Category: Trends

The need to stay ahead of the hacker curve will drive nearly 90% of big U.S. companies to outsource their security to managed service providers by the end of the decade, a report released Monday suggested.

According to the Yankee Group, businesses will hand over security–initially for perimeter defenses but eventually for inside-the-firewall protection–to managed security service providers to the tune of $3.7 billion by 2008, a jump from 2004’s estimated $2.4 billion.

“Enterprises are outsourcing more technology in general,” said Matthew Kovar, a VP at Yankee Group’s security solutions group.

Enterprises know what they have to do, but more of them will see that [security] isn’t a core competency,” he added, and will hand the reins to a managed security service provider.

Security outsourcing will prove attractive, said Kovar, for reasons other than the cost savings typically cited by companies that farm out business processes.

Among the drivers toward managed services are the accelerated attacks of today’s threats–giving enterprises virtually no time to put up defenses on their own before an attack infiltrates a network–legislative requirements such as HIPAA and Sarbanes-Oxley, and the trend toward pushing out the network perimeter to include partners and remote workers.

These and other factors are outpacing the average company’s ability to keep up with the latest counter-measures and techniques to thwart attacks, Kovar said in his report.

While managed services biggest number of customers are currently those subscribing to anti-spam services, managed firewalls aren’t far behind, said Kovar.

And as the trend continues, other security defenses now solved by hardware, such as intrusion detection and intrusion prevention, will also be shipped out for others to handle.

“One of the easiest managed services to see success is E-mail anti-spam services,” Kovar said.

The vendors that Yankee Group sees in the top tier include TruSecure and Symantec, with Unisys, Netsec, Solutionary, Internet Security Systems, and RedSiren close on their heels.

http://www.informationweek.com/story/showArticle.jhtml?articleID=29116929

Sales of WLAN switches grew by 125 percent, according to the study.

Leading the growth was Symbol Technologies, which is the leading switch vendor. The study indicates that Symbol’s wireless switch sales increased by 256 percent.

Airespace, the second leading wireless switch vendor, saw its sales increase by 48 percent, according to the study.

http://www.commsdesign.com/news/market_news/showArticle.jhtml?articleID=29106036

A poll of 254 senior executives by the Economist Intelligence Unit found that security has replaced network reliability and availability as the most critical network attribute. But while businesses worry about security, the vast majority of executives want to further open up their networks to partners, customers and mobile workers. This creates friction between general management and IT executives, who point out that opening up the network can increase vulnerability.

More than 80 per cent of all the executives surveyed believe that their goals of giving remote workers access to corporate networks and improving the availability of customer data for employees will leave their firms vulnerable to security threats.

Security spending itself is likely to shift focus over the next few years, according to the study, moving from layers of perimeter protection and intrusion detection to better tools aimed at preventing attacks.

The report also noted that the spiralling threat of cyber-attacks and increased vulnerabilities are pushing up costs, causing network security spending to outpace overall IT expenditure.

On average, the firms surveyed devoted nine per cent of the IT budget to network security in 2002. This figure rose to 11 per cent last year and is expected to reach 13 per cent this year.

“In a global networked economy of internet connectivity and interoperability, isolation leads to irrelevance for enterprises that can’t protect their networks,” said Hossein Eslambolchi, president of AT&T global networking technology services, which sponsored the survey, in a statement. Increasingly, the chief executive is taking ownership of network security policy in some companies, the report found, while in others a relatively new role, that of chief security officer, is emerging.

http://www.computing.co.uk/news/1156671

Case in point, the June 25th Russian attacks that turned IIS servers into delivery platforms for identity-thieving Trojan keystroke loggers. The attacks relied on two vulnerabilities in Internet Explorer that security researchers discovered for the first time weeks earlier on a malicious adware-implanting website. At the time of the attack, no patch was available. ISPs were able to quickly contain the threat by shutting down traffic to the Russian host serving up the malware. But the episode proved that the zero day concern is more than hyperbole.

“We believe zero day vulnerabilities are imminent. says Oliver Friedrichs, senior manager at Symantec’s Security Response center.

As the window shrinks between the discovery of vulnerabilities and the exploits that follow them, security patching — once an obscure and neglected chore — is beginning to take on a more urgent role in some corners of the business world, say analysts and IT managers.

Leading the way are organizations with mission-critical technology — chiefly finance agencies — who’ve managed to reduce critical security patch times from weeks to just days.

“In some cases, it took 200 days to roll out a patch across 36,000 machines,” says Rober Garique, VP and CISO of the Bank of Montreal.

“Now we can do that in less than a week.”

The key, they say, is that they’ve moved patch management from their small security organizations into their network infrastructure management.

It’s a culture shift — a new way of working with network administration, says Mike Corby, director of META Group Consulting.

In this model, security teams rate the criticality of each patch, but administrators manage the actual patching as part of their normal network and system management processes.

“This is part of the natural evolution of security,” says Garique.

So the different system administration groups should do their own testing and patching as part of their overall system management.”

At Bank of Montreal, this approach gets critical patches to onto over 30,000 devices in two-to-three days.

The Bank of New York boasts similar deployment speeds for an equally-large network.

For non-critical patches, each bank folds the patches into administrative updates in cycles of one week, three weeks or further out, depending on severity.

And they’re the ones held accountable for 99.9% availability – not the security people.

Once they’re aware of their ownership of the problem, they’re professionally accountable.”

