http://www.nytimes.com/2001/04/18/technology/18SCHW.html By JOHN SCHWARTZ April 18, 2001 Like many people, Aviel D. Rubin recently received an e-mail message purporting to offer him a picture of the tennis star Anna Kournikova. Mr. Rubin, a computer security researcher at AT&T Labs-Research in Florham Park, N.J., knew too much about the risks of rogue software to open the attached file, which was in fact a program that would damage the recipient's computer and copy itself to everyone on the user's Microsoft Outlook address book. He was taken aback, however, to see who had fallen for the trick and unintentionally sent him the "worm" program: it was the chairman of a computer security company. "If he does that, you can only expect that a lot of other people are going to do this," Mr. Rubin said. "You can never eliminate the human element." Some things human nature, for example never seem to change. But computer security has changed drastically in recent years, and thanks to the boom in computer attacks, security is burgeoning, too: investors have rewarded companies that try to ease the burdens that businesses face. The most visible part of that trend is the rise of what is known as managed security services, in which a company pays somebody else to take over the reins. It is one of the few segments of the high- technology market that is thriving in the midst of widespread dot-com gloom. "It's a ton of money," said Olivia Golden, an analyst at Bear, Stearns in New York and co- author of a recent report on security issues. According to Ms. Golden, venture capital funds have invested more than $500 million in about 75 companies over the last year and a half. Another recent report on the subject from analysts at the Gartner Group, a technology consulting firm in Stamford, Conn., said, "In the last several months, hardly a week has passed that has not seen the announcement of an established company that expanded its offerings to include managed security services, or of a start-up that received funding to do the same." It is easy to see why companies might want to have an outsider take over: security is a mess. In the old days say, 1996 running a safe shop consisted mainly of preventing unauthorized people from gaining access to your computer system by using relatively straightforward products known as firewalls, applying an occasional software patch to fix vulnerabilities and looking out for viruses and their ilk. Things have become a lot tougher, say the believers in managed security services. The number of patches has proliferated so wildly that most in-house security operations cannot keep up, said Bruce Schneier, the founder of Counterpane Internet Security Inc., a security services company in San Jose, Calif. Examples of new rogue software like the "Love Bug" and "Melissa" have complicated life for security teams. And attacks like "distributed denial of service," which last year temporarily blocked access to Yahoo, eBay and other sites, have made security a more daunting task. Having a team capable of handling such crises would be enormously expensive and hard to maintain, Mr. Schneier said, so people look outside. "It's a very bursty job," he added. "Boredom for eight months, panic for eight hours." That means many companies are looking for somebody else to provide those resources. "When I need my doctor," Mr. Schneier said, "I need him three times a year. I'm not going to hire my own doctor." Hiring outside talent instead of building similar expertise from within means that companies benefit from the depth of experience as well. "Even if you could afford your own fire department, you wouldn't want one," he said. "You want them to have the practice, and not say `Oh, yeah, that's a fire. I've read about that.' " Security is not just about keeping people out anymore. Today's companies want everybody to come in: they want customers to shop at the Web site, they want employees to do work on the road, they want suppliers to constantly provide the data. "We're connecting corporate networks to the Internet in more ways than anybody ever anticipated," said Taher Elgamal, the chief executive of Securify, a managed security company in Mountain View, Calif. Even the gadgets and gizmos that people bring into the office have to become part of the security puzzle, said Thomas W. Patterson, the managing director of the e-commerce transactions group at KPMG Consulting, based in McLean, Va. "Everybody wants the day when they just whip out their cell phone and the toll arm goes up at the booth or the Coke pops out of the machine," he said. But giving that kind of power to tiny machines opens new avenues of risk. "You're deploying, essentially, a wireless network," Mr. Patterson said, with every hand-held device occasionally connected to a company's internal network when information is synchronized. So several security companies provide strategies for protecting every part of the network, from servers down to hand-held organizers. The upshot is a new, more integral role for security, said Tom Noonan, the chief executive of Internet Security Systems, a security company based in Atlanta. "For the first time security interests and business interests are aligned," Mr. Noonan said. "We've always been the guys who make it difficult for business to get its business done." And as insurance companies and new laws like the Gramm-Leach- Bliley Act require minimum security standards, the case for managed security becomes compelling, he said. BUT not all at once. "It's definitely a phased approach. You've got to take bite-sized pieces," said Jeffrey Z. Johnson, the chief executive of Metases, a security company in Atlanta. Some start with relatively simple services like maintaining the firewall and then move up to a full range of managed security services, like security network design and 24-hour monitoring to detect intruders. Not everyone believes that handing over security management to others is such a wonderful idea. "By outsourcing security- related tasks, many corporations are putting core assets at risk," according to a new report written by Steve Hunt, an analyst with the Giga Information Group, a research firm in Cambridge, Mass. Managing the security of the elements that are critical to a company's success, like a bank's account data, should not be handed over to outsiders, he said. And like all booms, this one is sure to lead eventually to a shakeout, the Gartner Group report said. The fear that companies might be giving up the crown jewels has kept some of them or their backers from going to a managed security service. Kas Naderi, the chief information officer of MunicipalTrade in Atlanta, which helps towns sell bonds and obtain financing, said his own venture capital backers told him at first that he had to manage his own security network. "We were actually able to convince them, because of the size of our company, we will never be able to hire the best-of-breed security folks out there," he said. "Our core competency is not necessarily to be in the security business our core competency is to be in the municipal bond business." Eventually, Mr. Naderi was able to persuade the backers to let him sign a contract with Internet Security Systems. But for now, companies are clamoring for someone to take care of their security headaches. Christopher Pyle, the president of Champion Solutions Group in Boca Raton, Fla., which creates data storage systems, said his company chose to use a package of hardware and managed security services from SonicWall, based in Sunnyvale, Calif. Champion, like many that decide to use managed security services, retains the equipment to monitor the monitors, making sure that the work they used to do is being performed well. "You can still keep your hands on the pulse," he said. "It's cheaper for us" than running it with an internal team, Mr. Pyle said, adding, "at the end of the day, we can concentrate on what's going to make me money." When it comes to fighting something like the Anna Kournikova virus, he said, "Let somebody who really majors in that major in that." *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERVat_private with a message body of "SIGNOFF ISN".
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 01:38:47 PDT