Symantec’s Internet Security Threat Report published last week analysed the trends in security over the last six months.
It found that a shift in the threat landscape had occurred, with attackers moving away from large, multipurpose attacks on network perimeters towards smaller, more focused attacks on client-side targets. The new landscape consists of emerging threats such as “bot” networks, customisable modular malicious code, and targeted attacks on web applications and web browsers.
Consider the following:
- Previously, attacks were motivated by curiosity and a desire to show off technical virtuosity. Now, threats are motivated by profit and are linked to crime such as identity theft, extortion and fraud.
- New methods of using malicious code for financial gain are being adopted with increasing frequency. One malicious code program that foisted adware onto a compromised computer paid the author a fee each time the program was downloaded.
- “Bot” networks are available for hire, and can be used to extort money from e-commerce sites by threatening denial of service (DoS) attacks.
- New threats to confidential information can result in significant financial loss, particularly if credit card information or banking details are exposed. Malicious code that exposed confidential information represented 74% of the top 50 malicious code samples reported, much of it due to the proliferation of bots.
- The number of malicious code variants increased dramatically. Symantec documented more than 10,866 new Win32 viruses and worms, an increase of 48% over the second half of 2004. The huge increase is important because each variant represents a new, distinct threat against which administrators must protect their systems and for which antivirus vendors must create a new antivirus definition.
- Phishing and spam continued to increase over the first six months of 2005, with Symantec blocking 1.04 billion phishing attacks, against 546 million in the last six months of 2004. During this period, spam made up over 61% of all email traffic, a slight increase over the second half of 2004.
- Exploit development and patch development time are a continued worry. In the first half of 2005, the average time between the disclosure of a vulnerability and an associated exploit was 6 days. Yet 54 days elapsed between disclosure of a vulnerability and the release of a vendor’s patch. This means, on average, for 48 days, systems are either vulnerable or administrators are forced to create their own workarounds to protect against exploitation.
These figures must be frightening if you are involved with corporate data security. After digesting all those threats above – and that is without getting onto adware and spyware – ask yourself how well equipped your security is to deal with them.
If you are trying to tackle all these critical issues in-house, can you keep on top of the game, or are you already struggling to identify security events, provide security event alerts, respond to the threats, and manage the security risks that threaten your competitive advantage?
Given these threats, it is perhaps no wonder that many companies are now turning to outsourcing security – to managed security service providers (MSSP) – for help.
According to Gartner, internal teams have a constant battle to understand and combat the latest threats simply because they need to monitor systems constantly and remain up to date on all system vulnerabilities.
Some companies who believe they can handle security management in-house fall down. That is not a reflection on their abilities; it is simply that despite committing to the tasks, they really lack the time, expertise and technical resources to provide effective, enterprise-wide monitoring and management on a 24x7 basis.
Most major security firms – Symantec, RSA Security, Counterpane Systems, and more recently, Telecity/Prolexic and Cybertrust’s Online Guardian – offer outsourcing services. Even analysts agree that for many companies, given the surge in security threats, managed security services are an option worth considering.
“Most organisations, not just those with sophisticated internet activities, can benefit from continuous management and monitoring of their security operations. Many IT security breaches still come from within companies. An MSSP can help managers develop an enterprise-wide security policy, and set appropriate access control rules governing all employees,” said Gartner in its report, Managed Security Services Bring IT Value.
What should you consider when deciding whether an MSSP can deliver secure, cost-effective and flexible security services?
Gartner suggests users should look for a service provider that has a wide variety of security services, including managed firewall, intrusion detection and prevention, consulting, antiviral, vulnerability scanning and mitigation services. A robust web portal and a variety of reporting and monitoring tools are also prerequisites.
An ongoing issue is the risk of a consolidation of MSSP vendors. According to analysts, one criterion to consider is that a managed security services provider should have a "run rate of £11.3m" in contract revenues to cover growth.
Are managed security services for you? While the promise of outsourcing the IT security headache is certainly attractive, some companies may be reluctant to trust another organisation with protecting their critical systems from harm.
Outsourcing offers cost control and predictability over time, allowing a business to secure its assets with minimal expense and up-front cost. But service level agreements are critical to ensure that service deliverables are met.
What might be the critical issue? Two areas that are tempting organisations to consider selective outsourcing are the need for security audits and regulatory compliance, where the documented monitoring, reporting and remediation provided by managed security services can help. You might have guessed the spectre of Sarbanes-Oxley would crop up somewhere!