Security Services
bambenek 11-09-2002, 01:10 AM Any market out there for outsourcing basic security lockdown/monitoring/IDS services? I'm an expert but just looking to see if there is a market out there for a mid-level service offering to smaller-medium business in the webhosting realm.
ScottD 11-09-2002, 01:15 AM This is a tough field. When you secure anything you kind of accept liability for any breach, so the insurance you'd need to make a legitimate go of such a venture might price you out of the market.
A friend of mine is in this industry after retiring from ISS a while back, the money they charge (and get) is pretty ridiculous but you need solid security M&P's just to get in the door as a sub-contractor of any financial institution.
There is a market, but I don't think many web hosting companies can really afford it.
allan 11-09-2002, 02:17 AM I agree with Scott -- I know you have mentioned this idea before, but I really don't think it is the type of service you can offer at a low cost with a one/two person staff. In order to be effective security monitoring requires immediate response and action, something that is very difficult to do without a staff available 24x7.
Of course, the best way to find out if there is a market for the service is to offer it and see if you get any takers :).
bambenek 11-09-2002, 02:29 AM The last time I made an offer, I got flamed on the liability insurance issue (why I need a multimillion dollar insurance policy to cover activities at companies that make maybe 20k/yr is beyond me). I'm still trying to see where the market is, I have some people that can handle the 7x24 response issues, that's not the issue. I can do an effective service, just wondering if there are customers out there that want it.
allan 11-09-2002, 02:45 AM It's not just a matter of response, it is also the ability to analyze the data, which is not something that can be done by just anyone. It is also a matter of having the infrastructure to handle the data you will have to look through. Even with one or two customers, it is possible to have gigs worth of logs that have to be parsed.
Liability insurance is definitely a consideration -- especially if you are going to offer any sort of guarantee with your service. You are right, you are not going to need a million dollar policy to cover activities at $20k a year hosting company. But do you have the money to cover the cost of an SLA to that $20k a year company should you miss an attack and they are compromised -- a figure that could easily be $1 - $2k? Do you have the money to cover the SLA for 5 companies? How about the SLA for a $50k company?
I'm interested in it and I would pay a lot more than most on these boards to get it. I'd have to have a really strong SLA in place though to pay hefty fees.
You would also have to assume responsibility and be insured (not for millions in the beginning) but you'd have to have insurance for me to look at it. This is why, say you do security for me and I make $20,000 a month on a ton of $5/month hosting accounts and my billing server gets hacked and someone downloads all the credit card info and uses it to run up credit card charges to all my clients. Suddenly I have 4,000 clients that are all getting credit card statements with bogus charges and they sue ME. Now what? I contracted you to secure the box, so if it isn't, then you get sued. If you aren't covered by enough insurance you are bankrupt.
If the lawsuits do come directly to me, then I would be forced to sue you for any damages I had to pay, plus legal fees. If I were sued by enough customers I could go bankrupt just fighting the suits.
I think that if security is worth doing, it's worth doing right. Now if you want to offer a more affordable solution to smaller companies out there you just have to state up front that you take no responsibility for the server actually being secure to protect yourself. That leaves open the question of "how do I know your services are any good if you don't warranty them?".
I think what would really be helpful to someone in my position that wants solid security and doesn't want to pay $10,000/month to get it is to charge a good amount for a security contract. A price that will allow you to staff the monitoring of servers 24x7. Then I would have the option to add servers of the exact same setup at a much lower cost than adding more custom/different setups. This way you could keep your costs down by being able to mirror what you do on each server and just passing on those savings to me.
I would be very interested in buying from a company with that type of business model. Expensive to set up, prices go down per server as I add more identical servers. This would be beneficial to any host that offers shared hosting. We already buy identical servers in bulk to get wholesale pricing. Once we find a set up we like we just reproduce it over and over and that should work out easier on us and you.
(edited to add this) Sorting through data does take a long time so I realize that the pricing could not go down below a certain point, but it should be a little cheaper per server if they are all identical, shouldn't it?
allan 11-09-2002, 03:11 AM Originally posted by 7out
(edited to add this) Sorting through data does take a long time so I realize that the pricing could not go down below a certain point, but it should be a little cheaper per server if they are all identical, shouldn't it?
A lot of it depends on the model you are using. If the target customer is a small host with a single dedicated server then the cost is going to increase as new servers are added because you have to use a HIDS-based solution. On the other hand, if you are talking about a host with 10 servers colocated in a data center, then you can use a NIDS solution as your primary source of information. The NIDS would be placed at the edge of the host's network and it would monitor all of the traffic in and out of the network. With this solution the incremental cost to add a server to the network is much smaller.
I know that the costs would go up as you added boxes from 1 to 2 servers in the beginning. I did not mean that you would pay $500/month for the first box and then add a second box and the total cost would go down to $490. I meant that the first box would be say $500 and the second would be $490 and the third would be $475 and then when you get to 10 maybe you're at $300/month per server or something.
Did you actually think that I meant the total cost would go down when adding boxes? You must have, because I don't see how the second box could cost more than the first box to secure so you must have been trying to tell me that a second box would add to the total cost of the service.
allan 11-09-2002, 03:39 AM Originally posted by 7out
Did you actually think that I meant the total cost would go down when adding boxes? You must have, because I don't see how the second box could cost more than the first box to secure so you must have been trying to tell me that a second box would add to the total cost of the service.
Correct, the point I was trying to make was that using a HIDS-based solution would have a higher incremental cost than using a NIDS-based solution. Sorry it came out so confusing.
So at what point (you used 10 as an example, but is that the real number?) would you move to the more cost effective solution? 10 servers, 20, 30, 100???
And what are the setup costs for a NIDS-based solution if the host wanted to pay for the system up front so that they would only incur the monthly security fees instead of the fees plus system costs?
allan 11-09-2002, 04:13 AM Originally posted by 7out
So at what point (you used 10 as an example, but is that the real number?) would you move to the more cost effective solution? 10 servers, 20, 30, 100???
And what are the setup costs for a NIDS-based solution if the host wanted to pay for the system up front so that they would only incur the monthly security fees instead of the fees plus system costs?
Keep in mind that I am not offering any security services, and I am not limited by the realities of cost.
The answer to your question depends on the situation of the host. For instance a host that has 5 dedicated servers at Rackshack (or any other dedicated hosting provider) most likely does not have the option of using a NIDS. In that case each host would have to have a HIDS installed.
In order for a NIDS to work, you either have to have your own data center, or at least colocated space in a datacenter. Assuming the host is already colocated I would always recommend a NIDS be used in conjunction with a HIDS. The best approach to security is always a layered one, so if you can combine the two approaches you have the best chance of catching an attacker. I would never want to rely solely on a HIDS solution, because if the HIDS missed an attack, data from that device would automatically be compromised.
As to cost of setting up a NIDS solution, it depends on what you are using. Honestly, SNORT is one of the most extensible and scalable solutions I have seen and it is free (except for the cost of the server :D). Plug it in to your switch, mirror the ports of the servers you want to monitor and sit back to wait for the alerts.
bitserve 11-09-2002, 11:06 AM If you weren't outsourcing this, but had a full time administrator(s) whose job it was to maintain the network/system security, would you expect that employee to have insurance to cover any breaches?
Is insurance supposedly one of the benefits of outsourcing it? If you expect that, you should be paying a lot more than you would be for having your own in house team.
So I'm thinking around $15,000 a month would be fair for a two person team.
My $0.02.
allan 11-09-2002, 11:23 AM Originally posted by bitserve
Is insurance supposedly one of the benefits of outsourcing it? If you expect that, you should be paying a lot more than you would be for having your own in house team.
Unlike having the work done in-house, most companies expect an MSP to offer some sort of SLA for their work. If the MSP fails to meet that SLA, they'll most likely have to compensate their customer...in cases like this having insurance provides potential customers an assurance that the MSP will be able to cover their SLAs financially.
Think about it this way, most companies have business insurance to cover something catastrophic (which can include data loss), so your in-house employees don't need special insurance. You would expect at least that from your MSP -- of course I could be completely reading the market bambenek is targeting wrong.
bitserve 11-09-2002, 01:56 PM I would expect that the company's regular business insurance should cover anything catastrophic, whether they've had contractors or an employee working on the project.
If it's just an argument over whose insurance should cover it, then as long as there was no negligence on the side of the contractor, any catastrophes should not be covered by the contractor's insurance.
If you need a security contractor that can guarantee no security breaches, as opposed to just guaranteeing to perform its work in accordance with industry standards, then it sounds like you're looking more to purchase insurance and security, and not just security. It should be priced accordingly, and it's beyond what an employee could offer.
Same $0.02, clarified, possibly. :)
dynamicnet 11-09-2002, 02:14 PM Greetings:
I believe there is a market; however, I believe the following must be in place:
* Clarification of what certifications along with their current expiration dates.
* Customer oriented service level agreement (SLA does not equal TOS) telling the customer not only what to expect in terms of service, but what will happen if those services are not delivered as promised.
* Errors and Omissions insurance.
* Proof that you can be bonded.
Thank you.
jstout 11-10-2002, 01:04 AM Originally posted by 7out
I'm interested in it and I would pay a lot more than most on these boards to get it. I'd have to have a really strong SLA in place though to pay hefty fees.<snip>
I think many of you have the wrong idea about how managed security services work.
I don't know of any MSP's who will specifically state in their SLA that you won't get hacked. I work for one of the largest MSP's in the world and we don't guarantee it. It would be foolish to. What happens if somebody releases a 0-day <insert major firewall> to the underground? The first line of defenses is now down. What if the customer deploys some website with horribly insecure coding? Is the MSP responsible for their negligence?
SLA's will usually spell out, in detailed terms, exactly which services are offered. Additionally they'll limit the MSP's liability as much as possible.
allan 11-10-2002, 01:27 AM Originally posted by jstout
I don't know of any MSP's who will specifically state in their SLA that you won't get hacked. I work for one of the largest MSP's in the world and we don't guarantee it. It would be foolish to. What happens if somebody releases a 0-day <insert major firewall> to the underground? The first line of defenses is now down. What if the customer deploys some website with horribly insecure coding? Is the MSP responsible for their negligence?
I agree, the only people who seem to be able to promise that a customer will never get hacked are those in the Job Offers forum who are doing it for $15 a month :D.
That being said, my experience has been that they will offer SLA's over things they should be able to control, which primarily means response time. Once an attack is detected the MSP is expected to contact the customer within a certain amount of time, failure to do that will result in SLA violations. Ditto making changes to firewall rules. If the customer detects the attacks and notifies the MSP, the MSP has to be able to quickly parse through the customer logs and track where the attack came from, and take steps to stop a repeat attack from occurring.
You say you work for a major MSP. I am willing to bet that your company has spent A LOT of time and money developing software and systems to parse logs and alerts so that your SOC staff can respond to alerts as quickly as possible.
I don't think a 2-3 person company, working with what are most likely rudimentary tools, will be able to meet any sort of reasonable response time SLA.
clockwork 11-10-2002, 02:30 AM Originally posted by uuallan
I agree, the only people who seem to be able to promise that a customer will never get hacked are those in the Job Offers forum who are doing it for $15 a month :D.
I can offer that for $15....
100% guaranteed that your server won't be hacked OR MONEY BACK.
I only need one piece of information... is this the plug leading to your server? *yank*
In all honesty though, I could offer something like having nessus scan your server for $15/month. Set up a couple of cronjobs, one to update the nessus plugin list and one to scan said servers, email a report, etc.
Or if you want to be even better, use a similar setup with snort. If X ip triggers X rule, drop all traffic from X ip. Set up a cronjob that will download new rulesets from your own server.
This would be your rudimentary tools.
It's profitable @ $15/month/server
However, it is nothing I would ever rely upon, but if advertised for what it is (more like an awareness system), it could be a value for some hosting company out there....
I didn't say the SLA would have to say you won't get hacked. That's an impossible promise. I said it would have to be strong. To me this means that the MSP has to define exactly what services they will offer, what response time they guarantee, what liability they take, what liability I take, what liability is shared, and what procedures are in place to make sure they can meet the SLA plus what I get compensated in the case of them not being able to meet the SLA.
In case you think that many of us have the wrong idea about how these SLA's work again, maybe you should ask what we think the SLA should cover instead of taking a statement that I made saying I would need a strong SLA to pay a big price and turning that in to me wanting a no hack guarantee before buying services.
And yes, I know that you did not specifically state that I said I would need this clause, but you did quote me before making a broad generalization that we had the wrong idea so I thought that I should answer to let you know what idea I actually had in mind.
jstout 11-10-2002, 01:34 PM Originally posted by uuallan
You say you work for a major MSP. I am willing to bet that your company has spent A LOT of time and money developing software and systems to parse logs and alerts so that your SOC staff can respond to alerts as quickly as possible.
Absolutely. We've spent even more money trying to cut down the false positives. Most alerts aren't even looked at by a human anymore.
I don't think a 2-3 person company, working with what are most likely rudimentary tools, will be able to meet any sort of reasonable response time SLA.
I humbly disagree. IIRC our response SLA is 4 hours. All we have to do is contact the customer, notify them there was an incident and that we're investigating. After that we can "officially" take as long as we want to come to our conclusion. This happens occasionally in cases where an alert comes in during the middle of the night and there are no level 2 or 3 analysts to investigate.
jstout 11-10-2002, 01:54 PM Originally posted by 7out
In case you think that many of us have the wrong idea about how these SLA's work again, maybe you should ask what we think the SLA should cover instead of taking a statement that I made saying I would need a strong SLA to pay a big price and turning that in to me wanting a no hack guarantee before buying services.
I was insinuating that many people on this board have the wrong idea about how MSP's work. I wasn't picking on you or even stating that you had the wrong idea. Initially from your first post, I thought you did. Followup posts have changed my mind. If you look at the couple of guys on this board who offer security services you'll see that in their posts, someone always asks if they can "guarantee that I won't be hacked". It's just not a reality.
And yes, I know that you did not specifically state that I said I would need this clause, but you did quote me before making a broad generalization that we had the wrong idea so I thought that I should answer to let you know what idea I actually had in mind. Like I said previously, followup posts have shown me that you have a good idea on what should be covered in the SLA. No offense was ever intended by my posts.
jstout 11-10-2002, 02:20 PM In response to bambenek's initial post, I definitely think there is a market. However, I definitely feel that it is impossible to offer the services "properly".
I've looked into this quite a bit. I've considered starting my own MSP targeted towards webhosts. I've come to two conclusions. One, the smaller webhosts with one or two boxes are running on such tight margins, they can't afford outsourced security services. Maybe they can afford $25 a month or so per box, if they were really interested in security but NO ONE could offer anything more than simple, fundamental security services for this cost. Let's say you somehow manage to get 100 customers. At $25 per month you're only pulling in $2500/month. That isn't even enough to cover my salary. Nor any capable security person's. Targeting towards the datacenters would be difficult as the larger MSP's have already sunk considerable resources trying to get all the datacenters to resell their services. Two, security on a webhost is inherently flawed. There are too many factors which can't be controlled. Things like register_globals turned on in PHP because if it isn't 90% of people's PHP scripts would fail. Customers writing insecure web apps. FTP being enabled. Blah, blah, blah.
There definitely is some benefit in offering the low end security services to webhosts. Things like firewall management, host security (file permissions, configuration, etc), vulnerability scanning, exploit notification and even patching for those brave souls who want to inherit the liability with having root access on a customer box. Personally I would charge around $100 a month for the above. Even with all those services, the host's security is only increased marginally. If a host is paying $25-$100/month for security services, don't you think they'd expect and deserve more than marginally increased security?
dynamicnet 11-10-2002, 04:31 PM Greetings jstout:
"Maybe they can afford $25 a month or so per box, if they were really interested in security but NO ONE could offer anything more than simple, fundamental security services for this cost. Let's say you somehow manage to get 100 customers. At $25 per month you're only pulling in $2500/month. That isn't even enough to cover my salary."
Thank you for pointing out this crucial fact that is often missed by those trying to service a very low end market.
allan 11-10-2002, 08:40 PM Originally posted by jstout
I humbly disagree. IIRC our response SLA is 4 hours. All we have to do is contact the customer, notify them there was an incident and that we're investigating. After that we can "officially" take as long as we want to come to our conclusion. This happens occasionaly in cases where an alert comes in during the middle of the night and there are no level 2 or 3 analysts to investigate.
How dare you try to carry on a respectful intelligent conversation :D -- I expect to see some flaming, and see it now ;).
What you are saying kind of plays into my point. Let's say you set up a company like this, with 2 or 3 people giving customers the option of using a HIDS or NIDS -- with a 4 hour SLA. Any NIDS/HIDS is going to generate a good amount of false positives, so you cannot automatically forward all alerts to the customer and consider the SLA satisfied. Which means you have to manually review every alert (remember there isn't a million dollar program sitting behind these people filtering out most of the false positives). With 3 people you could conceivably schedule it so most hours of the day are covered as long as none of the people need a day off.
Lets say with 10 servers you are generating 1,000 alerts a day, which is not unreasonable -- especially considering that these are hosting companies. No problem, the three people can handle it. Now, the service takes off and they have 100 servers, that's 10,000 alerts a day. 10,000 e-mails is a lot more difficult to sort through within that SLA even with 3 people. At only $25 a server, you are still only generating $2500 a month, not enough for 3 people to live off of...and certainly not enough to hire a 4th person to help sort through those e-mails.
Acronym BOY 11-10-2002, 09:27 PM Originally posted by bambenek
The last time I made an offer, I got flamed on the liability insurance issue (why I need a multimillion dollar insurance policy to cover activities at companies that make maybe 20k/yr is beyond me).
The insurance isn't for you, but rather your clients. Let's say you pick up a client that makes $420 per second (http://www.webhostingtalk.com/showthread.php?s=&threadid=87015) and because he wasn't secure, as you said he was, they were down for over 5 hours. And let's say credit card numbers are accessed. Now several million in sales are rung up on them fraudulently.
That's why you need millions in insurance, because you are liable if something like that happens.
Aussie Bob 11-10-2002, 09:43 PM Here's my 2 bob :D
Think of your server like a shop. You can have different levels of security for your shop, depending on how much you're willing to pay and how valuable the contents of your shop is etc.
You can have a simple alarm system that notifies you of issues. Nothing wrong with that. It's cheap, effective and does the job that's intended of it.
You could also have a guard that patrols the perimeter 24/7. He's not armed, but is an extra pair of eyes and a good deterrent.
Or you could have a fully armed swat team with guard dogs, camped around the perimeter. Different levels of security for different purposes. The swat team might cost you a tad more than the single guard and the single guard costs more than the alarm system. It depends on what you can afford etc. The security for Fort Knox is a tad stronger than the security for your local shopping center, which is a tad stronger than the security for most homes. :)
jstout 11-11-2002, 10:48 AM Originally posted by Aussie Bob
You can have a simple alarm system that notifies you of issues. Nothing wrong with that. It's cheap, effective and does the job that's intended of it.
Nice analogy. I'd like to add a little bit though...
The simple alarm system only monitors the front and back doors because it wasn't cost effective at the charged rate for the alarm company to put sensors on the windows as well.
jstout 11-11-2002, 10:55 AM Originally posted by Acronym BOY
That's why you need millions in insurance, because you are liable if something like that happens.
Not exactly. Any well run MSP will have provisions in place to prevent them from being liable. Read 7out and my earlier posts for a good idea of what a customer should expect in regards to SLA's.
I'm not saying that in the example you gave, the security company would not be sued. On the contrary, I could pretty much assure you of a lawsuit. I'm also not saying that carrying insurance is not necessary. It definitely is. I'm saying that a "properly run" MSP will not be successfully sued because they will be able to provide evidence of due diligence in regards to their stated SLA agreements.
jstout 11-11-2002, 11:11 AM Originally posted by uuallan
How dare you try to carry on a respectful intelligent conversation :D -- I expect to see some flaming, and see it now ;).
Blow me :-)
What you are saying kind of plays into my point. Let's say you set up a company like this, with 2 or 3 people giving customers the option of using a HIDS or NIDS -- with a 4 hour SLA. Any NIDS/HIDS is going to generate a good amount of false positives, so you cannot automatically forward all alerts to the customer and consider the SLA satisfied.
Well...... you can. My previous employer did just that. The customer went through a tuning period where alerts which generated large amounts of false positives/negatives were removed from the ruleset. Alerts were classified by severity level. Customers were given the option of automatically blocking or being notified depending on the alert level. After that point, when an alert came in it was either blocked immediately or a canned email was sent to customers asking them what to do. Very rarely did a customer actually ask for some background on the attack.
Which means you have to manually review every alert (remember there isn't a million dollar program sitting behind these people filtering out most of the false positives).
Actually it's pretty simple to filter out the common stuff. Not only that but commonly entry level computer techs are trained to do the front line analysis. With several hundred customers we're lucky to get a truly interesting attack a day.
With 3 people you could conceivably schedule it so most hours of the day are covered as long as none of the people need a day off.
Theoretically you could automate everything, link alerts to the CVE database, provide a customer friendly detailed explanation of the attack, and let the customer choose to block or ignore from some web based portal.
Lets say with 10 servers you are generating 1,000 alerts a day, which is not unreasonable -- especially considering that these are hosting companies. No problem, the three people can handle it. Now, the service takes off and they have 100 servers, that's 10,000 alerts a day. 10,000 e-mails is a lot more difficult to sort through within that SLA even with 3 people. At only $25 a server, you are still only generating $2500 a month, not enough for 3 people to live off of...and certainly not enough to hire a 4th person to help sort through those e-mails.
Agreed, if you're getting 10,000 alerts a day you're screwed. I don't think there is an MSP out there which can support 10,000 alerts being manually examined a day. You have to automate. One of the troubles with automating is you're bound to miss some interesting traffic which brings down the quality of your service.
On a separate tangent. NIDS is worthless. It's a reactive security control which provides very little benefit. You will NEVER see an ROI on a properly run NIDS deployment. It can't be done. It amazes me that people still get off having the reinforcement of an email telling them that someone is attacking them.
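The alert-handling pipeline described in this thread (clockwork's "if X ip triggers X rule, drop all traffic from X ip" cronjob idea, and jstout's tuning period, severity classes and block-or-notify options) sketched as a small triage script. This is an added example, not code from anyone in the thread: it parses Snort's alert_fast line format, drops rules tuned out as false positives, blocks a repeat high-priority source unless it sits on a never-block list (so a bad rule cannot lock out your own network), and queues the rest for the customer notification. The sample alert lines, rule ids, policy values and the iptables command are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

# One line of Snort's alert_fast output. Classification is optional, and
# ICMP alerts carry no ports, so both are optional groups.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (documentation addresses, illustrative rule ids).
# The last line is deliberately malformed to exercise the unparsed path.
SAMPLE_ALERTS = """\
11/10-02:30:15.100000  [**] [1:1390:5] SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.7:51234 -> 192.0.2.10:80
11/10-02:30:16.200000  [**] [1:1390:5] SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.7:51235 -> 192.0.2.11:80
11/10-02:31:01.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.5 -> 192.0.2.10
11/10-02:31:05.000000  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:80 -> 203.0.113.9:3322
11/10-02:32:00.000000  [**] [1:1390:5] SHELLCODE x86 inc ebx NOOP [**] [Priority: 1] {TCP} 192.0.2.250:44000 -> 192.0.2.10:80
11/10-02:33:00.000000  [**] [1:1000001:1] LOCAL web scanner user-agent [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.77:1200 -> 192.0.2.10:80
this line is not a snort alert at all
"""


@dataclass
class Alert:
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str


def parse_alert(line: str):
    """Return an Alert for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], int(m["prio"]), m["proto"], m["src"], m["dst"])


@dataclass
class Policy:
    auto_block: bool = True           # customer opted in to blocking, not only notification
    block_priority: int = 1           # Snort priority 1 is the most severe class
    notify_priority: int = 2          # priority 2 still earns a ticket to the customer
    block_threshold: int = 2          # hits from one source before it is blocked
    suppressed_sids: set = field(default_factory=set)  # tuned out as false positives
    never_block: list = field(default_factory=list)    # own networks, monitoring hosts

    def protected(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)


# Assumed tuning result: a web host sees 403 responses all day, so sid 1201 is
# noise here, and the host's own /24 must never be blocked by the host's NIDS.
EXAMPLE_POLICY = Policy(
    suppressed_sids={1201},
    never_block=[ipaddress.ip_network("192.0.2.0/24")],
)


def triage(lines, policy: Policy) -> dict:
    """Sort alert lines into block / notify / ignore / suppressed / unparsed."""
    out = {"block": [], "notify": [], "ignore": 0, "suppressed": 0, "unparsed": 0}
    hits = Counter()
    for line in lines:
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            out["unparsed"] += 1          # a parser failure must be visible, not silent
            continue
        if a.sid in policy.suppressed_sids:
            out["suppressed"] += 1
            continue
        if a.priority <= policy.block_priority:
            hits[a.src] += 1
            blockable = policy.auto_block and not policy.protected(a.src)
            if blockable and hits[a.src] >= policy.block_threshold:
                if a.src not in out["block"]:
                    out["block"].append(a.src)
                continue
            out["notify"].append((a.sid, a.src, a.dst, a.msg))   # first hit, or protected src
        elif a.priority <= policy.notify_priority:
            out["notify"].append((a.sid, a.src, a.dst, a.msg))
        else:
            out["ignore"] += 1
    return out


def block_commands(ips) -> list:
    """Assumed Linux/iptables host: one DROP rule per blocked source address."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS.splitlines(), EXAMPLE_POLICY)
    print(result)
    print("\n".join(block_commands(result["block"])))
```

Run from cron against the live alert file, the block list would feed the firewall and the notify list the customer email; the counters for suppressed and unparsed lines are what you watch to know whether the tuning and the parser are still keeping up with the ruleset.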
clockwork 11-11-2002, 09:29 PM Originally posted by jstout
NIDS is worthless. It's a reactive security control which provides very little benefit. You will NEVER see an ROI on a properly run NIDS deployment. It can't be done. It amazes me that people still get off having the reinforcement of an email telling them that someone is attacking them.
If you have your NIDS tied into your firewalls (many can do this), and some script kiddie is trying to send some suspicious, executable shellcode to your network and your setup drops the source ip from the entire network, I'd say that's a somewhat effective measure.
Take action, report later.
allan 11-11-2002, 11:30 PM Originally posted by jstout
On a separate tangent. NIDS is worthless. It's a reactive security control which provides very little benefit. You will NEVER see an ROI on a properly run NIDS deployment. It can't be done. It amazes me that people still get off having the reinforcement of an email telling them that someone is attacking them.
Interesting that you say this because most of the MSPs I have worked with, including Counterpane and ISSS, rely heavily on NIDS -- of course they are not waiting for e-mail alerts ;).
jstout 11-12-2002, 11:03 AM Originally posted by clockwork
If you have your NIDS tied into your firewalls (many can do this), and some script kiddie is trying to send some suspicious, executable shellcode to your network and your setup drops the source ip from the entire network, I'd say that's a somewhat effective measure.
Take action, report later.
I couldn't agree with you more. But you've combined the product and you no longer have a typical "nids" solution. Most people are pretty paranoid about automatically dropping traffic.
What you're talking about doesn't yet have a common name. Although implementation is becoming more and more common. Check out Hogwash http://hogwash.sourceforge.net/ as an example. Additionally other vendors are doing similar things. Check Point is working on something similar. It really is the future in my opinion. At the lowest level, all you're doing is packet filtering except you're looking more at the payload than at the headers. I don't see why more people aren't doing this. There is traffic which should NEVER be seen on a network. If it comes across, what would be better, an alert telling you someone just sent shellcode to your unpatched IIS install or to have the packet dropped and an alert sent?
jstout 11-12-2002, 11:05 AM Originally posted by uuallan
Interesting that you say this because most of the MSPs I have worked with, including Counterpane and ISSS, rely heavily on NIDS -- of course they are not waiting for e-mail alerts ;).
Absolutely true. Someone did a stellar job marketing IDS as an effective security control.
clockwork 11-12-2002, 11:25 AM Originally posted by jstout
Check out Hogwash http://hogwash.sourceforge.net/ as an example. Additionally other vendors are doing similar things. Check Point is working on something similar. It really is the future in my opinion. At the lowest level, all you're doing is packet filtering except you're looking more at the payload than at the headers. I don't see why more people aren't doing this. There is traffic which should NEVER be seen on a network. If it comes across, what would be better, an alert telling you someone just sent shellcode to your unpatched IIS install or to have the packet dropped and an alert sent?
I've been watching over hogwash, I personally haven't thrown it into any production environment yet, but it looks promising (...still in beta phases, doh).
I think the future is going to be more of a host-based security stance. Why? That's where most of the problems are occurring... in the flaws of operating systems. People certainly don't want to run around having to patch their software every month (read: IIS), so there is a demand for products which interact with an OS at the kernel level (grsecurity.net for instance) that block certain attacks on that level... so you can theoretically be running insanely old, insanely exploitable software, but due to kernel modifications, the exploit will never escalate.
NIDS is going to become more and more like a research tool for suspicious traffic than a form of defense :)
Of course, all of the above is IMHO
jstout 11-12-2002, 01:41 PM I agree completely.