On the Patch Patrol

Motorola picks MSP Foundstone to protect its systems perimeter.

Like everyone, Motorola Inc. CIO Bill Boni was still struggling early this year with the security implications of 9/11 when the second shoe dropped: an alert from the CERT Coordination Center indicating serious vulnerabilities in Version 1 of SNMP. Unless organizations disabled the ubiquitous protocol or blocked external access to devices using SNMP services, they could be vulnerable to a variety of security breaches, including denial-of-service and unauthorized-privileged-access attacks, the CERT warning said.

For Boni, the alert was a wake-up call. With offices and IT operations in 47 countries and systems supporting roughly 1 million Internet addresses, Motorola simply didn't have in one place all the information Boni's team needed to identify which systems were exposed to the SNMP vulnerabilities. As a result, Boni's group didn't know how much risk Motorola faced from the SNMP problems or what kind of resources were needed to neutralize the threat.

"We realized what we needed was something like a virtual patrol service that we could use to keep an eye on our perimeter at all times and to spot vulnerabilities," said Boni, in Orlando, Fla. "Something like the old night watchman."

Staffing up internally or hiring consultants to create that kind of function would have been too expensive. Boni said Motorola had, from time to time, hired consultants to perform in-depth security risk analysis on isolated pieces of the company's IT infrastructure in connection with specific application deployment projects. "But the problem was that, because our perimeter is so huge, the cost of using consultants was prohibitive," said Boni. "It looked like we either were going to have to spend a lot more money or accept more risk." (For a case study of another company outsourcing security to an MSP (management service provider).

A third option satisfied both cost and security concerns: Motorola signed on with a security MSP, Foundstone Inc., of Mission Viejo, Calif., to provide a virtual patrol service.

Boni said the decision has enabled him and his staff to better distinguish which security alerts signify risks that must be addressed immediately. This has allowed Boni to shift more IT staffers from chasing alerts and patches to more productive tasks, "at a cost several times lower than what it would have been to hire consultants to do the same thing," he said.

Foundstone's Managed Vulnerability and Assessment Service uses a combination of automated systems and consultants to continuously monitor system and network vulnerabilities.

Tests include firewall and host diagnostic reviews, security policy analysis, and wireless security testing.

Foundstone also suggests security policy and organizational best practices to address vulnerabilities, as well as correct response levels for each detected vulnerability or alert.

Pricing of the service is based on company size and the number of IP addresses to be scanned. According to Foundstone, the cost for a small or medium-size company with about 128 in-use IP addresses would be $43,000 per year. The scanning software used by Foundstone, FoundScan 2.5, is also available as a licensed product. It would cost about $30,000 for a version supporting 128 IP addresses, according to the company.

Use of security managed service offerings such as Foundstone's is likely to become more common, experts say, as enterprises struggle to reconcile the need to fend off mounting numbers of security alerts and patches with static IT budgets. Many enterprises today are able to direct only about 10 percent of their IT spending to innovative activities such as creating applications, said Tom Pisello, CEO and co-founder of Alinean LLC, a company that analyzes return on IT investments.

"We'd estimate that, in the next couple of years, between 30 percent and 40 percent of enterprises will be outsourcing or using some form of MSP to develop security best practices," said Pisello, in Orlando.

Despite the savings that the MSP approach can represent, Pisello and other experts say IT managers would do well not to assume that a service provider can or should take over all of an enterprise's security scanning and response operations. Enterprises using security MSPs still need to put people and processes in place internally to manage the MSP and to physically respond to high-risk events that require immediate action.

After hiring Foundstone, Motorola revamped its internal operations, making a manager at each of its worldwide locations responsible for responding to high-priority security alerts. The company also developed an internal database that normalizes the information it gets from Foundstone and internally generated security alerts, determines the relative risks of each, and pushes information out to responsible managers in field offices.
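The normalize, score and route flow described above, as an added illustration that is not Motorola's or Foundstone's code; the two feed formats, site names, manager ids, scoring weights and threshold are all constructed assumptions:

```python
from dataclasses import dataclass

# Constructed sample inputs: two alert feeds with different field names,
# standing in for the MSP feed and internally generated alerts.
MSP_ALERTS = [
    {"ip": "10.1.0.5", "site": "Orlando", "issue": "SNMPv1 reachable from Internet",
     "severity": "high", "exploit_public": True},
    {"ip": "10.1.0.7", "site": "Orlando", "issue": "Banner discloses version",
     "severity": "low", "exploit_public": False},
]
INTERNAL_ALERTS = [
    {"host": "10.2.0.9", "location": "Bangalore", "title": "Missing vendor patch", "risk": 4},
    {"host": "10.2.0.3", "location": "Bangalore", "title": "Weak community string", "risk": 1},
]
SITE_MANAGERS = {"Orlando": "orl-sec-mgr", "Bangalore": "blr-sec-mgr"}  # hypothetical ids

IMMEDIATE_THRESHOLD = 7  # scores at or above this are pushed to the site manager now

@dataclass
class Alert:
    source: str
    host: str
    site: str
    title: str
    score: int  # common 1..10 scale after normalization

def normalize_msp(raw):
    """Map the MSP's severity word plus exploit flag onto the common scale."""
    base = {"high": 8, "medium": 5, "low": 2}[raw["severity"]]
    score = min(10, base + (2 if raw["exploit_public"] else 0))
    return Alert("msp", raw["ip"], raw["site"], raw["issue"], score)

def normalize_internal(raw):
    """Internal alerts carry a 1..5 risk; double it onto the common scale."""
    return Alert("internal", raw["host"], raw["location"], raw["title"], raw["risk"] * 2)

def triage(msp, internal):
    """Return ({manager: [alerts needing immediate action]}, backlog list)."""
    alerts = [normalize_msp(a) for a in msp] + [normalize_internal(a) for a in internal]
    alerts.sort(key=lambda a: a.score, reverse=True)  # stable: ties keep feed order
    immediate, backlog = {}, []
    for a in alerts:
        if a.score >= IMMEDIATE_THRESHOLD:
            immediate.setdefault(SITE_MANAGERS[a.site], []).append(a)
        else:
            backlog.append(a)
    return immediate, backlog

if __name__ == "__main__":
    imm, back = triage(MSP_ALERTS, INTERNAL_ALERTS)
    for mgr, items in imm.items():
        print(mgr, [(a.host, a.title, a.score) for a in items])
    print("backlog:", [(a.host, a.title, a.score) for a in back])
```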

Although Motorola continues to devote people and dollars to tracking and responding to alerts, the addition of the security MSP has enabled the company to reduce those resources by gaining a better handle on the real risks posed by a given event.

"We want IT people focusing as much as possible on activities that add value to the company," said Boni. "We can't have them deluged with thousands of low-level risks. We're long past the point when we could expect them to respond to and patch everything that comes along."
