Outsourcing Security Needs to a Managed Security Service Provider
When: Nov 08, 2000
Speaker: Lisa Phifer, Vice President of Core Competence, Inc.
Topic: Outsourcing Security Needs to a Managed Security Service Provider
Transcript:

Moderator: Our Live Expert Q&A with Lisa Phifer, vice president of Core Competence, Inc. will begin in 10 minutes. You can enter questions for Lisa in the bottom box on your screen.

Moderator: Welcome to the Live Expert Q&A with Core Competence, Inc.'s Lisa Phifer. Today's discussion focuses on "When is it beneficial to outsource your security needs to a Managed Security Service Provider?" The Q&A will begin shortly. You can begin entering questions for Lisa in the bottom box on your screen.

Moderator: Our Live Expert Q&A with Lisa Phifer has begun. Please submit your questions for Lisa in the bottom box of the screen.

dcote284985: What is a managed security service provider? How does this kind of provider fit into the ISP/ASP/MSP space?

Lisa_Phifer: Managed security service providers don't fit neatly into just one category. Most offer secure network services based on firewalls, VPN devices, and intrusion detection, installed at the customer premises or a hosting center. They also deliver application services: 24x7x365 monitoring, incident reports, vulnerability scans, anti-virus updates. And they provide professional services: risk assessment, policy and procedure development, security audits, emergency response, and forensic consulting.

kkomiega16139: What kinds of companies can benefit from purchasing managed security services?

Lisa_Phifer: Small and medium businesses usually can't afford to dedicate staff to security. Finding and retaining security personnel can be a challenge. In-house staff is often spread thin, distracted by day-to-day ops -- these folks simply don't have time to monitor emerging threats and security patches. 24x7x365 monitoring requires not just one expert, but an entire team, versed in system, network, OS, and application security. SMBs have much to gain by leveraging the resources and experience of a provider who lives and breathes security -- provided you choose the right MSS, of course.

mlewis930306: My business already has a firewall and someone assigned to administer it. What can I gain by outsourcing security services?

Lisa_Phifer: First, realize that a firewall is but a small fraction of the cost and complexity associated with establishing a strong perimeter defense. Hardware and installation costs are commonly recovered during the first year of a managed security service contract. By outsourcing, you'll offload monitoring, log file analysis, usage and trend reporting, configuration updates, backups, hardware and software upgrades, intrusion detection, and vulnerability testing. But the most important ingredient is security expertise. Security operations centers deal with attacks every day; they have the tools and experience needed to detect serious intrusions and respond to them quickly and effectively. Even if you continue to administer your own firewall, an MSS can provide security audits and vulnerability testing.

Moderator: Please continue to submit questions at the bottom of your screen.

bsheets454868: How can a managed security service provider help me after my site has been attacked?

Lisa_Phifer: During service setup, an MSS will work with you to define contacts, escalation procedures, and incident response plans. When a serious breach is detected, the MSS will initiate emergency shutdown to contain collateral damage and loss of proprietary information. Many providers offer forensic services: They'll analyze log files and audit trails to determine what happened, identify the attacker, and gather evidence required for prosecution. Finally, an MSS can help you to find and fix vulnerabilities, getting your business back on-line.

hrhsoleil607881: Regarding yesterday's election results - Do you foresee governmental agencies outsourcing e-voting to Managed Security Providers to make Internet voting a viable option by the 2004 election?

Lisa_Phifer: Since there are many states and polling places that still vote by paper ballot, there's still a *lot* of work to be done -- not just on security, but on enabling electronic voting in general. Security is obviously a critical component of that process.

megpulli968785: How do you see MSS adding value to an MSP offering? Should MSPs seek to provide these services themselves or partner? Where's the strategic advantage?

Lisa_Phifer: There are several MSSs that have channel partner programs, whereby an ISP/ASP/MSP can resell expert security services. The benefit of outsourcing here is really quite similar -- leverage existing expertise instead of rolling your own. An MSP can also leverage a security partner's brand to sell their managed service portfolio.

joeinar440410: Do we need secure storage and transmission of file records for a statewide physician's org?

Lisa_Phifer: There are privacy regulations in the healthcare industry, such as HIPAA, that do require you to protect the confidentiality of patient records, both in storage and in transit.

pmjrbaker497295: What guideline can you give regarding cost of outsourcing security services?

Lisa_Phifer: The cost for these services varies widely. They usually depend upon the size of the organization to be protected -- for example, managed VPNs are often priced based on number of concurrent users. Most have an up-front installation fee plus recurring monthly fees. Some services are also priced by bandwidth or SLA.

bvigil849815: Aren't companies reluctant to outsource security? Isn't outsourcing risky?

Lisa_Phifer: Any outsource relationship requires trust, and security can be especially sensitive. Some companies start with in-house security solutions, but seek outside help later. Perhaps they've had trouble finding security staff or keeping up with technology. Maybe they're looking to reduce cost through MSS economies of scale. Or maybe they've been hacked and need expert advice. Companies that outsource should always assign knowledgeable in-house staff to work with the MSS to make sure needs are being met.

