http://www.theage.com.au/articles/2002/09/24/1032734104214.html

By Kim Zetter
September 24 2002

The spike in computer crime in the past two years has been matched by a parallel spike in the number of security consultants and companies popping up to relieve organisations of their worries and their budgets. With promises to plug holes, monitor traffic and chase down criminals, Managed Security Services (MSS) can appeal to IT departments too taxed with administration to maintain security, and to companies too small to hire specialist staff. Knowing what to do yourself, what to contract out, and to whom, is a common difficulty.

The advantages of outsourcing are many. It is less expensive to pay a fee for expert services than to hire and train dedicated staff. Security providers are aware of the latest vulnerabilities, patches and products. And if they are monitoring your traffic full-time, they can respond to attacks in progress rather than a day or a week later, when your regular administrators get around to analysing the network logs. What is more, MSS providers have more experience responding to attacks against your systems, since they are likely to have seen similar attacks on other customers.

But not all providers offer the same services or quality, and not all are financially stable. According to industry researchers at Giga Information Group, there are more than 80 MSS providers in the United States operating nationally, down from 125 last year, and analysts expect that figure to drop to 60. So you should choose wisely, since your security provider may go belly-up.

When it comes to picking a provider, the managed security label can be misleading, since it encompasses a variety of services, from one-time vulnerability assessments to 24-hour network monitoring. Some companies that call themselves MSS providers are actually only product resellers.
Steve Hunt, a research analyst with Giga, says there are six categories of MSS:

* On-site consulting to develop a security plan and infrastructure.
* Vulnerability testing.
* Product sales of security hardware and software.
* Remote perimeter management, which involves installing, configuring and managing a virtual private network.
* Network monitoring, a 24x7 service to watch network traffic for suspicious activity and intrusions.
* Compliance monitoring to ensure employees comply with company policies.

Some providers offer a single service, others a smorgasbord. Costs can range from $US250 ($A474) a day for consulting to $US12,000 a month for network monitoring.

Small Sydney provider Kyberguard, for instance, has 50 clients, including Nippon Telephone and Telegraph and international engineering group Montgomery Watson Harza. It charges $250 a month for small companies, which includes the cost and installation of a firewall and IDS hardware as well as 24-hour monitoring of perimeter activity. For companies of 100 to 150 employees it charges $950 a month for hardware and monitoring of internal-external traffic. It also installs and configures VPNs.

Canberra-based 90East, which has offices around the country, charges $7000 to $10,000 a month for network monitoring. It also offers server hosting and VPN services. The company is new to the commercial market after securing government systems for several years. The founders were government contractors who built a complex firewall system for federal agencies, then formed 90East when the government decided to outsource security. Their clients include 35 federal departments, state governments and legal firm Minter Ellison. The company recently acquired Application Service Provider Peakhour.

Giga's Steve Hunt says that before choosing any MSS, you should assess your business risks and needs to decide what you can do in-house and what you should outsource. But no company should hand over all security to an outsider.
Greg Nelson, information security manager for chip maker Advanced Micro Devices, says companies should retain control of security management. "You can outsource specific tasks but you can't outsource responsibility for the security of your company," he says.

Bruce Schneier, founder of United States network monitoring service Counterpane, recommends outsourcing labour-intensive tasks such as vulnerability assessment, network monitoring, consulting and forensics. Schneier says companies cannot effectively monitor their own networks.

"Security monitoring is inherently erratic: six weeks of boredom followed by eight hours of panic," Schneier says. "Attacks against a single organisation don't happen often enough to keep (staff) engaged and interested."

"The choice is not outsourcing or doing it yourself. Goldman Sachs can do it themselves. But nobody else can."

AMD, which has 14,000 employees worldwide but only three security staff in the US, hired Counterpane after trying unsuccessfully to track more than 100 Internet servers. "We were always a day behind in analysing results and we could never catch anything as it was happening," AMD's Nelson says.

Counterpane monitors AMD's systems around the clock, while another, undisclosed company runs penetration tests twice a month. Nelson says the decision was also an economic one. Counterpane charges about $US12,000 a month, as opposed to the $100,000 to $200,000 a month it would cost most companies to hire five or six specially trained employees to monitor their systems around the clock.

AMD at least recognised the need to monitor its networks. But according to Tim Cranny, senior consulting engineer with 90East, many companies do not even make the attempt. "You'd be astonished at the number of companies that have an intrusion-detection system or firewall but no one watching them," he says.
Although it might be tempting to hire an all-in-one MSS for your needs, Counterpane's Schneier says you should avoid companies that have a conflict of interest, such as those that sell products and offer to manage them, or those that offer device management plus monitoring. If the monitoring staff discover an intrusion into a system that the device-management team should have secured, they are likely to fix it quietly without telling you about the mistake. Companies that sell products and do vulnerability assessments also have an obvious interest in finding problems their products will solve. Schneier believes it is better to hire a company that does one thing well, and to hire others for separate tasks.

Giga's Hunt says that penetration tests can sometimes be useless, as they can be used to pressure an organisation into signing on for other services, or by IT departments to justify larger budgets. "And all the reports say the same thing," Hunt says. "You have crappy passwords, you have open ports, your operating system lacks the latest patches."

Hunt says that before authorising a test you should shore up your network with basic steps such as secure passwords and closed ports, and then test only to find the serious problems you would have missed on your own.

In the end, the best providers are leaders in their field and have a good history behind them. Hunt suggests talking to other companies with security needs similar to yours, and asking analysts for solid security consultants and companies that will be around for a while. Before hiring Counterpane, Nelson narrowed AMD's choices to five companies, but by the time they came to make a final decision three of them were already out of business.

ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 02:32:38 PDT