In the first week of October, news broke of multiple IT security alarms. Bugbear hit, a nasty worm virus. Microsoft released a multitude of patches and advisories on various vulnerabilities open to attack. Meanwhile, hackers defaced a U.S. Department of State Web site with obscenities. For many, there is no feeling of security when it comes to IT security.
Allan Carey is program manager for information security services of IDC headquartered in Framingham, Massachusetts. IDC reports in Reality or Illusion: Demystifying the Managed Security Services Market, that the managed security service market will grow from 720 million dollars in 2000 to over 2.2 billion dollars by 2005 with compound annual growth rate of 25.4%.
The major areas of concern are reflected in the table below. The growth is driven by concerns in intrusion detection systems (IDS), vulnerability assessment, and anti-virus.
Carey outlines the needs of enterprises in security. "The managed security services market is being driven primarily by resource constraints to capital and security expertise, as well as the growing complexity of networks and rogue access points, which exponentially increase exposure to vulnerabilities and threats. Customers want information security solutions to seamlessly integrate into the network, ensure scalability, and provide a measurable return on investment."
A Case in Point
David MacLeod is chief information security officer for the Regence Group headquartered in Portland, Oregon. The Regence Group is the result of four entities coming together in a voluntary affiliation. The organizations are Blue Shield of Washington, Blue Shield of Idaho, Blue Cross/Blue Shield of Utah, and Blue Cross/Blue Shield of Oregon and HMO of Oregon. All had separate IT, HR, and security and combine to have 10,000 desktop computers.
MacLeod had a daunting task ahead of him when it was decided to have a single enterprise-wide security organization. With previously different approaches, missions, and priorities, unifying security would be taxing.
MacLeod noted that " what wasn't value added was 24/7 monitoring of logs and intrusion detection systems that we did not have but would be putting in. It would cost too much to create such an organization. We looked into Counterpane and discovered that service was available to us for far less than we could do it ourselves. I couldn't even hire the bodies much less have the tools, technology, skills and knowledge. Doing it in-house just didn't make sense. It was not a viable alternative."
Counterpane Internet Security Inc. of Cupertino, California was founded in 1999. Counterpane has built robust advanced tools with sophisticated analytic and diagnostic technology that remotely monitor the client's site in real time.
One of driving forces is cofounder and renowned security guru Bruce Schneier, famous for devising email encryption languages. Steve Hunt vice president of research for Giga Information Group headquartered in Cambridge, Massachusetts acknowledges the expertise of Schneier. "Counterpane is the thought leader in monitoring centers. Counterpane's founder is recognized as one of the preeminent security professionals in the world. He has personally overseen the design of the monitoring service and training of the staff. Counterpane is devoted to managed security and invented it."
In June 2001 the outsourcing solution was implemented through July. MacLeod found the deployment to be relatively easy. "We were up and running within days. It was a very painless experience to bring up our systems and have reports."
In August the system was prepared to meet the first major threat as they caught Nimda. "Even before the Nimda storm crossed our network, Counterpane was on the phone with us. As a result, Nimda compromised only 10% of desktops and 5% of servers." MacLeod says. The Nimda attack has been the only successful one, and the damage was greatly reduced.
The ability of Counterpane to analyze the Regence Group systems, determine what threats are of concern and what are false alarms has been clearly demonstrated. In the fourth quarter of 2001 over 145,000 possible security incidents occurred. Most of these potential violations were the result of noise over the system. Counterpane was able to determine that only about 200 warranted action by the Regence Group.
There has been a marked decrease in potential violations in the first two quarters of 2002. MacLeod credits Counterpane with this. "With Counterpane we are able to monitor and respond to incidents. We are able to close off targets of opportunity. The incidents are dropping as we have fewer things exposed." In the last six months there have only been 121,000 incidents and only 50 were suspicious enough to warrant further investigation. "We credit that to Counterpane in helping us identifying things that need to be fixed." MacLeod says.
The expertise of Counterpane has enabled MacLeod to efficiently maintain security with a reduced staff. "I only need three people in my compliance monitoring section because of the way that Counterpane has filtered this for us. If I didn't have Counterpane I would obviously need more than three folks."
Outsourcing Adds Cost Efficiency, Expertise and Objectivity
Carey adds that there "Has been a shortage of IT professionals specializing in security. It is challenging to find experienced IT security professionals. Using an outsourcing provider leverages expertise, augments in-house staff, and reduces the significant capital investment. The economics make sense for the outsourcing model and they can do it more efficiently than in-house."
Hunt notes that, "You have to be concerned about checks and balances, conflicts of interest. You don't want the company managing your firewall to perform vulnerability or penetrations testing. If they find weaknesses they are tempted not to report them. Outsourcing when done properly is the best way of building a coherent security architecture."
The capabilities of Counterpane are clearly demonstrated by a recent incident imparted by MacLeod. "On June 27th we had an attack on one of our web sites. Counterpane identified it, told us what they were trying to take advantage of and repelled the attack. They were able to identify that the attack came from the fifteenth building of the first district in Beijing, China."
Lessons from the Outsourcing Journal:
- Outsourcing provides expertise in security for enterprises with sensitive needs and diverse IT infrastructure.
- Outsourcing quickly enables organizations to successfully deal with serious threats.
- Outsourcing improves IT security defenses.