Security of managed services
A leadership perspectives white paper
Recommended next steps for CIO and IT leaders
Number 5 in a series

Executive Summary

Enterprises are becoming increasingly aware of the need for information security to satisfy regulatory compliance and to protect themselves against the cyber threat perils of the environment in which they operate. They are also becoming more open to the idea of out-tasking aspects of their IT security provision. These factors have brought about escalating demand for managed security services.

The main differentiator between managed security service providers (MSSPs) is their level of expertise, and their ability to deliver this expertise 24x7 to customers. In particular, an MSSP should be constantly vigilant and well informed about the threat landscape, detecting and tracking each new threat as it develops. It can then block threats on the Web and inform its clients about what steps they need to take, or take those steps for them.

Enterprise customers need the confidence of having a close relationship with their providers. Many customers look for a local presence. The notion of a global service operating out of a geographically remote security operations centre (SOC) is simply not acceptable in many countries and industry sectors.
Business case overview

Organisations with a professional IT security team set up to carry out around-the-clock global cyber threat intelligence gathering will this year likely detect a staggering one billion incidents a day. In 2010 du's own IT security division detected well over 864 million security incidents a day worldwide, identified as many as 12,500 different types of virus, reported over 200 cases of illegal software and discovered 14 new strains of malware.

du has a dedicated team of qualified, experienced and certified security professionals working out of a security operations centre focused entirely on information and data protection. This is unlike the situation in many enterprise IT groups, where security is one among many tasks attributed to them. For them cyber security can become a marginal activity. The sheer volume of potential malware dangers can become overpowering. The threat prevention operation is made doubly difficult because it is not always clear when and from where cyber threats originate.

The changing nature of cyber threats

A report from Google shows that most vulnerabilities are only exploited for a short time, until new ones become available. So almost as soon as the security team has found a fix, the problem has moved on. Almost any browser supporting technologies such as Flash, Java, PDF or QuickTime is nowadays susceptible to so-called drive-by download attacks. IP cloaking is also on the rise, as malware authors come up with new ways of writing evasion code that tricks detection systems into thinking content is safe, allowing malicious content to be hidden from vulnerability scanners. All the evidence shows that the frequency, severity and overall cost of cyber attacks on private and public sector organisations is rising by more than 50% year on year.
The average cost of cyber crime is also on the rise, with the costs incurred by a benchmark sample of affected organisations hitting $5.9 million last year, according to one new study. The study from the influential Ponemon Institute has found that cyber attacks have become commonplace in business, with surveyed organisations experiencing 72 successful attacks in a four-week period, an increase of nearly 45% from

More than 90% of all cyber crime is caused by malicious code, denial of service, stolen devices and web-based attacks. These are getting more costly to deal with, because it takes more time to find them and clean them up. Generally, the attacks that are most expensive to deal with are denial-of-service, web-oriented attacks, malicious code and sinister insiders.

The effectiveness of systems put in place against such threats varies. The level of anti-malware implementation also varies from country to country, according to the institute's researchers. Across the Middle East only 65% of companies have adopted threat prevention systems, while in the UK and US levels of implementation among businesses stand at 92% and 82%, respectively. Even in these regions of relatively high anti-malware adoption, the vast majority of companies still experienced an IT security breach in the last 12 months, and almost a third lost business information. Recovery and detection are the most costly internal activities, the study found, highlighting a significant cost-reduction opportunity for organisations that are able to automate detection and recovery by using the services of a managed security solutions provider like du.

[Chart: Per capita security cost for five industries (converted into US dollars). Countries: US, UK, France, Germany, Australia, Average. Industries: Financial, Communications, Technology, Consumer, Retail.]
On the business logic of managed security solutions

Enterprises are turning to managed services for the following reasons:

Convenience: fast procurement (and termination) of on-demand IT services available on a self-service basis from a variety of networked devices. Convenience drives faster time to market.

Adaptation: the ability to mix and match IT services and increase or decrease their use as required.

Innovation: a managed service provided as an on-demand option makes it easier to try new things while taking fewer risks, via the pay-as-you-go approach known as utility computing.

Simplicity: one of the biggest problems for enterprise CIOs is that IT environments have become too complex, with too many moving parts making them inflexible, unreliable and expensive to run. Managed services reduce significant elements of the IT stack to standardised commodity services sourced as a black-box utility, with less focus on technology and operations and more focus on service orchestration, integration and delivering business value from IT services rather than delivering IT systems.

Quality of service: enterprises can rightly expect managed IT resources to be more reliable, available, scalable and secure than traditional internal set-ups of on-premise staff and compute resources, as well as greener.

Lower costs: economies of scale based on IT resource pooling (which could be in the cloud), coupled with the pay-as-you-go approach to using these resources.

Cost transparency/awareness: the ability to understand, measure and manage who is using which IT resources at what cost, for billing, planning and optimisation purposes.

For these reasons managed services of all types have become popular among organisations of all sizes, and analysts estimate the managed security services market is now worth about $4.5 billion worldwide, and is expected to grow at a rate of 15% for the next three years.
In markets like the UAE, where certain types of specialist ICT skills can be scarce and expensive, managed services are becoming increasingly important to businesses, with multiple factors driving adoption:

1. Reduced capital expenditure
2. 24x7 support for less money
3. Regulatory/compliance assurances
4. Allows improved business focus in IT
5. Access to world-class threat monitoring skills
6. Addresses a difficult-to-manage function
7. Transparency of information security costs
8. Always-current threat prevention/business continuity protection
9. Guaranteed uptime and availability
10. Lower overall TCO (total cost of ownership) than on-premise options.

Understanding TCO, ROI and making the business case

The primary reason for managed services adoption is cost reduction. This lies in a shift in onus away from on-premise capital expenditure towards a fully serviced operating expense model and everything this entails (see chart). The TCO argument is a strong one and well worth exploring in more detail. According to one study commissioned by MSSP SecureWorks, one enterprise customer realised a three-year, risk-adjusted return on investment in excess of 250% through the adoption of managed security services. The SecureWorks ROI calculation took into account total service fees of $943,500 and internal administrative costs of $73,440. Among the avoided costs were $3,375,000 for an internal security team, and $150,000 in software and hardware. It was also estimated that the firm saved $450,000 through reduced risk of loss from a security breach.

Experts in the field like Bruce Schneier of BT argue that security is not an investment that provides a return, but an expense that pays for itself through loss prevention, which most certainly affects a company's bottom line. A company should implement only security countermeasures that affect its bottom line positively. It shouldn't spend more on a security problem than the problem is worth. Conversely, it shouldn't ignore problems that are costing it money when there are cheaper mitigation alternatives.
The classic methodology used for this is called annualised loss expectancy (ALE): calculate the cost of a security incident in both tangibles like time and money, and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk. A smart company needs to approach security as it would any other business decision: costs versus benefits. In other words:

Annualised loss expectancy (ALE) = Single loss expectancy (SLE) x annual rate of occurrence (ARO)

Comparing the costs and the benefits of on-premise and managed security: on-premise Capex vs fully serviced Opex

On-premise SOC variable costs:
- Security analysts' labour
- Hardware depreciation
- Software tools licences
- Facilities costs
- Hire/retain expenses
- Payroll / HR administration
- Opportunity costs
- Training / regulatory updates
- Cost of certification

Managed service benefits:
- 24 x 7 coverage
- Cash-flow benefits
- Capex avoidance
- Access to latest security tools
- Service cost transparency/visibility
- Lower TCO
- Downtime prevention SLAs
- Regulatory assurances
- Highest level of certified skills

A case cited by Amalficore assessing the cost-benefits of threat prevention in a healthcare business provides a good working example of balanced risk prevention. Dental X-rays stored on a hard drive are backed up to a USB drive which is taken home weekly by the receptionist. If either the USB drive or the office system is infected by a virus, then the X-rays could be at risk of tampering or loss. Assume backup is available within 4 hours of a disruption. If eight patients are seen within the four-hour period and X-rays are needed for half of them, then four patients will not be able to get proper counsel from the dentist during their visit due to the unavailability of the X-ray system or of the X-rays on file. The loss in revenue from one cancelled patient appointment is, say, $150. For four patients, that is 4 x 150 = $600 for each occurrence.
The hourly wage of one dental assistant and the physician may be $200 per hour. For 4 hours of lost time with patients we have 4 x 200 = $800 per occurrence. Software can be purchased for use at the office and at the home to secure the USB drive used for backup at a cost of $500 per computer per year, so $1,000 annually.

1. The Annualised Rate of Occurrence (ARO) is the likelihood of a risk occurring within a year. The risk of a virus infecting an IT system that is not well protected from intrusion following internet connection may be 80%, so the ARO is 80% or 0.8.
2. The Single Loss Expectancy (SLE) is the dollar value of the loss that equals the total cost of the risk. In the case of the dentist, the SLE is $5,600 [4 x ($600 + $800)].
3. The ALE is calculated by multiplying the ARO by the SLE (ARO x SLE = ALE). In this case, if it occurs four times per year, then multiply $5,600 by 0.8 to give $4,480. Therefore, the ALE is $4,480.
4. Because the ALE is $4,480, and the cost of the software that will minimise this risk is $1,000 per year, the dentist would save $3,480 per year by purchasing the software ($4,480 - $1,000 = $3,480).

This sort of quantitative risk analysis uses just two fundamental elements of risk analysis: the probability of an event occurring, and the likely loss should that probability occur. The simple point being made here is that the amount spent on threat prevention and security in any system should be commensurate with its risks.
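The ALE formula and the dentist case above, carried through in Python as an added worked example (not code from the white paper, du or Amalficore); the Scenario type, the scenario builder and the control-comparison helper are assumptions made here, and the comparison helper generalises the single-control decision to several candidate controls.

```python
"""Annualised loss expectancy (ALE = SLE x ARO) applied to the dental X-ray case.

A countermeasure is worth buying only while its annual cost stays below the
loss it removes: the "don't spend more than the problem is worth" rule.
The dollar figures are the page's own; everything else is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Scenario:  # assumed structure, not from the page
    name: str
    sle: float           # Single loss expectancy, dollars per loss event
    aro: float           # Annual rate of occurrence (0.8 = 80% chance per year)
    control_cost: float  # Annual cost of the countermeasure being evaluated


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. An ARO above 1.0 means the incident is expected
    more than once a year; the formula needs no special case for that."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def net_benefit(s: Scenario) -> float:
    """Yearly saving if the control removes the risk: ALE minus control cost.
    A negative result means the control is dearer than the loss it prevents."""
    return annualised_loss_expectancy(s.sle, s.aro) - s.control_cost


def worth_implementing(s: Scenario) -> bool:
    return net_benefit(s) > 0


def dental_xray_scenario() -> Scenario:
    """Page's figures: four lost $150 appointments and four hours of $200/h
    staff time per outage; the page's SLE bundles four occurrences
    (4 x ($600 + $800) = $5,600), ARO 0.8, backup software $1,000/year."""
    lost_appointments = 4 * 150                          # $600 per occurrence
    lost_staff_time = 4 * 200                            # $800 per occurrence
    per_occurrence = lost_appointments + lost_staff_time  # $1,400
    return Scenario("dental X-ray backup", 4 * per_occurrence, 0.8, 1000)


def cheapest_effective_control(s: Scenario,
                               control_costs: Dict[str, float]) -> Optional[str]:
    """Among candidate controls (name -> annual cost, constructed by the caller),
    pick the cheapest one that still costs less than the ALE; None if every
    option costs more than the problem is worth."""
    ale = annualised_loss_expectancy(s.sle, s.aro)
    viable = {n: c for n, c in control_costs.items() if c < ale}
    return min(viable, key=viable.get) if viable else None


if __name__ == "__main__":
    d = dental_xray_scenario()
    print(f"{d.name}: ALE ${annualised_loss_expectancy(d.sle, d.aro):,.0f}, "
          f"net benefit of control ${net_benefit(d):,.0f}")
```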
Putting managed security to work

As a way of managing risk and costs, managed security has a series of attributes that draw enterprise customers to the proposition. As the chart shows, the most highly rated reasons are the higher levels of support and availability provided by the MSSP, the predictability of costs, and access to the very latest threat prevention technology.

[Chart: Reasons for adopting managed services. Lower costs; higher levels of support and availability; predictable cost; access to the latest technology; access to an enhanced skill base; adaptable to business swings; ability to focus on the core business; avoidance of capital expenditure.]

The most common services provided by MSSPs are managed firewalls, and the other services that can be hosted on the firewall such as intrusion detection and prevention (IDS/IPS), anti-virus, content filtering and virtual private networks (VPNs). This is consistent with the observation that the easiest parts of the corporate infrastructure to secure remotely are the peripheral components.

All MSSP services require satellite processes that communicate with the control processes in the security operations centre (SOC). These satellite processes can be hosted on:
- the client's servers or desktops, in the form of software agents
- appliances located on the client's premises and dedicated to delivering the security service (customer premise equipment, CPE)
- platforms at the MSSP's SOC, often in the form of a virtual appliance.

Some MSSPs, notably those with telco origins like du, can take the service provision offer one step further away from the enterprise, and can replace the CPE with services in their own switching centres. This requires a secure and clean pipe between the MSSP site and the client sites. For example, these MSSPs have formulated the concept of a virtual firewall that avoids the need to deploy physical firewalls on the client's sites. This approach reduces the customer's involvement in providing the services and has attractions for those companies seeking a hands-free situation. It also has the potential to lower costs through the economies of scale that come from using few, but very powerful, platforms to deliver the services. It is particularly suited to providing protection against distributed denial of service (DDoS) attacks, as it generally stops the traffic before it enters the zones where network bandwidth is a critical factor. It can also be more effective than CPE-based services at delivering defensive strategies that are based on traffic analysis.

[Table: Categories of managed security service. Headings: Boundary protection, Platform security, Secure communications, Security management, User management. Services listed: content filtering, firewalls, intrusion detection systems, intrusion protection systems, application-level firewall, encryption of stored data, directory, secure execution platform, encryption of communications, PKI, reliable messaging, transactional integrity, VPN, forensics, policy administration, security assessment, version, configuration and patch management, access control, authentication, federation, identification, physical access control, user provisioning.]

The delivery location for a particular service is normally determined by the architecture of the service technology. It is rarely something that can be selected independently. The location may influence the customer's choice of service or service provider. The CPE is normally owned by the MSSP and supplied within the service contract, but it is possible for the MSSP to use existing appliances or software owned by the client. The concept of a remotely managed service is not invalidated by using equipment or software on the client's sites, because these are controlled by service provider staff in the SOC over a secure IP connection, such as an IPSec VPN.
The contrary argument is that some companies are uneasy about sharing security platforms with other organisations. The granularity of control over the traffic, and the detail of reporting, may also be less than is possible with client-based delivery platforms.

Although the MSSP market is currently centred on providing managed firewalls and value-added services built on top of firewalls, there are many opportunities for organisations to request their MSSP to layer on higher-value services. One example is secure messaging; there are vertical-specific services such as Identrus (banking) and SAFE (pharmaceutical industry), and generic services such as managed PKI, time-stamping and e-invoicing. management is another service that is often provided. Managed user provisioning, covering both IT resources and physical resources such as identification and access cards, is another example. This can be brought together with the secure messaging services, providing document-signing capability. Security assessment, and server and client security, can also be added.

The MSSP is at an advantage when dealing with mobile devices such as laptops, or devices that are located away from major IT centres in the client organisation, such as in branch offices, as these are relatively hard to reach from the central data centre. The MSSP services can include device patch management and enforcement of corporate policies about the configuration of those mobile devices.

The technical expertise of an MSSP is its most important asset. It is the main differentiator over alternatives less able to gather comprehensive intelligence about what is happening throughout the internet all the time. du's security professionals are fully certified with industry-recognised competencies to meet any and all security challenges; staff are ITIL certified, CCIE Security certified, CISM & CISSPs, GIAC and GCFA certified, BS25999 lead auditors, and ISO 2700X certified.
Indeed, the company has auditable proof in its Security Maturity Assessment (below) that its security practice has evolved to a best-in-class position for security management among global service providers.

[Chart: Security Maturity Assessment covering Vulnerability & Patch Management; Security Monitoring; Security Audit & Penetration Assurance; Security Risk Management; Compliance; Security Maturity; Business Continuity Management; Security Policy; Information Security Incident Management; Organization of Information Security; Access Control; InfoSys Acquisition, Development and Maintenance; Asset Management; Human Resource Security; Physical and Environment Security; Communications and Operations Management.]

Conclusions: A mandate for managed security threat prevention

Agenda item 1: Establish the cost of on-premise IT security operations to develop a cost-of-ownership model for comparison with out-tasked options provided by a managed security supplier, taking account also of the impact on Capex and Opex.

Agenda item 2: Assess the market availability in the UAE of managed security services, paying particular attention not just to the portfolio of services on offer, but to evidence of strong relationships existing between the supplier and its existing enterprise customers. It is not just about technology, but about the supplier's people and its processes.

Agenda item 3: Engage with your preferred service provider to carry out a security risk assessment in order to consider how best to enhance current security operations to more effectively mitigate security risks and attacks through managed firewall, managed IDS, managed content security solutions, vulnerability analysis, etc.

This is the fifth in a regular series of Leadership Perspectives White Papers, produced by du enterprise marketing in association with Ovum, a preferred knowledge partner.