The recent wave of network outsourcing is causing some business people, and not just technical staff, to turn their attention to a seldom-mentioned aspect of outsourcing -network security. Security has become enough of an undertaking that outsourcing it rather than committing the internal resources can make great sense. When seen as a long-term relationship between partners, rather than a commodity sold between companies, security outsourcing can be one of the most profitable business strategies in decades.
When your organization is providing e-commerce, converging voice and data services, or expanding remote access services for employees, security threats are most likely increasing. Given the increasing threats and their associated security risks, organizations need more than just a firewall guarding them; they require round-the-clock network monitoring, security auditing, and misuse and intrusion detection systems. With more crackers and script kiddies attempting to punch holes in your firewalls and plant hostile code in the bowels of your operating systems, it isn’t enough anymore to plop down a firewall at your network perimeter.
And these attacks aren’t just imaginary. According to information security specialists ICSA (www.icsa.net), there are four times as many hacker attacks a day in North America then there were just a year ago. And the attacks are getting more high profile and widespread: the distributed denial-of-service attacks on Amazon, CNN and Yahoo in February boosted awareness – and business – for intrusion detection technology, which basically acts as a burglar alarm for the network. But should you install an intrusion detection system or any security mechanism, you need someone there to monitor it 24 hours a day, seven days a week. As a CIO, you have two options: dedicate several individuals to patrol the network or outsource the job to security specialists.
Doing the task in-house is difficult because it is time-consuming, labour-intensive and – as skilled security managers become increasingly difficult to find – very expensive. Staffing poses a problem for businesses wanting to keep intrusion detection in-house. The IT labour shortage has been especially painful in the security market. The shortfall in skilled security professionals has prompted companies to outsource security tasks such as firewalls over the past few years. But the recent attacks on major Web sites such as Amazon, E-Trade and Yahoo heightened the need for around-the-clock monitoring and analysis. Network security specialists are in high demand these days, especially given these recent high-profile denial-of-service attacks. Not only is there a shortage of experts in intrusion detection, but they don’t want to work 24×7!
While most IT administrators could probably manage network security themselves, very few have the time. Due to the shortage of security specialists, the hiring, training and retaining of security managers is becoming increasingly difficult as well as expensive. In the States, for example, if you could hire staff, you would have to pay two security managers at least $60,000 each, plus benefits (all amounts in U.S. dollars). A managed security service package, including intrusion detection and vulnerability testing, costs about $60,000 a year.
And, the demand is indeed high for IT professionals specializing in security. According to Meta Group research, one in five IT positions involves networking professionals, and budgets for security are growing 25 percent each year, a trend that will continue for at least the next three to five years. The Meta Group also reports that the average network security manager earns $90,000 per annum.
It’s 2 a.m. and your intrusion detection sounds an alert. Your security staff scramble to find the source of the suspicious traffic hitting your network. Once they trace it back to the source, your security staff phones the IT department of the company running the suspect machine. It turns out the unauthorized traffic wasn’t an attack, but a misconfigured SNMP device. False alarms unfortunately are all too common for intrusion detection technology. Companies can’t rely on the software alone to determine whether, for instance, Internet Control Message Protocol traffic hitting a router is carrying legitimate messages to the device or instead is a denial-of-service attack.
The main difference between managing your own intrusion detection and hiring an outsourcer is manpower and expertise. When intrusion detection is handled in-house, the alarms can be overwhelming. When an alarm sounds, no one knows what to do with it. The advantage of a service provider acting as a security guard is that it can analyze all of the traffic that gets logged by the intrusion detection system, something many enterprise IT departments just don’t have the time or resources to do.
So the choice may seem to be whether to staff 24×7 security staff of your own or opt for an outsourcer. However, many businesses that run intrusion detection tools typically do a combination of in-house and outsourced security. The risk is high enough, so why not have a second pair of eyes.
