Survey of Managed Security Service Providers

ISP-Planet's biennial survey of MSSPs finds that the Application Service Provider (ASP) model is increasingly popular in the delivery of managed services.
Managed Intrusion Detection/Prevention Services

Network Intrusion Detection Systems (NIDS) monitor network traffic for known attacks. Host Intrusion Detection Systems (HIDS) run on servers and other systems, observing local behavior to spot attempted intrusions. Traditional NIDS and HIDS are reactive: they generate intrusion alerts so that administrators can take remedial action. Increasingly, managed IDS is joined by Managed Intrusion Prevention Services, built on intrusion prevention systems (IPS). Intrusion prevention is proactive, designed to take automated action to stop attacks. For example, an IPS may sit in-line, aborting TCP sessions or changing firewall rules to block would-be intruders.

The rise of IDS and IPS is quite evident in this year's MSSP survey. First, more MSSPs are offering standalone managed IDS/IPS services. Traditional NIDS and HIDS products from ISS, Enterasys and Cisco are still here, frequently accompanied by open source Snort. But now we also see several in-line appliances, for example from Guardent, PreiNET, Proseq, SecurePipe, and SecureWorks. Automated event correlation and root cause analysis are widespread, but automated response (the hallmark of intrusion prevention) continues to be a point of contention. Most services include security event monitoring, analysis, and defined response/escalation procedures, but inspection method and depth, the span of event correlation, and the degree of human intervention differ greatly. Some providers argue strongly against automated response, while others emphasize automated, real-time reconfiguration as a strength.

In our view, IDS and IPS are complementary: you can't take remedial action without first detecting the attack. Furthermore, some automation may be "easy", but full automation requires maturity, and maturity is hard to come by when new attacks are invented daily. Humans will always be part of intrusion response, no matter how proactive and smart intrusion "handlers" become.
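The tension described above, between automated response and human escalation, is easiest to see in the policy that sits between the sensor and the firewall. The following is an added example, not code from the survey or from any of the providers it names: a small correlator that reads Snort-style alert lines, groups them by source, and only triggers an automated block when a signature judged reliable fires repeatedly inside a short window, never against a source inside the protected network. The alert layout, the protected network, the signature IDs, the threshold and the window are all constructed assumptions.

```python
"""Correlate IDS alerts and decide between automated response and human escalation.

Added example; not from the ISP-Planet survey or any vendor it names.
The alert lines, protected network, reliable-signature list, threshold and
window are constructed assumptions standing in for an MSSP's own policy.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in a simplified Snort "alert_fast"-style layout.
SAMPLE_ALERTS = """\
03/14-10:00:01.000000  [**] [1:2003:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:41234 -> 192.0.2.10:80
03/14-10:00:02.000000  [**] [1:2003:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:41235 -> 192.0.2.10:80
03/14-10:00:03.000000  [**] [1:2003:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:41236 -> 192.0.2.10:80
03/14-10:00:05.000000  [**] [1:1000:1] ICMP PING NMAP [**] [Priority: 3] {ICMP} 198.51.100.20 -> 192.0.2.10
03/14-10:00:06.000000  [**] [1:2003:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.50:5555 -> 192.0.2.10:80
"""

# Regex for the constructed layout above (real Snort output carries more fields).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

# Assumed policy values.
PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")  # never auto-block our own hosts
AUTO_BLOCK_SIDS = {2003}      # signatures judged reliable enough for automated response
AUTO_BLOCK_THRESHOLD = 3      # hits from one source within WINDOW
WINDOW = timedelta(seconds=60)
YEAR = 2024                   # fast-format timestamps carry no year


def parse_alert(line):
    """Parse one alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "prio": int(m["prio"]),
            "src": ipaddress.ip_address(m["src"]), "dst": m["dst"]}


def max_in_window(alerts, window):
    """Largest number of time-sorted alerts falling inside any span of length `window`."""
    best, start = 0, 0
    for end in range(len(alerts)):
        while alerts[end]["ts"] - alerts[start]["ts"] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def correlate(text):
    """Group alerts by source and return {source: (action, reason)} where action is
    'block' (automated response, e.g. push a firewall deny rule),
    'escalate' (hand to an analyst) or 'alert' (log only)."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        a = parse_alert(line)
        if a:
            by_src[a["src"]].append(a)

    decisions = {}
    for src, alerts in by_src.items():
        alerts.sort(key=lambda a: a["ts"])
        reliable = [a for a in alerts if a["sid"] in AUTO_BLOCK_SIDS]
        burst = max_in_window(reliable, WINDOW) if reliable else 0
        if src in PROTECTED_NET:
            # Blocking an internal host on an IDS hit is self-inflicted denial of service;
            # a human decides, however strong the signal.
            decisions[str(src)] = ("escalate", "source inside protected network")
        elif burst >= AUTO_BLOCK_THRESHOLD:
            decisions[str(src)] = ("block", f"{burst} reliable hits within {WINDOW.seconds}s")
        elif any(a["prio"] <= 2 for a in alerts):
            decisions[str(src)] = ("escalate", "high priority but below automated-response threshold")
        else:
            decisions[str(src)] = ("alert", "low priority, log only")
    return decisions


if __name__ == "__main__":
    for src, (action, why) in correlate(SAMPLE_ALERTS).items():
        print(f"{src:15} {action:9} {why}")
```

Run against the constructed sample, the external scanner that hit a reliable signature three times in three seconds is blocked, the lone Nmap ping is merely logged, and the internal host that triggered the same reliable signature is escalated rather than blocked. Which signatures belong in the reliable set, and how large the threshold should be, is exactly the maturity question the survey raises; the code only makes that judgement explicit and reviewable.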
Professional services are included with many of these services. For example:
Managed Anti-Virus Services
In our 2001 survey, just one in six providers used the ASP model. This year, 7 of 11 do. More MSSPs seem to be offering managed AV services, alone or combined with anti-spam. Some services scan HTTP, FTP, POP and SMTP, but a growing number focus exclusively on e-mail. This reflects the sad state of the Internet, flooded by unsolicited mail and virus-of-the-day worms. Today, no company can afford to go without virus protection, and MSSPs argue that outsourcing AV is more rigorous and cost-effective.

Compared to 2001, AV engine and pattern file update intervals are much shorter. Checks that were once performed weekly or bi-monthly now occur every few hours. Some MSSPs claim to update pattern files "continuously"; presumably, this means installing updates as soon as they become available. We asked providers to summarize actions taken upon virus detection and how incident alerts, logs, and reports are made available to customers. For example, a provider might quarantine infected e-mail, but how are the administrator and the recipient or sender notified? Service delivery may start with the AV platform, but ultimately customers select services that are reliable and easy to use.

Managed Content Filtering Services
We asked providers to identify their content filtering platforms. WebSense and firewall add-ons are still present in this year's survey, but WebSense is no longer quite as dominant. As with AV, we see an influx of network- and appliance-based solutions. For example, TruSecure's ShadowMail combines virus scanning and content filtering within one gateway-based managed security service. Updates refresh the URLs in blocked categories or the senders in "known spammer" lists. We asked how often MSSPs process these updates, how traffic in violation of configured policy is handled, and how incident reports and logs are supplied. Unfortunately, we can't answer the most interesting question: do the filters strike a good balance between being too restrictive and being too lax? With any filtering solution, reports are key to understanding policy effectiveness. Also look for services that allow flexible configuration without requiring excessive tuning, for example category-based blocking with custom exceptions.
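Category-based blocking with custom exceptions, and the report needed to judge whether the result is too strict or too lax, fit in a few dozen lines. What follows is an added example and not code from the survey or from any product it names; the category lists, the blocked categories, the exception lists and the request log are all constructed. The point worth seeing is rule precedence (an explicit exception on a subdomain overrides the block on its parent category) and suffix matching that does not let "notcasino.example" inherit the category of "casino.example".

```python
"""Category-based URL filtering with custom exceptions and a per-category report.

Added example; not from the ISP-Planet survey or any filtering product it names.
Category lists, blocked categories, exceptions and the request log are constructed.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed category lists keyed by domain; a listed domain covers its subdomains.
CATEGORIES = {
    "gambling": {"bets.example", "casino.example"},
    "webmail": {"mail.example"},
    "malware": {"dropper.example"},
    "news": {"news.example"},
}
BLOCKED_CATEGORIES = {"gambling", "malware"}

# Custom exceptions (assumed): explicit allow/deny entries that override the category rule.
ALLOW_EXCEPTIONS = {"promo.casino.example"}   # e.g. a business-justified subdomain
DENY_EXCEPTIONS = {"leak.news.example"}       # e.g. a site blocked despite an allowed category

# Constructed request log, one URL per request.
SAMPLE_REQUESTS = [
    "http://www.casino.example/slots",
    "https://promo.casino.example/terms",
    "http://notcasino.example/",
    "http://mail.example/inbox",
    "http://leak.news.example/doc",
    "https://news.example/front",
    "http://dropper.example/x.exe",
]


def domain_matches(host, listed):
    """True if host is the listed domain or a subdomain of it (label boundary respected)."""
    return host == listed or host.endswith("." + listed)


def categorize(host):
    """Return the first category whose list covers the host, else 'uncategorized'."""
    for cat, domains in CATEGORIES.items():
        if any(domain_matches(host, d) for d in domains):
            return cat
    return "uncategorized"


def decide(url):
    """Return (action, category, reason) for a URL.

    Precedence: explicit deny exception, then explicit allow exception, then the
    category policy, then allow by default. Exceptions therefore beat categories,
    so an allowed subdomain survives a block on its parent domain's category.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    cat = categorize(host)
    if any(domain_matches(host, d) for d in DENY_EXCEPTIONS):
        return "deny", cat, "deny-exception"
    if any(domain_matches(host, d) for d in ALLOW_EXCEPTIONS):
        return "allow", cat, "allow-exception"
    if cat in BLOCKED_CATEGORIES:
        return "deny", cat, "category"
    return "allow", cat, "default"


def report(urls):
    """Count decisions per (category, action, reason).

    A large share of allow-exceptions in a blocked category suggests the policy
    is too restrictive; many 'uncategorized' allows suggest the lists are too lax.
    """
    counts = Counter()
    for url in urls:
        action, cat, reason = decide(url)
        counts[(cat, action, reason)] += 1
    return dict(counts)


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        action, cat, reason = decide(url)
        print(f"{action:5} {cat:13} {reason:16} {url}")
    print(report(SAMPLE_REQUESTS))
```

The report is deliberately keyed by reason as well as category: a provider's incident report that only counts blocks cannot tell an administrator whether the blocks were the policy working or the exceptions list being too short.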