Moderator: If you want to hide the chatters that are entering and leaving the chat room, please click on the "Hush" link in the lower-right section of your top frame.

jglossner138260: My business is concerned about Internet security, but where do we start?

Lisa_Phifer: Ask a managed security provider to help you design a security policy and define "best practices" for your business. Most providers will conduct a vulnerability assessment to locate unprotected resources and security risks. They'll help you to identify the resources you need to protect and who should be granted access to them. A good MSS will repeat this vulnerability assessment and review your policies on a regular basis. Implementing effective security requires on-going partnership between you and your provider.

joeinar440410: How do we set up secure VPN over the Internet?

Lisa_Phifer: The first step is always to define a security policy for your organization: what needs to be protected, who is permitted access. Then approach an MSS to review your policy, test your network for vulnerabilities, and propose a VPN solution to protect your traffic. Depending upon the type of VPN you're looking for, you may be considering secure remote access, secure site-to-site, or secure Extranet VPN. The solutions will differ for each kind of VPN.

marty610626: Who are the leaders in MSS?

Lisa_Phifer: Managed security services are available from many different sources. Top-tier ISPs like AT&T, Genuity, PSINet, Sprint, and MCI/UUNET all sell them. Many ASPs, ISPs and carriers offer "home grown" security solutions or resell services delivered by specialists like ISS, myCIO.com, and DefendNet. IT outsourcers, system integrators, and security consultants also provide security services, often acting as VARs. Finally, there are hosters like Exodus and Loudcloud that bundle managed security into ASP infrastructure.

Moderator: Please continue to submit questions at the bottom of your screen.

pcampbell312144: What is the value/benefit of outsourcing security?

Lisa_Phifer: An organization that focuses on security is better able to attract and retain expert staff who understand how to recognize and deal with security issues. An MSS can build up the breadth and depth of people and systems resources to deal with security issues. This can be an expensive proposition for many SMBs, so the value of outsourcing is reducing cost and improving the quality of security by leveraging an existing resource.

dtart56775: My ISP offers a managed VPN service. Am I better off purchasing this kind of service from my ISP, or should I look for a provider that specializes in security?

Lisa_Phifer: Managed security services are available from many different sources. Top-tier ISPs like AT&T, Genuity, PSINet, Sprint, and MCI/UUNET all sell them. Many ASPs, ISPs and carriers offer "home grown" security solutions or resell services delivered by specialists like ISS, myCIO.com, and DefendNet. IT outsourcers, system integrators, and security consultants also provide security services, often acting as VARs. Finally, there are hosters like Exodus and Loudcloud that bundle managed security into ASP infrastructure.

brinson.evans608332: To what degree are the managed security monitoring providers successful?

Lisa_Phifer: That's a great question. From speaking with security providers, big and small, I've heard that providers getting into the managed firewall monitoring market hit a wall around 200 customers. Beyond that, they really need to develop integrated monitoring systems that let them see "the big picture", not just a single product. They also develop formal procedures for log analysis and incident response to help them deal with scale issues.

megpulli968785: Can you name some prominent MSS or provide a resource for list/evaluation?

Lisa_Phifer: Actually, if you go to Yahoo and search on "managed security", you'll come up with some 4000 hits. There are many providers entering this business now. You can whittle down this list by visiting a security portal like SecurityFocus. You can also look for reviews from publications like Network Computing and ISP-Planet.

pmjrbaker497295: Are there any 'standards' that an MSS must meet to qualify to provide services, or must the user use their own vetting procedure?

Lisa_Phifer: I'm not aware of any organization that "certifies" managed security providers. Companies that resell security services through channel partners do assess the performance of their resellers. While it may sound odd, you can also outsource the evaluation process -- have a system integrator who focuses on security evaluate a candidate MSS on your behalf.

Moderator: Questions that are not answered during this live Q&A will be available in the transcript.

Moderator: Please continue to submit questions at the bottom of your screen.

jah15816479: Which Tier 1 ISPs currently offer these types of security products through an MSP? It seems that most offer these as add-ons to co-location services, rather than as a packaged managed hosting product.

Lisa_Phifer: Many tier 1 providers offer managed firewall and VPN services, and these do (today) usually include customer premises equipment. Some carriers, like Savvis and Qwest, are beginning to offer network-based managed services that do not require a security device on the customer premises.

pcampbell312144: How do you view the future of managed security within an ASP model?

Lisa_Phifer: I believe that security is an essential ingredient in a successful ASP. ASPs must prove that they deliver secure services and have secure procedures and practices in place to safeguard customer data and access to it. I see managed security providers partnering with ASPs to provide this.

ehurley906142: Based on research, do the biggest threats come from in-house sabotage or hackers from the outside?

Lisa_Phifer: A 1999 FBI/CSI study on computer crime estimated that 55% of enterprise network security breaches are due to unauthorized access by insiders. The rate of insider theft increased 10% between 1998 and 1999. Some experts believe these numbers are low, in part because enterprises are reluctant to disclose this information. Because those who administer security services are in a position to do serious damage, it's important that they be trustworthy. If you outsource security services, do so to a reputable provider with bonded staff.

jim44447: Do you have any estimates of what it costs to set up a "Secure Network Operations Center" (Do your own security) versus paying a monthly service for an MSP? It seems the market is very young with no real business model yet.

