Sizing Up Security Services
http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-90_STO54345,00.html

By DEBORAH RADCLIFF
November 27, 2000

You hire a security consulting firm that analyzes your network. On his way out, the auditor leaves you to grapple with an 800-page report listing your network's 60,000 vulnerabilities.

"Sound familiar?" asked Alan Paller, research director of the SANS Institute in Bethesda, Md., as he addressed 300 information security managers and executive officers at a recent security conference. The room erupted with laughter as the group of IT professionals collectively nodded their heads in agreement.

Despite such negative sentiments, IT departments need security services vendors, given the short supply of IT security professionals and the high demand for such services. Unfortunately, not all service providers are created equal, and the differences are most obvious between the small, independent consulting firms and the Big Five's security consulting divisions.

Both groups boast some of the brightest security talent around. But the differences in their areas of practice, styles and methodologies are often like night and day.

Just how does an IT shop find a security consulting firm that's the right fit? First and foremost, it's about aligning business strategies and technology project needs with service offerings, but it's also about relationships, IT managers say.

Requirements Come First

Before entering into any vendor relationship, IT departments need to define their business requirements, which will determine the service levels required, says Jerry Dixon, director of information security at $17.7 billion Marriott International Inc. in Bethesda, Md. "Scope and time line will also drive your decision," he adds.

Because of the varying size and scope of technical security projects, Marriott uses a combination of service providers. It uses mostly Big Five consulting firms to augment security work during project development. And when it's already working with a large firm to analyze and assist in a new product launch (for example, a new human resources application), Marriott looks first to that vendor to develop the security strategy and technology infrastructure. This makes for better continuity, Dixon explains, because the vendor already knows the business and may have developed a standard set of methodologies it can use across the organization. And there's "less finger-pointing" if something goes wrong, adds J.R. Williamson, Marriott's vice president of end-user technologies.

Dixon says he also worries about hidden agendas on the part of the Big Five and other large consulting houses, particularly when it comes to recommending security vendor tools. "A lot of times, the Big Five are resellers for specific products, so their bias may not serve us well," he explains.

During his ongoing search for a security consulting firm to assist with new health care patient privacy regulations, Kenneth Cole, MIS director at Sun Healthcare Systems Inc., says he's run into firms of all sizes with agendas to sell certain point products. "These firms will limit their focus on you because they're only focused on their software," Cole warns.

True, the Big Five and large consulting firms do set alliances with vendors like San Jose-based Cisco Systems Inc., says Ariel Silverstone, senior manager of security solutions at McLean, Va.-based KPMG Consulting LLC, a division of Amsterdam-based KPMG International. But KPMG doesn't require that clients use these products. "We have created a preferred-vendor list, but that's only based on those vendors' technical merits," Silverstone says. "We do deviate from this list if a customer asks for a specific vendor."

Strategists vs. Specialists

Dixon insists that Big Five firms are well-suited to overall security strategies, architectural analysis and other "big-picture work." But when it comes to security assessments or highly specialized work like installing a firewall, he calls on the smaller firms.

"Some of the smaller firms have quite a bit of background in security research - something Big Five firms don't have time for," Dixon says. "And the smaller firms use a lot of custom assessment tools you typically can't find at the Big Five firms. We've had much better success with small security organizations in these areas."

Williamson adds that he's been witness to Big Five-delivered boilerplate assessments that turn up those 60,000 vulnerabilities, providing little or no help in addressing the problems. The smaller firms are more intuitive about what really needs fixing and what doesn't, he says. "Will the larger security company give me an 800-page report that drops the name of their last client and puts your name in the blank? Absolutely," Williamson says.

But Silverstone disagrees. "We do not just give a list of security holes. We give a list of holes, followed by mitigation policy, followed by suggestions on repeated testing," he says. "We also have a severity rating system. When a vulnerability gets to, say, 8 on the Richter scale, we will even stop the project, call the customer and tell them it needs fixing right away."

Silverstone adds that security assessments are KPMG's most sought-after security services, providing KPMG the baseline for all other security services, including penetration tests (attempted attacks on the network to find vulnerabilities), security architecture design, managed services, strategic planning and forensics.

Nonetheless, the IT managers interviewed for this story say the smaller players are more technologically adept at assessment services, in addition to being cheaper.

Michael Morris, IT director at Boston-based Wolf, Greenfield & Sacks PC, uses small vendors to conduct assessments and implement point products. But his 60-attorney firm doesn't have deep pockets. So aside from the lower hourly wage for consultants with a small vendor - $200 to $250 per hour, vs. $300 to $450 per hour at larger firms - he also leverages his vendor's vertical-industry experience to set the appropriate security controls and help spread the security gospel to Wolf, Greenfield & Sacks' partners.

"Because we're in the area of intellectual property law, we have different touch points for security. We can't just build an average firewall with medium security settings," says Morris. "Our vendor [Jerboa Inc. in Cambridge, Mass.] also helped us a couple years ago with a point-to-point encryption program. We actually got PGP [encryption software] to the point where any of our 60 attorneys can use it without too much pain."

Keep Out the Cowboys

Morris warns of potential trade-offs in quality of service when using smaller firms. "There are a lot of young bucks coming out of college who aren't very well-directed, so they're not learning good business habits, and they run around like cowboys, without any proven practices," he explains. "That doesn't go over well in our industry, because we have so many methodologies in place to protect our client confidentiality."

Many times, Jerboa consultants have had to clean up messes created by such "Rambo" consultants, adds Ian Poynter, the company's founder. "Let's face it. The problem with hiring a small firm is everybody's now a security consultant. We ran into one of these the other day, where a person was trying to break into systems to drum up business," he says.

So check references, conduct background checks if the vendor company doesn't have them readily available and look for several years of both technical and vertical-industry experience when choosing a small vendor, Poynter advises.
The Final Choice

While large services firms may have less flexibility to work creatively than smaller firms, they do offer technical practices and methodologies that are important to specific businesses and vertical industries. But no matter what size company your organization is considering, look for vendors that deliver forward-thinking solutions to technical security problems, says Marriott's Dixon.

For example, he says he's been seeing more security services vendors working on scalable security systems at the architectural level - something Jerboa and KPMG have been preaching for two years.

"Vendors are following a lot of new security standards and methodologies, like the Common Criteria," which is a National Institute of Standards and Technology-sponsored security evaluation program for vendor products, as well as British security standard 7799, which has been proposed as International Standards Organization standard 17799, Dixon says. "The good news is the quality of consulting services has gotten a lot better in the last three years."

[Sidebar notes in the above article: -WK]

Tips for Choosing a Security Services Vendor...

1. Know your technical and business objectives up front.
2. If the security work relates to a larger technology project, look first to the vendor supporting that project for security services.
3. Know what you're getting. Users complain that some security assessments are simply boilerplate reports that list thousands of deficiencies but provide little direction on how to address them.
4. Watch out for hidden agendas. Ask about vendor relationships that might influence product recommendations.
5. Look for deep expertise in your company's vertical market.
6. Consider vendors with at least three years of experience - and check references.
7. Ask for vendor accreditations and certifications in networking elements, security and auditing.
8. Check consultant staff references to keep "gray-hat" hackers out of production IT environments.
9. Consider background checks and financial viability checks for smaller firms.
10. Watch out for "Rambo" consultancies that have lots of technical knowledge but little understanding of methodologies or business practices.