Pricing structures also left something to be desired. "When you negotiate an IDS [intrusion detection system] contract for outsourcing, you get people talking about event counts, and they put it together into a magic formula," said Hansen. He also said that the resulting number rarely matched the real value of the service. But it was during those outsourcing interviews that something clicked. Hansen noted that the vendors all relied heavily on technology, too. Their IT security success had less to do with savvy and alert technicians than it did with the technology used. Hansen began thinking about using the same technology with his team. In fact, many of the vendors he interviewed used OpenServices network IT management tools.Sonnenschein has used Security Threat Manager since Version 1.1, and the two companies are collaborating on installing Version 3.1 at the law firm. Security Threat Manager correlates Sonnenscheins 9 million daily security events and accurately identifies 20 or 30 events of interest, according to Hansen. From there, Sonnenscheins administrators need to investigate only about one to three events a day. "We reduced our incident response time from 24 hours to minutes," said Hansen. "We deal with an event as soon as it happens rather than look at a log." Best of all, Hansen was able to reduce the time that a security consultant was needed to assist his team, and he eliminated redundancies. That, in turn, cut costs by $213,000, which pleased Hansens bosses very much. Hansen admitted he will need to hire additional staff in the futureSonnenschein is still growing, after allbut the success with OpenService helped him delay the hiring process for nine months. Integrating Security Threat Manager 1.1 with Sonnenscheins multiple systems and expanding number of offices was no easy task. "When we first got OpenService, they were only built to handle a few systems," Hansen said. "We looked at our infrastructure, and we had to prioritize our implementation." Read more about OpenService here. Anti-virus security and patch management topped Sonnenscheins list of systems that required integration with Security Threat Manager. To Hansens delight, OpenService sent a technician to handle the integration. "We were changing our patch management, and they produced integration before we even got to it," said Hansen. "Their customer service is some of the best Ive ever worked with." Although the transition is complete, Hansen still talks to an OpenService sales engineer once a week to convey any concerns or discuss future challenges. "The only issue we really struggled with came when we performed an upgrade: There was a memory glitch," said Hansen. "Our Nokia [firewalls] locked up." Hansen doesnt blame the struggle with the Nokia equipment on OpenService, however. "It appeared to be an environment-specific/the-way-we-handled-the-deployment issue," he said. "You do the best you can to handle this, but as often as you plan, unforeseen problems come up." In the end, Hansen emphasizes that forgoing a third-party IT security vendor and using technology on the market is not for every organization or IT staff. "I know someone who uses [Security Threat Manager] as a replacement for Fusion, and OpenService is not Fusion," he said. "If all you care about is the correlation of data between one vendors products, its not a good fit. Our system is designed to link data from ... different products." IT security executives must know what theyre trying to accomplish from a business standpoint as well, said Hansen. "We wanted to reduce our monitoring costs," he said. "If you have several technologies, it might not be the right package for you. This is a longer-term investment." The risks to Sonnenscheins IT security and bottom line were great: incompatibilities, missed threats, unexpected costs. With sound planning by Hansen and his staff, and strong customer service and technology from OpenService, Sonnenschein met its goals: higher-quality threat detection at a lower price. Ira Apfel is a freelance writer in Bethesda, Md. He can be reached at firstname.lastname@example.org. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
"When we did an analysis, from a cost perspective and [in terms of] value to the organization, we found that the option of purchasing the technology cost us less in the long run than hiring a third party," said Hansen. "They were using a lot of the same products and then adding their own special software on top. If we purchased the same technology, we could depreciate the cost over time."