In Brief

Managed Security Services

Security outsourcing is on the rise

November 08, 2002 — CSO — Managed Services

Security outsourcing is on the rise. In-Stat/MDR research group says the managed-security services market will hit nearly $5 billion by the year 2006. Currently, consulting makes up the biggest slice of the outsourcing piebut that's changing. Managed-security monitoring is a fast-growing segment that will surpass consulting services during the next few years, according to In-Stat analyst Jaclynn Bumback. Outsourcing not only embraces mainstream security functions but some very specialized niches as well, as you'll see below.

Breach NotificationCatbird Networks offers external website security monitoringchecking a website continuously (43,000 times per month) to test for security breaches, including defacement, hijacking and identity theft. The twist is that unlike most monitoring services, Catbird works outside the corporate firewall, providing what the company describes as an "external layer of security." An example of how this can pay off: According to Catbird, in some cases, Web traffic can be diverted without penetrating the firewall, which means conventional protection from intrusion detection systems won't sound any alarm.

The service also monitors online transactions and website performance. The company is aiming particularly at customers in regulated industries, citing as a customer case study The Marion Bank in Marion, Ohio, which implemented the Catbird service to help pass muster in an FDIC audit. -Kathleen Carr

Vulnerability AssessmentOf course, it makes more sense to prevent hacker attacks, if possible, than to clean up after them, says Charles Kolodgy, analyst at IDC (a sister company to CSO's publisher).

That's Caleb Sima's reasoning as well. And Simalike so many security vendorsisn't afraid to flirt with hyperbole: He's "99 percent certain" he can break into your website, armed with nothing more than your URL and his company's software. Sima is founder and CTO of SPI Dynamics, a new player in the Web application vulnerability market (where KaVaDo and Sanctum are the current market leaders, according to Giga Information Group security analyst Michael Rasmussen). Sima's WebInspect software synchronizes with a central database of hack techniques (which is continually updated by SPI Dynamics) and scans the user's website for vulnerabilities.

Sima says he has worked with government agencies and others to share his Web monitoring product. Paying customers are offered a demo, after which they can decide whether to spring for the whole contract, which typically costs around $20,000 annually. -K.C.

WiretappingOn to the specialized niche example: VeriSign now offers telecom companies an outsourced wiretapping service.

VeriSign suggests that by using its new product NetDiscovery, small cellular companies can easily comply with new federal wiretapping regulations and save money. Complying with the Communications Assistance for Law Enforcement Act means cellular communications companies must have wiretapping abilities and be able to retrieve specific conversations, a capability most companies do not currently have. For small companies that could mean expensive systems upgrades, new equipment and staff to run that new equipment. Companies that do not comply face $10,000-a-day fines for every court-ordered wiretap request they cannot fulfill.