By Tom Schmidt
How vital has managed security become to today's enterprises? Given the need for quick and effective protection against today's emerging threats, it could be argued that managed security is more important than ever before. According to leading analyst firm IDC, the managed security services market is expected to reach $2.9 billion this year.
"The MSSP [Managed Security Services Provider] market is anticipated to grow incrementally as organizations take a more proactive approach to network security," said Allan Carey, program manager of IDC. "More organizations will look to managed security services providers that offer integrated security solutions and services."
This article examines how the increase in Web-based application and browser vulnerabilities, along with the rise of zero-day exploits, is prompting more and more enterprise IT organizations to outsource their security management, monitoring, and response needs. It also shows how an MSSP helps an organization focus on its revenue-generating core competencies, while ensuring that its information assets are secure and available.
The rise of cybercrime
The new Internet security threat landscape is increasingly dominated by attacks and malicious code that are used to commit cybercrime. The threat landscape is coming to be dominated by emerging threats such as bot networks and customizable modular malicious code. Targeted attacks on Web applications and Web browsers are increasingly becoming the focal point for cybercriminals. Whereas traditional attack activity has been motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud, for financial gain.
One aspect of the threat landscape that has attracted significant attention concerns new vulnerabilities. Between July 1 and Dec. 31, 2005, 1,896 new vulnerabilities were documented, a slight increase over the first half of the year, according to the Internet Security Threat Report. However, for the entire year, the highest yearly total volume of vulnerabilities was reported since the establishment of the vulnerability database in 1998. There were 3,767 vulnerabilities documented in 2005, compared to 2,691 in 2004, an increase of 40%.
This growth has been driven primarily by an increase in discovery and disclosure of vulnerabilities in Web applications. Some 69% of the vulnerabilities documented in the second half of 2005 affected Web applications. The increased focus on Web application vulnerabilities reflects the shift toward the Web as a platform for applications. Many applications that were once stand-alone software suites or client-server solutions are now being implemented as Web applications.
At the same time, browser vulnerabilities continue to be a serious security concern, particularly due to their use in online fraud and the propagation of spyware and adware. With the Web browser becoming a more critical and ubiquitous application than ever before, organizations need to understand how various browsers -- Microsoft Internet Explorer, Mozilla Firefox, Opera, Apple Safari, and KDE Konqueror -- are being targeted by attackers.
The window of exposure
Not only are Web-based application and browser vulnerabilities increasing in importance, but the window of time between the disclosure of vulnerabilities and the appearance of third-party exploit code designed to take advantage of it continues to narrow. For example, during the second half of 2005, the average time for exploit code development was just 6.8 days.
Of course, when vulnerabilities are announced, the vendor of the affected product must develop and release a patch. During the second half of 2005, the time to patch was, on average, 49 days. This means that, on average, seven weeks elapsed between the publication of vulnerabilities and the release of an associated patch. During this period, computers hosting vulnerable applications were exposed to potential compromise.
Being proactive
If organizations only needed to protect against known threats, the situation would be much simpler. Unfortunately, with attacks today being launched against vulnerabilities that are as yet unknown (i.e., zero-day threats), traditional methods of protection are largely ineffective. Today's threat landscape has evolved to the point where securing information assets from internal and external threats has become a highly complex IT function, demanding significant investment in expertise, systems infrastructure, and 24/7 oversight. That's not a very attractive proposition for any organization.
By providing proactive, "behavioral" prevention technologies, a Managed Security Services Provider can automatically block unknown threats against system vulnerabilities. In certain instances, an MSSP can even predict how vulnerabilities might be exploited; in other instances, it can predict a potential outbreak based on patterns of suspicious activity. A good MSSP can be likened to a meteorologist. It can see patterns emerging, predict that a storm is coming, and therefore alert people so they can act before the storm causes damage.
The bottom line is that the increasing sophistication of today's threats has made the traditional approach of deploying "best-of-breed" solutions insufficient for the kind of split-second, manifold response necessary to keep a network up and running.
An effective MSSP will integrate security, combining advanced virus protection, firewall, spam/content filtering, intrusion detection, and vulnerability assessment into unified, interoperable solutions. The goal is an information management solution that can reduce disruptions, increase uptime, enhance responsiveness, and improve productivity and decision-making.
Conclusion
Today's enterprises face a number of barriers to achieving and maintaining effective security. They include:
- A shortage of qualified security professionals
- Increasingly sophisticated cyber threats
- A lack of resources and infrastructure to support a 24/7 security program
- The increasing complexity of security technology
- A lack of time to focus on persistent security management and operational tasks
As a result, many organizations that manage security in-house are looking for alternatives to overcome these barriers. They require a way to maintain a strong security posture while focusing on core, revenue-generating operations. Outsourcing information security tasks, analogous to outsourcing physical security, is becoming an increasingly attractive option. With the right security partner, an enterprise can realize significant savings while markedly improving its overall security posture.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.