New Firm Opens Web Security Options

Analysts say a new type of Internet burglar alarm system may raise the bar in the burgeoning and vital field of computer security.

Most e-commerce security systems consist of in-house staffers. But security consultant and author Bruce Schneier’s new Counterpane Internet Security Inc. system, being launched today, uses teams of analysts working around the clock in Mountain View, Calif., and Chantilly, Va., to scrutinize activity logs from customers’ Internet sites.

If the Counterpane analysts notice something fishy at a site--a potential hacking attempt, for example--they call the customer, alert them to the intrusion and help them plug the security breach.

It’s a field Schneier and some analysts say is going to explode as major corporations’ Internet sites become a crucial part of their business.

“Computer security without monitoring is kind of like having a car alarm go off in the inner city,” Schneier said. “It might make a lot of noise, but everyone ignores it.”

The so-called out-sourced monitoring system, which costs $12,000 a month, differs from traditional Internet security systems, which are usually built and staffed in-house either by company employees or consultants.

The current industry leader in Internet security, Computer Associates International Inc., provides customers with automated internal systems to monitor for potential attacks on Web servers, desktop computers and mainframes.

If there is a potential flaw, the system responds automatically.

Simon Perry, security business manager at Computer Associates, said his company is not concerned about competition from Counterpane or similar systems that use human analysts at remote locations to watch for break-ins.

“We have seen in this industry that throwing more people at a problem actually doesn’t solve it,” he said. “Our approach is to apply technology solutions to solve problems rather than throwing more warm bodies at them.”

Perry said Computer Associates’ customer pool has been growing rapidly as cybercrime increases with the e-commerce boom.

Sixty-two percent of businesses and government agencies surveyed reported unauthorized use of their computer systems last year in a survey by the FBI and San Francisco’s Computer Security Institute. That number was up from 42% in 1996.

The Computer Emergency Response Team, or CERT, at Carnegie Mellon University in Pittsburgh said there were 8,268 computer attacks last year.

Corporations spent $7.1 billion in 1999 on security to protect themselves against these kinds of attacks. Those costs are expected to reach $17 billion by 2003, according to Internet analysts at Aberdeen Group in Boston.

Mark Kadrich, director of security for Conxion Corp., a Web hosting company, is an early--and much appreciative--Counterpane customer. Kadrich said the service recently caught “script kiddies” trying to get into his system within 10 minutes of their attempt.

“With the logs being captured and analyzed in real time, we are now able to take immediate action to terminate the activity,” he said. “I’m not aware of any other service that concentrates on log and event correlation and management.”

Other early partners and customers include Axent Technologies Inc., Exodus Communications, PricewaterhouseCoopers and SecurityFocus.com.

John Pescatore, research director for Gartner Group technology consultants, said Counterpane’s system could be a hard sell.

“For companies with high downtime costs and in markets or geographies where hiring and keeping good security people is expensive and hard, $150,000 a year will be worth it,” he said. “That said, the vast bulk of the market thinks anything over $3,000 to $5,000 per month is too expensive, as most other costs of doing it yourself don’t show up on a line item.”

Pescatore said one advantage Counterpane will tout is Schneier’s name recognition.

Schneier is the author of five books including “Applied Cryptography,” the seminal work in its field. He has presented papers at many international conferences and is a frequent writer, contributing editor and lecturer on cryptography, computer security and privacy. He also served on the board of directors of the International Assn. for Cryptologic Research and is an advisory board member for the Electronic Privacy Information Center, all of which Pescatore said boosts his company’s reputation.

“That gives a warm and fuzzy feeling to those companies that are likely to spend $150,000 per year, but not to some unknowns at the other end of the wire,” he said.

Giga Information Group’s Steve Hunt was more optimistic.

“Managed security monitoring will explode over the next three years as corporations realize the extent to which e-business initiatives require a comprehensive security posture,” he said. “Counterpane is kicking off the next big trend in security outsourcing.”