Security Tutors


In the world of IT security, there's a plethora of technologies to choose from: firewalls, antivirus protection, intrusion detection and encryption, to name a few. Yet the key to securing data and networks lies not in technology but in the human factor, said solution provider executives at the first CRN Security Roundtable in New York.

Although determined hackers and careless users can compromise technology safeguards, security experts can step in with specialized skills and services to help businesses assess and manage their risks and vulnerabilities, as well as develop secure policies and applications, according to roundtable participants, who represented seven firms that sell security solutions and/or services.


SOLUTION PROVIDERS ARE STEPPING IN WITH SERVICES TO HELP CUSTOMERS CRAFT PRACTICES AND POLICIES THAT REINFORCE THEIR TECHNOLOGY SAFEGUARDS
The CRN Security Roundtable panelists: Gary Fish, FishNet Security (top right); Dan McCall, Guardent (middle left); Kenneth Cavanagh, Vigilinx (middle center); Chris Wysopal, @Stake (middle right upper); Michelle Drolet, Conqwest (middle right lower); Chris Ellerman, Meridian IT Solutions (bottom left); and Paul Rohmeyer, Icons (bottom right).

"Getting the human in the loop is what it all comes down to," said Chris Ellerman, vice president of professional services at Meridian IT Solutions, Schaumburg, Ill.

The people quotient is becoming ever more critical as the number of security vulnerabilities continues to increase exponentially, roundtable panelists said. And businesses are finding it tough to keep up and are tapping security solution providers to assess their systems on a regular basis, they said.

Dan McCall, executive vice president and co-founder of Guardent, Waltham, Mass., said vulnerability assessments are one of his company's fastest-growing businesses. "We've turned that into a managed service, technology-aided, as an expert looking at the results of automated tools," he said.

While businesses might be able to run scanning tools on their systems to find vulnerabilities, they may not know how to prioritize which security holes are the most critical to fix, the panelists said. "That's the biggest value people get out of our deliverables: the prioritization," said Chris Wysopal, director of research and development at @Stake, Cambridge, Mass.

Any assessment that @Stake does is tied to the business context, comparing the cost of fixing the security problem with the company's business processes, Wysopal said. Companies are now asking for network assessments and penetration tests more often, he added.

"People are saying, 'I need to have these done on a quarterly basis,' where before they might have had it just once a year," Wysopal said.

Paul Rohmeyer, COO of Icons, North Brunswick, N.J., said the growing demand for vulnerability assessments is enabling his firm to turn the assessments into a managed service. "We are implementing scanning architectures and then coming in on a recurring basis to run those architectures and produce findings, coach, train, transfer knowledge, whatever your favorite buzzword is, to leave the client equipped to use those architectures in between our assessments," he said.

Periodic assessments also provide continuous product opportunities, Rohmeyer said. "You're inevitably going to have a better viewpoint of the product needs," he said.

Michelle Drolet, CEO of Conqwest, Holliston, Mass., said her firm provides customers with monthly "health checks": assessments that employ a variety of tools to check for vulnerabilities and security-policy compliance. About a dozen clients have signed up so far, she said. "We deliver the reports to the IT director, and typically we're brought back in to do a week's worth of remediation," she said.

Conqwest also helps companies train their employees in security policies, such as basic password management. "The weakest link in security, in my mind, is the human factor," Drolet said, explaining that human error is to blame for many security problems.

Other roundtable participants echoed that view. Gary Fish, president and CEO of FishNet Security, Kansas City, Mo., said his firm's services business continues to grow. This year, services account for about 30 percent of FishNet's sales, up from between 15 percent and 20 percent last year, he said. Product sales make up the rest.

"We came up with this new model. We call it APIME: assess, plan, implement, manage and educate," Fish said. "We're going into organizations and saying, 'I could sell you the six firewalls you just asked for, but I'm not sure you really need them. Why don't you let us spend one day [at your company]. It will cost $2,500.' We'll do a preliminary assessment, we may run a scan or do a more in-depth assessment, and then we'll write a security road map for that organization."

Recurring assessments are a good fit for companies that don't want to outsource their security entirely to a monitoring firm, said Meridian's Ellerman. For example, Meridian sent an engineer to a client site once a week for six months to help the customer interpret firewall data and implement a security solution, he said.

