Blanket security: Ernst & Young spins off security venture

Network security breaches can be costly to a service provider in terms of revenue and reputation. Recent highly publicized attacks, viruses and denials of service have left the public increasingly skittish about the Internet. And telecom networks are increasingly entwined with that Internet. Some analysts estimate that $256 million were lost in 1999 as a result of security attacks.

To help service providers and corporations combat security violators and manage the risk associated with network vulnerabilities, Ernst & Young spun off a new venture last week called eSecurityOnline.com. Led by CEO Jon Darbyshire, eSecurityOnline.com will be an application service provider (ASP) that supplies network operators and security professionals with online network vulnerability information, which they can tailor to their specific needs.

eSecurityOnline.com's flagship product is the Online Vulnerability Service. It is now used by Sprint and USinternetworking. The company's other services will include a minimum baseline service, which provides best practices for configuring network infrastructures within an organization, and a managed services offering for firewalls, intrusion detection and incident response.

"If you are a company that wants to be e-business-enabled and have a 100% uptime mandate, you need a perpetual solution that is always keeping you abreast of your vulnerabilities," said Anthony Spinelli, vice president of online services for eSecurityOnline.com.

Using its 1200 security professionals and subject matter experts, the online vulnerability service detects potential problems with network elements down to specific versions of various manufacturers' equipment. Users of this service already have realized the benefit of outsourcing this time-consuming task.

USinternetworking is an ASP that has a variety of operating systems and large numbers of applications and devices in its network. eSecurityOnline.com "provides us with alerts regarding vulnerabilities that pertain speci fically to our network," said Ron Freedman, vice president of information assurance for USinternetworking. "They take the huge number of vulnerabilities that are identified every day and whittle it down to those that would have an impact on USinternetworking."

In addition to identifying vulnerabilities, eSecurityOnline.com tests them, assigns risk levels and recommends ways to fix them. The service scans more than 300 security and underground Web sites, has a database of more than 2000 vulnerabilities and covers more than 40 operating systems.

"We have just about one of every type of equipment that is made, and being able to use tools that [eSecurityOnline.com] has is like a one-stop shop for all my vulnerabilities and threats," said John Giubileo, director of information security for Sprint.

Keeping a step ahead of the hackers has created a challenge for all service providers, one that must be met through internal staffing or outsourcing. Sprint and USinternetworking chose outsourcing. "I don't have to staff my organization to go out and watch for vulnerabilities all the time," Giubileo said. "It allows me to focus on my real charter, which is protecting the network."

USinternetworking already had a dedicated staff and saw the same benefit. "Prior to subscribing to this service, I had people in my organization who, on a daily basis, had to go out to all the various sites, track down the vulnerabilities, weed out the ones that pertained to the USinternetworking environment, then go find the patches, do the research and only then could we implement a fix," Freedman said. Using the online vulnerability service, his company now focuses on implementing the fix as opposed to doing the research.

Both service providers receive some security alerts from their primary equipment vendors but say that is not enough. "Our vendors contact us quickly, but it's better to have the one-stop shop where I get all my information flowing from one direction into one place," Giubileo said.