    Managed Security Deals Leave Networks Vulnerable

    By eWEEK EDITORS - July 9, 2001

      Companies are increasingly turning over the keys to their e-businesses to security professionals, who often lack the expertise or personnel to operate them safely.

      Hiring security providers to protect corporate networks and the critical data those networks contain is a growing trend, but the companies providing such services are unregulated and not subject to industry certification.

      “There’s a lot of chewing gum and duct tape providers out there that could potentially be causing you more harm than good,” said Elad Yoran, co-founder and chief financial officer of Riptech, one of the largest independent security providers. “There’s a lot of companies jumping into this business, and not all of them really know what they’re doing.”

      Managed security service providers (MSSPs) are hired to monitor and manage a variety of network components, such as firewalls, intrusion detection systems, anti-virus programs, and Web and e-commerce servers. Revenue from these services is expected to swell from $315 million last year to more than $1.8 billion in 2005, according to The Yankee Group.

      Some businesses see managed security as a cheaper way to secure their operations, paying a monthly fee instead of dishing out hundreds of thousands of dollars up front for hardware and software, and hiring their own people to run it.

      As a result, businesses seeking the cheapest providers often get what they pay for. Experts in the field say it’s not uncommon to find that the provider and customer have different ideas about what is supposed to be provided.

      “We have tested [MSSPs] who were supposed to have security measures in place for their customers and they didn’t,” said David Gehringer, senior product manager at Mercury Interactive, which provides security testing for organizations.

      In one case, the service provider had botched the firewall configuration and in another it was charging the customer for services it wasn’t even providing, Gehringer said. And when problems crop up, there’s not much recourse. One I-manager found this out the hard way.

      “The server that our managed security provider was hosting was hacked into,” said an information systems manager at a major international airline, who asked not to be identified. “They suggested we improve our surveillance tactics.”

      As a result, the airline had to shut down the system — a part of its Web site operations — for two days, as a precautionary measure to plug any holes before it was brought back online.

      The I-manager found out only after this serious problem that his MSSP’s version of managed security was browsing his Web site every 15 minutes to make sure it was still operational.

      “We were very angry, disillusioned and threatened to sue,” he said. “Why weren’t they protecting our systems? We didn’t hire this firm to allow for this to happen.”

      Little Recourse

      Aside from suing or complaining to regulators, there’s little recourse for a company that’s hired a poor security provider. The situation isn’t unlike that of the rest of the Internet services industry, where regulators have focused more on political issues, such as content filtering, than on business issues, such as service disputes.

      Since there are few watchdog groups to assess the new managed security industry, the scope of the problem is hard to measure. But one way businesses can figure out their vulnerability is to hire a testing company to see how well their security providers are performing. Such testing uses a combination of software and “ethical hacking” to analyze a company’s security.

      Gehringer said that more and more, he has been put in the “uncomfortable” position of testing the security infrastructure of a company that’s already being hosted by a managed security provider.

      “Sometimes, the customers are suspicious or don’t trust them,” Gehringer said. “But that brings up a touchy issue,” because if the service provider is doing its job, it will be monitoring to detect intrusions and will be alerted when the testers begin poking around.

      One reason that customers are not getting the services they think they should comes down to money.

      “Managed security providers want to sell you something they think you’re going to buy,” said Karen Worstell, president and CEO of AtomicTangerine, which offers an MSSP service. “So they’ll price it in a way that’s attractive, but they can’t afford then to offer the services you really need.”

      The burgeoning number of providers that have set themselves up to provide managed security has a wide range of qualifications. Some are solely managed security companies, such as Riptech; some are hosting companies that have moved into security, such as Exodus Communications; and some are software companies, such as Symantec, that also provide a hosting service using their security tools.

      Since so many service providers have seen the revenue potential in offering a security solution, increasing price pressure has hit the industry, said Andrew Schroepfer, president of Tier 1 Research.

      “The trend happened when everyone was building these data centers, and you tried to be capital-efficient and you had to sell something,” Schroepfer said. “And then managed security came along. Now there’s pricing pressure, because there are so many services on the market.”

      Data hosting provider Verio made a bold announcement in April, when officials said they partnered with Riptech to provide customers managed security — because they didn’t believe they were qualified to do so.

      That was the reason Bob Fetterman, president and CEO of iDashes, a 15-person performance management software company, went with the Verio/Riptech solution. “If your service provider was doing something they weren’t supposed to be doing, would they tell you? Probably not,” Fetterman said. “Whereas Riptech is a third party, so we can see all the things scanned on Verio’s network . . . and that makes us feel a lot better than having it integrated in one service provider.”

      The problems that exist between an MSSP and the customer stem less often from negligence than from miscommunication between the two parties.

      Sometimes the translation doesn’t compute when I-managers, who are admittedly not security experts, try to tell security experts what they want.

      “People don’t know how to ask for what they need,” AtomicTangerine’s Worstell said.

      For example, a company may want an MSSP to manage its firewall, but there are many variables to managing a firewall — such as proper configuration, applying the latest patches, ensuring availability and stability, and, most valuable, monitoring the traffic that hits the firewall, either in real-time or through daily reports.

      Such misunderstandings can be most dangerous because they can lead a company to believe it is secure, and “a false sense of security is worse than knowing you’re not secure,” Riptech’s Yoran said.
