Integrators in cybersecurity

[Photo caption: In late January, Brian Dunphy and his operations team at Symantec, a security software and services firm, got a late-night cybersecurity test when the Slammer worm invaded servers around the world, including those of its government clients. Photo: Olivier Douliery]

[Photo caption: Agencies are increasingly relying on integrators such as SAIC to help them evaluate security products, said SAIC's John Casciano. Photo: Olivier Douliery]

When his phone rang after midnight Saturday, Jan. 25, Brian Dunphy knew it was trouble.

On the phone was the night crew at Symantec Corp.'s Security Operations Center in Alexandria, Va., giving Dunphy, a senior manager at the center, a heads-up that the Slammer worm had begun to attack servers around the world.

Slammer, or Sapphire as it was also called, attacked servers through a vulnerability in SQL port 1434. While the worm was not malicious -- it didn't carry a payload intended to damage files, for instance -- it clogged the Internet and slowed traffic to a crawl as it replicated itself. More than 200,000 individual systems around the world reportedly were affected, Symantec officials said.

Dunphy's job was to make sure the center's more than 500 government and commercial customers had been alerted by the company's early warning system. Based on the observations by analysts in the security center, calls went out to Symantec's customers, warning them of the spreading worm, and the company posted a security warning on its Web site, advising visitors what to do to avoid being slammed.

None of Dunphy's customers should have been infected by the virus, but some were. Somebody had logged in remotely and let Slammer in, or perhaps a laptop computer got infected and then passed it around inside the system, he said.

"The front doors were all locked, but [some] back doors were open," he said.

Managed security services, such as those being offered at Symantec's security operations center, are becoming an important piece of a rapidly growing government security market. President Bush's fiscal 2004 budget request includes $4.7 billion for IT security, a 74 percent increase over fiscal 2002, according to budget documents released Feb. 3.

Many analysts think the president's request reflects only a portion of government spending on cybersecurity, because many agencies will beef up security on systems with funding that is not specifically labeled "cybersecurity."

Whatever the final number, industry officials believe much of the growth will be in so-called enterprise security services: agencywide solutions that tie together both products and services, from establishing single sign-on mechanisms for users to managing patches of software bugs to non-repudiated authentication, in pursuit of end-to-end protection.

Sprint Communications Corp., for example, has seen an 80 percent increase in sales of managed network services, which include security services, from government customers since the Sept. 11 terrorist attacks, said a spokesman for the Westwood, Kan., company. Services Sprint sells include encryption, firewalls and vulnerability assessments, he said.

Northrop Grumman Corp. operates computer incident response centers that watch for attacks mounted against government networks and advise agencies how to address the threats. The centers monitor the networks of 660,000 seats around the world for the Army, Marine Corps and civilian agencies, said Dennis McCallam, a technical fellow with Northrop Grumman Information Technology. The Los Angeles-based company is the No. 1 provider of security solutions to the federal government, according to Input Inc., a Chantilly, Va., market research firm.

Science Applications International Corp., San Diego, was awarded a contract in 2001 to operate the security watch center of the Federal Computer Incident Response Center, or FedCIRC, the clearinghouse for reporting IT security incidents involving federal civilian agencies.

The company provides around-the-clock support to receive, process and respond to agency information security incident reports, including containment and recovery advice and assistance, alerting agencies of potential threats and performing trends analysis and reporting.

"Customers are starting to look at security more holistically," said John Casciano, senior vice president and group manager for the enterprise security solutions group at SAIC.

One of the biggest opportunities on the horizon for managed security services is the General Services Administration's Multitier Security Profile program. The program essentially is a collection of security enhancements that GSA's Federal Technology Service is adding to the FTS2001 program, the agency's long-distance telecommunications vehicle, and to the Metropolitan Area Acquisition program, which provides local telecom services in numerous regions of the country.

John Johnson, assistant commissioner for service development at FTS, said this collection of security services is an attempt "to embed the security mechanisms necessary to assure a customer that when they transmit bits from point A to point B, they're secure."

Contract holders, such as WorldCom Inc., Sprint, Qwest Communications International Inc. and AT&T Corp. on the FTS2001 contract, and SBC Communications Inc. and Verizon Communications Inc. on their Metropolitan Area Acquisition contracts, can offer security services once the individual contracts have been modified, according to a GSA spokeswoman. The contract ceilings are not being modified, so the addition of these services will not increase contract value.

