
Managing security mayhem--time to outsource?

Too many risks, too many alarms--it can be an unmanageable headache. Charles Johnson of Symantec talks about the disappearing perimeter, and how his company's managed security service helps foil attacks.
Written by Eric Butterfield, Contributor
Charles Johnson
VP of security services
Symantec

Innumerable intrusion alarms, rogue remote workers, untamed wireless access. It can all add up to a big, unmanageable mess.

That's why Charles Johnson, Symantec's VP of security services, is on a mission to expand his company's managed security services (MSS) business. And for good reason: By 2005, Gartner expects 60 percent of enterprises to outsource some form of perimeter security monitoring.

Symantec acquired its place in the MSS market by gobbling up MSS early birds, most recently Riptech. High rates of consolidation are expected in the managed security market through late 2003. Johnson told TechUpdate why Symantec sees a big future in managed security services, how it helps companies respond to attacks, and why traditional infrastructure management doesn't cut the mustard.

How does Symantec plan to distinguish itself from other managed security providers?
From one of the original players in the managed security services market, we inherited a good client base to work from, and of course just expanded it from there.

The biggest issue we saw with managed security services was clients wanted to outsource but needed confidence that someone was big enough with deep enough pockets and enough longevity in the business to know that they're going to be there for the life of that contract.

So when Symantec bought Axent, that started to formulate a good player that CIOs could see as a reasonable player. And then once we bought Riptech, that was, "OK, that is a billion-dollar player in the business, has formidable resources behind them, has a global network of security operations centers, and has cutting-edge technology that's not like anyone else's." So the ability to scale and correlate data, and look backwards, and trending, and tell you not only what is happening today with your network, but to look back at the past and say, "Let me tell you what has happened over the last six months and what you need to do about it"--that has been the differentiator we've seen most.

Being a software vendor, is that in any way a disadvantage in that you might have to convince potential services clients that you're really vendor-agnostic?
The Axent services arm was always agnostic, so it had a relationship with Checkpoint and Cisco and ISS and the major players. Symantec continues that. In fact, almost 70 percent of what we manage in security operations centers today is non-Symantec product.

I don't know of any other vendor that actually does it. We actually go into the client, look at that heterogeneous environment, and our comment back to the client is, "If you're comfortable with the quality of the products you picked, the network you're running it on, and the services they're giving you, we'll take that over and manage it for you as a seamless extension of your staff." We keep 32 terabytes of data online--of client, vulnerability, and threat data--which we can use to do comparison analysis, for how you are doing against your peer group, how you are doing against the world at large, how you are doing in particular to your geographical area. And a lot of CIOs like that piece of it: "Tell me how I'm doing compared to my buddy down the street, so I can go tell the CEO, 'My report card is good.'"

In your literature, it says that a managed security service is "only truly effective when it fits unique and evolving business needs." When is a managed service better than just buying software and running it in-house? (In other words, is this an attempt to distinguish the MSS service without hurting your security software business?)
We actually differentiate the two. The services sits over there and it works with different vendors, including Symantec. That piece we kind of keep off and separate; whatever the client needs that makes sense for their business, their unique requirements, is what we actually do. We don't bring them in on the banner of some other vendor and then convert them to Symantec product. We don't do that.

What we're finding with most clients: They bought the software, they bought the firewalls, they bought the intrusion detection. And I think it's when they really started trying to do something with the intrusion detection data that they realized the magnitude of the problem was well beyond their skill set and well beyond the resources and time they wanted to put in to make it effective. So, it's like you've got ten thousand alarms going off, five of them are probably valid, two of them you really need to do something about--but you don't have the time or the resources to find what those five are and what the two really are. So you end up running like a chicken with his head cut off or doing nothing, which is what a lot of them did: put the software in there, it spits out alert data, and you don't respond because you don't know how to respond.

So when the managed security services start coming around, with viable large companies, then they said, "You know what? We need to become experts in what we do. Our core business is--whatever it is--but it's not security. So, we need to remain experts in our core business and dedicate our resources to that, and the resources we retain on the security side, let's get them where they're focused on getting the security architecture around the new e-commerce or business applications and processes we're going to put in place. And the remaining people, let's make sure they're experts so when our security management company calls, we're experts in responding and recovery in whatever the issue is."

What we expected was, the middle market was going to be the one that outsourced, and now we have fifty-five Fortune 500 [companies] as growing clients--and a lot of the major insurance companies. We [asked the insurance companies], "Why did you outsource?" They said, "We're masters of risk management. If I can share the risk with an expert and concentrate on insurance while you concentrate on how to mitigate my security risk, why wouldn't I do that?"

As those enterprises roll out more and more wireless networking to remote workers, how much more difficult will it be to secure those companies?
Orders of magnitude. I tell you, they rolled it out without asking the question, what is the impact going to be on my network? And I think they just thought like it was a calculator: I need to calculate these numbers [and vote]. They didn't realize when they bought up these little PDAs that they admitted real data, and that with the right device you can pick up that information.

One thing that's growing in our assessments: We go and we sit in the lobby; we let the little tool run. We can pick up wireless communications, and the clients are oblivious. I've got this little infrared port and I point it to the guy over here and I send him data. Well, who else did you send it to? They don't realize that just because you point it in a certain direction, that doesn't mean it didn't go in multiple directions and into multiple devices.

