ISS works from the outside

Quietly, cautiously, from somewhere outside the firewall and security servers, a presence gains access to the company’s network. As the intruder pokes into every corner of the system, it takes inventory of the files and quietly tests the security measures that have been put in place to stop exactly the kind of activity being performed.

But unlike the assorted hackers, crackers and disgruntled employees who might be performing this type of operation without proper authorization, the folks at Internet Security Systems do so with the blessing of the system’s owners and managers.

The ePatrol Scanning Service from Atlanta-based Internet Security Systems (ISS) allows for remote and automatic assessment of perimeter systems via the Web, according to Allen Vance, Director of offer management with ISS’s e-services division.

“It has a system wrapped around it that has a variety of components – it has a Web-based front-end and it has a scheduling and database mechanism,” Vance explained. “And what that platform then allows us to do is to control multiple instances of the scanner system running on machines so that we can now provide this as a service to customers,” he said.

Everything is set up at the company’s secure network operations centre, he said, explaining that an e-mail is sent out to the authorized personnel, indicating when the scan is about to start and when it has been completed. A network manager can then go to the secure Web site to see what reports have been generated as a result of the scan, and can speak with an ISS consultant to discuss what, if any, measures should be taken.

The recent acquisitions of two companies, Netrex Secure Solutions and NJH Security Consulting, are what ultimately made this possible, said Vance.

“Netrex really brought ISS into the e-services business as we call it, really providing managed security services,” he said. “And they have about eight of those: remote firewall management, remote VPN management, authentication, buyer scanning…in other words, all operated as something we manage for the customer remotely.”

According to Vance, customers wanted another option for security, rather than having to buy software and perform security checks themselves.

“We are actually finding demand from lots of different vertical segments and lots of different sized companies,” he explained. “That’s the key thing: we’re offering a proposition that tells customers – small customers to large customers – that we can cost effectively deliver scanning and reporting and consulting so that you can improve the perimeter security of your organization, which is critical, particularly for e-commerce-type applications.”

The .com outfits are probably the companies that use this type of service the most, according to John Pescatore, research director for network security at the Gartner Group in Boston. But there are many others climbing on board, he said.

“We’re seeing a lot of larger, more established companies, kind of the brick and mortar companies that are moving into Internet-based stuff, using these types of services as a staff extension,” Pescatore said. “They may have a security staff, but that security staff just doesn’t have time to do this.”

According to Pescatore, “the pricing of these remote penetration testing services is pretty enticing, and for many companies I think it’s the way to go because they can’t maintain a large enough security staff where they can afford to have somebody be the penetration-type of person.”

At the lowest end, Vance said pricing for ISS’s new services would begin at approximately US$4,000 a year for a single device that needed to be scanned, such as a Web server. The price would include 12 monthly scans for the annual subscription, as well as up to five random scans available to the authorized personnel. A few hours of consulting are also available at that price range.

At the high end, such as in the case of “a complete class C or 256 address space range”, Vance explained that customers can expect to pay approximately US$25,000. This price includes the same number of scans, although more hours of consulting would be available in this range.

Vance noted that it is not necessary to have additional products from the ePatrol line in order to have this particular service.

“I think one of the important things to note is that one of the values of the service is you don’t need anything else at all…period,” Vance said. “I mean, you don’t need any physical gears set up on your side, you don’t need to change anything in your environment, you don’t need to train anybody, you don’t need to buy any hardware or software or anything.”

Pescatore said the managed security services area is growing. Last year there was growth in managed firewall services, and this year that’s continuing, along with more demand for managed vulnerability testing and managed intrusion detection services, which are “kind of two sides of the same coin,” he said.

“The prices are dropping because there’s more competition, but…to do something quarterly, you’re typically looking at US$12,000 to US$15,000 as what you’re going to spend,” Pescatore said. “You would spend a good third of that just in training your own person to know how to do this, and keep up-to-date with this each year.”

ISS in Atlanta is at 1-800-776-2362.