Sizing Up Security Services

[William Knowles <wk () C4I ORG>]

http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-90_STO54345,00.html

By DEBORAH RADCLIFF
November 27, 2000

You hire a security consulting firm that analyzes your network. On his
way out, the auditor leaves you to grapple with an 800-page report
listing your network's 60,000 vulnerabilities. "Sound familiar?" asked
Alan Paller, research director of the SANS Institute in Bethesda, Md.,
as he addressed 300 information security managers and executive
officers at a recent security conference. The room erupted with
laughter as the group of IT professionals collectively nodded their
heads in agreement.

Despite such negative sentiments, IT departments need security
services vendors, given the short supply of IT security professionals
and the high demand for such services.

Unfortunately, not all service providers are created equal, and the
differences are most obvious between the small, independent consulting
firms and the Big Five's security consulting divisions. Both groups
boast some of the brightest security talent around. But the
differences in their areas of practice, styles and methodologies are
often like night and day.

Just how does an IT shop find a security consulting firm that's the
right fit? First and foremost, it's about aligning business strategies
and technology project needs with service offerings, but it's also
about relationships, IT managers say.

Requirements Come First

Before entering into any vendor relationship, IT departments need to
define their business requirements, which will determine the service
levels required, says Jerry Dixon, director of information security at
$17.7 billion Marriott International Inc. in Bethesda, Md. "Scope and
time line will also drive your decision," he adds.

Because of the varying size and scope of technical security projects,
Marriott uses a combination of service providers. It uses mostly Big
Five consulting firms to augment security work during project
development. And when it's already working with a large firm to
analyze and assist in a new product launch (for example, a new human
resources application), Marriott looks first to that vendor to develop
the security strategy and technology infrastructure.

This makes for better continuity, Dixon explains, because the vendor
already knows the business and may have developed a standard set of
methodologies it can use across the organization. And there's "less
finger-pointing" if something goes wrong, adds J.R. Williamson,
Marriott's vice president of end-user technologies.

Dixon says he also worries about hidden agendas on the part of the Big
Five and other large consulting houses, particularly when it comes to
recommending security vendor tools. "A lot of times, the Big Five are
resellers for specific products, so their bias may not serve us
well," he explains.

During his ongoing search for a security consulting firm to assist
with new health care patient privacy regulations, Kenneth Cole, MIS
director at Sun Healthcare Systems Inc., says he's run into firms of
all sizes with agendas to sell certain point products.

"These firms will limit their focus on you because they're only
focused on their software," Cole warns.

True, the Big Five and large consulting firms do set alliances with
vendors like San Jose-based Cisco Systems Inc., says Ariel
Silverstone, senior manager of security solutions at McLean, Va.-based
KPMG Consulting LLC, a division of Amsterdam-based KPMG
International. But KPMG doesn't require that clients use these
products.

"We have created a preferred-vendor list, but that's only based on
those vendors' technical merits," Silverstone says. "We do deviate
from this list if a customer asks for a specific vendor."

Strategists vs. Specialists

Dixon insists that Big Five firms are well-suited to overall security
strategies, architectural analysis and other "big-picture work." But
when it comes to security assessments or highly specialized work like
installing a firewall, he calls on the smaller firms.

"Some of the smaller firms have quite a bit of background in security
research - something Big Five firms don't have time for," Dixon
says. "And the smaller firms use a lot of custom assessment tools you
typically can't find at the Big Five firms. We've had much better
success with small security organizations in these areas."

Williamson adds that he's been witness to Big Five-delivered
boilerplate assessments that turn up those 60,000 vulnerabilities,
providing little or no help in addressing the problems. The smaller
firms are more intuitive about what really needs fixing and what
doesn't, he says. "Will the larger security company give me an
800-page report that drops the name of their last client and puts your
name in the blank? Absolutely," Williamson says.