Wireless takes the word perimeter to a whole new level. At least when you were dealing with firewalls and a network, you could somewhat say, "The perimeter stops at our network." Then a year or so ago we realized, no, the perimeter stops at the client network because it's connected to our network. Now, there is no perimeter. It's the wild, wild west. So whether you're at the client level, the gateway level, or the server level, you've got to secure each one of those levels against the major threats and vulnerabilities that they export.

So with a managed security service, how much does your typical customer reduce its IT security staff, or do they redeploy their staff?
What we're seeing is that they're using them differently. They've always wanted to get into a proactive mode versus a reactive mode. The feedback we're hearing from staff members is, "Now they've got me working with the business unit; they're getting ready to roll out some sophisticated e-commerce app, and I'm doing the security architecture and testing it to make sure that once it goes online it doesn't put the network, the company, or the partners at risk."

The other thing we're hearing is, we're now able to take the time to refine our policies and really write a policy that deals with the client-server environment, not rely on that old mainframe policy we wrote twenty years ago, but security around RACF and ACF2.

And other ones we're seeing, they're spending more time on the fixes. They're taking in all this assessment data, and they've not had the staff or the time to actually go fix the things that were pointed out. Because as we provide data back to them, after what's happened, we'll say "OK, you've got somebody running this type of attack against your environment here. If this person happens to get past this gateway and get inside, what does your internal network look like?" In some cases, we actually manage it with the client, but in a lot of cases that's just too new a service--they're not taking advantage of that yet. So their greatest concern is, if you get past that gateway, is it free rein on the network without you being able to catch him and stop it? In a lot of cases, it is.

The focus is then on tightening up the outside perimeter, and it was kind of squishy in the middle. But if we tighten up the perimeter, we'll have time to fix the interior network. So now it's time to fix the interior network but the outside has disappeared--you can't really put your finger on it anymore.

In the case of an attack like you're describing, how exactly does your service work? Do Symantec personnel consult with the client's IT security staff? Who's actually performing duties to stop an intrusion?
In most cases, I would say both. We're sitting there doing the monitoring and the management, in a lot of cases, of both the intrusion detection and the firewall. And in some cases we have devices that interact with servers where we're managing the compliance of the security policy down to the server level, as far as the operating system, how it's configured, and those types of things.

So let's say we see an attack and it meets the criteria where they need to be alerted by phone. We believe they could be successful; you need to react now. You're usually calling their NOC, or you're calling the security person or whoever is on call that week to respond.

The sophisticated larger companies have a very good process in place for how to respond. Some less sophisticated companies will ask, "What do I need to do to deal with this?" You get them on the phone and you say, "Calm down, we need you to take these actions at the firewall level. We need you to take this action at the server level. You should notify these people in your organization to respond." And you actually walk through what they should do for incident response and recovery--if they don't have one in place. Sometimes they'll ask you, "If I have damage, will you send somebody out here within a business day to help us deal with this correctly?" We offer that service, not only directly, but also through our partners like PricewaterhouseCoopers and others.

How much consulting accompanies your service? Do you consult up-front, or on an as-needed basis?
The first consulting is done when you're trying to lay out the architecture around the business. Let's not just put sensors in, let's put sensors in the right places to protect the things and alert against the things you absolutely don't want to have happen.

Because the first thing they did was buy a bunch of intrusion detection and just stuck it everywhere, it was kind of like the car alarm going off in the parking lot. You're trying to figure out, is it my car or is it somebody else's car? The architecture piece has been sitting down and saying, where are your critical applications, where are your critical servers? Let's put the architecture around those pieces, let's manage it, and respond appropriately to the level of protection you want to afford that particular application or server.

What does a typical service level agreement with Symantec look like, and how does the pricing work?
We have standard service level agreements that we work from. We'll say, "You want a firewall? We make this many changes for you within a business day, we'll make so many for you in this many hours. If you want something above and beyond that, you talk to us and then we customize the contract."

For eighty percent of the clients, standard contracts work just fine. As you get into the Fortune 500, they do a lot of unique things and a lot of global operations. They have more sensitive and unique requirements. So in that case, it will add on. You have your basic price that goes to your standard service, and then, as they start to customize that service level agreement to meet their business needs.

Who do you see as main competitors for managed security services?
Probably, the big traditional players: the infrastructure management companies who come in and say, "I'll source your entire network and, oh, you want me to do security too? Well, we do that too." You know how that's played out. That's just the traditional EDSes and IBMs of the world.

As far as the niche players, we're seeing them losing a lot of traction. They're not able to keep up with the growth that the client's looking for, the financial ability that the clients are now demanding. These days you have a lot of companies coming out, and they say, "I've got twenty-five million in venture capital." Well, you're managing a hundred-million-dollar Web site. So having twenty-five million dollars in venture capital doesn't give that guy a warm fuzzy.

What we're increasingly hearing is, "We love that you do a billion bucks, we love that you have that kind of cash on hand, we love that if something goes wrong, two of us can share the responsibility with the shareholders in court."

So when you start segmenting the market like that, there just aren't that many players in that range…I think some of your niche players are seeing stuff around their technology. You know, "I sell you my technology, I manage my technology--no, I don't manage my competitors." As John Thompson puts it, "We feel so confident about managing our own technology, we even manage theirs as well."

Does your company use a managed security service? TalkBack below or e-mail us with your thoughts.
