Security Steps Up a Notch


An emerging subscription model for vulnerability scanning is breathing new life into security solution providers, who view these services as a way to convince customers their networks and applications need more protection.

Such VARs are taking advantage of reseller programs that offer a cut as high as 45 percent of monthly subscriptions to automated network- and application-scanning services. What's more, they're using these services as a no-obligation entree into new and existing clients who may mistakenly believe their systems are safe simply because they have completed their checklist of firewall, antivirus and intrusion-detection purchases.

"It becomes a cycle," says Sean Stenovitch, president of FutureCom, a Dallas-based solution provider that resells a scanning service from Digital DataTrust, also in Dallas. "We have a company out there making sure the security products we're selling are working the way they should. Customers will buy the service because it validates the products are installed properly." The service might also uncover vulnerabilities that require additional security products, Stenovitch notes.

With vulnerability scanning, the focus is on preventing intrusions rather than detecting them after they have happened. The services, from relatively unknown vendors such as Counterpane Internet Security, Digital DataTrust, Digital Defense (DDI), Foundstone, Guardent, Qualys, TippingPoint Technologies and Sanctum, scan networks and applications and spot openings that can be exploited by hackers. They download the latest vendor patches several times a day, and also generate reports detailing how vulnerabilities can be fixed, complete with an up-to-date list of patches from vendors.

Vulnerability scanning is different from traditional penetration tests offered by EDS, IBM Global Services and other big consulting firms in that the scans are automated rather than a manual attempt by a consultant to mimic the actions of a hacker. That sharply reduces the cost of running scans, allowing for monthly or annual subscription pricing.

"With penetration testing, you're a hacker coming in and trying to capture the flag," says Tom Gallo, president of DDI, San Antonio. "We make sure the gates are in place in case someone plays capture the flag."

Vulnerability scanning also differs from firewalls and intrusion-detection systems, which focus on the network. They don't distinguish between different data types; rather, they look for patterns in data movement, says Gartner security analyst John Pescatore.

The services are particularly well-suited for application-level security testing. Experts agree the quality of software code waned during the technology-boom years as software was rushed to market. Much of the software enterprises use today never underwent rigorous quality assurance and security testing, they say.

"The dot coms and software providers were motivated to provide a solution and get something to market right [away]," says Dave Morrow, deputy director of EDS' Security and Privacy Services unit. Adds Tom Clare, director of enterprise solutions at scanning vendor Qualys, which sells only through VARs: "We're still paying for the dot-com boom."

The importance of application-level security monitoring will increase as XML-based Web-services technology begins to replace APIs as the primary way to link one application to another. Web services and the underlying SOAP and UDDI protocols "will break a lot of today's network-level security products," Gartner's Pescatore says.

Application vulnerabilities are so common that some say they require constant attention and assessment, just as the rise in virus production in the mid-'90s ushered in automated virus-scanning tools. The daily, weekly or monthly scans don't take the place of quarterly or yearly attack simulations, but rather protect interim vulnerabilities introduced as apps are added or reconfigured.

"This is daily health maintenance vs. a yearly physical," Clare says. "You can't ignore your health all year and expect to have a good doctor's visit."

Beyond Partnering

Despite the benefits, partnering with scanning-service providers isn't a slam-dunk. For one thing, consulting services dealing with application-level security require expertise not only in security methodologies, but also the applications themselves. Resident experts in Web server, messaging and ERP software are necessary to successfully counsel clients about how to protect those systems, experts say.

"First, you can make the app [crash], which is bad, or make it run so slow that no one can use it," Morrow says.

"With Web servers alone, there are so many variables," Pescatore adds. "You need to understand CGI scripting, Active Server Pages and everything else to understand how they can be exploited."

Domain expertise is viewed as so important that some scanning-security providers say they carefully choose their VAR alliances, favoring solution providers that can engage a client in a full range of security consulting services.

"We are reshuffling and refining our alliances, looking for partners that have talent and can help define a strong security profile," Clare says. "If Bill and his cat have been in their garage selling Check Point at 2 percent over margin, I don't want them."

Location matters, he adds. "You can build a global security product, but security services are local," Clare says.

