Information Security News mailing list archives

Managed Security Deals Leave Networks Vulnerable


From: InfoSec News <isn () c4i org>
Date: Wed, 11 Jul 2001 02:14:08 -0500 (CDT)

http://www.zdnet.com/intweek/stories/news/0,4164,2783136,00.html

By Brian Ploskina
Interactive Week
July 9, 2001

Companies are increasingly turning over the keys to their e-businesses
to security professionals, who often lack the expertise or personnel
to operate them safely.

Hiring security providers to protect corporate networks and the
critical data those networks contain is a growing trend, but the
companies providing such services are unregulated and not subject to
industry certification.

"There's a lot of chewing gum and duct tape providers out there that
could potentially be causing you more harm than good," said Elad
Yoran, co-founder and chief financial officer of Riptech, one of the
largest independent security providers. "There's a lot of companies
jumping into this business, and not all of them really know what
they're doing."

Managed security service providers (MSSPs) are hired to monitor and
manage a variety of network components, such as firewalls, intrusion
detection systems, anti-virus programs, and Web and e-commerce
servers. Revenue from these services is expected to swell from $315
million last year to more than $1.8 billion in 2005, according to The
Yankee Group.

Some businesses see managed security as a cheaper way to secure their
operations, paying a monthly fee instead of dishing out hundreds of
thousands of dollars up front for hardware and software, and hiring
their own people to run it.

As a result, businesses seeking the cheapest providers often get what
they pay for. Experts in the field say it's not uncommon to find that
the provider and customer have different ideas about what is supposed
to be provided.

"We have tested [MSSPs] who were supposed to have security measures in
place for their customers and they didn't," said David Gehringer,
senior product manager at Mercury Interactive, which provides security
testing for organizations.

In one case, the service provider had botched the firewall
configuration and in another it was charging the customer for services
it wasn't even providing, Gehringer said. And when problems crop up,
there's not much recourse. One I-manager found this out the hard way.

"The server that our managed security provider was hosting was hacked
into," said an information systems manager at a major international
airline, who asked not to be identified. "They suggested we improve
our surveillance tactics."

As a result, the airline had to shut down the system - a part of its
Web site operations - for two days, as a precautionary measure to plug
any holes before it was brought back online.

The I-manager found out only after this serious problem that his
MSSP's version of managed security was browsing his Web site every 15
minutes to make sure it was still operational.

"We were very angry, disillusioned and threatened to sue," he said.
"Why weren't they protecting our systems? We didn't hire this firm to
allow for this to happen."

Little Recourse

Aside from suing or complaining to regulators, there's little recourse
for a company that's hired a poor security provider. The situation
isn't unlike that of the rest of the Internet services industry, where
regulators have focused more on political issues, such as content
filtering, than on business issues, such as service disputes.

Since there are few watchdog groups to assess the new managed security
industry, the scope of the problem is hard to measure. But one way
businesses can figure out their vulnerability is to hire a testing
company to see how well their security providers are performing. Such
testing uses a combination of software and "ethical hacking" to
analyze a company's security.

Gehringer said that more and more, he has been put in the
"uncomfortable" position of testing the security infrastructure of a
company that's already being hosted by a managed security provider.

"Sometimes, the customers are suspicious or don't trust them,"
Gehringer said. "But that brings up a touchy issue," because if the
service provider is doing its job, it will be monitoring to detect
intrusions and will be alerted when the testers begin poking around.

One reason that customers are not getting the services they think they
should comes down to money.

"Managed security providers want to sell you something they think
you're going to buy," said Karen Worstell, president and CEO of
AtomicTangerine, which offers an MSSP service. "So they'll price it in
a way that's attractive, but they can't afford then to offer the
services you really need."

The burgeoning ranks of providers that have set themselves up to
offer managed security span a wide range of qualifications. Some are
solely managed security companies, such as Riptech; some are hosting
companies that have moved into security, such as Exodus
Communications; and some are software companies, such as Symantec,
that also provide a hosting service using their security tools.

Since so many service providers have seen the revenue potential in
offering a security solution, increasing price pressure has hit the
industry, said Andrew Schroepfer, president of Tier 1 Research.

"The trend happened when everyone was building these data centers, and
you tried to be capital-efficient and you had to sell something,"
Schroepfer said. "And then managed security came along. Now there's
pricing pressure, because there are so many services on the market."

Data hosting provider Verio made a bold announcement in April, when
officials said they partnered with Riptech to provide customers
managed security - because they didn't believe they were qualified to
do so.

That was the reason Bob Fetterman, president and CEO of iDashes, a
15-person performance management software company, went with the
Verio/Riptech solution. "If your service provider was doing something
they weren't supposed to be doing, would they tell you? Probably not,"
Fetterman said. "Whereas Riptech is a third party, so we can see all
the things scanned on Verio's network . . . and that makes us feel a
lot better than having it integrated in one service provider."

The problems that exist between an MSSP and the customer stem less
often from negligence than from miscommunication between the two
parties.

Sometimes the message gets lost in translation when I-managers, who
are admittedly not security experts, try to tell security experts what
they want.

"People don't know how to ask for what they need," AtomicTangerine's
Worstell said.

For example, a company may want an MSSP to manage its firewall, but
there are many variables to managing a firewall - such as proper
configuration, applying the latest patches, ensuring availability and
stability, and, most valuable, monitoring the traffic that hits the
firewall, either in real-time or through daily reports.

Such misunderstandings can be most dangerous because they can lead a
company to believe it is secure, and "a false sense of security is
worse than knowing you're not secure," Riptech's Yoran said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.