model is popular with customers because the vast majority of IDS alerts turn out to be false positives.

John Bruce, executive vice-president of sales and marketing for Counterpane, explained that of the 300 billion events it has monitored, 220,000 were suspected attacks that needed addressing. And of those, around 20,000 were actual attacks in progress.

Both models also offer the advantage of accumulated knowledge. Every attack monitored and defended against helps the IDS outsourcers refine their detection and response, and that experience benefits all of their customers.