Managed Security Service Providers
With the threat of Web site defacement, worms and DoS attacks intensifying, we evaluated five managed security service providers on their ability to defend our fictional company, NWC Inc. Our
July 28, 2006
It's us versus them: overburdened IT groups against smart, malicious opponents who are constantly probing for weak spots. As the red-hot klieg lights of the media and government regulators focus on infosec groups, struggling to thwart everyone from disgruntled employees to professional identity thieves, we're all feeling the heat. Our fictional widget maker is no exception. Is it time for NWC Inc. to call in a specialist?
While MSSPs (managed security service providers) have been around for years, this is not a run-of-the-mill outsourcing decision. Many IT professionals feel strongly that information security is a core business function, and outsourcing it would be equivalent to handing over the keys to the kingdom.
We agree, to a point. For organizations with specialized security needs or policies, an in-house team is the way to go. However, far too many organizations have yet to make information security a core competency, or have thrown in the towel and decided that security will never be a fundamental proficiency. But as attackers become more sophisticated, so must the tools we wield to stop them.
Managed security services will be the fastest-growing segment of the managed services arena, expanding at a compound annual growth rate of nearly 20 percent over the next few years, according to Gartner. MSSPs are benefiting from the shrinking window between weakness discovery and exploit, complex new technologies like NAC (network admission control), and the ever-expanding network perimeter that now includes business partners and telecommuters. At the same time, CTOs are under increased pressure to reduce costs, improve services and meet governmental regulations--all without sacrificing quality of service and ensuring business continuity. It's a recipe for MSSP growth.
In NWC Inc.'s case, our complex Web business model and the high volume of our e-commerce initiatives are business drivers. We built an RFI seeking a partner to monitor and manage our information security infrastructure and sent it to 24 MSSPs. BT Global Services, Cybertrust, Internet Security Systems, LURHQ and SecureWorks accepted. VeriSign Managed Security Services initially accepted and did an outstanding job completing its RFI, but backed out because of the risk of exposing too much confidential data by publishing its RFI responses online (a requirement to participate). Equant also initially accepted but could not complete our RFI in time due to its rebranding to Orange Business Services. MCI, which has partnered with Verizon Business, declined. Accenture, AT&T Networking Outsourcing Services, Capgemini, Computer Sciences Corp. (CSC), Connetic, EDS, Getronics, IBM Global Services, Perimeter Internetworking, Science Applications International Corp (SAIC), Solutionary, Sprint, Symantec, TruSecure, Unisys and VigilantMinds didn't respond to our invitation.
We understand that many vendors are loath to reveal the level of detail we require in our RFIs, but this information is necessary to award our Editor's Choice and to allow readers to determine which vendors should make their shortlists.
Do Your Homework
Outsourcing best practices apply in spades to MSSP engagements. Successful CTOs actively develop relationships with their providers while putting in place comprehensive management and control policies. If proper due diligence is carried out, security outsourcing can provide terrific benefits: reducing risks associated with misconfiguration; decreasing costs surrounding staffing, training and benefits; and increasing savings associated with maintenance, upgrades and capital payout.
Management and maintenance of firewalls, IDS/IPSs, routers and switches; OS configuration; patch management; and vulnerability assessments are top tasks organizations have typically looked to outsource. But as network threats have increased in volume and complexity, managed services also have grown to provide a combination of expert technological skills with human analysis such as data mining, data collection and normalization, and automated security event correlation to prevent network breaches.
Impact Assessment (chart)
As we discuss in "RFI Scenario", NWC Inc. is focused on growth, with multiple new product lines in the works. Of our 33-person IT staff, only seven are network and system administrators. A finite capital budget combined with an insistence on best-in-class technology means we must get creative. Our original RFI (available as a Word document download) lists our requirements. To win our business, an outsourcer had to demonstrate the measures it has taken to control operational and environmental factors, and all our MSSP candidates did that. In fact, we applaud our participating vendors for the bang-up job each did completing our RFI.
The million dollar question is, Which will be the safest choice? Investigate the financial health of your MSSP. If a provider meets your SLA (service-level agreement) and technical requirements but its business road map and financial health are questionable, walk away. Because three of our vendors are privately held, full financial disclosure wasn't feasible; however, the level of detail Cybertrust, LURHQ and SecureWorks were able to provide reassured us that they could execute just as well as our publicly traded companies, BT and ISS.
Price Comparison (chart)
Also investigate the MSSP's main vendor relationships. Will it be able to update software protecting your systems should one of its providers go out of business? Get your general counsel to draft a sound contract identifying legal liabilities and ramifications if something were to happen, and have a well-developed contingency plan in place.
We graded our MSSPs on environmental factors, including physical security; service levels; security practices, including the MSSP's policies and procedures for securing its own systems; support, including technical expertise; and price. See a breakdown of pricing at left. Our evaluations of the individual vendor replies as well as the full RFI responses are available here.
Business Needs
The revved-up speed and increased volume of today's threats require fast response times. Handling these events is taking a toll on the NWC Inc. staff and siphoning resources from other projects. In addition, our IT department must open up select parts of our network to trusted business partners, large customers and telecommuters. The once easily defined network perimeter has eroded. And though we have limited exposure to the potential for stringent noncompliance penalties for HIPAA and Sarbanes-Oxley, the regulatory landscape is constantly shifting. These factors plus a shortage of trained security experts have companies bigger than NWC Inc. barely treading water to keep up with the latest security tools.
We previously investigated outsourcing of application development, data center services, CRM and supply chain management, so we're not rookies when it comes to evaluating providers. That's important when looking to partner on something as sensitive as security. Organizations that have successfully outsourced other IT services have an advantage--outsourcing can make operations less expensive, more productive and more efficient. Or it can be an unmitigated disaster. The key is to be diligent about documenting your requirements.
The growing sophistication of security threats means increasing costs to attract and retain experienced personnel who can design, build and sustain an in-house security infrastructure. In NWC Inc.'s neck of the woods, top security managers command $125,000 per year, according to InformationWeek's 2006 salary survey, plus benefits and ongoing education and training. In addition, consider the costs associated with security hardware and software. The size and scope of MSSPs' businesses permit them to negotiate substantial volume discounts with vendors for hardware, software and yearly maintenance costs.
The speed at which vendors issue security patches is alarming, and reviewing the need for each patch is time-consuming and costly. MSSPs must maintain patch levels as part of their SLAs. Their vendor relationships mean MSSPs often receive advance notice of worm and virus outbreaks, in addition to gaining access to patches sooner--all good for us.
A relationship with an MSSP also proffers another major, yet often overlooked, benefit: Because MSSPs manage numerous hardware platforms from various vendors, they keep spare equipment on hand, and this redundancy comes at little cost to you. We all would love the luxury of having on-site spares, but that's unrealistic for NWC Inc.
Secure Setups
We investigated how hardened each vendor's physical buildings are and received some interesting responses. All respondents offered backup power supplies, such as UPS systems, emergency batteries and power generators. Cybertrust and SecureWorks earned an edge by describing their power, air conditioning and fire-prevention setups in granular detail, including such items as contracts with diesel fuel suppliers, audits of power performance, the target temperature for SOC (security operations center) rooms, and the time (in seconds) allowed after a smoke alarm sounds for employees to leave the room before the fire-suppression system kicks in. BT and ISS didn't go into as much detail, though BT did state that more specifics can be provided upon request. LURHQ offered more detail than BT and ISS, but not to the extent of Cybertrust and SecureWorks. All vendors are doing a good job at securing their physical plants.
Equally important as learning how an MSSP locks down its physical facilities is gaining insight into the background of the people who will be working on your equipment. Fortunately, when it comes to personnel security, all our vendors adhere to strict policies. All stated that potential employees must consent to background checks. In addition, all Cybertrust security operations personnel have received NATO security clearances, while ISS requires personnel in its SOCs to complete documentation for federal background checks. SecureWorks requires its security analysts and engineers to go through additional background checks, including the FBI InfraGard security certification. As part of its new-employee orientation, BT requires all staff, regardless of job responsibility, to go through a security awareness and training program. And not one vendor will hire former black hat types--we wholeheartedly agree.
Supporting Cast
Although everything sounds good on paper, we strived to measure the level of support NWC Inc. could expect by evaluating each vendor's account team and problem-management processes.
LURHQ provides customers with an account management team charged with conducting "Trusted Advisor Calls" with clients every quarter to review incidents or open tickets and address concerns. SecureWorks provides an account rep and field engineer, and introduces clients to its SOC analysts. Our NWC Inc. ISS account executive would act as the primary point of contact, with SOC analysts playing integral roles. Cybertrust has pre-sales, national and territory account managers and post-sales client services managers to handle our account and implementation. BT cited its World Network, which sells and supports BT services through a network of managed entities in various countries.
Regarding problem management, LURHQ and SecureWorks escalate all service problems to SOC management, regardless of who initiated the process. ISS said that any problems associated with NWC Inc.'s service would be addressed by our ISS account executive, who would coordinate resources. ISS also has a customer advocacy team we could call.
BT's Global Network Operation Team handles the majority of BT's service issues, while Cybertrust manages problems through its customer portal, the Cybertrust MSS Security Dashboard, or through our client service manager. Each call is assigned a unique ID and a severity level (1 through 4). A severity level of 1 or 2 means the customer and Cybertrust both assign a dedicated contact person.
When negotiating an SLA, pay close attention to the MSSP's agreed-on time to respond to a change request, the time frame in which the change should be made, and additional fees charged for unscheduled changes. With a documented SLA, you can recoup financial penalties should the provider fail to meet its contractual obligations. MSSPs will react speedily to major security issues; however, acknowledging noncritical requests may take anywhere from four to 24 business hours.
Although it's acceptable to expect an MSSP to respond to a hardware or software failure within 15 minutes, it's not acceptable to think an MSSP will be able to configure hardware two hours before you need it, so plan ahead.
Of course, networks are not stagnant; changes must inevitably be made as your business grows. NWC Inc. was interested in how well each MSSP could help us accommodate new business partners. Cybertrust stated that configuration changes are submitted through its standard change-request process. Minor network configuration tweaks are included in the recurring fee, but major changes are defined as separate projects, and NWC Inc. would incur charges. LURHQ stated that its proprietary Sherlock platform can scale to accommodate network changes, and that all changes are tracked, documented and accounted for through Sherlock's Web-based client interface.
SecureWorks said that, depending on the complexity of the change, it could have a device reappropriated or relocated with the help of a field engineer and would remotely configure and manage the device once connectivity with its SOC was established. ISS seemed very flexible; it would handle change requests by defining roles and responsibilities, follow a strict customer notification workflow, support a multilevel customer approval process and provide a rollback strategy.
NWC Inc. felt very comfortable that Cybertrust, ISS, LURHQ and SecureWorks would be proactive in offering advice surrounding risks and possible workarounds, and would suggest the most secure ways of implementing change requests. BT wouldn't disclose details about change management, saying public disclosure would be a breach of its security policy.
Behind the Scenes
Internal controls oversee the confidentiality, integrity and availability of all managed services. Each vendor participates in regular audits (both internal and external) of its systems and procedures. SAS 70, an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants, certifies that a service organization has been through an in-depth audit of its control activities, which includes controls over information technology. All five vendors hold the SAS 70 credential.
As for delivery and ongoing maintenance of the services we requested, everything is handled between NWC Inc. and each corresponding vendor. There was no need for any vendor to involve channel partners, resellers, subcontractors or other providers to deliver our requested services.
Keeping Informed
Overall, NWC Inc. was pleased with each vendor's involvement in the security community to ensure the appropriate course of action will be taken when a new vulnerability is identified. All vendors have incident teams that stay current with vulnerabilities and threats. In addition, all stated that they partner with leaders in security, compliance and networking, such as AV vendors, IBM, HP Laboratories, Microsoft and Cisco, to ensure top-notch security services.
Cybertrust sends its personnel to such industry events as the SANS-GIAC, RSA Security, and Black Hat and White Hat worldwide conferences. BT is an accredited member of CERT (Computer Emergency Response Team) and the IETF, and is accredited as a National Institute of Standards and Technology NVLAP lab, able to evaluate crypto products against the U.S. FIPS 140-2 standard. All vendors said they exchange intelligence information with industry experts, government agencies, professional associations, underground organizations, media and newsgroups, including ICSA Labs, Mitre, SANS, CSI and CERT.
All vendors indicated a focus on preventing, rather than detecting, intrusions. LURHQ guarantees response and escalation to the appropriate NWC Inc. staff within 15 minutes of an incident being identified. It also will work with any customer during the implementation process to develop escalation procedures that meet business needs. ISS' enhanced SLAs guarantee we'll be notified of security incidents within 15 minutes after identification. It also specified escalations within the ISS SOC: After one hour, the issue is escalated to the on-shift SOC supervisor; after four hours, the issue moves to the SOC manager; after eight hours, we get attention from the SOC director; and after 24 hours, the VP of operations is notified.
BT assigns each case a priority, with target case resolution times: critical, four hours; urgent, 12 hours; serious, 120 hours; and minor, commercially reasonable efforts. With Cybertrust, depending on the SLA, availability and network health incidents are escalated within 15 to 30 minutes and include an incident report containing both the incident data and response recommendations.
SecureWorks generates alerts on both blocked attacks and suspicious activity. An urgent incident will result in countermeasures being immediately deployed while communication is attempted with the client. Notification time frames are defined by the contracted SLA.
In the rare event that an MSSP does suspect a compromise, all vendors said that escalations are immediately executed while potential damage is contained through every countermeasure available until both the MSSP and client agree on whether a compromise actually occurred.
Outsourcing's Dark Side
If done correctly, there's no doubt security outsourcing can save money and offer peace of mind. Unfortunately, for every positive, there is a negative, and for certain businesses, these could pose substantial risks.
For example, using an MSSP means giving up direct control over NWC Inc.'s security infrastructure devices. Our prospective MSSPs want to maintain full control in order to alleviate finger-pointing should a breach occur. While sharing control is possible, it's problematic--and anyway, why did you hire the MSSP?
Control over device policies will remain with NWC Inc., because creating sound security policies requires an intimate knowledge of a company's inner workings. It's our responsibility to inform our MSSP about who can access certain systems and at what time of day--for example, which trusted business partners can access the company's extranet? Which administrators have access to security data? It's also your responsibility to collaborate with the MSSP to make sure only authorized personnel can request security changes; you may want to require dual authorization. You're also on the hook to make sure your internal documentation concerning device configurations, IP addresses, user IDs and passwords, and support-contract information is up to date.
Some MSSPs can provide professional services, for a fee. While we didn't get specific quotes, some vendors did provide info regarding their professional services: BT, ISS and SecureWorks offer project management, vulnerability and penetration testing, on-site emergency response assistance and risk assessments for a fixed, flat fee based on the scope of the proposed project, skill sets needed and level of customization requested. LURHQ charges an hourly rate for consulting services. In addition, ISS stated it would not force NWC Inc. to incur additional charges to coordinate our trading partners, where applicable, into ISS' management of our security.
Information Security By The Numbers
63: Percent of CISOs and senior security executives who said justification of security spending is the driver for measuring information security.
52 million: Number of personally identifiable customer records breached in 2005. Most occurred at big companies--Bank of America, Time Warner, Ford. If they can't stem the tide, what hope do the little guys have?
50: Percent of SMBs surveyed that will spend more on security this year than last. On average, 10 percent of the IT budget goes to security.
Source: Forrester Research
As with other types of outsourcing, shops that are heavily into customization will run into problems. MSSPs serve hundreds of clients and as such, their operational model is based on being able to scale for the masses--outsourcers hate to deviate from their operational model. Avoid asking an MSSP to customize configurations--for example, if you require a specific port on your firewall to be open, but your MSSP's policy forbids it, you're in for a long haul. While our vendors said they consider special requests on a case-by-case basis, understandably none truly seemed open to modifying a configuration that benefits only one customer and doesn't follow security best practices.
Finally, remember that outsourcing security monitoring and management does not eliminate the need for internal security expertise. When your MSSP identifies an exposure, it must be able to communicate with an internal resource capable of understanding the technical repercussions and making an informed decision about changes as they relate to your organization's network, servers and applications. And remember, out-of-sight, out-of-mind does not apply--you must assign someone with enough security knowledge to monitor how effectively your MSSP is performing.
Final Analysis
After evaluating five RFI proposals, we gave our Editor's Choice award to ISS because of its wealth of service offerings, outstanding SLA agreements, highly skilled personnel and bundled pricing options. We especially liked that ISS provided NWC Inc. with a detailed five-phase deployment process that clearly indicates responsibilities and tasks across initiation, planning, staging, integration and closeout. For our full reviews of the five MSSPs, jump to page 10.
The race was close for second and third place. LURHQ held on to second, and SecureWorks and Cybertrust tied for third.
LURHQ's core offering is its threat and vulnerability management service, which would be valuable for organizations that have dedicated security personnel and are interested in managing security threats using an MSSP. It scored consistently well on our grading criteria. SecureWorks focuses exclusively on managed security, staying out of the neighboring disciplines of disaster recovery and network management; that means no services for NWC Inc.'s data archiving and restoration or router/switch maintenance needs. Its pricing was also on the high side.
Cybertrust stood out for its very detailed SLAs; NWC Inc. would be left with a clear picture of expectations and escalation procedures. BT is primarily a provider of networked IT services, local/national/international telecommunications services, and broadband and Internet products and services; still, it held its own in security practices grading except for monitoring and auditing. BT declined to release detailed information about this and a few other areas, citing security policies prohibiting it from publicly providing this information; however, under NDA, it's available.
RFI Scenario
NWC Inc. delivers consumer electronic widgets around the globe. Of our 207 employees, 140 are located at our manufacturing facility in Syracuse, N.Y. The rest are at our corporate headquarters in Green Bay, Wis. NWC Inc. runs 24/7 on a varied infrastructure (see Vital Stats details below).
Our corporate focus is on growth, so NWC Inc. needs a way to tighten network security that is scalable and doesn't require a large capital investment or additional staffing. But we don't want to sacrifice quality--we want best-in-class security technologies that can support our 24/7 e-commerce business. We decided to explore whether managed security services could accomplish this.
Vital Stats (chart)
We can be flexible about which services are outsourced; we issued our RFI seeking to partner with a vendor that could provide managed services for firewalls and intrusion detection; router/switch maintenance and security; proactive, continuous security monitoring to provide early-warning threat identification and detection; incident management, including forensic analysis on an as-needed basis; log monitoring services; vulnerability and penetration testing; information security risk assessments; data archiving and restoration; security patching; antivirus/antiphishing/content-filtering services; and as-needed on-site consulting.
How many of these security functions move to an outsourcer will depend on the level of support and expertise available and, of course, cost. We'll also look at how compatible the MSSP is with NWC Inc.'s existing equipment and plans for future growth, as well as what best-practices policies and procedures are in place.
To learn more about NWC Inc., go to nwc.com/go/inc.jhtml.
Download all the vendors' responses and our evaluations:
• BT
• SecureWorks
• Cybertrust
• ISS
• LURHQ
• Call for response document
Offshore
NWC Inc. strongly preferred to partner with a U.S.-based outsourcing location; however, we were open to facilities outside of the United States if there was a business operations benefit. All five vendors could accommodate our preference and service NWC Inc. with a U.S. SOC (security operations center). Cybertrust uses a three-tier architecture for its service model, while ISS prefers to deliver its service from its cluster of SOCs located around the world--it takes advantage of in-country resources to reach out to its global centers and extended knowledge base.
With today's global economy, we also were interested to see if the vendors offered SOCs and/or research sites around the world. Keeping in mind that many viruses are launched from developing countries, a vendor with worldwide presence may be closer to the source of suspicious activity and can more quickly identify threats and protect its customers. Based on RFI responses, BT, Cybertrust and ISS all have such an international presence. LURHQ indicated that its focus is on North America, but said it manages and monitors devices located all around the world. SecureWorks' operations are based in the United States, but the vendor handles security outsourcing for several multinational clients, monitoring both U.S. and international locations.
MSSPs Review
After evaluating five RFI proposals, we gave our Editor's Choice to Internet Security Systems because of its wealth of service offerings, outstanding SLA agreements, highly skilled personnel and bundled pricing options. We especially liked that ISS provided NWC Inc. with a detailed, five-phase deployment process that clearly indicates responsibilities and tasks across initiation, planning, staging, integration and closeout.
The scores were close for second and third place. LURHQ held on to second, but SecureWorks nudged out Cybertrust by just 0.04 for third.
LURHQ's core offering is its threat and vulnerability management service, which would be valuable for organizations with dedicated security personnel interested in managing security threats using an MSSP. It scored consistently well on our grading criteria. SecureWorks focuses exclusively on managed security, staying out of the neighboring disciplines of disaster recovery and network management; that means no services for NWC Inc.'s data archiving and restoration or router/switch maintenance services. Its pricing was also on the high side.
Cybertrust stood out for its very detailed SLAs; NWC Inc. was left with a clear picture of expectations and escalation procedures. BT is primarily a provider of networked IT services, local/national/international telecommunications services, and broadband and Internet products and services; still, it held its own in security practices grading, except for monitoring and auditing. BT declined to release detailed information about this and a few other areas, citing security policies prohibiting it from publicly providing this information; however, under NDA, it's available.
Internet Security Systems
Based on our RFI responses, ISS offered the most complete and detailed services of all participants. And, it was willing to work within NWC Inc.'s tight budget.
ISS provided NWC Inc. with a detailed, five-phase deployment process that clearly indicates responsibilities and tasks across initiation, planning, staging, integration and closeout. ISS stated that a typical deployment of its managed services takes three to four weeks once the contract is signed.
Not only does ISS share vulnerability information with CERT and other security research organizations, it also conducts daily calls with national security and intelligence agencies to discuss new vulnerabilities and threats and recommended courses of action.
ISS can provide standalone services or bundle Proventia IPS appliances. A bundled scenario has hardware ownership transferred to the customer on the first day of the contract, while the costs of the hardware and any applicable maintenance fees are amortized over the length of the outsourcing contract. In essence, no capital outlay is needed. Hardware costs become an operating expense. NWC Inc. would not incur finance charges.
ISS deploys its services on hardware and software from a variety of partners, including Check Point Software Technologies, Cisco Systems, Juniper Networks, McAfee and 3Com. The exception is its log management service, which requires a proprietary on-site aggregator for collection and transmission of log/event data. ISS's X-Force Protection System (XPS) provides remote management of devices, monitoring of events, and escalation of alerts and incidents.
Key features of ISS's services are its performance-based SLAs, which guarantee response times and countermeasures for security incidents. In fact, ISS submitted three pages of SLA information--and this was a summarized version. SLAs cover everything from policy change acknowledgements (two-hour response) to device outage notifications (two-hour response) to security incident countermeasures (30 minutes) to security content update guarantees (48 to 72 hours).
ISS SLAs are standardized across each individual service offering with three possible levels: standard, select and premium. After reviewing RFI responses, we believe ISS has the most aggressive SLAs of our five participants. The company puts its money where its guarantees are by ensuring that customer networks, critical servers, and desktops remain protected--or the service is delivered free of charge. In addition, non-compliance with premium-level services results in a $50,000 cash payment to the customer.
Finally, NWC Inc. can have full visibility into ISS' service deliverables using the Virtual SOC Portal, where detailed access to trouble tickets, incident reports, logs, events, automated alerts, device configurations and reports are provided.
Internet Security Systems, $4,801 for a 36-month term. (800) 776-2362. iss.net
LURHQ
LURHQ's core offering provides clients with threat and vulnerability management. Services are designed for large organizations with dedicated security personnel interested in managing information security threats using an MSSP and focus on vertical markets in the financial services, insurance, manufacturing, utility and healthcare industries.
LURHQ's Threat Intelligence Group monitors for suspicious activity and collaborates with a range of entities, including antivirus vendors, the Department of Homeland Security, MITRE and the FBI, to discover suspicious activity that could possibly be a threat to clients. Its Sherlock Enterprise Security Management Platform provides aggregation, correlation and graphical tools for real-time security monitoring and management. The platform consists of the Inspector, the Sherlock Analysis Engine and Inspector Agents. Inspector is the event aggregation point; it would reside on NWC Inc.'s network. Using encrypted communication channels, events are transmitted from the Inspector to the Sherlock Analysis Engine in LURHQ's SOCs for analysis. Should NWC Inc. terminate its contract with LURHQ, we would not suffer a disruption in business because LURHQ does not have any device asset ownership.
LURHQ stated that it may schedule maintenance outages with 24 hours' notice to selected customer contacts. Maintenance downtime will not exceed four hours within a calendar month without prior customer consent.
LURHQ's SOC staff is available 24/7/365, and NWC Inc. and LURHQ's SOC can communicate via phone, fax, face-to-face, e-mail and through a ticketing system residing on the Sherlock Enterprise Security Portal. All LURHQ analysts are SANS GIAC certified. LURHQ does not offer tiered services, but instead offers an unmetered level of service where customers can call as often as needed for support and remediation, at no additional cost. LURHQ's SOC team members hold a variety of industry and product certifications, including CISSP, CCNA, CCSE, CCSA and MCSE.
Service guarantees include SOC availability; 99.9 percent Internet communications availability; incident response within 15 minutes of identification; and helpdesk request response within one hour, or 15 minutes for emergency requests. Monetary credits are available for noncompliance.
LURHQ performs full backups nightly and validates both before and after backup to ensure data integrity. Data is encrypted during transit and is stored on hardened and physically secured servers. Unscheduled backups can be requested.
LURHQ's Information Security Program charter and supporting policies/procedures are based on the ISO 17799 standard. Its security policies and controls are audited internally by management and externally as part of an annual SAS 70 Type II audit.
LURHQ Corp., $5,000, one-year term. (843) 903-4376. lurhq.com
SecureWorks
With more than 1,300 clients throughout the United States, Europe and Asia and a high retention rate, SecureWorks is a solid MSSP targeting verticals in financial, utilities, health care and government.
SecureWorks focuses exclusively on managing security. It does not offer the neighboring disciplines of disaster recovery and network management, which means no data archiving and restoration or router/switch maintenance. Services it does provide include network intrusion prevention, firewall management, host intrusion prevention, vulnerability assessments, log analysis, encrypted e-mail and e-mail filtering. SecureWorks also has in-house expertise in GLBA, HIPAA, SOX and other regulations, which allows it to offer such services as phishing takedown and HIPAA gap analysis.
SecureWorks uses proprietary technology for several of its services. Its iSensor is used for intrusion prevention, while the iScanner provides vulnerability assessment services. The iSensor and iScanner devices are provided on a Dell server platform. NWC Inc. would have to purchase the hardware with a limited license to the SecureWorks software during the service contract term. Upon contract termination, NWC Inc. loses its rights to proprietary SecureWorks technology and services. Security event data created during the contract remains the property of SecureWorks, though NWC Inc. is able to use any reports and data that were delivered during our contract period.
SecureWorks foresees a minimal performance impact on NWC Inc.'s network. It stated that inline NIP technologies and firewalls will introduce latency of ~250 microseconds and ~100 microseconds, respectively. HIP technology adds about a 5 percent CPU overhead to the servers on which it is deployed.
Managed services from SecureWorks come with a standard SLA that guarantees response to voicemail and e-mail, monitoring the uptime of equipment and notification of equipment failure, and guaranteed timeframes for updating devices with security measures. SecureWorks does not customize its SLAs for individual clients.
Through SecureHub, SecureWorks' secure Web portal, NWC Inc. would be able to view four levels of reports: executive operational, technical operational, board reports and compliance reports. Operational reports are available in real-time and can also be e-mailed to pre-identified NWC Inc. contacts. Board and compliance reports are available on demand and are pushed to clients after they've run.
SecureWorks also offers training through Webinars and provides an "Onboarding Welcome Kit" that explains how a client would access and utilize reports. And, we can call the SOC 24/7/365 to ask questions.
SecureWorks maintains redundant, highly available systems for processing security event traffic. It has a disaster recovery site in a geographically separate location that is serviced by multiple ISPs and connected using redundant telecommunications facilities. The company states that its SOCs have an available uptime of 99.999 percent.
Backups are performed nightly to disk media and transferred to tape weekly. Critical data is mirrored to standby servers at least every 15 minutes. SecureWorks says it keeps data "indefinitely," which can be good or bad, depending on your policies.
SecureWorks can manage multivendor equipment on our network using its proprietary, and imaginatively named, RCMS (Remote Configuration and Management System). Firewalls, host IPS agents, and log collectors are managed from secure consoles located at the SecureWorks SOC, which is a SAS 70 Type II certified facility.
Got locations around the globe? SecureWorks offers language support in a wide variety of languages, including French, Spanish, Chinese, Russian, Hindi and even Romanian.
SecureWorks, $8,750, one-year term. (404) 327-6339, (877) 905-6661. secureworks.com
Cybertrust
Cybertrust targets large enterprises and governmental agencies as well as a wide range of vertical markets, including banking/finance, services, telecommunications, consumer products and health care.
The company has designed its service model on a three-tier architecture. First is the customer premises; the second tier is a Security Management Center (SMC) where all customer data is parsed, analyzed and stored; and the third tier is a SOC where Cybertrust analysts perform further analysis and offer recommendations to the customer. Cybertrust stated that NWC Inc. would be serviced 16 hours per day out of its SOC in Virginia and 8 hours out of its Leuven, Belgium location; however, we had the option to be serviced out of its Norcross, Ga., facility. We believe Cybertrust's model would streamline NWC Inc.'s ability to migrate back from an outsourced model to an in-house or co-sourced model if needed.
Logs and alerts generated from monitored devices are collected by Cybertrust's Local Event Collector, an on-site appliance running Cybertrust's software. Information is then sent over a secured IPSec connection from our site to the Cybertrust SMC. The SMC is the termination point for the VPN tunnel. Connectivity between the customer and the SMC can be over leased line or VPN.
Internally, Cybertrust's Risk Management Group conducts regular audits, security assessments and penetration tests on its own infrastructure. Vulnerability assessment monitoring tools run automated scans. IDS probes and agents are installed to meet the operational standards that Cybertrust defines in its Cybertrust Orange Book, "Policies, Processes, and Procedures," which follows the BS 7799 standard.
Cybertrust prefers that clients use its Security Dashboard to submit change requests, view network status, schedule reports and review service agreements. Emergency trouble tickets are also communicated using telephone and encrypted e-mail.
Cybertrust provided NWC Inc. with very detailed SLAs that clearly state expectations and escalation procedures. For example, Cybertrust sets a target level of less than or equal to 1 in 10 for availability reports. This means that out of 10 reports due, Cybertrust is allowed to exceed the targeted response only once during a calendar month. To maintain SLAs, Cybertrust assigns a client service manager to each of its managed service customers. The CSM is a customer's first channel to raise service issues or concerns. In addition, Cybertrust assesses its key performance indicators monthly.
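The response-time guarantees quoted for LURHQ above (incident response within 15 minutes, helpdesk requests within one hour or 15 minutes for emergencies) and Cybertrust's "1 in 10" monthly tolerance are the kind of commitments a customer should verify from its own ticket records rather than take on trust. The following Python script is an added example, not code from the article or from any of the providers reviewed: it checks a constructed ticket log against those targets and reports, per calendar month, whether the miss rate stayed within the tolerance. The CSV ticket format, the category names, and the choice to apply the 1-in-10 rule to response-time obligations (the article applies it to availability reports) are assumptions made for the example.

```python
"""SLA compliance check over a constructed MSSP ticket log (added example)."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from typing import NamedTuple, Optional

# Response-time targets as quoted in the review for LURHQ.  The category names
# are an assumption of this example, not the provider's own vocabulary.
SLA_TARGETS = {
    "incident": timedelta(minutes=15),          # response within 15 min of identification
    "helpdesk": timedelta(hours=1),             # helpdesk request response within one hour
    "helpdesk-emergency": timedelta(minutes=15),  # emergency helpdesk request
}

# Tolerance modelled on Cybertrust's "1 in 10" rule: per calendar month, at most
# one miss per ten obligations before the month counts as non-compliant.
TOLERATED_MISSES_PER_TEN = 1

# Constructed sample data (not real provider records):
# ticket id, category, time identified, time of first response ("" if still open)
SAMPLE_TICKETS = """\
T-1001,incident,2006-07-03T02:10:00,2006-07-03T02:19:00
T-1002,helpdesk,2006-07-03T09:00:00,2006-07-03T10:30:00
T-1003,helpdesk-emergency,2006-07-03T11:00:00,2006-07-03T11:10:00
T-1004,incident,2006-07-03T14:00:00,2006-07-03T14:14:00
T-1005,helpdesk,2006-07-05T08:00:00,2006-07-05T08:45:00
T-1006,incident,2006-07-10T22:00:00,2006-07-10T22:05:00
T-1007,helpdesk-emergency,2006-07-12T03:00:00,2006-07-12T03:14:00
T-1008,incident,2006-07-15T12:00:00,2006-07-15T12:12:00
T-1009,helpdesk,2006-07-20T16:00:00,2006-07-20T16:59:00
T-1010,incident,2006-07-28T01:00:00,2006-07-28T01:15:00
T-1011,incident,2006-08-01T10:00:00,2006-08-01T10:20:00
T-1012,helpdesk,2006-08-02T10:00:00,2006-08-02T10:30:00
T-1013,helpdesk-emergency,2006-08-03T10:00:00,2006-08-03T10:30:00
T-1014,incident,2006-08-04T10:00:00,
"""

# Point in time at which the report is produced; open tickets are measured against it.
AS_OF = datetime(2006, 8, 4, 10, 5)


class Ticket(NamedTuple):
    id: str
    category: str
    identified: datetime
    responded: Optional[datetime]


def parse_tickets(text: str) -> list:
    """Parse the CSV ticket log; an unknown category is a data error, not a silent pass."""
    tickets = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        tid, category, identified, responded = row
        if category not in SLA_TARGETS:
            raise ValueError(f"unknown ticket category {category!r} on {tid}")
        tickets.append(Ticket(tid, category, datetime.fromisoformat(identified),
                              datetime.fromisoformat(responded) if responded else None))
    return tickets


def response_delay(ticket: Ticket, as_of: datetime) -> timedelta:
    """Elapsed time from identification to first response (or to as_of if still open)."""
    end = ticket.responded if ticket.responded is not None else as_of
    return end - ticket.identified


def is_breach(ticket: Ticket, as_of: datetime) -> bool:
    """A ticket breaches the SLA once its delay exceeds the target for its category."""
    return response_delay(ticket, as_of) > SLA_TARGETS[ticket.category]


def find_breaches(tickets: list, as_of: datetime = AS_OF) -> list:
    """Return (id, category, delay) for every ticket that missed its response target."""
    return [(t.id, t.category, response_delay(t, as_of)) for t in tickets if is_breach(t, as_of)]


def monthly_compliance(tickets: list, as_of: datetime = AS_OF) -> dict:
    """Count obligations and misses per calendar month and apply the 1-in-10 tolerance."""
    months = defaultdict(lambda: {"due": 0, "missed": 0})
    for t in tickets:
        stats = months[t.identified.strftime("%Y-%m")]
        stats["due"] += 1
        if is_breach(t, as_of):
            stats["missed"] += 1
    for stats in months.values():
        # misses/due <= TOLERATED/10, written without floating point
        stats["compliant"] = stats["missed"] * 10 <= stats["due"] * TOLERATED_MISSES_PER_TEN
    return dict(months)


if __name__ == "__main__":
    tickets = parse_tickets(SAMPLE_TICKETS)
    for tid, category, delay in find_breaches(tickets):
        print(f"BREACH {tid} ({category}): responded after {delay}")
    for month, stats in sorted(monthly_compliance(tickets).items()):
        print(f"{month}: {stats['missed']} of {stats['due']} missed, "
              f"{'compliant' if stats['compliant'] else 'NON-COMPLIANT'}")
```

On the sample data July has one miss in ten obligations and passes, while August has two misses in four and fails; the open ticket T-1014 is not counted as a miss because only five minutes have elapsed at the report time. Replace `SAMPLE_TICKETS` with an export from the provider's portal to run the same check against a real month, and keep the provider's quoted targets, not your own, in `SLA_TARGETS`.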
Cybertrust maintains information about new threats and vulnerabilities through its partnerships with product vendors, industry experts, government agencies and professional associations. We were impressed with Cybertrust's relationships with such vendors as Check Point Software Technologies, Cisco Systems, ISS, Juniper Networks, Nokia, RSA Security (now part of EMC), Sun Microsystems and Symantec.
Cybertrust offered NWC Inc. the option of using a dedicated, private SMC to process, analyze and store our logs with equipment owned by NWC, or of using a shared SMC where NWC Inc. would have its own dedicated network segment but certain components would be shared with other Cybertrust customers. Either scenario still has Cybertrust reusing as much of NWC Inc.'s existing infrastructure as possible. If NWC Inc. chooses a shared SMC, Cybertrust will own all the equipment located there.
Cybertrust uses its OnlineGuardian system to collect data from security devices and send the information to its State and Event Analysis Machine, which can analyze millions of events quickly to determine if they pose a security risk.
Cybertrust, $8,114, one-year term. (888) 627-2281. cybertrust.com
BT Global Services
BT is a communications provider with principal services surrounding networked IT services, local/national/international telecommunications services, and broadband and Internet products and services. The vendor owns and operates its own network infrastructure in North America. BT also has 20 MPLS nodes across the United States.
BT's helpdesk would be NWC Inc.'s first line of support and a conduit to BT's SAT (Security Administration Team) global technical support group for problem resolution.
BT SAT is focused on managing all aspects of our firewall service, including development and specification of rule sets, access monitoring, real-time alarm handling, intrusion detection, event management, auditing and reporting.
When resolving problems, each identified issue is assigned a Case Priority identifier with a corresponding timeframe for resolution. To log and track problems, NWC Inc. will have Web access to case reports.
BT's SLA documents measure the availability of the managed platform; the length of time it takes BT to restore service once a fault has been advised; management of policy changes; and the notification, update and escalation of performance indicators related to problem management. SLA non-compliance provides customers with financial credits.
BT's Advanced Reporting is a new service that collects all logs from managed devices and consolidates them into a single database per client. The service provides views on security and network metrics. BT offers three reporting packages: basic reporting provides free reports on its managed firewall, URL filtering and blocking services monthly; premium reporting delivers business-critical reports on a weekly or monthly basis covering usage and potential abuse, for a fee; custom report generation covers reports that are not in BT's list of "canned" reports and carries fees based on the work required to construct and deliver the custom report.
While we did tell BT that scoring is based only on information that we can share with readers, the company would not disclose detailed information about its backup procedure, its secure configurations, or monitoring and auditing processes as it felt this disclosure would be a breach of security policies. Had we been willing to go under NDA we could have had the info. As it was, this lack of information caused BT to lose some ground when it came to scoring.
BT Global Services, $5,001, two-year term. (800) 331-4568. btglobalservices.com
Joanne VanAuken is a freelance writer and was a technology editor with Secure Enterprise. Write to her at [email protected].