WorldCom's contract will be the first modified for security services, probably in early February, the spokeswoman said. GSA also will look to identify other contracts that can serve as vehicles for security services, she said.

GSA implemented its first standalone security vehicle in March 1999, when it awarded 27 companies a place on the Safeguard contract. This four-year, $250 million contract provided a mechanism for agencies to obtain security services, such as identifying critical infrastructure assets, assessing vulnerabilities and finding threats, protecting important cyber and physical infrastructure and contingency planning.

A new request for proposal for Safeguard II is under development, but GSA has not set a release date. It has been delayed by the realignment of GSA's Federal Technology Service and Federal Supply Service, a GSA spokeswoman said.

"A contract vehicle review board has been created and must approve any plan for a new governmentwide acquisition contract," she said. Once the review board signs off on the RFP for Safeguard II, the Office of Management and Budget will have to approve it.

In April 2001, the Department of Veterans Affairs awarded a 10-year, $103 million contract to a joint venture of eight companies to provide cybersecurity services in support of its computer incident response capability. The joint venture, called the VA Security Team LLC, provides 24-hour incident handling and response capabilities for the VA's networks at facilities around the country.

 

THE RIGHT STUFF

Agencies are increasingly relying on contractors to help them evaluate security products and find the right combinations of solutions. Customers want to know, for example, whether products work as advertised, are interoperable and meet the standards established by the National Institute of Standards and Technology.

"There are lots of companies out there with point solutions that come knocking at the door, and naturally they think their solution is better than anyone else's," SAIC's Casciano said. "We invest a lot of time within my group talking to niche vendors. We invite them to give us a test version of their product so we can test it in our laboratories."

Michael Rasmussen, director of research-information security at Giga Information Group in Cambridge, Mass., said the rapid turnover of security product vendors makes it a challenging marketplace. Four or five years ago, the company tracked about 450 security vendors. While that number has not changed over the years, the companies have.

"Only 20 percent to 30 percent of them are the same vendors," Rasmussen said. "There are some great small company startups with great technologies, but they may not be there for the long haul."

The risk that these small providers might go out of business -- or be acquired -- makes it attractive for federal agencies to turn to systems integrators to do the sorting out, Rasmussen said.

One growing opportunity in IT security is certification and accreditation, or testing products to make sure they adhere to the standards that NIST promulgates. This is a big part of SAIC's security business, Casciano said.

About two and one-half years ago, SAIC was certified under the National Information Assurance Partnership, an alliance between NIST and the National Security Agency for evaluating security products, as a laboratory that could certify operating systems and software to different levels of security for use within government and commercial settings, he said. SAIC has one of just seven certified common criteria testing labs.

"We just successfully helped Microsoft through certification of their Windows 2000 operating system at [level four]," the strongest security level you can get without NIST or the National Security Agency doing the certification, he said.

 

BALANCING ACT

At its core, the cybersecurity opportunity is not about reselling pieces of technology. It is about finding the balance between risk and cost for customers.

"It doesn't make sense to build $1 million of security to protect $5,000 of value," said Arnie Shimo, chief security architect with Lockheed Martin Corp.'s NexGen Solutions unit, which provides security services for government projects across all the company's eight divisions. "You can't protect every aspect of a system."

Customers expect integrators to design solutions that mitigate risks as much as possible with the available funding, and then outline the tradeoffs to the customer, Shimo said.

Lockheed Martin's government customers include the departments of Justice, Defense and Energy, Shimo said. Most agencies do not ask for security solutions as part of a separate contract, but almost always request them as part of larger projects. For instance, "almost every outsourcing proposal we're seeing now has some aspect of security," he said.

Shimo's observation corresponds with what other contractors are seeing as well. Although there are some large contracts for security services, such as GSA's Multitier Security Profile program and Safeguard, agencies are trying to include security as part of every project.

"Lots of people have the impression that there will be a big contract for security. I think almost every time [it's that] we get add-on tasks to existing contracts," said Carl Latham, chief technology officer of NCI Information Systems Inc., McLean, Va.

Staff Writer Patience Wait can be reached at pwait@postnewsweektech.com.