The Orange County Teachers Federal Credit Union was frustrated and unhappy with its managed security services provider, so when the contract was nearing its end, Tom Giangreco, information security officer, decided to take a look and see what other managed security service companies were out there. In November 2003, the financial institution switched its security outsourcing to Counterpane Internet Security.
"We were pretty impressed right off the bat," said Giangreco. Not wanting to make the same mistake twice, the credit union's executives met extensively with senior engineers from Counterpane before making their decision. Giangreco credits Counterpane's experience, resources, and equipment with the 180-degree turnaround his organization has experienced in the relatively short time span.
MSSPs (Managed Security Service Providers) have been popping up all over the place for the last few years as security has been catapulted to the forefront of the business world. Regardless of the nature of business, protecting critical infrastructure such as corporate networks and Web presences is essential. Because of the complex and expensive nature of maintaining a SOC (Secure Operations Center), many companies have chosen to outsource portions of, as well as their entire, security operations.
Counterpane Internet Security (http://www.counterpane.com; 650/404-2400) was founded on the basis that, despite having security devices in place, if these static devices are not properly configured, maintained, and continuously monitored, they become relatively useless against evolving attacks.
Doug Howard, vice president of strategy and product development at Counterpane, says the company routinely monitors over 300 types of systems as compared to other MSSPs, which average around only 17 different kinds of systems. "With our core infrastructure, we are able to monitor more infrastructure than anybody else. I don't mean that on a quantity basis like we can monitor more firewalls and IDSes because that is where most of our competitors focus. While yes, we do monitor those devices, most of our monitoring actually occurs on the core systems, meaning where the actual content resides—the Oracle server, the Sun Unix box," explains Howard.
This factor played a vital role in Giangreco's deployment of Counterpane's services. When suspicious internal activity was suspected, it only took Counterpane three days to install and properly configure their equipment. Howard clarified the credit union's decision by citing the statistics from the FBI that 60% of attacks come from within. "You will never detect those types of attacks with a firewall, and you might with IDS, but we believe that by sending and receiving information off of the core system being protected that we are able to get more intelligence than looking at security-only devices. That's really what we do better than anybody else."
Counterpane's MSSP offers remote real-time monitoring by collecting large amounts of logs—10MB to 20MB, even 100MB daily—via its two round-the-clock SOCs. When a security event is logged, Counterpane can react in one of two ways. If the customer is managing their own infrastructure, Counterpane can call and offer advice. If Counterpane is managing a device on behalf of the company, it can make a change on the device.
While most of Counterpane's customers are Fortune 1,000 companies, Howard believes that ultimately the business case for MSSP becomes even more attractive in the SMB market. "People don't have and can't afford the talent set to be in their operational facility 24/7. From an annualized basis, it's going to cost you $1 million to $1.2 million just to look at the same information we monitor, and our average contract ranges from $40,000 to $150,000 a year—between 4% and 10% of what it would cost to do yourself—and that doesn't include hardware and software for analysis and keeping it all up-to-date. It's a huge savings," said Howard.
Counterpane's Enterprise Protection Suite includes managed devices, vulnerability scanning, professional services, and active response—all of which give customers the option of layering additional security within their infrastructures.
Another leader in the MSSP arena is Ubizen (www.ubizen.com; 703/391-0375), a Belgian company that provides managed and professional services, as well as being a reseller for brand-name security devices. "If you were to ask 10 different people their definition of managed security services, I think you would get 10 different answers," says John Wilson, executive vice president and general manager at Ubizen. He explains Ubizen's MSSP as the co-sourcing of the monitoring, managing, and supporting of a wide variety of security devices 24/7/365 that is backed by a strong service level agreement.
Although some people might write off the term "co-sourcing" as marketing jargon, Ubizen stands by its definition because its customers can select monitoring, management, support maintenance, or a combination of the three. A typical example would be a large global customer who wants to maintain control of the rule base on its firewalls so it is making policy decisions; however, it outsources the monitoring uptime and log analysis of the firewalls. In addition, the company might want to outsource its entire IDS system. "We're willing to draw a line of delineation to where they have responsibilities and so do we. It allows organizations to decide what they want to keep in-house and what they want to outsource," says Wilson.
Ubizen currently monitors approximately 4,000 security devices in 50 different countries with four state-of-the-art SOCs in Brussels, the United States, Luxembourg, and Saudi Arabia. In addition to its worldwide coverage, Ubizen has developed its own in-house correlation engine, SEAM (State and Event Analysis Machine), which serves as the foundation of its MSSP.
Ultimately, Wilson considers security knowledge to be Ubizen's advantage over its competitors. "It's not just that you have the knowledge, it's how you use the knowledge," he says.
by Sandra Kay Miller