Cultivating managed security

Outsourced security can ease administration headaches, but issues remain.

By Ellen Messmer
Network World, 06/10/02

Although outsourcing security is still a controversial subject, an increasing number of businesses are electing to turn over the round-the-clock monitoring of their intrusion-detection systems (IDS), firewalls and VPNs to outside firms known as managed security service providers (MSSP), which do the job remotely over the Internet or private lines.

Corporations often say the reason to outsource is the difficulty of finding trained personnel to hire for late-night shifts monitoring IDS and other security gear, or that in-house costs appear far higher than what MSSPs charge to perform the job.

Security managers who have outsourced security monitoring emphasize the need to establish close contact with the MSSP staff to respond quickly when security incidents, such as attempted break-ins, arise.

Boston's CareGroup Healthcare System, which operates a regional network in eastern Massachusetts for sharing of medical data, uses MSSP Counterpane Internet Security to monitor its perimeter and internal servers.

CareGroup CIO John Halamka said he faced the decision whether to outsource intrusion-detection monitoring more than a year ago when he purchased IDS equipment, which in this case was the RealSecure host- and network-based IDS from Internet Security Systems.

"I had a choice 18 months ago whether to require in-house staff to do it - and I estimated I would need five full-time engineers - or outsource it," Halamka says. "I decided to outsource it, and it costs less than half of what it would cost me to do it."

CareGroup faces continuous network attacks, some of which have been traced to the Massachusetts Institute of Technology, Halamka says. Responding to problems ranging from port scanning to break-ins and denial-of-service attacks requires close communication between Counterpane and CareGroup staff. "We really had to work together to get the right level of granularity on this," he says.

The CareGroup network operations center, which is open 24-7, works with Counterpane in a way that gives CareGroup immediate notification of real trouble, but saves the routine problems for daily e-mail reports. Although it's taken considerable effort, outsourcing security monitoring has worked well so far for CareGroup, which just renewed its contract with Counterpane for another 18 months.

At Chicago's Peoples Energy, vice president of IT services Will Evans says his company found it was far from easy to hire staff to conduct security monitoring. "You have to align yourself with someone for outsourced monitoring," says Evans, who began using Riptech last fall for perimeter monitoring.

Many say deciding whether to outsource security monitoring and which MSSP to choose is a challenge.

"Pitfalls abound in outsourced security services, not just in the U.S., but in Europe and Middle Eastern countries, too," says Stan Kiyota, chief IS security officer at Booz-Allen & Hamilton, whose global network spans 75 countries to serve 11,000 employees.

Kiyota said the big consultancies, such as Deloitte and Touche, are security "generalists" that may sign a contract for managed security but then have to go out and hire the expertise.

Kiyota says larger companies might be more financially stable, so there's less worry that they might go out of business suddenly, as Pilot Network Services did last year.

Smaller MSSPs, such as Counterpane, tend to be more candid about their strengths and shortcomings, Kiyota says. But the question for smaller MSSPs is whether they can meet the needs of a large global corporation.

Booz-Allen outsources its LAN password management and router management to Techtronics, and for a few years had a contract with a European-based MSSP, which Kiyota declined to name, to manage several Check Point Software VPN gateways for 100 offices around the world.

But Booz-Allen recently took back management of its VPN-based firewalls, in part because costs, at $50,000 per firewall-based VPN, seemed too high and in part because the company prefers to maintain that expertise in-house.

Kiyota says outsourcing security does not mean abdicating responsibility for security administration. And it requires the customer's IT and legal departments to draw up a contract with the MSSP to designate terms and liabilities.

This effort might well be at odds with the MSSPs whose "fine print in the contracts generally says they have no liabilities" for problems, including security breaches, that might be their fault, Kiyota says.

Kiyota advised starting small by letting a chosen MSSP provide just one or two management functions and seeing how that goes before committing more.

Choosing the right MSSP isn't easy. Services and pricing range from about $1,700 per month for simple firewall management to upwards of a million dollars for full-service management of antivirus, VPN, IDS and firewall monitoring both inside and outside the network.

Symantec, which operates a number of security operations centers around the world, says many of its customers, including the European arm of Xerox, have opted for a full-service plan that also involves having Symantec personnel at the corporate site.

Some MSSPs claim to be willing to monitor almost all vendors' security equipment, while others are limited to specific brands. Some will remotely "patrol" inside the network, while others restrict their services to perimeter firewall, IDS or antivirus protection.

According to IDC, the total MSSP market in the U.S. reached $859 million last year, with no clear market leader, although Electronic Data Systems, IBM, Counterpane, ISS and Symantec are among the better known. Some, such as Activis and Ubizen, are better known in Europe. Ubizen has established a foothold in the U.S. by opening a security operations center in Reston, Va.

"The market is still highly fragmented, with consolidation under way," says IDC analyst Allan Carey. That means smaller MSSPs likely will be bought out if they don't go under.

VeriSign bought Telenisus and its security operations center to get a foothold in the MSSP business.

There are dozens of firms hanging out the MSSP shingle: UUNET, Foundstone, Computer Associates, Genuity, Qualys, SAIC, Veritect, Guardent, TruSecure (which bought Three Pillars), SecureWorks and NetSolve are just a few. Each MSSP has its own list of what it will do for the customer.

Chicago's First American Bank and Charter Bank, of Wyandotte, Mich., use the NetSolve managed security service for firewalls and IDS.

"They require you to use a certain type of equipment," says Noel Lavasseur, executive vice president at First American. Both banks use the Cisco PIX firewall and IDS in lieu of other vendor products they had.

"NetSolve has access remotely and they always have control of the firewall and the monitoring," says Mark Parquette, assistant vice president of IS at Charter. "They do this for a monthly fee of about $1,000 for 24-7 monitoring. We get reports as often as we want. As a small bank, we don't have the staff to do this. It's a combination of price and confidence."