Managed security leaves some networks vulnerable

Managed security service providers (MSSPs) may be the way to go to monitor and manage your network components, but make sure you see eye-to eye first.

Companies are increasingly turning over the keys to their e-businesses to security professionals, who often lack the expertise or personnel to operate them safely.

Hiring security providers to protect corporate networks and the critical data those networks contain is a growing trend, but the companies providing such services are unregulated and not subject to industry certification.

"There's a lot of chewing gum and duct tape providers out there that could potentially be causing you more harm than good," said Elad Yoran, co-founder and chief financial officer of Riptech, one of the largest independent security providers. "There's a lot of companies jumping into this business, and not all of them really know what they're doing."


Managed security service providers (MSSPs) are hired to monitor and manage a variety of network components, such as firewalls, intrusion detection systems, anti-virus programs, and Web and e-commerce servers. Revenue from these services is expected to swell from $315 million last year to more than $1.8 billion in 2005, according to The Yankee Group.

Some businesses see managed security as a cheaper way to secure their operations, paying a monthly fee instead of dishing out hundreds of thousands of dollars up front for hardware and software, and hiring their own people to run it.

As a result, businesses seeking the cheapest providers often get what they pay for. Experts in the field say it's not uncommon to find that the provider and customer have different ideas about what is supposed to be provided.

"We have tested [MSSPs] who were supposed to have security measures in place for their customers and they didn't," said David Gehringer, senior product manager at Mercury Interactive, which provides security testing for organizations.

In one case, the service provider had botched the firewall configuration and in another it was charging the customer for services it wasn't even providing, Gehringer said. And when problems crop up, there's not much recourse. One I-manager found this out the hard way.

"The server that our managed security provider was hosting was hacked into," said an information systems manager at a major international airline, who asked not to be identified. "They suggested we improve our surveillance tactics."

As a result, the airline had to shut down the system - a part of its Web site operations - for two days, as a precautionary measure to plug any holes before it was brought back online.

The I-manager found out only after this serious problem that his MSSP's version of managed security was browsing his Web site every 15 minutes to make sure it was still operational.

"We were very angry, disillusioned and threatened to sue," he said. "Why weren't they protecting our systems? We didn't hire this firm to allow for this to happen."

Aside from suing or complaining to regulators, there's little recourse for a company that's hired a poor security provider. The situation isn't unlike that of the rest of the Internet services industry, where regulators have focused more on political issues, such as content filtering, than on business issues, such as service disputes.

Since there are few watchdog groups to assess the new managed security industry, the scope of the problem is hard to measure. But one way businesses can figure out their vulnerability is to hire a testing company to see how well their security providers are performing. Such testing uses a combination of software and "ethical hacking" to analyze a company's security.

Gehringer said that more and more, he has been put in the "uncomfortable" position of testing the security infrastructure of a company that's already being hosted by a managed security provider.

"Sometimes, the customers are suspicious or don't trust them," Gehringer said. "But that brings up a touchy issue," because if the service provider is doing its job, it will be monitoring to detect intrusions and will be alerted when the testers begin poking around.

One reason that customers are not getting the services they think they should comes down to money.

"Managed security providers want to sell you something they think you're going to buy," said Karen Worstell, president and CEO of AtomicTangerine, which offers an MSSP service. "So they'll price it in a way that's attractive, but they can't afford then to offer the services you really need."

The burgeoning number of providers that have set themselves up to provide managed security has a wide range of qualifications. Some are solely managed security companies, such as Riptech; some are hosting companies that have moved into security, such as Exodus Communications; and some are software companies, such as Symantec, that also provide a hosting service using their security tools.

Since so many service providers have seen the revenue potential in offering a security solution, increasing price pressure has hit the industry, said Andrew Schroepfer, president of Tier 1 Research.

"The trend happened when everyone was building these data centers, and you tried to be capital-efficient and you had to sell something," Schroepfer said. "And then managed security came along. Now there's pricing pressure, because there are so many services on the market."

Data hosting provider Verio made a bold announcement in April, when officials said they partnered with Riptech to provide customers managed security - because they didn't believe they were qualified to do so.

That was the reason Bob Fetterman, president and CEO of iDashes, a 15-person performance management software company, went with the Verio/Riptech solution. "If your service provider was doing something they weren't supposed to be doing, would they tell you? Probably not," Fetterman said. "Whereas Riptech is a third party, so we can see all the things scanned on Verio's network . . . and that makes us feel a lot better than having it integrated in one service provider."

The problems that exist between an MSSP and the customer stem less often from negligence than from miscommunication between the two parties.

Sometimes the translation doesn't compute when I-managers, who are admittedly not security experts, try to tell security experts what they want.

"People don't know how to ask for what they need," AtomicTangerine's Worstell said.

For example, a company may want an MSSP to manage its firewall, but there are many variables to managing a firewall - such as proper configuration, applying the latest patches, ensuring availability and stability, and, most valuable, monitoring the traffic that hits the firewall, either in real-time or through daily reports.

Such misunderstandings can be most dangerous because they can lead a company to believe it is secure, and "a false sense of security is worse than knowing you're not secure," Riptech's Yoran said.