But Silverstone disagrees. "We do not just give a list of security
holes. We give a list of holes, followed by mitigation policy,
followed by suggestions on repeated testing," he says. "We also have a
severity rating system. When a vulnerability gets to, say, 8 on the
Richter scale, we will even stop the project, call the customer and
tell them it needs fixing right away."

Silverstone adds that security assessments are KPMG's most
sought-after security services, providing KPMG the baseline for all
other security services, including penetration tests (attempted
attacks on the network to find vulnerabilities), security architecture
design, managed services, strategic planning and forensics.

Nonetheless, the IT managers interviewed for this story say the
smaller players are more technologically adept at assessment services,
in addition to being cheaper.

Michael Morris, IT director at Boston-based Wolf, Greenfield & Sacks
PC, uses small vendors to conduct assessments and implement point
products. But his 60-attorney firm doesn't have deep pockets. So aside
from the lower hourly wage for consultants with a small vendor - $200
to $250 per hour, vs. $300 to $450 per hour at larger firms - he also
leverages his vendor's vertical-industry experience to set the
appropriate security controls and help spread the security gospel to
Wolf, Greenfield & Sacks' partners.

"Because we're in the area of intellectual property law, we have
different touch points for security. We can't just build an average
firewall with medium security settings," says Morris. "Our vendor
[Jerboa Inc. in Cambridge, Mass.] also helped us a couple years ago
with a point-to-point encryption program. We actually got PGP
[encryption software] to the point where any of our 60 attorneys can
use it without too much pain."

Keep Out the Cowboys

Morris warns of potential trade-offs in quality of service when using
smaller firms. "There are a lot of young bucks coming out of college
who aren't very well-directed, so they're not learning good business
habits, and they run around like cowboys, without any proven
practices," he explains. "That doesn't go over well in our industry,
because we have so many methodologies in place to protect our client
confidentiality."

Many times, Jerboa consultants have had to clean up messes created by
such "Rambo" consultants, adds Ian Poynter, the company's
founder. "Let's face it. The problem with hiring a small firm is
everybody's now a security consultant. We ran into one of these the
other day, where a person was trying to break into systems to drum up
business," he says.

So check references, conduct background checks if the vendor company
doesn't have them readily available and look for several years of both
technical and vertical-industry experience when choosing a small
vendor, Poynter advises.

The Final Choice

While large services firms may have less flexibility to work
creatively than smaller firms, they do offer technical practices and
methodologies that are important to specific businesses and vertical
industries.

But no matter what size company your organization is considering, look
for vendors that deliver forward-thinking solutions to technical
security problems, says Marriott's Dixon. For example, he says he's
been seeing more security services vendors working on scalable
security systems at the architectural level - something Jerboa and
KPMG have been preaching for two years.

"Vendors are following a lot of new security standards and
methodologies, like the Common Criteria," which is a National
Institute of Standards and Technology-sponsored security evaluation
program for vendor products, as well as British security standard
7799, which has been proposed as International Standards Organization
standard 17799, Dixon says. "The good news is the quality of
consulting services has gotten a lot better in the last three years."


[Sidebar notes in the above article:  -WK]

Tips for Choosing a Security Services Vendor...

1. Know your technical and business objectives up front.

2. If the security work relates to a larger technology project, look
first to the vendor supporting that project for security services.

3. Know what you're getting. Users complain that some security
assessments are simply boilerplate reports that list thousands of
deficiencies but provide little direction on how to address them.

4. Watch out for hidden agendas. Ask about vendor relationships that
might influence product recommendations.

5. Look for deep expertise in your company's vertical market.

6. Consider vendors with at least three years of experience - and
check references.

7. Ask for vendor accreditations and certifications in networking
elements, security and auditing.

8. Check consultant staff references to keep "gray-hat" hackers out of
production IT environments.

9. Consider background checks and financial viability checks for
smaller firms.

10. Watch out for "Rambo" consultancies that have lots of technical
knowledge but little understanding of methodologies or business
practices



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".