Likewise, some VARs say they won't resell scanning services that don't directly buoy their product sales. "You have to find one that works with the product fit you're selling," FutureCom's Stenovitch says. "You don't want them to analyze something you don't sell. I don't care about the monthly $2,500 check. I care about how it can be an added source to sell goods and services."

Opening the Door

Some VARs will offer a free security scan for existing clients who believe they have all the protection they need.

"It's a door-opening solution to get us an audience," says Jim Dziak, CEO of MicroTek Systems, a Milwaukee-based solution provider that resells Qualys' scanning services. "We offer a no-obligation technical-assessment report. It allows us to bring a level of awareness to clients, and change their way of thinking, that an occasional audit isn't sufficient."

Qualys can scan a given range of IP addresses in an enterprise, even during business hours and without any hardware or software resident at the customer site. Reports are accessible on the Qualys Web site, and different reports are available to executives, technologists and line-of-business managers.

MicroTek has sold about 40 subscriptions to the Qualys service since signing up with the vendor in November. Subscriptions are sold on an annual basis for unlimited scans. Prices start at $995 per year for one IP address; MicroTek recently sold a subscription for 64 IP addresses for $25,000. VARs get a 40 percent cut.

Dziak wouldn't specify how many product sales have come about because of the program. But security now comprises 25 percent of MicroTek's business, compared with less than 5 percent a year ago, he says. One of its clients, The Equitable Bank, a state savings bank in Milwaukee with three IT staffers, used to pay $6,000 or more for one security audit per year. Information technology officer Mike Block was skeptical of the Qualys service at first, mainly because he had never heard of the company. But he signed up on the basis of his relationship with MicroTek, he says.

Equitable's experience underscores why scanning vendors and VARs so desperately need each other to grow sales. "I said, 'OK, if Jim's involved it must be a good deal and it must be safe,'" Block says. "I wouldn't have bought it otherwise."

Equitable pays about $5,000 per year for scans on eight IP addresses. "Here, I can run this thing every day if I want," Block says. "If I make changes to an e-mail server, or upgrade an OS and reinstall Exchange Server, we may think we did everything we were supposed to do, but just to make sure we run Qualys."

The service also reassures Block as he familiarizes himself with Linux, which he recently installed on several systems. "I'm kind of new at Linux, and I need to get up to speed," he says.

Establishing Programs

Vulnerability-scanning services are particularly helpful in demonstrating to clients why they might need additional protection, thereby driving new product sales. Charles Fridrich, business manager at Critical IP, a Fairfax, Va.-based solution provider that began selling Counterpane's scanning service in February, says the service has convinced many customers to buy more.

"After Counterpane would do an assessment, it would give its opinion to the company, offering degrees of what is needed," Fridrich says. "That led to suggestions by us that [the customer] needed an updated firewall at a gateway to the financial or accounting departments."

Even those scanning providers that started out selling direct now are establishing VAR alliance programs. DDI, for example, was expected to launch a partner program last week. DDI, which charges per scan, now allows VARs to sell scans at $20 to $30 per IP address; VARs pay "a whole lot less," DDI's Gallo says.

DDI differentiates itself by offering internal scans. VARs can carry a DDI box, called a Mobile Localizer, to a customer site and perform a scan from inside the network. It's an important differentiator: experts say that more than half of all security breaches occur from inside the network. Guardent and Counterpane offer similar internal-scanning services.

Another vendor, Foundstone, rolled out a partner program in April, and Counterpane says it has added 46 VAR partners in the first few months of its program. Counterpane VARs receive 25 percent of the subscriptions they sell.

Qualys, with a customer base of 400 companies growing at 25 per month, sells only through the channel. Premium partners get a 35 percent cut of sales; Platinum partners get 45 percent. Qualys has 300 channel partners to date.

As quickly as the door has opened for these scanning services, many say the door will close. MicroTek's Dziak warns that Microsoft's newfound focus on security may severely reduce the security flaws in Microsoft products, which average one a week. And EDS' Morrow believes that security-scanning services of the automated variety will become commoditized in 12 to 18 months.

Still, he believes rapid technology developments will always breed high-margin security consulting business. "When technology is exploding, there are always unintended consequences," Morrow says. "Security is always playing catch-up."

David Joachim (david@davidjoachim.com) is a business and technology writer in Port Jefferson, N.Y.