Avoiding the Chicken Little Syndrome With network administrators handling patch management, IT security is free to assume more of a role of advisor and 9-1-1 operator, sending alerts to administrators assigned to patch the networking segment.

“About two years ago, awareness among the infrastructure people was an issue when we used to rely too much on the severity ratings provided by the vendors,” says Eric Guerrino, senior vice president and head of information security for Bank of New York.

At Bank of New York, the infosec team takes alerts and reports from vendors, CERT, the Financial Services ISAC, vulnerability alerting services, the media and other sources of information.

“Sometimes, especially on the network, most of the critical patches we’re concerned with need to be rolled out at the edge devices but not necessarily the entire network.

So we’ll give it rating of high for servers in the DMZ, and a medium rating for everywhere else,” says Guerrino.

Network administrators at both banks use vulnerability and asset management tools, along with network protocols and network management tools to keep track of devices, services, versions and patch levels.

The key is continuous assessment of your network devices, their versions, and their patch levels.

And you need to assign asset value to those systems — for example a financial or health care database is more critical and sensitive than, say, your Web server,” says Abraham Kleinfeld, president and CEO of nCircle, a vulnerability assessment vendor in San Francisco.

“Buying Time” with Firewalls Guerrino and Garique say that their security patching routines have become sane — nearly predictable, except for when the occasional big one hits.

http://www.securityfocus.com/news/9100

As the window shrinks between the discovery of vulnerabilities and the exploits that follow them, security patching — once an obscure and neglected chore — is beginning to take on a more urgent role in some corners of the business world, say analysts and IT managers.

Leading the way are organizations with mission-critical technology — chiefly finance agencies — who’ve managed to reduce critical security patch times from weeks to just days.

“In some cases, it took 200 days to roll out a patch across 36,000 machines,” says Rober Garique, VP and CISO of the Bank of Montreal. “Now we can do that in less than a week.”

The key, they say, is that they’ve moved patch management from their small security organizations into their network infrastructure management. It’s a culture shift — a new way of working with network administration, says Mike Corby, director of META Group Consulting. In this model, security teams rate the criticality of each patch, but administrators manage the actual patching as part of their normal network and system management processes.

So the different system administration groups should do their own testing and patching as part of their overall system management.”

For non-critical patches, each bank folds the patches into administrative updates in cycles of one week, three weeks or further out, depending on severity. At Bank of Montreal, this approach gets critical patches to onto over 30,000 devices in two-to-three days.

The Bank of New York boasts similar deployment speeds for an equally-large network.

For non-critical patches, each bank folds the patches into administrative updates in cycles of one week, three weeks or further out, depending on severity. With network administrators handling patch management, IT security is free to assume more of a role of advisor and 9-1-1 operator, sending alerts to administrators assigned to patch the networking segment.

“About two years ago, awareness among the infrastructure people was an issue when we used to rely too much on the severity ratings provided by the vendors,” says Eric Guerrino, senior vice president and head of information security for Bank of New York.

At Bank of New York, the infosec team takes alerts and reports from vendors, CERT, the Financial Services ISAC, vulnerability alerting services, the media and other sources of information. “Sometimes, especially on the network, most of the critical patches we’re concerned with need to be rolled out at the edge devices but not necessarily the entire network. So we’ll give it rating of high for servers in the DMZ, and a medium rating for everywhere else,” says Guerrino.

Network administrators at both banks use vulnerability and asset management tools, along with network protocols and network management tools to keep track of devices, services, versions and patch levels.

The key is continuous assessment of your network devices, their versions, and their patch levels. And you need to assign asset value to those systems — for example a financial or health care database is more critical and sensitive than, say, your Web server,” says Abraham Kleinfeld, president and CEO of nCircle, a vulnerability assessment vendor in San Francisco.

“Buying Time” with Firewalls Guerrino and Garique say that their security patching routines have become sane — nearly predictable, except for when the occasional big one hits.

http://www.securityfocus.com/news/9100

According to data compiled by WebSideStory, Internet Explorer’s market share has dropped 1.32 percentage points since June 4, the first marked decay in IE’s leadership since 1998.

“Sometimes these are just spikes,” said Geoff Johnston, an analyst with WebSideStory, “but this has become a very predictable trend.”

Internet Explorer has had more than 95 percent of the browser share for the past two years, and until early June of 2004, had owned about 95.7 percent of the market. Within the last month, however IE’s share of the U.S. browser business fell from 95.48 on June 4 to 94.16 on July 9. Netscape and Mozilla, meanwhile, saw their share climb from 3.54 percent to 4.59.

“The past couple of years, IE’s share has been pretty steady. But this is the first time we’re seeing an actual trend,” said Johnston.

A one-and-a-third point loss may not set alarm bells ringing at Microsoft, but when one considers how many people use the Internet, the number of users switching are significant.

Some analysts estimate the U.S. Internet population at around 200 million. A 1.32 percent change in browsers, then, translates into 2.6 million dropping IE. The slip by IE is also important, said Johnston, simply because it’s so difficult to get people to change browsers. “There’s this huge inertia,” he said, “that keeps them using the same browser.”

Behind the downturn in IE’s share, said Johnston, is the combination of its recent slew of security problems and the appearance of alternatives that are as good, or in some cases better, than Microsoft’s browser. The security problems [of IE] mixed with the launch of excellent alternatives, like Firefox, are what’s finally getting people to switch. They’re thinking, ‘I’m not the only one.’

Like they say, nothing attracts a crowd like a crowd.”

http://www.techweb.com/wire/story/TWB20040712S0003