This story was printed from ZDNet Australia.
MSSPs: Protecting your network

By Josh Mehlman and Joan Wilbanks, Technology & Business magazine
February 26, 2002
URL: http://www.zdnet.com.au/news/security/soa/MSSPs-Protecting-your-network/0,130061744,120263475,00.htm




Security won't contribute much to your bottom line--until it fails. But who do you turn to if you can't afford a team of security specialists? ZDNet Australia examines the state of MSSPs in Australia: What MSSPs are, what they can do, and which ones you can trust.

We might argue about the price, performance, and availability of broadband in Australia, but there's no question it is more affordable and accessible than ever before.

When only multimillion-dollar corporations could afford high-speed connections, security issues were dealt with by large IT departments with an in-house contingent of network security specialists.

Today, many companies that can afford to sign up for broadband access can't afford a security specialist--some don't even have an IT department. But the security risks associated with a broadband always-on connection can affect even the smallest businesses.

Traditionally, Internet security solutions have assumed that the user would have (or have access to) a high level of technical expertise. This was indeed the case before advances in DSL and cable modem technology brought high-speed access to the masses.

Now that high-speed services are widely available, Internet security technologies are just as widely needed, yet there has been no corresponding reduction in the level of expert oversight they require.

With this in mind, companies of all sizes are increasingly turning to managed security service providers (MSSPs) to handle their security requirements.

Managed security is a booming business, with analysts predicting astronomical growth rates of up to 90 percent per annum in the next few years.

The key driver behind this growth is the shortage of qualified security staff, and consequently the very high salaries they draw, according to Ray McIntyre, channel sales manager at security software developer McAfee.

"It allows your IT staff to provide a platform for you to grow your business, while leaving the things that aren't profit generating--such as security--to the expert," he said.

"It's a form of outsourcing for people who realise they don't have those particular skills, but want to keep things in house. They may not want to outsource a whole department."

McIntyre points out that the total cost of ownership of security software and equipment is far greater than the initial purchase price.

"Taking the example of antivirus software, the cost of the software is about 20 percent of the TCO, when you think about training staff, installing the software, and reacting to emergencies. A security provider can spread that cost out over several customers, which means it ends up costing you less."

What can MSSPs do?


MSSPs can provide a variety of services, including firewalls, intrusion detection, VPNs, antivirus protection, and auditing of your security procedures.

Configuring a packet-filtering firewall is no activity for a novice. It requires a nuts-and-bolts understanding of internetwork communications, including protocols, ports, and sockets. And, because firewalls must keep pace with advances in network attack methods, they require frequent updates.

Packet filters are not foolproof either and are subject to IP spoofing attacks.

Some advanced firewalls now use stateful packet filtering, which tracks information across packets. This allows the context of each packet to be taken into account, thus making it easier to distinguish suspicious activity from legitimate network usage.
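The difference between the two approaches, as an added example that is not part of the original article: a per-packet rule that admits any inbound TCP packet with the ACK flag set, next to a filter that remembers which connections were opened from inside. The addresses, the `INSIDE` range and the sample packets are constructed, and the model is simplified (no interfaces, timeouts or sequence-number checks).

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport flags")
INSIDE = ip_network("10.0.0.0/24")  # constructed internal address range

def is_inside(addr):
    return ip_address(addr) in INSIDE

def stateless_allow(pkt):
    """Per-packet rule with no memory: outbound traffic is allowed, and
    inbound traffic is allowed if it merely looks like a reply (ACK set)."""
    if is_inside(pkt.src):
        return True
    return "A" in pkt.flags and is_inside(pkt.dst)

class StatefulFilter:
    """Tracks connections opened from inside and admits an inbound packet
    only when it belongs to one of them."""
    def __init__(self):
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        if is_inside(pkt.src):
            if pkt.flags == "S":  # a new outbound connection: remember it
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True  # simplification: all outbound traffic is allowed
        # Inbound: the reversed tuple must match a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

def compare(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S"),   # inside host opens a connection
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA"),  # genuine reply to it
    Packet("198.51.100.7", 80, "10.0.0.9", 40001, "A"),   # unsolicited packet with ACK set
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, "stateless:", stateless, "stateful:", stateful)
```

The third packet passes the per-packet rule because it carries the right flag, while the stateful filter drops it because no inside host ever opened that connection.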

Even with all this complexity, firewalls are not bulletproof and should be considered only the first line of defence.

Intrusion detection systems (IDSes) monitor network traffic for certain patterns of activity that could mean trouble and issue alerts when they find anything that varies from the norm. IDSes usually work by comparing the data that pass through to a database of predefined attack signatures.

The very fact that hackers try not to attract attention to themselves makes it difficult for the IDS to distinguish harmless activity from malicious intent, so IDSes often report false positives, but can also be susceptible to false negatives.

In addition, IDSes are essentially passive systems, although some more advanced IDSes are becoming more proactive in tracking intruders and distracting them from your essential systems.

For these reasons, IDSes need to be constantly supervised by experienced security staff, who can review the full context of the offending activity and determine whether or not concern is warranted.

While the benefits of a VPN are obvious--a secure connection to branch offices or business partners, or allowing staff to work from home--a VPN is also a door into your network.

The door might be deadlocked with encryption and authentication, but these measures are not impossible to get around. Again, expertise and supervision are required to make sure everything is in order.

One of the strongest security defences is devising, implementing, and enforcing a strong security policy. The need for policy is particularly pertinent when you consider that the majority of security breaches come from within--disgruntled employees (or ex-employees), or outsiders acting on information these employees provide.

Yet survey after survey has revealed a disturbing absence of security policies in IT departments. For example, a survey in September last year by outsourcing company CSC of North American companies with revenues of US$1 billion or greater revealed that 46 percent had no security policy in place.

Even fewer had programs to monitor compliance with these policies, or to measure the return on investment for their security expenditure.

A generally accepted figure around the industry is that 70 percent of all companies have not implemented a security policy. On the other hand, awareness of security is on the rise, so these figures might be a little out of date.

What's in it for me?

Keeping all this in mind, it's clear that if you're constantly connected to the Internet, you're also constantly connected to a wide variety of threats that require a great deal of expertise and investment to defend yourself against.

The benefits of an MSSP include:

  • The cost of the service is far less than hiring a full-time security expert, yet it can provide the technical know-how of a whole team of experts.

  • Network activity is monitored in real time 24 hours a day, not just during work hours.

  • The service can protect the internal network from unsecured VPN endpoints.

  • The firewall and IDS solutions are far more effective because they are managed and monitored by security pros; the customer should not have to solve security problems.

  • When an intrusion is detected, these pros can use the remote monitoring connection to determine whether the alarm is justified and to actually block the intruder's actions.

Insisting on 24-hour monitoring is essential to hiring an MSSP, according to Jeff Paine, principal consultant with security provider eSec. "Hackers don't respect business hours," he says.

"By using technology and expertise, managed service providers should be able to provide more comprehensive monitoring and management for lower cost than for the organisation to hire multiple specialists to work shifts around the clock (or incur the cost of developing their own systems)."

Number three combo with extra VPN


Different MSSPs provide a variety of services in varying combinations. Most will look after firewalls, VPNs, monitoring, intrusion detection, and reacting to emergencies. Some also include antivirus protection, and some offer only antivirus protection.

Some also provide security consulting services, which can be, but is not necessarily, a way to convince you to invest in their managed services.

"We position ourselves as a security provider that can look at the overall issues a business is facing," says Getronics national marketing manager for managed services, Peter King.

"Realistically, the security threat is wider than just IT. Part of our offering is an organisational review, because 70 percent of companies don't even know if they have a security policy, or who owns it, or how it's supposed to be implemented or changed."

Getronics provides a full organisational review that not only looks at a company's security policies but also compares what the policy says with how it's actually implemented. Getronics staff also interview the client's staff to gauge their understanding of the security policy.

"The second part is to set up an external scan of an organisation, to review the external security aspects to see where the weak points are," says King.

"Third point is an internal one, where we use people that might otherwise be called hackers to work inside the organisation and see what they can exploit."

After completing this review, Getronics will present a client with a full report of its findings.

"A lot of organisations will say 'thank you' and deal with it internally. Other organisations will ask us to help them implement it, and others will just store that information away and do nothing," he says.

"There's one state government organisation that already has an organisation doing their security services and using our services as an audit."

Who can you trust?

Although the number of MSSPs in Australia is relatively small, there are still a variety of different options available.

Choosing a provider is first and foremost about matching your requirements to the provider's expertise. Beyond this, there are some criteria you should view as essential.

Damian Thompson, general manager of MSSP Zento, says that a reliable provider must have:

  • At least 18 months' working capital to support operations

  • Dedicated 24 x 7 x 365 Security Operations Centre (SOC)

  • Technologically advanced and secure data centre infrastructure

  • Industry accredited and experienced IT security staff

  • Multi-vendor support

  • Service Level Agreements guaranteeing the delivery of managed services

"With the marketplace the way it is, this is not the time to have financial concerns about the company you're outsourcing your security to," he says.

McAfee's Ray McIntyre agrees. "You need your partners to be sound because you're in it for the long haul."

Having relationships with more than one vendor allows an MSSP to give customers a choice of services depending on their budget and requirements. "A lot of companies hitch their horse to one wagon," he says.

"Having multiple relationships, you're delivering much better value to the client because you're much more aware of what's going on in the marketplace," says Thompson.

"Some of the vendors such as Cisco and Nokia have very good software, but just relying on a single vendor's suite of software is a risk factor," adds Getronics' Peter King.

eSec's Jeff Paine says a good cue that an MSSP's staff are knowledgeable is if they are active contributors to security forums and symposiums.

"There are plenty of other considerations--the nutshell summary is that an organisation looking for an MSSP should try and compare the providers on a level playing field, and never assume anything about the service being provided," he adds.

"Ask the hard questions, and make sure the provider is capable and experienced. Organisations should be completely comfortable trusting the MSSP with their security before retaining their services."

Paine lists three more criteria:

  • Scalability: the managed service should be adaptable to a changing network without sacrificing security.

  • Seamless operation: it should not be intrusive on daily operations.

  • Simplicity: increased complexity is counterproductive; managed services should not increase complexity.

McIntyre agrees that MSSPs should be seen and not heard. "You need to make sure they're deploying the correct technology, they need to be able to push out emergency patches and the like over the Internet from their SOC. You don't want someone constantly in your office tinkering with your systems."

Reporting is also an important issue, according to King. "You need an MSP who's able to prove to you how they're looking after you. We place a big emphasis on reporting. We want to show them where they have flaws so they can go and repair them."


Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.