IT managers besieged by hackers and viruses are waving the white flag, and a new wave of managed security providers --dozens of them --are ready to pounce on the opportunity.
Their main target: administrators such as the one at a Boston financial institution whose network was brought down for several hours last week by one of the newest virus strains, Life Stage. "This is proving to be a pain," said the administrator, who requested anonymity. "You can't keep up. Something has to happen."
Life Stages was just the latest security headache in a week that also saw Nike's Web site brought down by political activist hackers and America Online customer service accounts compromised by a Trojan horse.
Overwhelmed by such security threats and facing an endless IT labour crunch, companies increasingly are turning to outside vendors to monitor, manage and respond to security breaches.
"Security's a large problem that oftentimes even large organisations don't have the resources to deal with," said Roy Thetford, CEO of one of the newest companies specialising in intrusion detection and response, a startup called Schwoo.com.
"The reason you do managed security services is because security is complex, difficult and distasteful," said Bruce Schneier, a cryptographer and the founder of Counterpane Internet Security, a security services company. Schneier will chair the eWeek/DCI Web Security Summit in Boston this week. "It's hard to build, hard to train and hard to find expertise."
While this new brand of service provider --the managed security provider, or MSP --presents fresh options to besieged IT staffs, the glut of offerings also poses new issues. Which one to choose? Who's trustworthy? And what to do with existing security infrastructures?
Many MSPs started in the software business and so offer services that coexist with their legacy, such as public-key infrastructure vendors that manage certificate authorities.
Others, such as Schneier's Counterpane, focus on 24-by-7 monitoring of networks for malicious or careless activity. RSA Security and myCIO.com centre their service on auditing and assessing networks, then offer subscription services that employ their software.
Software companies including Cyber Safe and Symantec, meanwhile, are re-engineering their products to work as hosted applications. This week, Netlock Technologies will announce Netlock Version 3.0, and Zone Labs will announce a partnership with a major Internet service provider to host and deploy its ZoneAlarm intrusion detection software.
At the same time, service companies such as Ernst & Young are cobbling security software together with services. E&Y last week launched a portal site called eSecurityOnline.com.
Schwoo, a startup comprising self-proclaimed "Carnegie Mellon University code geeks," is developing software that applies new techniques for detection and automatic response to security breaches. But Thetford said his company won't sell the software; instead, it will offer a managed service, packaging the software with education and methodology expertise.
"A managed service allows us to protect the algorithms and, on the fly, modify our detection response," he said. "The software is locked away in our operations center. You can't buy it or download it and reverse-engineer it. It takes away some of the hacker's advantage."
Still other vendors are wrapping managed security into bigger managed services. Aventail, for example, is offering security as part of its business-to-business commerce offering, while Critical Path is doing the same as part of its hosted messaging solution.
Some users, while open to exploring these new security services, remain wary. No matter how frustrated by security headaches, many IT managers say outsourced security services raise questions about legal liability, trust and dealing with legacy security inside the enterprise.
"There's a future for managed security, but I am dubious," said Jeff Uslan, manager of security at 20th Century Fox. "One of the reasons is many of these companies have something to sell. If I ask for help, that's what I want, help. An assessment. I don't want their software."
Counterpane's Schneier believes that, in the face of increasing security threats and lack of IT talent, those concerns will erode and managed security will become part of a basic IT strategy.
"Some will at first say security is core and you have to keep it in-house, but that's bogus," he said. "You want to move money around, you give it to the armored car driver, the guy that's done it 2,000 times before. Every bank in the country uses another company to ship its money around. That's core."
