[ISN] Outsourcing Security Doesn't Mean You're Desperate

From: InfoSec News (alerts@private)
Date: Mon Dec 18 2006 - 02:05:01 PST


http://www.informationweek.com/news/showArticle.jhtml;?articleID=196604332

By Larry Greenemeier
InformationWeek
Dec 16, 2006 
(From the December 18, 2006 issue) 

On the surface, giving the security of your networks, systems, and data 
over to someone else seems like a desperate move--an acknowledgement 
that the threats are more than you can handle. The reality is that 
tapping into a service provider might be the best way to protect your 
company and comply with the latest government regulations.

One caveat: Do your homework. You must know what's in your networks, 
systems, and databases and clearly define how the service provider is 
going to help your company meet its security and compliance needs. You 
also must be sure the service provider is financially stable before 
trusting it to manage intrusion detection and prevention, log analysis, 
firewall, or other security services.

Lack of resources and expertise is most often the reason for subscribing 
to security services. "In the security world, it's a game of catch-up. I 
couldn't possibly throw enough resources at it internally," says Ken 
Emerson, director of strategic planning and CIO at Boiling Springs 
Savings Bank in New Jersey. He tapped Perimeter Internetworking to 
manage e-mail security and an intrusion-detection system. "I didn't feel 
like I had the necessary knowledge on my staff, especially with the 
rapidly growing volume of spam," he says.

Emerson thoroughly checked Perimeter and found it had undergone a 
Statement on Auditing Standards No. 70 (SAS 70) audit, the American 
Institute of Certified Public Accountants' standard for an in-depth, 
independent audit of a service provider's control activities. "The 
other outsource firms I looked at didn't have SAS 70 certification," 
Emerson says. "I'm not going to have depositors if I can't protect their 
information."

After Boiling Springs signed with Perimeter, a worm got into a PC at one 
of its branches. Perimeter notified the bank so it could shut down the 
infected computer, Emerson says.

Kettering Medical Center Network, a group of 50 health care facilities 
around Dayton, Ohio, turned to managed security services to augment its 
internal IT security resources, particularly the time-consuming task of 
sifting through data collected by its Check Point Software Technologies 
and Cisco Systems firewalls, which protect remote physicians' offices 
that are part of the Kettering network.

Kettering owns the network security equipment, but for the last two 
years it has had Symantec collect and analyze data from firewall logs. 
"We need to be concerned if someone is trying to do a port scan against 
our systems or if our network contains ad bots or spy bots trying to 
communicate out," says Bob Burritt, Kettering's IS network and 
technology manager.
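The two checks Burritt names, an external host sweeping ports on one of Kettering's systems and an internal host beaconing out on a fixed schedule, are both answerable from nothing more than the firewall's accept/drop records. The following is an added example, not Symantec's or Kettering's tooling: it runs both checks over a constructed log sample in a simple key=value format (not Check Point or Cisco syntax). The internal address ranges and the thresholds (10 distinct ports in 60 seconds; 5 hits with near-constant spacing) are assumptions a real deployment would tune.

```python
"""Firewall-log triage: port scans and outbound beacons.

Added example. The log format below is constructed for illustration and
is not the Check Point or Cisco format; the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumption: these prefixes are the inside of the network.
INTERNAL_NETS = ("10.", "192.168.")

# Constructed sample log (not real traffic). One external host sweeps
# 12 ports on 10.1.1.20; 10.1.1.77 contacts 198.51.100.4:8080 about once
# a minute; 10.1.1.5 browses at irregular intervals; 198.51.100.50 is a
# legitimate inbound client of the web server on 10.1.1.20.
SAMPLE_LOG = """\
2006-12-15T10:00:00 action=accept src=10.1.1.77 dst=198.51.100.4 dport=8080
2006-12-15T10:00:01 action=drop src=203.0.113.9 dst=10.1.1.20 dport=21
2006-12-15T10:00:01 action=drop src=203.0.113.9 dst=10.1.1.20 dport=22
2006-12-15T10:00:01 action=drop src=203.0.113.9 dst=10.1.1.20 dport=23
2006-12-15T10:00:02 action=drop src=203.0.113.9 dst=10.1.1.20 dport=25
2006-12-15T10:00:02 action=drop src=203.0.113.9 dst=10.1.1.20 dport=53
2006-12-15T10:00:02 action=accept src=203.0.113.9 dst=10.1.1.20 dport=80
2006-12-15T10:00:03 action=drop src=203.0.113.9 dst=10.1.1.20 dport=110
2006-12-15T10:00:03 action=drop src=203.0.113.9 dst=10.1.1.20 dport=135
2006-12-15T10:00:03 action=drop src=203.0.113.9 dst=10.1.1.20 dport=139
2006-12-15T10:00:04 action=accept src=203.0.113.9 dst=10.1.1.20 dport=443
2006-12-15T10:00:04 action=drop src=203.0.113.9 dst=10.1.1.20 dport=445
2006-12-15T10:00:04 action=drop src=203.0.113.9 dst=10.1.1.20 dport=3389
2006-12-15T10:00:05 action=accept src=10.1.1.5 dst=192.0.2.10 dport=80
2006-12-15T10:00:30 action=accept src=198.51.100.50 dst=10.1.1.20 dport=443
2006-12-15T10:01:00 action=accept src=10.1.1.77 dst=198.51.100.4 dport=8080
2006-12-15T10:02:01 action=accept src=10.1.1.77 dst=198.51.100.4 dport=8080
2006-12-15T10:02:59 action=accept src=10.1.1.77 dst=198.51.100.4 dport=8080
2006-12-15T10:03:12 action=accept src=10.1.1.5 dst=192.0.2.10 dport=80
2006-12-15T10:04:00 action=accept src=10.1.1.77 dst=198.51.100.4 dport=8080
2006-12-15T10:05:00 action=accept src=10.1.1.5 dst=192.0.2.11 dport=443
2006-12-15T10:05:00 action=accept src=10.1.1.77 dst=198.51.100.4 dport=8080
2006-12-15T10:07:48 action=accept src=10.1.1.5 dst=192.0.2.10 dport=80
2006-12-15T10:08:15 action=accept src=198.51.100.50 dst=10.1.1.20 dport=443
"""


def parse_line(line):
    """'<iso-ts> k=v k=v ...' -> dict; dport becomes an int."""
    ts, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        ev[key] = int(value) if key == "dport" else value
    return ev


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_internal(ip):
    return ip.startswith(INTERNAL_NETS)


def find_port_scans(events, window=timedelta(seconds=60), min_ports=10):
    """Report (src, dst) pairs where src touched >= min_ports distinct
    destination ports on dst within `window`. Dropped and accepted
    connections both count: a scanner is profiled by breadth, not by
    whether any single probe succeeded."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pair[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))
    scans = {}
    for pair, seq in by_pair.items():
        for i, (t0, _) in enumerate(seq):          # sliding window
            ports = {p for t, p in seq[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scans[pair] = len(ports)
                break
    return scans


def find_beacons(events, min_hits=5, max_cv=0.1):
    """Report inside->outside flows with >= min_hits accepted connections
    whose inter-arrival gaps are nearly constant (coefficient of variation
    <= max_cv). Human browsing is bursty; a bot checking in on a timer
    is not."""
    by_flow = defaultdict(list)
    for ev in events:
        if (ev["action"] == "accept" and is_internal(ev["src"])
                and not is_internal(ev["dst"])):
            by_flow[(ev["src"], ev["dst"], ev["dport"])].append(ev["ts"])
    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[flow] = round(avg)      # interval in seconds
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, dst), n in find_port_scans(evs).items():
        print(f"port scan: {src} -> {dst}, {n} distinct ports")
    for (src, dst, port), secs in find_beacons(evs).items():
        print(f"beacon: {src} -> {dst}:{port} every ~{secs}s")
```

On the sample, the sweep from 203.0.113.9 is reported with 12 distinct ports even though two of its probes were accepted, and 10.1.1.77's 60-second check-in to 198.51.100.4:8080 is flagged while 10.1.1.5's irregular browsing is not. In production the beacon check needs a whitelist for legitimately periodic traffic (NTP, update checks, monitoring agents), which is exactly the tuning an MSSP is paid to do.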

The ability to detect and avert downtime is crucial to any organization, 
but particularly a health care operation. Added incentive is the $1 
million a day Kettering would lose if it couldn't bill or collect fees. 
Burritt declines to say how much Kettering is paying for Symantec's 
services, but he notes that outsourcing firewall log analysis saves as 
much as $150,000 annually, roughly the cost of hiring two full-time IT 
pros.


WHO TO CALL?

Perimeter and Symantec are among the dozens of companies that offer 
services for keeping out malicious e-mail, blocking network-borne 
viruses, and automatically patching software as vulnerabilities are 
fixed. In recent years, a number of smaller service providers have been 
absorbed by larger service providers looking to add security offerings. 
Symantec spent $145 million in 2002 on Riptech, a provider of outsourced 
network-monitoring services run by Amit Yoran, who went on to become 
director of the National Cyber Security Division of the Department of 
Homeland Security.

VeriSign bought Guardent in 2003 for $140 million, and BT Group earlier 
this year acquired Counterpane Internet Security, founded by IT security 
luminary Bruce Schneier. Other security vendors have merged, including 
SecureWorks with LURHQ in September (keeping the name SecureWorks), and 
TruSecure with Betrusted in 2004 to form Cybertrust.

SecureWorks' customer Digital Federal Credit Union isn't likely to 
outsource the maintenance and management of its core IT infrastructure 
for loans and deposits anytime soon, but the not-for-profit financial 
cooperative formed in 1979 as part of Digital Equipment Corp. knows its 
limitations when it comes to security. "We're a financial services 
company, we're not security experts," says VP of IS Kris VanBeek. 
Digital Federal serves more than 300,000 members at 1,000 companies.

Digital Federal has SecureWorks perform security assessments on the 
products and services it develops for the Web. "SecureWorks is able to 
keep up with the latest; we don't have anyone on staff who can do that," 
says David DeWitt, the credit union's IS risk manager.

"We're looking at SecureWorks in place of hiring a whole department to 
do this full time," says VanBeek, who estimates it costs about half as 
much to outsource as it would to hire a security staff and buy the 
necessary technology.

Before opting to outsource any aspect of its security, a company needs 
to be able to clearly define all interfaces into its data and how the 
service provider will access that data. Security services, like any 
other, must be managed, and that typically costs about 10% of the 
services contract when you factor in the time and effort of your IT 
staff to do it, says Paul Simmonds, global information security director 
of Imperial Chemical Industries Group, which develops and sells paints, 
foods, fragrances, and personal care products.

ICI Group has relied on Qualys for the past four years to scan every IP 
address ICI owns or has data on for signs of trouble. Before hiring 
Qualys, ICI didn't have a regular or repeatable process for detecting 
viruses or other problems with its IT systems. When Simmonds joined in 
2001, "we ran a penetration test and actually defaced the ICI Web site 
in under a half hour," he says.

Qualys manages all of the devices used to protect ICI's systems and 
provides the company's security staff with a Web-based interface for 
checking the information collected. This approach lets ICI avoid 
investing in security hardware and software. If Qualys went bust, "the 
only thing we'd have committed to was their services. This is difficult 
work," Simmonds says, so the decision to outsource was easy.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn