[ISN] Last Boom in Town: Demand Still Grows for Online Security

From: William Knowles (wkat_private)
Date: Wed Apr 18 2001 - 12:49:18 PDT


    April 18, 2001
    Like many people, Aviel D. Rubin recently received an e-mail message
    purporting to offer him a picture of the tennis star Anna Kournikova.
    Mr. Rubin, a computer security researcher at AT&T Labs-Research in
    Florham Park, N.J., knew too much about the risks of rogue software to
    open the attached file, which was in fact a program that would damage
    the recipient's computer and copy itself to everyone on the user's
    Microsoft Outlook address book.
    He was taken aback, however, to see who had fallen for the trick and
    unintentionally sent him the "worm" program: it was the chairman of a
    computer security company.
    "If he does that, you can only expect that a lot of other people are
    going to do this," Mr. Rubin said. "You can never eliminate the human
    Some things (human nature, for example) never seem to change. But
    computer security has changed drastically in recent years, and thanks
    to the boom in computer attacks, security is burgeoning, too:
    investors have rewarded companies that try to ease the burdens that
    businesses face. The most visible part of that trend is the rise of
    what is known as managed security services, in which a company pays
    somebody else to take over the reins.
    It is one of the few segments of the high-technology market that is
    thriving in the midst of widespread dot-com gloom. "It's a ton of
    money," said Olivia Golden, an analyst at Bear, Stearns in New York
    and co-author of a recent report on security issues. According to Ms.
    Golden, venture capital funds have invested more than $500 million in
    about 75 companies over the last year and a half. Another recent
    report on the subject from analysts at the Gartner Group, a technology
    consulting firm in Stamford, Conn., said, "In the last several months,
    hardly a week has passed that has not seen the announcement of an
    established company that expanded its offerings to include managed
    security services, or of a start-up that received funding to do the
    It is easy to see why companies might want to have an outsider take
    over: security is a mess. In the old days (say, 1996) running a safe
    shop consisted mainly of preventing unauthorized people from gaining
    access to your computer system by using relatively straightforward
    products known as firewalls, applying an occasional software patch to
    fix vulnerabilities and looking out for viruses and their ilk.
    Things have become a lot tougher, say the believers in managed
    security services. The number of patches has proliferated so wildly
    that most in-house security operations cannot keep up, said Bruce
    Schneier, the founder of Counterpane Internet Security Inc., a
    security services company in San Jose, Calif. Examples of new rogue
    software like the "Love Bug" and "Melissa" have complicated life for
    security teams. And attacks like "distributed denial of service,"
    which last year temporarily blocked access to Yahoo, eBay and other
    sites, have made security a more daunting task.
    Having a team capable of handling such crises would be enormously
    expensive and hard to maintain, Mr. Schneier said, so people look
    outside. "It's a very bursty job," he added. "Boredom for eight
    months, panic for eight hours."
    That means many companies are looking for somebody else to provide
    those resources. "When I need my doctor," Mr. Schneier said, "I need
    him three times a year. I'm not going to hire my own doctor." Hiring
    outside talent instead of building similar expertise from within means
    that companies benefit from the depth of experience as well. "Even if
    you could afford your own fire department, you wouldn't want one," he
    said. "You want them to have the practice, and not say `Oh, yeah,
    that's a fire. I've read about that.' "
    Security is not just about keeping people out anymore. Today's
    companies want everybody to come in: they want customers to shop at
    the Web site, they want employees to do work on the road, they want
    suppliers to constantly provide the data. "We're connecting corporate
    networks to the Internet in more ways than anybody ever anticipated,"
    said Taher Elgamal, the chief executive of Securify, a managed
    security company in Mountain View, Calif.
    Even the gadgets and gizmos that people bring into the office have to
    become part of the security puzzle, said Thomas W. Patterson, the
    managing director of the e-commerce transactions group at KPMG
    Consulting, based in McLean, Va.
    "Everybody wants the day when they just whip out their cell phone and
    the toll arm goes up at the booth or the Coke pops out of the
    machine," he said. But giving that kind of power to tiny machines
    opens new avenues of risk. "You're deploying, essentially, a wireless
    network," Mr. Patterson said, with every hand-held device occasionally
    connected to a company's internal network when information is
    synchronized. So several security companies provide strategies for
    protecting every part of the network, from servers down to hand-held
    The upshot is a new, more integral role for security, said Tom Noonan,
    the chief executive of Internet Security Systems, a security company
    based in Atlanta. "For the first time security interests and business
    interests are aligned," Mr. Noonan said. "We've always been the guys
    who make it difficult for business to get its business done." And as
    insurance companies and new laws like the Gramm-Leach-Bliley Act
    require minimum security standards, the case for managed security
    becomes compelling, he said.
    But not all at once. "It's definitely a phased approach. You've got to
    take bite-sized pieces," said Jeffrey Z. Johnson, the chief executive
    of Metases, a security company in Atlanta. Some start with relatively
    simple services like maintaining the firewall and then move up to a
    full range of managed security services, like security network design
    and 24-hour monitoring to detect intruders.
    Not everyone believes that handing over security management to others
    is such a wonderful idea. "By outsourcing security-related tasks,
    many corporations are putting core assets at risk," according to a new
    report written by Steve Hunt, an analyst with the Giga Information
    Group, a research firm in Cambridge, Mass. Managing the security of
    the elements that are critical to a company's success, like a bank's
    account data, should not be handed over to outsiders, he said. And
    like all booms, this one is sure to lead eventually to a shakeout, the
    Gartner Group report said.
    The fear that companies might be giving up the crown jewels has kept
    some of them, or their backers, from going to a managed security
    service. Kas Naderi, the chief information officer of MunicipalTrade
    in Atlanta, which helps towns sell bonds and obtain financing, said
    his own venture capital backers told him at first that he had to
    manage his own security network.
    "We were actually able to convince them, because of the size of our
    company, we will never be able to hire the best-of-breed security
    folks out there," he said. "Our core competency is not necessarily to
    be in the security business; our core competency is to be in the
    municipal bond business." Eventually, Mr. Naderi was able to persuade
    the backers to let him sign a contract with Internet Security Systems.
    But for now, companies are clamoring for someone to take care of their
    security headaches. Christopher Pyle, the president of Champion
    Solutions Group in Boca Raton, Fla., which creates data storage
    systems, said his company chose to use a package of hardware and
    managed security services from SonicWall, based in Sunnyvale, Calif.
    Champion, like many that decide to use managed security services,
    retains the equipment to monitor the monitors, making sure that the
    work they used to do is being performed well. "You can still keep your
    hands on the pulse," he said.
    "It's cheaper for us" than running it with an internal team, Mr. Pyle
    said, adding, "at the end of the day, we can concentrate on what's
    going to make me money." When it comes to fighting something like the
    Anna Kournikova virus, he said, "Let somebody who really majors in
    that major in that."
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org