Managed Security Services — new economy relic or wave of the future?


Post on 02-Jul-2016


Brian McKenna

[email protected]

Is IT security ready to go the way of physical security? Should it be done in-house, or should corporates start eating out? Brian McKenna takes some soundings.

Outsourcing in the networked economy

We are moving from an economy based on markets to one based on networks. Jeremy Rifkin’s Age of Access built an argument on this assertion in 2000, as the new economy started to come apart at the seams. The idea was that companies would own less and lease more. They’d outsource everything on the periphery of the enterprise to partners they could trust. Dotcoms outsourced pretty much everything.

How has this idea fared in the information security world? If there are good logical business reasons to outsource the information security function, why is it happening so slowly? Indeed, how much of it is happening?

Bruce Schneier, founder of, and chief technology officer at, network monitoring company Counterpane, is a proselytizing proponent of outsourcing. “The choice isn’t between outsourcing computer security or doing it yourself; the choice is between outsourcing and not doing it at all. As not doing it at all becomes a non-option, outsourcing will grow”, he says.

Information Security’s annual survey of information professionals at the end of 2001 indicated that only 7% were planning to outsource in 2002. Perhaps their minds had been concentrated by the dramatic collapse of managed security services provider Pilot Network Services in April 2001. Pilot was no dotcom pup. It was an eight-year old company, grey in muzzle, and with 400 employees, and a customer roster that included PeopleSoft and Providian Financial.

Small market, on the edge?

Graham Titterington, senior analyst, IT Security and Storage at Ovum, describes the market for security outsourcing services and consultancy as a “fleabite”. Ovum’s figures in this space tell a tale of a modest market. Globally, IT security services and consultancy were, according to the research house’s report E-Business Security: New Directions and Successful Strategies (2001), $1.02bn in 2001, and are expected to be $2.39bn this year, and $9bn by 2004.

In Europe, $290m was spent in 2001, $790m was projected for 2002, and $2.6bn for 2004.

IT security product sales, meanwhile, are estimated to be $3.08bn in 2002; that is to say services, at $790m are just over 23% of product sales. The 2004 figure for product sales is predicted to be £8.9bn, making services, at $290m, 29% of product sales. So, growth in services is predicted, but remains a poor second to products.

Titterington sees activities at “the periphery of the enterprise, like firewall management or VPNs” being most suited to outsourcing. The real driver, though, is a typical shortage of in-house skills. “Keeping up to date with a dozen or so technologies is very difficult, and so a specialist provider has an innate advantage”.

“Another big advantage of the outsourcing route is that some aspects of security, like monitoring for intrusions, do require 24/7 manning. To get that you need at least four shifts of people, and you would not want one person working alone. That means up to 15 people just for a basic level of cover — massive outlay”.

Titterington also cites a cultural reluctance to outsource. “A lot of companies’ initial reaction is disbelieving. ‘How can we give away the security of the business?’, they say”. He believes, however, that this threat is more imaginary than real. “Most companies are not aware of the detail of their own employees’ career histories; there is a greater risk that you’ll have a bad egg internally and, in that case, you don’t have the contractual protection you get with a third party”.

Titterington also thinks that any perceived expensiveness of outsourcing is a misperception. “Outsourcing tends to put the cost up front, whereas many companies are burying the cost of information security in their general IT budgets. If they haven’t fully developed their costing model then outsourcing security will seem expensive”.

In terms of what kinds of organization are opting to outsource computer security specifically, “at the front of the queue are those that are already doing some outsourcing; but not the ones who’ve got rid of the whole lot”.

To feed off bigger fish

Looking at the supplier side, research house Ovum paints a dark picture for would-be specialist outsourcers. In their last report on managed service providers, published in 2001, Ovum’s analysis was that the corporate market would migrate to the big systems integrators and the small business market would go to the telcos (Managed Service Provision: Opportunities for MSPs).

Titterington says that the future for the small, specialist MSSPs is bleak unless they can get a large part of their revenue from subcontracting from systems integrators like EDS and IBM Global Services. The small MSSPs need to feed off bigger fish.

Jeremy White, consultancy manager in the security practice in Logica, confirms that, when putting together the firm’s standalone security outsourcing offer, he and his colleagues looked at the option of working with a specialist boutique. “But we felt that we had all the skills and facilities we needed in house”. There are 50 consultants in the UK practice and about twice that number in the rest of the firm’s 34 country locations.

Schneier is sceptically ruminative about this. “It’s hard for me to predict how the business end of this will play out. In general, companies that have tried to do one-stop shopping for computer security — Network Associates and Symantec, for example — have failed. But, on the other hand, Cisco does a great firewall and IDS business.

“I don’t know how people will eventually buy Counterpane services. Right now most are buying through VARs (value added resellers), which is similar to how Checkpoint sells firewalls”.

Counterpane announced 100% year-on-year growth in September 2002, and said it had tripled business through its reseller programme. One-fifth of its customers are in financial services, and 85% of its clients employ more than 1,000 people. So it’s not a small company market play.

Keep some at home

Meanwhile, in the UK, Richard Cambridge, Qinetiq Trusted Information Management’s director of managed security services, is also not convinced that Ovum is right. “That will hold true for some of the market, but many big finance houses will want to do their own security. Indeed, if anybody wants to outsource their security we would still maintain that they should maintain a level of that function in house. For example, in the finance market people want to deal with the people who are directly providing their security not third party”.

At Qinetiq Trusted Information Management’s Secure Operations Centre (SOC) in Malvern there are two analysts working on a 24/7 basis, backed up by 30 experts on standby. They are mainly, Richard Cambridge confirms, doing work for clients in the areas of intrusion detection, Internet gateway services, and secure hosting. Cambridge is not permitted to name his clients, but can confirm that they “have a significant number of customers, including a couple of very big financial services firms”. He also confirms that Qinetiq Trusted Information Management is setting up a second SOC in Washington State, in the US. Its parent company, Qinetiq (75% of the old British Defence Evaluation and Research Agency), announced sales of $931.3m in March 2002; about 80% of the company’s turnover comes from the UK’s Ministry of Defence.

“We like to shout about our method and model that allows us to find out about a client’s business and apply the appropriate technology and then deploy the tools, processes and people to manage it”, says Cambridge.

He emphasized that network monitoring is not just about technology. “If you put simple technology in place to deal with security events they will deal with the ones that they know about. However the problem is that the cleverest, newest hackers will attack your network in a way that the sensors will not pick up”.

“What we have developed is the software at our end that enables us to manage the data in an efficient manner, making it easier for the analysts to pull out the important things. And that is how we can do it with only two analysts in our Malvern SOC”.

It is this which makes Qinetiq’s managed security services offering stand out, in Cambridge’s view. Competitors, such as ISS, Riptech (acquired by Symantec in August 2002), Counterpane, and the erstwhile Activis sub-division of Articon-Integralis, do not, according to Cambridge “use the same strategy as we have adopted, and none of them has the same background as we’ve got, in relation to the British defence establishment”.

Qinetiq’s competitors, in Cambridge’s view, “tend to put software on the client side that tries to do the intelligent filtering that we do in our SOC. They try to reduce throughput data to their SOC, otherwise they need to employ more people, which is very expensive.

The intelligence of the machine

“That means relying on the intelligence of the machine, thereby reducing their ability to catch an attacker who can hide their attack amidst the noise. If things go very badly the amount of information in a SOC will go up dramatically. We’ve got the back up, within Qinetiq, to cope with that. I doubt our competitors do”.

Schneier queries this. “They’re making a virtue out of necessity. Our customers generate millions of lines of audit information per day. It is impossible for a human to go through them all. The only way to see patterns is to weed out the useless data. ‘HTTP page delivered’ or ‘Printer out of Toner’ is not useful, even in times of real crisis. In fact, in times of real crisis it is even more important to get rid of them, so you can see the real information.

“Most people who do monitoring don’t have any technology to do that, so they pretend that it’s important that they see all the data. In fact, the only reason we can scale to hundreds of customers is that we built a distributed processing system and put most of the initial analysis, correlation, and triage at the customer network and not on the Counterpane network.

“The Counterpane network, and the analysts, see what may be important or what is unknown, and not what is known to be unimportant”.

“During Nimda, total message volume went up by a factor of 1000 in the first four hours, with a sustained factor of 100 increase during the first three days. I can guarantee you that anyone who did not do triage at the customer network would have fallen flat in the face of that kind of volume. We didn’t. We continued to monitor throughout the crisis, precisely because our network is built to scale and does not send every irrelevant message across a fat pipe to the SOC”.
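The edge triage Schneier describes (discard what is known to be unimportant, forward what may be important or is unknown, and correlate repeats before anything crosses the link to the SOC) looks like this in code. This is an added example, not Counterpane's code or part of the original article; the rule patterns, the log line format and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed rule sets for illustration; not any vendor's actual rules.
KNOWN_UNIMPORTANT = [re.compile(p, re.I) for p in (
    r"HTTP page delivered", r"printer out of toner")]
KNOWN_SUSPICIOUS = [re.compile(p, re.I) for p in (
    r"authentication failure", r"IDS alert")]

# Assumed line format: "<timestamp> <host> <message>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")


def classify(msg):
    """Suspicious rules win over drop rules; anything unmatched is 'unknown'."""
    if any(p.search(msg) for p in KNOWN_SUSPICIOUS):
        return "important"
    if any(p.search(msg) for p in KNOWN_UNIMPORTANT):
        return "drop"
    return "unknown"


def triage(lines):
    """Return (records_to_forward, stats) for one batch of sensor log lines."""
    stats = Counter()
    grouped = {}  # (verdict, host, msg) -> [first_seen, count]
    for line in lines:
        m = LINE.match(line)
        if m:
            ts, host, msg = m["ts"], m["host"], m["msg"]
            verdict = classify(msg)
        else:  # unparseable input is forwarded as unknown, never silently dropped
            ts, host, msg, verdict = "?", "?", line, "unknown"
        stats[verdict] += 1
        if verdict == "drop":
            continue
        # Correlate: identical messages from one host become one record.
        grouped.setdefault((verdict, host, msg), [ts, 0])[1] += 1
    forward = [{"verdict": v, "host": h, "msg": msg, "first_seen": ts, "count": n}
               for (v, h, msg), (ts, n) in grouped.items()]
    return forward, stats


# Constructed sample: routine noise plus a burst of identical alerts.
SAMPLE = (
    ["2001-09-18T10:00:00 web01 HTTP page delivered /index.html"] * 500
    + ["2001-09-18T10:00:01 prn02 Printer out of Toner"] * 20
    + ["2001-09-18T10:00:02 ids01 IDS alert: repeated probe from 192.0.2.7"] * 1000
    + ["2001-09-18T10:00:03 db01 kernel: unexpected module load"]
    + ["2001-09-18T10:00:04 web01 HTTP page delivered /admin (authentication failure)"]
    + ["corrupted-record"]
)

if __name__ == "__main__":
    forward, stats = triage(SAMPLE)
    print(dict(stats), "->", len(forward), "records forwarded")
```

Checking the suspicious rules before the drop rules means a line that matches both is forwarded, so a noisy but benign-looking message cannot mask an event the analysts need to see.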

Qinetiq’s Cambridge admits that one of the problems they do have is “the difficulty corporates have in justifying the spend on security. Also, security tends to be seen as equalling a firewall. That is not buying security, and is an attitude we are trying to turn around.

“For example we had one client who had bought IDS sensors; however, when they realized the implications of managing them they refused to plug them in”.

“The realization that buying technology does not buy you security will cause the market to take off. That’s the big message”.

Jeremy White, at Logica, agrees that “it will be the recognition by a lot of organizations that they can’t do it properly themselves cost-effectively that will cause the market to take off.”

White maintains that Logica’s “history of a specific 17-year security centre of excellence, with expertise going from top-level policy and strategy down to implementation and penetration testing” makes the firm stand out in the marketplace. He concedes that Qinetiq, as an emerging, fellow-UK-based competitor, does have an impressive applied research background together with in-house technical expertise, but is less sure of their “commercial expertise in delivering in a competitive environment”.

The firm’s security practice has so far been a part of the activity of Logica Outsourcing Services. One instance of this that has a significant security salience is Logica’s engagement on the UK’s radiation monitoring programme. In August the company announced it had won a £16m contract to design and support the UK Department of Environment, Food and Rural Affairs (DEFRA) replacement Radiation Incident Monitoring NETwork system (RIMNET).

Logica will provide DEFRA with a technology enhancement of the existing RIMNET system and will offer ongoing consultancy, infrastructure management, remote systems management and help desk support over a 10-year period. The new system will incorporate software from Microsoft, Veritas and ESRI, to provide a high availability platform, to ensure the co-ordination of the UK’s response to an overseas nuclear accident and support the response to other nuclear incidents affecting the UK.

Logica’s security practice will, the company says, ensure that the installed system conforms to relevant government security requirements, by assessing the risks to RIMNET and implementing appropriate security measures to counter those risks.

“The security implications of this project are not just around confidentiality, but also around integrity and availability. Part of the reason we won the work was our integration of security as an integral part of the system implementation and its operation”, says White.

But it is still early days for Logica’s standalone outsourced security offering, and White confirms that there are no specific deals in place at present.

Schneier, meantime, believes that the managed security services provider sector is “taking off slowly because all outsourcing takes a while to be accepted. Remember when everyone had their own PBX, and no one wanted to outsource it? Remember when everyone had their own modem banks, and no one wanted to outsource it? Infrastructure is always outsourced eventually; there’s no other way to make it scale”.

Resources

Bruce Schneier’s position paper on security outsourcing is at www.counterpane.com/outsourcing.pdf

Qinetiq Trusted Information Management lays out its managed security services case at http://www.qinetiq.com/tim/html/managed_security_services/index.asp
