The widespread adoption of the Internet and Intranets/extranets has put sensitive corporate information at grave risk. With new emerging business applications, distributed business environments and ever-growing complex networks, securing the IT infrastructure has become imperative for corporates. Moreover, since security infrastructure is a major component of the total IT infrastructure, its non-availability directly affects the overall infrastructure performance. Not only the information assets, but also the IT infrastructure as a whole is put to risk due to non-availability of security infrastructure. Consider this:
- A firewall down means the network goes down or gets slow
- A firewall policy malfunctioning means non-availability of a particular service or an unwarranted restriction on a user group
- An IDS down means a major security compromise
- An anti-virus down means user productivity sinking or even a network outage
Thus, securing information alone is not enough; securing infrastructure performance is important too. Further, the actual information security issue calls for near real-time response to attacks. An IDS or a firewall generates thousands of incomprehensible logs that need to be correlated to detect an attack. In isolation, these logs do not help the security administrator.
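The correlation point above can be shown concretely. What follows is an added example for this article, not code from the author or from HCL Comnet: it parses a constructed firewall deny log and a constructed IDS alert log, and raises one qualified alert only where both sources agree on the same source and destination within a short window. The log formats, the five-minute window, the port threshold and every sample line are assumptions made for the example.

```python
"""Correlating firewall denies with IDS alerts into one qualified alert.

Added example for this article; not code from the author or from HCL Comnet.
The log formats, the five-minute window, the port threshold and every
sample line below are constructed assumptions, not real device output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log: one host probes several ports, another
# is denied once. No single line on its own says "attack".
FIREWALL_LOG = """\
2003-02-11 02:14:01 DENY src=10.9.8.7 dst=192.0.2.10 dport=22
2003-02-11 02:14:02 DENY src=10.9.8.7 dst=192.0.2.10 dport=23
2003-02-11 02:14:03 DENY src=10.9.8.7 dst=192.0.2.10 dport=80
2003-02-11 02:14:04 DENY src=10.9.8.7 dst=192.0.2.10 dport=443
2003-02-11 02:14:05 DENY src=10.9.8.7 dst=192.0.2.10 dport=3389
2003-02-11 02:30:00 DENY src=198.51.100.4 dst=192.0.2.10 dport=25
"""

# Constructed sample IDS log: a signature hit that matches the probing host,
# and an unrelated low-value hit from elsewhere.
IDS_LOG = """\
2003-02-11 02:14:06 ALERT sig="PORTSCAN detected" src=10.9.8.7 dst=192.0.2.10
2003-02-11 03:10:00 ALERT sig="ICMP echo request" src=203.0.113.9 dst=192.0.2.10
"""

FW_RE = re.compile(r"^(\S+ \S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r'^(\S+ \S+) ALERT sig="([^"]+)" src=(\S+) dst=(\S+)$')


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_firewall(text):
    """Parse DENY lines in the assumed format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            events.append({"ts": _ts(ts), "src": src, "dst": dst, "dport": int(dport)})
    return events


def parse_ids(text):
    """Parse ALERT lines in the assumed IDS format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts, sig, src, dst = m.groups()
            events.append({"ts": _ts(ts), "sig": sig, "src": src, "dst": dst})
    return events


def correlate(fw_events, ids_events, window=timedelta(minutes=5), min_ports=5):
    """Raise one qualified alert per (src, dst) pair for which the IDS fired
    AND the firewall denied at least `min_ports` distinct ports within
    `window` of that IDS event. Either signal alone stays in the logs; the
    combination is what an operator gets paged for."""
    denies = defaultdict(list)
    for e in fw_events:
        denies[(e["src"], e["dst"])].append(e)

    alerts = []
    for a in ids_events:
        key = (a["src"], a["dst"])
        nearby = [e for e in denies.get(key, []) if abs(a["ts"] - e["ts"]) <= window]
        ports = sorted({e["dport"] for e in nearby})
        if len(ports) >= min_ports:
            alerts.append({
                "ts": a["ts"],
                "src": a["src"],
                "dst": a["dst"],
                "sig": a["sig"],
                "denied_ports": ports,
                # Constructed severity rule: a scan twice the threshold and
                # confirmed by the IDS is critical, anything narrower is major.
                "severity": "critical" if len(ports) >= 2 * min_ports else "major",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_firewall(FIREWALL_LOG), parse_ids(IDS_LOG)):
        print(alert["severity"].upper(), alert["src"], "->", alert["dst"],
              alert["sig"], "ports", alert["denied_ports"])
```

Run on the sample logs, only the 10.9.8.7 to 192.0.2.10 pair qualifies: the lone SMTP deny from 198.51.100.4 has no IDS hit, and the ICMP hit from 203.0.113.9 has no firewall denies behind it. Both stay in the logs for reporting but produce no alert.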
Add to this the responsibility of monitoring attacks 24x7. It is estimated that almost 60 percent of attacks happen during the graveyard shift, a period when the availability of skilled resources is always in question. With attacks becoming more sophisticated and new vulnerabilities being discovered every day, an organization is left with two choices. One, entrust its infrastructure security to non-specialized personnel during the night shift, who, even if they detect an attack, have limited capability to resolve it. Two, employ 'expert resources on tap' to work for it 24x7.
As a result, more and more organizations are turning to managed security service providers (MSSPs) to avail themselves of the technical expertise and knowledge of outside security experts for remote monitoring of their security devices: firewalls, VPNs and intrusion-detection systems. An MSSP alerts an organization in near real-time to security threats, security device non-availability or malfunctioning, and security policy violations.
MSS allows organizations to concentrate on maximizing core IT benefits rather than worry about infrastructure security. This can be done at two broad levels. One, the MSSP can remotely monitor a security infrastructure at the organization’s site via the Internet. In this case the MSSP may host the device management or other backend systems at its site. Two, the MSSP can provide on-site security management services at the organization’s site, similar to third-party facilities management for organizations. The organization may choose to outsource its security entirely, leaving the management and maintenance of its security systems totally in the hands of a consultancy firm.
Some of the capabilities that an enterprise must look for in an MSSP before opting for it are:
- Software and Tools: The MSSP should have invested in best-of-breed tools at its security operations and management center, such as a combination of device managers, task managers, service-level managers and correlation engines to ensure that the customer receives the highest granularity of information, qualified security alerts, immediate response times, and guaranteed service commitment.
- Skills: While software forms the base of a solution, skilled resources are integral to run and operate the software to make any operations management exercise successful. The MSSP must have engineers with high-level security expertise in monitoring, diagnostic consulting, and security planning and audit services. The security team should comprise various technology and process specialists with diverse certification levels from Cisco, RSA, Checkpoint, ISS and process consultants of the ilk of CISA and BS7799.
- Processes: The processes followed at the MSSP should be benchmarked against global standards. The available skills should be put to extremely efficient use by predefined escalation paths through the operations organization. Automatic trouble ticketing for major and critical alerts ensures that each trouble ticket generated follows a fully automated path of escalation and closure. The procedures should be such that the trouble ticket is automatically closed on resolution of the problem.
- Reporting: Clients should always be aware of how the MSSP is keeping their proprietary data safe. Near real-time reporting of a threat considerably reduces the chances of damage. Not only should a good MSSP be able to inform its clients of attacks, but it should also be able to prevent and counter them.
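The Processes point in the list above (tickets only for major and critical alerts, a predefined escalation path, automatic closure on resolution) is small enough to model directly. The following is an added example, not HCL Comnet's ticketing system or anything described by the author: the tier names, the time allowances per tier and the sample alerts are constructed assumptions.

```python
"""Automatic trouble ticketing with a predefined escalation path and
auto-closure on resolution.

Added example for this article; not HCL Comnet's ticketing system. The tier
names, the time allowances and the sample alerts are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed escalation path: (who holds the ticket, how long before it
# escalates). None means the last tier keeps it until it is resolved.
ESCALATION_PATH = [
    ("L1 analyst", timedelta(minutes=15)),
    ("L2 engineer", timedelta(minutes=30)),
    ("Security manager", None),
]

# Only major and critical alerts open tickets; lower severities go to reports.
TICKETED_SEVERITIES = {"major", "critical"}


class Ticket:
    def __init__(self, ticket_id, alert, now):
        self.id = ticket_id
        self.alert = alert
        self.key = (alert["src"], alert["dst"], alert["sig"])
        self.state = "open"
        self.tier = 0
        self.tier_entered_at = now
        self.history = [(now, "opened", self.assignee)]

    @property
    def assignee(self):
        return ESCALATION_PATH[self.tier][0]

    def tick(self, now):
        """Walk the escalation path as far as elapsed time requires, so a
        ticket nobody touched for an hour does not stall at the second tier."""
        if self.state != "open":
            return
        allowance = ESCALATION_PATH[self.tier][1]
        while allowance is not None and now - self.tier_entered_at > allowance:
            self.tier += 1
            self.tier_entered_at += allowance
            self.history.append((self.tier_entered_at, "escalated", self.assignee))
            allowance = ESCALATION_PATH[self.tier][1]

    def resolve(self, now, note):
        """Closure happens automatically once the resolving action is recorded."""
        self.state = "closed"
        self.history.append((now, "closed", note))


class TicketQueue:
    def __init__(self):
        self.tickets = {}
        self._next_id = 1

    def ingest(self, alert, now):
        """Open a ticket for a major/critical alert, or return the existing
        open ticket for the same src/dst/signature so a repeating alert does
        not flood the queue with duplicates. Other severities get no ticket."""
        if alert["severity"] not in TICKETED_SEVERITIES:
            return None
        key = (alert["src"], alert["dst"], alert["sig"])
        for t in self.tickets.values():
            if t.state == "open" and t.key == key:
                return t
        t = Ticket(self._next_id, alert, now)
        self.tickets[t.id] = t
        self._next_id += 1
        return t

    def tick(self, now):
        for t in self.tickets.values():
            t.tick(now)

    def resolve(self, ticket_id, now, note):
        self.tickets[ticket_id].resolve(now, note)

    def open_tickets(self):
        return [t for t in self.tickets.values() if t.state == "open"]


if __name__ == "__main__":
    q = TicketQueue()
    t0 = datetime(2003, 2, 11, 2, 14, 6)
    t = q.ingest({"src": "10.9.8.7", "dst": "192.0.2.10",
                  "sig": "PORTSCAN detected", "severity": "critical"}, t0)
    q.tick(t0 + timedelta(minutes=50))
    q.resolve(t.id, t0 + timedelta(minutes=55), "source blocked at firewall")
    for when, what, detail in t.history:
        print(when.time(), what, detail)
```

The history list is the audit trail a client report can be built from: each escalation carries the time it became due rather than the time the scheduler happened to notice, so the record reflects the policy, not the polling interval.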
Swapan Johri, director (managed security services) HCL Comnet