Security is serious business – and big business. The market for security consulting should reach $14.8 billion by 2003, up from $6.2 billion last year, said David Tapper, an International Data Corp. researcher. IDC also reports that the overall market for managed security services is expected to reach more than $2 billion worldwide by 2003, up from $512 million in 1998. Therefore, the potential worldwide market for network security services is growing as well – at an average annual rate of more than 34 percent between 1998 and 2003, according to International Data Corp. Frost & Sullivan, another research company, values the 1999 European Internet security marketplace at $489.9 million and predicts it will reach $2.74 billion by 2006. Managed security services is poised for huge growth.
So the market is growing, but why should you outsource your security services? First, you can pass to the security service the tasks of researching, selecting, implementing, and maintaining the hardware and software. This can save your organization in terms of IT salaries and training. Other expenses include the costs of compiling periodic security status reports for the network, as well as the testing and implementation of new software and upgrades.
The larger your organization is, however, the less likely you are to rely exclusively on outsourcing services for your network’s security. In part, this is because a larger company likely has IT personnel in place already, and security is one of their on-going information technology concerns. If nothing else, your in-house staff will want to determine the outsourcing service that is best for your organization, which requires detailed knowledge of security hardware and software and how they fit into the organization’s networking strategy and infrastructure. A security service can help by analyzing the network to determine its security requirements and assist with purchasing and putting security systems in place.
And like anti-virus software, network managers have to keep intrusion tools up-to-date with the latest threats. They can’t just install the software and forget about it. That’s the advantage of going with a security services provider responsible for keeping the software updated. If you buy it off the shelf, install it and forget about it, you are going to get no value from it.
Intrusion detection software itself has a long way to go before it’s truly automated. An intrusion detection service must be customized to protect a company’s internal applications such as accounts payable so its security software can defend against any attacks on that application. Even with all the potential automation for intrusion detection tools, you still require human interaction – professionals with the requisite expertise – to ascertain the difference between a real attack and a misconfigured SNMP device. You can never take the human element out of security.
Recognizing not only the need to guard against such attacks but also their lack of expertise to provide that protection, businesses have begun to outsource network security. One sign of this growing phenomenon is that security and network management firms have been forming specific professional units targeted to providing such services. Some security companies, such as Axent and Network Associates, have even been buying firewall, encryption and anti-virus companies. While security vendors offer a variety of services, you must pick and choose to match your needs. Here’s a list of some of the most common services:
q Auditing or vulnerability assessments: Services provider scans the network to identify potential vulnerabilities and recommend fixes. The service provider normally performs these scans or tests at a point-in-time, they are not continuous. The scan or test is based on known profiles or vulnerability. An organization would typically pay a monthly fee for this service, which the service provider may perform daily, weekly, monthly or quarterly.
q Intrusion detection: Services provider monitors the network for suspicious activity and prevents attacks from occurring. The trend is toward a hybrid network- and host-based solution. Intrusion detection services come with around-the-clock outside experts who collate and sift through all of the information, important or not, generated by intrusion detection sensors sitting on the network. And they manage all the hardware and software tools, too. Companies typically pay a monthly fee for such services.
q Managed services: Services vendor builds a virtual private network or provides a firewall to secure the privacy of data communications between sites. These services also might include virus, vandal and Web site blocking services that filter data and control Web site access. The vendor maintains the data files for viral signatures, hostile IP addresses or offending URLs. The service provider builds and maintains a secure environment for the organization.
q Management of security policies and procedures: Services provider performs continuous review of systems and networks. The service is based on corporate compliance; that is, ensuring the organization is in compliance with its policies, standards and procedures, laws and regulations. Most services providers offer this service at a point-in-time, but some vendors are offering services on a continuous basis.
q Risk modelling: Vendor helps with an assessment of risk within the organization and then continuously updates the model with information from network monitoring and intrusion and misuse detection systems. There are providers offering this using the managed service provider model. They maintain the algorithms and data, and provide access to the analysis or use it with another service, such as policy management.
Outsourcing security can buy you peace of mind, but you want to be sure you know what you’re getting yourself into. Starting slowly is important because it not only establishes trust, but can also help you gauge whether or not your provider can scale to handle all your requirements. It’s one thing for a company to come in and put in a solution, but you need to make sure that where a security problem affects all of their customers at the same time, that they can scale their response team and handle all of their customers’ needs.