"They don't want anything going off-site," Ellerman said. "They're looking for a hybrid solution."

The roundtable panelists also said that companies bring them in to assess the security status of organizations that they do business with or plan to acquire. "In B2B contracts, we're being brought in to do security assessments before those people sign the contract to see if they're secure," Conqwest's Drolet said.

And the proliferation of wireless technology is driving additional security assessment work, according to the panelists. Administrators often are embarrassed to discover that someone can drive around in a car rigged with rudimentary equipment and access their corporate data via an unsecured wireless LAN that they didn't even know was in their organization, executives said.

"We're starting to see a lot of requests. They're coming to us and saying, 'We need a wireless audit done,' " Fish said.

Wireless LANs are insecure out of the box, but businesses can implement policies and technology to secure them, solution providers said. "Good security practice is good security practice, across any kind of environment," said Kenneth Cavanagh, vice president of professional services at Vigilinx, Parsippany, N.J. "If [companies] follow the rules and regulations, policies and procedures, wireless can be made as secure as it possibly can be."

@Stake has seen substantial growth in the application assessment and development side of its business, which serves enterprise application developers, ISVs and others, Wysopal said. "People test for functionality and for performance. They don't test for security," he said. "[Security] should be built into any kind of project."

Finding employees who have the expertise to advise clients on security policies and technology is getting easier, roundtable participants said.

"That churn in the telco business has put an awful lot of talented people back out on the street," Cavanagh said.

This year was the first year that FishNet Security has been able to hire people away from competitors, said Fish, adding that he hired six engineers from competitors that either went out of business or were struggling.

Still, finding people with specific security skills can be a chore, McCall said. "The area where we actually struggle is hiring people that really understand operational security: intrusion-detection systems, scanning systems. People who really get it when it comes to firewalls tend to be in very high demand," he said.

Vendor certifications are helpful in managed security because engineers must be able to thoroughly understand specific devices, McCall added.

General security certifications, such as the Certified Information Systems Security Practitioner (CISSP), can demonstrate some technical knowledge and test-taking ability, but their holders don't necessarily have hands-on experience, said Cavanagh. He and other panelists said that hiring people with well-honed IT skills is key.

"If you find a good network engineer, and that person can look at a network diagram regardless of what they've been trained in and understand what the security risks and exposures are, then when it comes down to whatever technology is being used in that client environment, they can learn that," Cavanagh said.

Solid IT fundamentals carry much weight in hiring, Wysopal said. "You need to have the basics. Anyone who understands the basics and has an engineering or programming background, it's easy for them to learn the details. It's hard to go the other way," he said.

Customers also are seeking solution providers that not only understand their firewall architectures but also their particular markets, Rohmeyer added. He and other roundtable participants said corporate demand for security expertise is opening up plenty of opportunities for them to provide training services.

"We've been inundated with requests by clients to add training to every project we do," Rohmeyer said. "There seems to be no shortage of training work around."

Added Wysopal: "Everyone wants knowledge transfer, whether it's informal, a few presentations or a primer."

The training @Stake provides is general, covering areas such as secure application design training, according to Wysopal. "We don't teach it for any particular platform," he said.

Some solution providers offer training on specific vendor products. Meridian IT Solutions is a Symantec training center, and FishNet Security is a training center for several vendors, including Check Point Software Technologies and Internet Security Systems.

In some cases, vendors ask solution providers to write training materials, as was the case with FishNet Security and Entercept Security Technologies, Fish said. Likewise, Icons developed an application-security training program for a large vendor, Rohmeyer said.

Looking ahead, roundtable executives said they see no end to the services opportunities in security because it's a never-ending concern.

"The problem is rooted in the dark side of human nature and the complexity of networking. If either of those change in our lifetime, I would be surprised," said Guardent's McCall. "Ultimately, there are going to be technology improvements, but the vulnerabilities will change. What it really requires is some level of service associated with staying on top of it and being diligent about the protection mechanisms."

Bringing together the various departments of a company (human resources, MIS, legal, etc.) to develop and enforce policies is essential to tackling the security problem, Drolet said. "You evaluate, you write the policies, you educate the employees and you put the enforcement technology in place, and then you start again every month of every quarter," she said. "It's just doing due diligence."