ALKHOBAR, 13 September 2005 — Managed security services (MSS) are a systematic approach to managing an organization’s IT security needs. MSS are generally required by companies that have grown large enough to have a complex IT network. Such firms would normally hire an administrator with advanced training to handle network security in-house, but many find that it is more effective, from both a cost and a human-resources standpoint, to outsource at least some of their network and information security needs to a specialist provider.
A MSS provider can handle 24x7 monitoring, management and response for security devices, systems and processes, including:
• Network boundary protection, including managed services for firewalls, intrusion detection systems (IDSs) and virtual private networks (VPNs)
• Patch management and upgrades
• Anti-virus and content filtering
• Security assessments and security audits
• Incident management, including emergency threat response and forensic analysis.
As corporate networks become more complex and numerous security devices and solutions necessarily become part of the network, it becomes increasingly difficult for any single administrator to manage all aspects of network security. A lone network administrator would simply be buried in the huge volume of events pouring out of every firewall, intrusion detection system and anti-virus console connected to the network. The administrator would never find a genuine security threat amid the information chaos, let alone contain an incident before serious damage was done. What a security operations center adds is not more alerts but correlation: the same source hitting a firewall, an IDS signature and a host anti-virus detection within minutes is one incident, not three unrelated log entries.
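As an added illustration, not part of the original article and not Symantec’s own technology, the following Python script shows the kind of cross-sensor correlation a SOC uses to reduce raw event volume to a short, ranked list of incidents. The log lines, hosts, sensor names, weights and severity thresholds are all constructed for this example; a real SOC would tune them to its clients’ environments.

```python
"""Minimal multi-sensor alert correlator (added example; assumed format and weights)."""
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp sensor key=value ..." form.
# Hosts are taken from the documentation address ranges; nothing here is real.
SAMPLE_LOG = """\
2005-09-13T02:14:01 firewall action=deny src=203.0.113.5 dst=192.0.2.10 dport=445
2005-09-13T02:14:02 firewall action=deny src=203.0.113.5 dst=192.0.2.10 dport=139
2005-09-13T02:14:03 firewall action=deny src=203.0.113.5 dst=192.0.2.10 dport=3389
2005-09-13T02:14:05 firewall action=allow src=203.0.113.5 dst=192.0.2.10 dport=80
2005-09-13T02:14:09 ids sig=web-cgi-attempt src=203.0.113.5 dst=192.0.2.10 dport=80
2005-09-13T02:15:30 antivirus event=detected host=192.0.2.10 name=Trojan.Dropper
2005-09-13T02:30:00 firewall action=deny src=198.51.100.7 dst=192.0.2.20 dport=22
2005-09-13T03:10:12 firewall action=allow src=192.0.2.44 dst=192.0.2.10 dport=443
"""

# Assumed per-sensor weights: a host-based detection is worth more than a dropped packet.
WEIGHTS = {"firewall": 1, "ids": 3, "antivirus": 5}


def parse_line(line):
    """Split one event line into a dict, normalising the affected host into 'target'."""
    ts, sensor, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["sensor"] = sensor
    # Network sensors report the destination; host anti-virus reports the host itself.
    fields["target"] = fields.get("dst") or fields.get("host")
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_alert(ev):
    """A permitted firewall session is context, not an alert; only denies count."""
    return ev["sensor"] != "firewall" or ev.get("action") == "deny"


def severity(score):
    if score >= 10:
        return "critical"
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def correlate(events, window=timedelta(minutes=10)):
    """Group alerts per target host within a time window and rank the groups."""
    incidents, open_by_target = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_alert(ev):
            continue
        inc = open_by_target.get(ev["target"])
        if inc is None or ev["ts"] - inc["first"] > window:
            inc = {"target": ev["target"], "first": ev["ts"], "last": ev["ts"],
                   "sensors": set(), "sources": set(), "events": 0}
            open_by_target[ev["target"]] = inc
            incidents.append(inc)
        inc["last"] = ev["ts"]
        inc["sensors"].add(ev["sensor"])
        if "src" in ev:
            inc["sources"].add(ev["src"])
        inc["events"] += 1
    for inc in incidents:
        base = sum(WEIGHTS[s] for s in inc["sensors"])
        # Independent sensors agreeing on the same host is the strongest signal,
        # so each additional sensor type earns a bonus on top of its own weight.
        inc["score"] = base + 2 * (len(inc["sensors"]) - 1)
        inc["severity"] = severity(inc["score"])
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for inc in correlate(events):
        print(f"{inc['severity']:8} {inc['target']:12} score={inc['score']:2} "
              f"sensors={sorted(inc['sensors'])} sources={sorted(inc['sources'])} "
              f"events={inc['events']}")
    print(f"{len(events)} raw events -> {len(correlate(events))} incidents")
```

Eight raw events collapse to two incidents, and the one that matters, a single source scanning 192.0.2.10, reaching its web server and the host then reporting a dropper, rises to the top because three independent sensors agree on it. The lone SSH deny against 192.0.2.20 stays on the list but ranks as low priority, which is the triage decision the article says an overloaded administrator cannot make by eye.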
That’s why many large and mid-sized companies in other regions are turning to MSS outsourcing as the only rational way to keep their networks running. It lets IT staff focus on core business objectives instead of constantly bracing for the next network security catastrophe. It is possible to outsource some or all of an enterprise’s network security management requirements, and the level of outsourcing has been rising every year. MSS is constrained only by an organization’s level of trust in the MSS provider and the depth of the corporate pockets.
Ideally, MSS are delivered in a vendor-neutral manner, with the provider tailoring the service to the client’s environment. In reality MSS providers often have preferences in devices, systems and processes. Organizations may find it difficult to resist efforts to migrate their security applications to those “recommended” by the MSS provider, and it is essential to weigh the true cost/benefit ratio in such decisions, including the cost of being locked in to the provider’s preferred products.
MSS is a field that will offer significant growth to qualified providers. Yankee Group forecasts that MSS revenue will increase from $1.5 billion in 2002 to $3.7 billion in 2008. Driving this growth will be enterprises shifting away from point solutions and threat detection toward integrated solutions and threat prevention. Yankee Group believes that intelligence is the real asset in MSS and that organizations will choose to buy MSS from the providers with the most experienced security specialists.
While IT outsourcing has not been very popular in the Middle East, Symantec, the global leader in MSS, believes that regional enterprises have no choice but to consider MSS, because companies are finding that they lack the expertise or the staff to keep their in-house security monitoring and management capabilities in line with their requirements.
In March 2004 Symantec announced the appointment of Al-Suwaidi Company in Saudi Arabia to its MSS partner program, the first such partnership in the region to bring MSS to companies locally. During the announcement there was some miscommunication about the nature of the facility to be unveiled in the Kingdom. The impression was given that a Symantec Security Operations Center (SOC) was to be built in the Kingdom. This is not the case. The intention is that Al-Suwaidi will build local capability in the Kingdom so that Saudi enterprises can be monitored by a Symantec SOC, and that this local resource will also provide change management and configuration management to clients.
Symantec SOCs are the nerve centers of its MSS offering, and several of them exist around the globe. When I was invited to visit the SOC in Alexandria, Virginia, nothing could have prepared me for this journey into total paranoia.
The staff at the SOC must be constantly on the lookout for threats, real and potential, to their clients’ data and networks. To maintain a high level of client trust, Symantec must ensure the confidentiality of the client data it handles. This led the company to require the invited journalists to sign two non-disclosure agreements, one online and one on paper, before allowing us even a glimpse of the SOC. For most of our visit the group was kept in a soundproof room behind a glass wall that let us see some activity on the SOC floor but hear none of the conversation. After Symantec’s presentation, the group was allowed very limited, escorted access inside the SOC. All of these measures were there to protect client data.
According to Symantec, its Alexandria SOC is the most advanced facility of its type ever constructed for civilian use. Its 10,000 square feet contain nine 42” plasma screens, three 100” rear-projection display screens and 64 10” flat-panel displays. The SOC has a 750 kVA backup generator, enough to power the entire building at full load with capacity to spare even on a summer day. It is designed to accommodate 15 security analysts, 15 customer engineers and five call-center staff per shift, as well as support and supervisory personnel. Redundancy is the watchword at the SOC and its built-in data center: network connections, cooling and power are all fully redundant. Should a major crisis or disaster strike in or near Alexandria, all of the Alexandria SOC’s operations could be transferred at once to another Symantec SOC in an unaffected region.
All entrances to the SOC are protected by three-factor authentication: an access card (something you have), a PIN code (something you know) and a palm scanner (something you are). The authentication systems are controlled by different teams, so no single team can grant itself entry, a separation of duties that matters more than the biometrics. That’s right: to create an environment of trust, Symantec finds it necessary not to trust anyone.
On the SOC floor, proprietary technology combines with top-notch human intelligence to monitor vulnerabilities and attacks and to issue alerts as needed. Global Internet trends are analyzed from information constantly pouring in from Symantec’s tens of thousands of registered sensors on the Internet in 180 countries. Sometimes an attack is blatant and immediately visible, but Symantec’s analysts admitted that a major problem can look insignificant at first and that they often go with their gut feeling. That’s when experience is everything.
Symantec attempts to leave nothing to chance. While it touts the quality of the people who work at the SOC, every keystroke an analyst or engineer makes is logged, and even the length of time it takes to perform a task is monitored. Hiring the best is not enough for Symantec either. After multiple interviews and background checks, all new hires go through a six-week “boot camp” in which their skills are fully evaluated, tested and upgraded before they come into contact with customer data.
A Symantec SOC is not the ideal working environment for most people, but it was noticeable that the staff there were extremely enthusiastic about their work. They clearly thrive on the constant challenge. Symantec executives repeatedly emphasized that the team supporting the MSS is the most important element of those services, more important even than the technology.
MSS are certainly convenient and cost-effective, but companies in the Middle East still believe that having their network and information security managed from another region is less than ideal, and this is holding them back from committing to MSS outsourcing. Until regional MSS resources are better developed, Symantec, or any other security vendor, will have a difficult time managing the trust aspect of MSS, and this is one situation in which everyone except the criminals stands to lose.