  1. #1

    Security Services

    Any market out there for outsourcing basic security lockdown/monitoring/IDS services? I'm an expert but just looking to see if there is a market out there for a mid-level service offering to smaller-medium business in the webhosting realm.

  2. #2
    Join Date
    Dec 2001
    Location
    Detroit, MI
    Posts
    1,067
    This is a tough field. When you secure anything you kind of accept liability for any breach, so the insurance you'd need to make a legitimate go of such a venture might price you out of the market.

    A friend of mine is in this industry after retiring from ISS a while back; the money they charge (and get) is pretty ridiculous, but you need solid security M&P's just to get in the door as a sub-contractor of any financial institution.

    There is a market, but I don't think many web hosting companies can really afford it.

  3. #3
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,209
    I agree with Scott -- I know you have mentioned this idea before, but I really don't think it is the type of service you can offer at a low cost with a one/two person staff. In order to be effective, security monitoring requires immediate response and action, something that is very difficult to do without a staff available 24x7.

    Of course, the best way to find out if there is a market for the service is to offer it and see if you get any takers.

  4. #4
    The last time I made an offer, I got flamed on the liability insurance issue (why I need a multimillion dollar insurance policy to cover activities at companies that make maybe 20k/yr is beyond me). I'm still trying to see where the market is. I have some people that can handle the 7x24 response issues, so that's not the issue. I can do an effective service; I'm just wondering if there are customers out there that want it.

  5. #5
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,209
    It's not just a matter of response, it is also the ability to analyze the data, which is not something that can be done by just anyone. It is also a matter of having the infrastructure to handle the data you will have to look through. Even with one or two customers, it is possible to have gigs worth of logs that have to be parsed.

    Liability insurance is definitely a consideration -- especially if you are going to offer any sort of guarantee with your service. You are right, you are not going to need a million dollar policy to cover activities at $20k a year hosting company. But do you have the money to cover the cost of an SLA to that $20k a year company should you miss an attack and they are compromised -- a figure that could easily be $1 - $2k? Do you have the money to cover the SLA for 5 companies? How about the SLA for a $50k company?

  6. #6
    Join Date
    Sep 2002
    Posts
    522
    I'm interested in it and I would pay a lot more than most on these boards to get it. I'd have to have a really strong SLA in place though to pay hefty fees.

    You would also have to assume responsibility and be insured (not for millions in the beginning), but you'd have to have insurance for me to look at it. This is why: say you do security for me and I make $20,000 a month on a ton of $5/month hosting accounts, and my billing server gets hacked and someone downloads all the credit card info and uses it to run up credit card charges to all my clients. Suddenly I have 4,000 clients that are all getting credit card statements with bogus charges and they sue ME. Now what? I contracted you to secure the box, so if it isn't, then you get sued. If you aren't covered by enough insurance you are bankrupt.

    If the lawsuits do come directly to me, then I would be forced to sue you for any damages I had to pay, plus legal fees. If I were sued by enough customers I could go bankrupt just fighting the suits.

    I think that if security is worth doing, it's worth doing right. Now if you want to offer a more affordable solution to smaller companies out there, you just have to state up front that you take no responsibility for the server actually being secure, to protect yourself. That leaves open the question of "how do I know your services are any good if you don't warranty them?".

    I think what would really be helpful to someone in my position that wants solid security and doesn't want to pay $10,000/month to get it is to charge a good amount for a security contract. A price that will allow you to staff the monitoring of servers 24x7. Then I would have the option to add servers of the exact same setup at a much lower cost than adding more custom/different setups. This way you could keep your costs down by being able to mirror what you do on each server and just pass on those savings to me.

    I would be very interested in buying from a company with that type of business model. Expensive to set up, prices go down per server as I add more identical servers. This would be beneficial to any host that offers shared hosting. We already buy identical servers in bulk to get wholesale pricing. Once we find a set up we like we just reproduce it over and over and that should work out easier on us and you.

    (edited to add this) Sorting through data does take a long time so I realize that the pricing could not go down below a certain point, but it should be a little cheaper per server if they are all identical, shouldn't it?
    Lowest priced electronics and game systems on the web. PS3, Wii, Xbox 360, iPhone, and more.
    Contact freegamesystem@yahoo.com for details.

  7. #7
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,209
    Originally posted by 7out

    (edited to add this) Sorting through data does take a long time so I realize that the pricing could not go down below a certain point, but it should be a little cheaper per server if they are all identical, shouldn't it?
    A lot of it depends on the model you are using. If the target customer is a small host with a single dedicated server then the cost is going to increase as new servers are added because you have to use a HIDS-based solution. On the other hand, if you are talking about a host with 10 servers colocated in a data center, then you can use a NIDS solution as your primary source of information. The NIDS would be placed at the edge of the host's network and it would monitor all of the traffic in and out of the network. With this solution the incremental cost to add a server to the network is much smaller.

  8. #8
    Join Date
    Sep 2002
    Posts
    522
    I know that the costs would go up as you added boxes from 1 to 2 servers in the beginning. I did not mean that you would pay $500/month for the first box and then add a second box and the total cost would go down to $490. I meant that the first box would be say $500 and the second would be $490 and the third would be $475 and then when you get to 10 maybe you're at $300/month per server or something.

    Did you actually think that I meant the total cost would go down when adding boxes? You must have, because I don't see how the second box could cost more than the first box to secure so you must have been trying to tell me that a second box would add to the total cost of the service.

  9. #9
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,209
    Originally posted by 7out

    Did you actually think that I meant the total cost would go down when adding boxes? You must have, because I don't see how the second box could cost more than the first box to secure so you must have been trying to tell me that a second box would add to the total cost of the service.
    Correct, the point I was trying to make was that using a HIDS-based solution would have a higher incremental cost than using a NIDS-based solution. Sorry it came out so confusing.

  10. #10
    Join Date
    Sep 2002
    Posts
    522
    So at what point (you used 10 as an example, but is that the real number?) would you move to the more cost effective solution? 10 servers, 20, 30, 100???

    And what are the setup costs for a NIDS-based solution if the host wanted to pay for the system up front so that they would only incur the monthly security fees instead of the fees plus system costs?

  11. #11
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,209
    Originally posted by 7out
    So at what point (you used 10 as an example, but is that the real number?) would you move to the more cost effective solution? 10 servers, 20, 30, 100???

    And what are the setup costs for a NIDS-based solution if the host wanted to pay for the system up front so that they would only incur the monthly security fees instead of the fees plus system costs?
    Keep in mind that I am not offering any security services, and I am not limited by the realities of cost.

    The answer to your question depends on the situation of the host. For instance a host that has 5 dedicated servers at Rackshack (or any other dedicated hosting provider) most likely does not have the option of using a NIDS. In that case each host would have to have a HIDS installed.

    In order for a NIDS to work, you either have to have your own data center, or at least colocated space in a datacenter. Assuming the host is already colocated, I would always recommend a NIDS be used in conjunction with a HIDS. The best approach to security is always a layered one, so if you can combine the two approaches you have the best chance of catching an attacker. I would never want to rely solely on a HIDS solution, because if the HIDS missed an attack, data from that device would automatically be compromised.

    As to the cost of setting up a NIDS solution, it depends on what you are using. Honestly, SNORT is one of the most extensible and scalable solutions I have seen and it is free (except for the cost of the server). Plug it in to your switch, mirror the ports of the servers you want to monitor and sit back to wait for the alerts.

  12. #12
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,979
    If you weren't outsourcing this, but had a full time administrator(s) whose job it was to maintain the network/system security, would you expect that employee to have insurance to cover any breaches?

    Is insurance supposedly one of the benefits of outsourcing it? If you expect that, you should be paying a lot more than you would be for having your own in house team.

    So I'm thinking around $15,000 a month would be fair for a two person team.

    My $0.02.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!

  13. #13
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,209
    Originally posted by bitserve

    Is insurance supposedly one of the benefits of outsourcing it? If you expect that, you should be paying a lot more than you would be for having your own in house team.
    Unlike having the work done in-house, most companies expect an MSP to offer some sort of SLA for their work. If the MSP fails to meet that SLA, they'll most likely have to compensate their customer. In cases like this, having insurance provides potential customers an assurance that the MSP will be able to cover their SLAs financially.

    Think about it this way: most companies have business insurance to cover something catastrophic (which can include data loss), so your in-house employees don't need special insurance. You would expect at least that from your MSP -- of course I could be completely reading the market bambenek is targeting wrong.

  14. #14
    Join Date
    Sep 2002
    Posts
    522
    well put

  15. #15
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,979
    I would expect that the company's regular business insurance should cover anything catastrophic, whether they've had contractors or an employee working on the project.

    If it's just an argument over whose insurance should cover it, then as long as there was no negligence on the side of the contractor, any catastrophes should not be covered by the contractor's insurance.

    If you need a security contractor that can guarantee no security breaches, as opposed to just guaranteeing to perform its work in accordance with industry standards, then it sounds like you're looking more to purchase insurance and security, and not just security. It should be priced accordingly, and it's beyond what an employee could offer.

    Same $0.02, clarified, possibly.
    Last edited by bitserve; 11-09-2002 at 02:02 PM.

  16. #16
    Greetings:

    I believe there is a market; however, I believe the following must be in place:

    * Clarification of what certifications along with their current expiration dates.

    * Customer oriented service level agreement (SLA does not equal TOS) telling the customer not only what to expect in terms of service, but what will happen if those services are not delivered as promised.

    * Errors and Omissions insurance.

    * Proof that you can be bonded.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  17. #17
    Join Date
    Jan 2002
    Location
    SoCal
    Posts
    71
    Originally posted by 7out
    I'm interested in it and I would pay a lot more than most on these boards to get it. I'd have to have a really strong SLA in place though to pay hefty fees.<snip>
    I think many of you have the wrong idea about how managed security services work.

    I don't know of any MSP's who will specifically state in their SLA that you won't get hacked. I work for one of the largest MSP's in the world and we don't guarantee it. It would be foolish to. What happens if somebody releases a 0-day <insert major firewall> to the underground? The first line of defense is now down. What if the customer deploys some website with horribly insecure coding? Is the MSP responsible for their negligence?

    SLA's will usually spell out, in detailed terms, exactly which services are offered. Additionally they'll limit the MSP's liability as much as possible.

  18. #18
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,209
    Originally posted by jstout

    I don't know of any MSP's who will specifically state in their SLA that you won't get hacked. I work for one of the largest MSP's in the world and we don't guarantee it. It would be foolish to. What happens if somebody releases a 0-day <insert major firewall> to the underground? The first line of defense is now down. What if the customer deploys some website with horribly insecure coding? Is the MSP responsible for their negligence?
    I agree, the only people who seem to be able to promise that a customer will never get hacked are those in the Job Offers forum who are doing it for $15 a month.

    That being said, my experience has been that they will offer SLA's over things they should be able to control, which primarily means response time. Once an attack is detected the MSP is expected to contact the customer within a certain amount of time, failure to do that will result in SLA violations. Ditto making changes to firewall rules. If the customer detects the attacks and notifies the MSP, the MSP has to be able to quickly parse through the customer logs and track where the attack came from, and take steps to stop a repeat attack from occurring.

    You say you work for a major MSP. I am willing to bet that your company has spent A LOT of time and money developing software and systems to parse logs and alerts so that your SOC staff can respond to alerts as quickly as possible.

    I don't think a 2-3 person company, working with what are most likely rudimentary tools, will be able to meet any sort of reasonable response time SLA.

  19. #19
    Join Date
    Jan 2002
    Posts
    574
    Originally posted by uuallan

    I agree, the only people who seem to be able to promise that a customer will never get hacked are those in the Job Offers forum who are doing it for $15 a month.

    I can offer that for $15....

    100% guaranteed that your server won't be hacked OR MONEY BACK.

    I only need one piece of information... is this the plug leading to your server? *yank*

    In all honesty though, I could offer something like having nessus scan your server for $15/month. Set up a couple of cronjobs, one to update the nessus plugin list and one to scan said servers, email a report, etc.

    Or if you want to be even better, use a similar setup with snort. If X ip triggers X rule, drop all traffic from X ip. Set up a cronjob that will download new rulesets from your own server.

    These would be your rudimentary tools.
    It's profitable @ $15/month/server

    However, it is nothing i would ever rely upon, but if advertised for what it is (more like an awareness system), it could be a value for some hosting company out there....
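    As an added example (not the poster's own tooling), here is the "if X ip triggers X rule, drop all traffic from X ip" step in Python: it parses Snort fast-format alert lines (constructed sample data), applies an allowlist and a per-source threshold so a single spoofed or noisy packet cannot knock the host's own management network offline, and renders the iptables commands instead of running them. The allowlist networks, the threshold values and the SIDs are assumptions made for the example.

```python
"""Auto-block decisions from Snort "fast" alert lines.

Added example, not code from the forum post. It implements the post's
"if X ip triggers X rule, drop all traffic from X ip" idea with two
safeguards (an allowlist and a per-source alert threshold) and renders
the iptables commands rather than executing them.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Snort "-A fast" line layout (IPv4 only here); ports are absent for ICMP:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src:port -> dst:port
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

# Constructed sample alerts: documentation-range addresses, made-up SIDs >= 1000000.
SAMPLE_ALERTS = """\
11/09-02:02:13.101010  [**] [1:1000001:1] CONSTRUCTED web port scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.5:44444 -> 198.51.100.7:80
11/09-02:02:14.202020  [**] [1:1000001:1] CONSTRUCTED web port scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.5:44445 -> 198.51.100.7:443
11/09-02:02:15.303030  [**] [1:1000002:1] CONSTRUCTED ssh brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.5:44446 -> 198.51.100.7:22
11/09-02:03:01.404040  [**] [1:1000003:1] CONSTRUCTED icmp sweep [**] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.7
11/09-02:03:02.505050  [**] [1:1000001:1] CONSTRUCTED web port scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.2:5000 -> 198.51.100.7:80
11/09-02:03:03.606060  [**] [1:1000001:1] CONSTRUCTED web port scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.2:5001 -> 198.51.100.7:80
this line is not an alert and must be skipped
"""

# Constructed policy: the host's own management/monitoring nets are never blocked.
ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]
THRESHOLD = 2      # alerts from one source before it is blocked
MAX_PRIORITY = 2   # Snort priority 1 is most severe; priority 3+ is treated as noise


def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines that are not alerts."""
    m = FAST_ALERT.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    fields["prio"] = int(fields["prio"])
    return fields


def decide_blocks(lines, threshold=THRESHOLD, max_priority=MAX_PRIORITY):
    """Map each source IP that crossed the threshold to the sorted SIDs it triggered."""
    counts = Counter()
    sids = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue
        if any(ip_address(alert["src"]) in net for net in ALLOWLIST):
            continue  # never block our own networks, even on a spoofed source
        counts[alert["src"]] += 1
        sids[alert["src"]].add(alert["sid"])
    return {ip: sorted(sids[ip]) for ip, n in counts.items() if n >= threshold}


def iptables_commands(blocks):
    """Render one DROP rule per offender; a real deployment would also expire them."""
    return [f"iptables -I INPUT -s {ip} -j DROP  # sids {','.join(map(str, s))}"
            for ip, s in sorted(blocks.items())]


if __name__ == "__main__":
    for cmd in iptables_commands(decide_blocks(SAMPLE_ALERTS.splitlines())):
        print(cmd)
```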

  20. #20
    Join Date
    Sep 2002
    Posts
    522
    I didn't say the SLA would have to say you won't get hacked. That's an impossible promise. I said it would have to be strong. To me this means that the MSP has to define exactly what services they will offer, what response time they guarantee, what liability they take, what liability I take, what liability is shared, and what procedures are in place to make sure they can meet the SLA plus what I get compensated in the case of them not being able to meet the SLA.

    In case you think that many of us have the wrong idea about how these SLA's work again, maybe you should ask what we think the SLA should cover instead of taking a statement that I made saying I would need a strong SLA to pay a big price and turning that in to me wanting a no hack guarantee before buying services.

    And yes, I know that you did not specifically state that I said I would need this clause, but you did quote me before making a broad generalization that we had the wrong idea so I thought that I should answer to let you know what idea I actually had in mind.

  21. #21
    Join Date
    Jan 2002
    Location
    SoCal
    Posts
    71
    Originally posted by uuallan
    You say you work for a major MSP. I am willing to bet that your company has spent A LOT of time and money developing software and systems to parse logs and alerts so that your SOC staff can respond to alerts as quickly as possible.
    Absolutely. We've spent even more money trying to cut down the false positives. Most alerts aren't even looked at by a human anymore.

    I don't think a 2-3 person company, working with what are most likely rudimentary tools, will be able to meet any sort of reasonable response time SLA.
    I humbly disagree. IIRC our response SLA is 4 hours. All we have to do is contact the customer, notify them there was an incident and that we're investigating. After that we can "officially" take as long as we want to come to our conclusion. This happens occasionally in cases where an alert comes in during the middle of the night and there are no level 2 or 3 analysts to investigate.

  22. #22
    Join Date
    Jan 2002
    Location
    SoCal
    Posts
    71
    Originally posted by 7out
    In case you think that many of us have the wrong idea about how these SLA's work again, maybe you should ask what we think the SLA should cover instead of taking a statement that I made saying I would need a strong SLA to pay a big price and turning that in to me wanting a no hack guarantee before buying services.
    I was insinuating that many people on this board have the wrong idea about how MSP's work. I wasn't picking on you or even stating that you had the wrong idea. Initially, from your first post, I thought you did. Followup posts have changed my mind. If you look at the couple of guys on this board who offer security services you'll see that in their posts, someone always asks if they can "guarantee that I won't be hacked". It's just not a reality.

    And yes, I know that you did not specifically state that I said I would need this clause, but you did quote me before making a broad generalization that we had the wrong idea so I thought that I should answer to let you know what idea I actually had in mind.
    Like I said previously, followup posts have shown me that you have a good idea on what should be covered in the SLA. No offense was ever intended by my posts.

  23. #23
    Join Date
    Jan 2002
    Location
    SoCal
    Posts
    71
    In response to bambenek's initial post, I definitely think there is a market. However, I definitely feel that it is impossible to offer the services "properly".

    I've looked into this quite a bit. I've considered starting my own MSP targeted towards webhosts. I've come to two conclusions. One, the smaller webhosts with one or two boxes are running on such tight margins that they can't afford outsourced security services. Maybe they can afford $25 a month or so per box, if they were really interested in security, but NO ONE could offer anything more than simple, fundamental security services for this cost. Let's say you somehow manage to get 100 customers. At $25 per month you're only pulling in $2500/month. That isn't even enough to cover my salary. Nor any capable security person's. Targeting the datacenters would be difficult as the larger MSP's have already sunk considerable resources trying to get all the datacenters to resell their services. Two, security on a webhost is inherently flawed. There are too many factors which can't be controlled. Things like register_globals turned on in PHP because if it isn't, 90% of people's PHP scripts would fail. Customers writing insecure web apps. FTP being enabled. Blah, blah, blah.

    There definitely is some benefit in offering the low end security services to webhosts. Things like firewall management, host security (file permissions, configuration, etc), vulnerability scanning, exploit notification and even patching for those brave souls who want to inherit the liability that comes with having root access on a customer box. Personally I would charge around $100 a month for the above. Even with all those services, the host's security is only increased marginally. If a host is paying $25-$100/month for security services, don't you think they'd expect and deserve more than marginally increased security?

  24. #24
    Greetings jstout:

    "Maybe they can afford $25 a month or so per box, if they were really interested in security but NO ONE could offer anything more than simple, fundamental security services for this cost. Let's say you somehow manage to get 100 customers. At $25 per month your only pulling in $2500/month. That isn't even enough to cover my salary."

    Thank you for pointing out this crucial fact that is often missed by those trying to service a very low end market.

  25. #25
    Join Date
    Sep 2002
    Posts
    522
    Thanks jstout.
