[ISN] Managed Security Deals Leave Networks Vulnerable

From: InfoSec News (isnat_private)
Date: Wed Jul 11 2001 - 00:14:08 PDT

    By Brian Ploskina
    Interactive Week
    July 9, 2001
    Companies are increasingly turning over the keys to their e-businesses
    to security professionals, who often lack the expertise or personnel
    to operate them safely.
    Hiring security providers to protect corporate networks and the
    critical data those networks contain is a growing trend, but the
    companies providing such services are unregulated and not subject to
    industry certification.
    "There's a lot of chewing gum and duct tape providers out there that
    could potentially be causing you more harm than good," said Elad
    Yoran, co-founder and chief financial officer of Riptech, one of the
    largest independent security providers. "There's a lot of companies
    jumping into this business, and not all of them really know what
    they're doing."
    Managed security service providers (MSSPs) are hired to monitor and
    manage a variety of network components, such as firewalls, intrusion
    detection systems, anti-virus programs, and Web and e-commerce
    servers. Revenue from these services is expected to swell from $315
    million last year to more than $1.8 billion in 2005, according to The
    Yankee Group.
    Some businesses see managed security as a cheaper way to secure their
    operations, paying a monthly fee instead of dishing out hundreds of
    thousands of dollars up front for hardware and software, and hiring
    their own people to run it.
    As a result, businesses seeking the cheapest providers often get what
    they pay for. Experts in the field say it's not uncommon to find that
    the provider and customer have different ideas about what is supposed
    to be provided.
    "We have tested [MSSPs] who were supposed to have security measures in
    place for their customers and they didn't," said David Gehringer,
    senior product manager at Mercury Interactive, which provides security
    testing for organizations.
    In one case, the service provider had botched the firewall
    configuration and in another it was charging the customer for services
    it wasn't even providing, Gehringer said. And when problems crop up,
    there's not much recourse. One I-manager found this out the hard way.
    "The server that our managed security provider was hosting was hacked
    into," said an information systems manager at a major international
    airline, who asked not to be identified. "They suggested we improve
    our surveillance tactics."
    As a result, the airline had to shut down the system - a part of its
    Web site operations - for two days, as a precautionary measure to plug
    any holes before it was brought back online.
    The I-manager found out only after this serious problem that his
    MSSP's version of managed security was browsing his Web site every 15
    minutes to make sure it was still operational.
    "We were very angry, disillusioned and threatened to sue," he said.
    "Why weren't they protecting our systems? We didn't hire this firm to
    allow for this to happen."
    Little Recourse
    Aside from suing or complaining to regulators, there's little recourse
    for a company that's hired a poor security provider. The situation
    isn't unlike that of the rest of the Internet services industry, where
    regulators have focused more on political issues, such as content
    filtering, than on business issues, such as service disputes.
    Since there are few watchdog groups to assess the new managed security
    industry, the scope of the problem is hard to measure. But one way
    businesses can figure out their vulnerability is to hire a testing
    company to see how well their security providers are performing. Such
    testing uses a combination of software and "ethical hacking" to
    analyze a company's security.
    Gehringer said that more and more, he has been put in the
    "uncomfortable" position of testing the security infrastructure of a
    company that's already being hosted by a managed security provider.
    "Sometimes, the customers are suspicious or don't trust them,"
    Gehringer said. "But that brings up a touchy issue," because if the
    service provider is doing its job, it will be monitoring to detect
    intrusions and will be alerted when the testers begin poking around.
    One reason that customers are not getting the services they think they
    should comes down to money.
    "Managed security providers want to sell you something they think
    you're going to buy," said Karen Worstell, president and CEO of
    AtomicTangerine, which offers an MSSP service. "So they'll price it in
    a way that's attractive, but they can't afford then to offer the
    services you really need."
    The burgeoning number of providers that have set themselves up to
    provide managed security has a wide range of qualifications. Some are
    solely managed security companies, such as Riptech; some are hosting
    companies that have moved into security, such as Exodus
    Communications; and some are software companies, such as Symantec,
    that also provide a hosting service using their security tools.
    Since so many service providers have seen the revenue potential in
    offering a security solution, increasing price pressure has hit the
    industry, said Andrew Schroepfer, president of Tier 1 Research.
    "The trend happened when everyone was building these data centers, and
    you tried to be capital-efficient and you had to sell something,"
    Schroepfer said. "And then managed security came along. Now there's
    pricing pressure, because there are so many services on the market."
    Data hosting provider Verio made a bold announcement in April, when
    officials said they partnered with Riptech to provide customers
    managed security - because they didn't believe they were qualified to
    do so.
    That was the reason Bob Fetterman, president and CEO of iDashes, a
    15-person performance management software company, went with the
    Verio/Riptech solution. "If your service provider was doing something
    they weren't supposed to be doing, would they tell you? Probably not,"
    Fetterman said. "Whereas Riptech is a third party, so we can see all
    the things scanned on Verio's network . . . and that makes us feel a
    lot better than having it integrated in one service provider."
    The problems that exist between an MSSP and the customer stem less
    often from negligence than from miscommunication between the two.
    Sometimes the translation doesn't compute when I-managers, who are
    admittedly not security experts, try to tell security experts what
    they want.
    "People don't know how to ask for what they need," AtomicTangerine's
    Worstell said.
    For example, a company may want an MSSP to manage its firewall, but
    there are many variables to managing a firewall - such as proper
    configuration, applying the latest patches, ensuring availability and
    stability, and, most valuable, monitoring the traffic that hits the
    firewall, either in real-time or through daily reports.
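    The gap between "browsing the Web site every 15 minutes" and actually
    monitoring the traffic that hits the firewall is easy to state in code.
    The Python below is an added example written for this page, not code from
    the article or from any provider it names: it builds the "daily report"
    variant from a handful of constructed iptables-style syslog lines. The
    FW-DROP/FW-ACCEPT log prefixes, the eth0 external interface and the list of
    administrative ports are assumptions, and the log lines are made up.

```python
import re
from collections import defaultdict

# Constructed sample log in netfilter/iptables syslog style. The FW-DROP and
# FW-ACCEPT prefixes are an assumed --log-prefix convention; nothing here is
# captured from a real system.
SAMPLE_LOG = """\
Jul  9 03:12:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jul  9 03:12:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jul  9 03:12:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jul  9 03:12:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jul  9 03:12:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=3389 SYN
Jul  9 03:15:44 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
Jul  9 03:16:10 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
Jul  9 04:01:17 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=60210 DPT=22 SYN
Jul  9 04:30:00 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=UDP SPT=1900 DPT=1900
this line is not a firewall record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>FW-(?:DROP|ACCEPT)) (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")

# Assumed policy: these ports must never be reachable from the untrusted
# interface. An ACCEPT for them on EXTERNAL_IF points at a rule that should
# not exist, i.e. the "botched firewall configuration" case.
ADMIN_PORTS = {22, 3389}
EXTERNAL_IF = "eth0"


def parse_line(line):
    """Return a dict for one firewall record, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "action": m["action"].split("-")[1]}
    rec.update(dict(KV_RE.findall(m["fields"])))
    for key in ("SPT", "DPT"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def daily_report(log_text, scan_threshold=5):
    """Summarise one day of firewall log lines.

    Returns a dict with:
      drops_by_src        -> {src_ip: number of dropped packets}
      suspected_scanners  -> sources denied on >= scan_threshold distinct ports
      admin_from_outside  -> (ts, src, dport) for accepted connections to
                             ADMIN_PORTS that arrived on EXTERNAL_IF
    """
    drops = defaultdict(int)
    ports_by_src = defaultdict(set)
    admin_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "DROP":
            drops[rec["SRC"]] += 1
            ports_by_src[rec["SRC"]].add(rec.get("DPT"))
        elif (rec["action"] == "ACCEPT" and rec.get("IN") == EXTERNAL_IF
              and rec.get("DPT") in ADMIN_PORTS):
            admin_hits.append((rec["ts"], rec["SRC"], rec["DPT"]))
    scanners = sorted(s for s, ports in ports_by_src.items()
                      if len(ports) >= scan_threshold)
    return {
        "drops_by_src": dict(drops),
        "suspected_scanners": scanners,
        "admin_from_outside": admin_hits,
    }


if __name__ == "__main__":
    report = daily_report(SAMPLE_LOG)
    for src, n in sorted(report["drops_by_src"].items()):
        print(f"{src:16} dropped={n}")
    print("suspected scanners:", report["suspected_scanners"])
    print("admin ports accepted from outside:", report["admin_from_outside"])
```

    On the constructed input the report flags 203.0.113.7 as a scanner (five
    distinct denied ports) and surfaces one accepted SSH connection from the
    Internet, which is a configuration question for whoever manages the
    firewall. An availability probe that only fetches the home page would
    have reported "operational" for the entire period.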
    Such misunderstandings can be most dangerous because they can lead a
    company to believe it is secure, and "a false sense of security is
    worse than knowing you're not secure," Riptech's Yoran said.
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 00:23:54 PDT