As you might expect, there are valid arguments against outsourcing. First among them is the issue of control. By farming out your network’s security, you are placing it in the hands of IT people who not only aren’t part of your company, but who are, in fact, working with other companies as well, perhaps your competitors. A related aspect is the loss of in-house expertise. For many this is a relief and a major selling point in favour of outsourcing, but for others it’s an abdication of responsibility.
There’s no silver bullet in security. There are no panaceas. Even where a company goes with an intrusion detection service provider, there are no guarantees its security tools and experts will catch every unauthorized PING or Trojan horse. Intrusion detection tools can’t actually stop a denial-of-service attack, but they can at least give a heads-up when one is infiltrating a network. Intrusion detection shouldn’t provide a false sense of security. There are still many attacks and events that aren’t captured.
A final argument against outsourcing is the cost. Technology keeps dropping in price, a factor you should take into account when negotiating monthly fees of a security service.
The point is that outsourcing is an increasingly important consideration for your network security needs, and you’ll need to do some research to determine the best solution for your organization.
Some well-known security experts have recently had an epiphany. They belatedly have come to the conclusion that security is a process not a product. You have to suspect that this is because they come at security from a technical rather than from a business background. Or it might be that they are selling a point product; for example, a firewall. If you are trying to sell firewalls, then you are going to try to convince or leave prospective clients with the impression that a firewall is all they need to protect their organization. When you have a hammer, everything looks like a nail. Unfortunately, this behaviour probably leads to more problems then it solves.
Security is a journey – a process; not a place in time or a product. The processes you put in place determine how well you avoid risk. Avoiding risk is a continuous task; there is some amount of risk you can accept, some you lay off, and some amount you can’t. Since history proves that you can’t keep ahead of the crackers and attackers, the trick is to reduce your risk regardless of your hardware or software. So due care means the only reasonable thing you can do is to reduce your risk as much as possible.
Security processes are not a replacement for products; they’re a way of using security products more effectively. Almost everything on your network produces a continuous stream of audit data: firewalls, routers, switches, controllers, intrusion detection systems, servers, and printers. While most of the data is irrelevant, some of it contains valuable information. Analyzing all the data is an essential process, because one device might pick up an attack that another missed. When you have a process in place to watch the audit data, you’re more likely to catch the intrusion in progress.
Read the popular press – including this very magazine – and you will learn that crackers, data diddlers, security professionals, vendors and scientists are discovering new security vulnerabilities in operating systems, server software, applications, firewalls and other devices every day. With vendors releasing major upgrades of operating systems annually, it is unlikely that these products will get more secure in the near future. Again history proves that if anything, the increasing complexity of applications and operating systems is driving them towards being even less secure. In this environment, you need specialized and dedicated help with detection and response.
1. Do business with someone you trust.
2. Start off slowly to build on the trust with your partner.
3. Ensure your provider uses commercial-off-the-shelf software; you might want to repatriate the service some day.
4. Augment your prevention products with their detection and response service.
5. Consider complementing your security services with managed security services.
6. Work with someone who understands your business, not just your technology.
7. Clarify roles and responsibilities and requirements before signing a contract.
8. Senior IT security management and corporate executives must review any contracts.
Your Gaff Glorified
You’ve read the news stories. Web sites for corporations, government agencies, and not-for-profits broken into. Password files exposed on the Internet. Zombies causing distributed denial of service attacks. Chances are a cracker will compromise your environment when effective security controls, including intrusion and misuse detection systems, are not implemented.
If a cracker does break into your site, don’t worry should you not see it. Someone will be kind enough to make a mirror of the site for perpetuity. Check out www.2600.com or www.attrition.org to see some of the unfortunates.
Peter T. Davis is President and COO of The Anvil Group, Inc., a security company specializing in crisis avoidance and managed security services. You can reach Mr. Davis at email@example.com.