Lisa_Phifer: Many providers have posted white papers, giving a cost/benefit analysis for build vs. buy. Creating your own SOC, with 24x7x365 staff, redundant locations, and tools for cross-platform automation, can easily run into six digits annually. I agree the industry is fairly new and the prices are all over the map, so you'll see a lot of variety in these calculations. For examples, see DefendNet and ISS.

ralph.leighton262482: In your opinion, what separates the true tier 1 MSS providers from the less capable security firms?

Lisa_Phifer: Staff. Any ISP can resell a firewall and call it a managed firewall service. Putting the people and procedures in place around this equipment is what differentiates the service provider. Also, breadth of services -- vulnerability assessment and policy development up-front, and forensic services after an attack.

Moderator: Questions that are not answered during this live Q&A will be available in the transcript.

pvio938607: What special provisions should Internet-enabled businesses seek when negotiating contracts with security providers? Are guarantees helpful or necessary?

Lisa_Phifer: Managed security service level agreements (SLAs) may define the scope of the service, how quickly troubles are resolved, and how frequently change requests are processed. They often quantify performance expectations (availability, latency, busy-free access). Security levels are more difficult to quantify in a meaningful way: Do you really want a provider that blocks 99 out of every 100 attacks?

fpena: What are the main/general concerns that customers have procuring these services from vendors?

Lisa_Phifer: First and foremost, customers worry that the MSS is trustworthy, that they can deliver the services they advertise, that they'll be reliable, that they can respond quickly and effectively to threats, and that they'll stand behind their services with SLAs.

pcampbell312144: What market size do you see having the largest growth potential for managed security services?

Lisa_Phifer: The SMB market is the "sweet spot" for MSS providers, because these companies need security quickly and don't have the resources to develop their own in-house. Large enterprises ultimately have larger budgets for security and are thus attractive, and I think we'll see more providers going after these companies with security partnership arrangements in the future (outsource resource-intensive or emergency tasks, with in-house supervision and guidance).

pmjrbaker497295: Are there any MSS providers who specialize in Cellular/Mobile environments? My case is being a GSM operator moving towards GPRS then UMTS.

Lisa_Phifer: I'm not aware of any MSS who focuses on this market right now.

ssimpson271952: What should an SLA include with this type of outsourced contract?

Lisa_Phifer: SLAs should define who can modify security parameters, when, and how. They should define max response times and escalation procedures for incident response. They may also define performance metrics (latency, throughput, etc.).

Moderator: Our chat will be ending in 10 minutes. If you'd like to continue to discuss these issues with other users, feel free to stay on the chat.

yeswes568463: Can you point me to case studies on the Web of companies that have benefited from MSSs?

Lisa_Phifer: Most MSSs post case studies on their web sites. I've also spoken with customers in profiles I've written for ISP-Planet. You can probably find similar case studies in other publications.

yeswes568463: How do MSSs address the security issues created by ever-increasing remote users with VPN access?

Lisa_Phifer: Remote access VPNs are more difficult to provide (as an MSS) than site-to-site VPNs, because of limitations associated with standard IPsec today. But there are many providers who do offer remote access VPN services, and some bundle dial access and PKI with the service as well.

jtaranto548815: How do you guarantee security when it is outsourced?

Lisa_Phifer: Providers do offer SLAs that include service credits when metrics are not met. But these don't usually reflect the cost of a serious outage. For that, large sites will take out insurance policies with companies like Marsh.

marty610626: Are you familiar with Onesecure?

Lisa_Phifer: No, I have not come across this service.

Moderator: Our live Q&A with Lisa Phifer will be ending in 5 minutes. Please submit your final questions now. A full transcript of today's chat will be available online within 48 hours at any of these TechTarget sites: SearchNetworking, SearchWebhosting, SearchSecurity and SearchASP.com.

pcampbell312144: How does an outsourced security provider increase a business' top line or equity?

Lisa_Phifer: If an on-line business or ASP can successfully meet security challenges, it is clearly of greater value than one that cannot.

yeswes568463: Do MSSs develop custom diagnostic and trouble-reporting code in-house for customers whose needs aren't met by off-the-shelf solutions?

Lisa_Phifer: Definitely. One company that focuses just on that is Counterpane. I highly recommend checking out their site for a description of what's involved in doing so.

yeswes568463: Do you think Microsoft would be wise to outsource their security, given the double hacker access in the last two weeks?

Lisa_Phifer: Well, Microsoft obviously has the resources to deliver security in-house, but I am sure they are contracting outside services as well to assist with forensic analysis and policy refinement to prevent this kind of incident in the future.

Moderator: This concludes our Expert Live Q&A Session today with Lisa Phifer. Our thanks to Lisa for taking time to join us and answer questions. Feel free to stay in the auditorium and continue discussing the subject amongst yourselves. Any final words, Lisa?

Lisa_Phifer: I'd like to thank everyone for their thought-provoking questions!

Moderator: If you would like to discuss the topic of Managed Security Service Providers with Lisa further, you can contact her at Lisa@corecom.com.

 