A trip to the frontline of the security war sounds dramatic, but this one turns out to be nothing of the kind. It starts behind the small glass door of an anonymous business centre based off Edinburgh’s shopping parade, Princes Street, the home of managed security company dns.
The Scottish company’s HQ houses around 45 people at any one time, in a remarkably quiet and tidy open-plan office full of people staring seriously at flat-screens. There is almost no noise, little fuss, barely anybody moving or even talking. This is an office that appears to be emptied of the usual water cooler socialising, phone slamming, and health and safety cable worry.
In the corner of the office is another door, beyond which lies the company’s main security operations centre, and a four-person team that works shifts to keep a 24/7 eye on the hardware of its 60 or so business clients around the globe. Even this would-be nerve centre contains little to mark it out, save two large flat-screens on the wall which, every now and then, flicker as they clock mysterious statistics.
Nothing is happening on the network today and that makes today a good day.
Spend any length of time in this room and the idea that security is a battleground at all becomes fanciful. It is more like a sort of digital Groundhog Day. In this world business security is comfortingly dull, for the most part uneventful, but incredibly important. One of the team at dns compares it to having home insurance and that seems about right. The chances are that even senior staff at the organisations protected by dns will never notice that their network security is run through a third-party out-sourcer until something goes wrong, which is as unlikely as it is rare, the dns techies quickly point out.
The company was founded in 1999, an interesting year for startups, but not particularly famous as the birth moment of many security companies. Founders Graeme Cox (managing director) and James Macintyre (chairman), émigrés from one of the UK’s largest energy utilities, Scottish Power, started out selling security consultancy, before moving in the direction of managed and professional services as the business expanded.
At first, the company logo – a cartoon image of three knights in a defensive circle – seems cutely apt not only on the level of business metaphor but of location too. Peer out the dns HQ window, and the outline of Edinburgh’s massive part-medieval fortress looms on its black volcanic rock, dominating the southern skyline. Closer study reveals a more complex business than the drawbridges-drawn stereotype of managed services. More and more of the revenue now comes from intangible security services such as risk, compliance and policy assessment, the unexciting but necessary grey territory in which many organisations nowadays fear getting themselves irretrievably lost.
What keeps the average dns customer worrying at night when the network lights are on but nobody is home? Is it hacking incursion, terrifying distributed-denial-of-service attacks, zero-day exploits, or the fearsome Trojans we are constantly reminded can fly into an unsuspecting network like flocks of angry bats? In fact, it’s something far worse than any of that called ISO 27001 or, almost as bad, ISO 17799, security compliance standards whose simple figures nowadays hover over companies like a numerological curse.
The average public sector or private customer of dns has long ago secured their network – or so they think. What they now have to spend money doing is proving it. That is complex, and having an out-source partner makes the “proof” bit easier to take on.
The exciting client
Life sciences and energy research consultancy Wood Mackenzie is one client touted to talk about its experiences and, like dns, is headquartered in Edinburgh. Spun out of Deutsche Bank in a management buyout four years ago, the company has since grown rapidly from 160 staff to today’s 470. The company’s problem in building its network was a very simple one – it didn’t have one.
“We started pretty much with a blank sheet of paper,” says Wood Mackenzie’s infrastructure manager David Bathgate, describing the company’s inheritance from its investment banking days. The small in-house team needed to find a way of accommodating rapid growth in headcount, with an equally difficult spike in the number of satellite offices – the company’s business outposts stretch across just about every continent.
Talk to Bathgate and it’s clear that managing security, email, and desktop and LAN infrastructure in-house would have slowed the company’s expansion down, and could even have made it so unwieldy as to be impossible in its current range. “We are a small team and it [outsourcing] has helped in reducing the number of 3am phone calls I receive,” he says. “It helps in prioritisation.”
Not having to fuss over complex issues of wide-area security management frees the team to focus on provisioning and managing the almost-as-troublesome desktop networking issues. “Three or four years ago we could have had a stab at it. Now we’d have trouble,” he says of the notion his team could provide global 24/7 management of remote office VPNs, firewalls and other security systems.
Security out-sourcing hasn’t so much helped Wood Mackenzie as it has made its global, information-driven business model viable. And the terror of compliance? Surprisingly, and perhaps unexpectedly, it appears to be a secondary issue for this outfit. The primary motive for using dns remains getting secure global connectivity round the clock for a workforce in flux. Next to public-sector compliance and auditing – which accounts for most of dns’s client base – this is definitely at the excitement end of the scale.
The alert glut
Back at the dns operations centre, all is peaceful, but there is still plenty of hard work to be done. Of the 400 or so devices under management (dns puts a 1U “black box” of tricks on to every customer’s network as a management gateway), there are an estimated 62 million intrusion alerts to be sifted through in an average year, a wall of data the company first strips back to its core 12.2 million real alerts, before further boiling down to 12,900 “real” events that need human intervention. Around 1,000 are sent back to the customer’s admins to be looked into more carefully.
“Our competition aren’t as good at this bit,” says operations manager Iain Pryde, of the process of whittling alerts down from 12,900 to the 1,000 that count. Another and growing concern that’s not easy to quantify is ID theft, which has fed into the company’s recent launch of a managed authentication service.
There are fewer pairs of eyes monitoring company networks these days, out-sourced or not. Technology has reduced their numbers, but they are still there and will be for some time to come because technology can’t do it all. These guys sit in front of screens like the ones at dns, waiting for the rare moments of digital combat that do occasionally emerge from the boredom of screen life. Perhaps the difference between now and years gone by is the acceptance that no matter how rare damaging events are – they were never common in fact – they have a new potential to inflict unprecedented pain.
Networks are riddled with ports these days, and IT has joined everything together through a jumble of software interfaces. Networks have become global entities, spaghetti-like topologies that often oppress as much as they enable and inspire. And the most dangerous element of any network is still the average user, which companies such as dns can’t see directly, and can’t therefore monitor and control.
Impressive though the screen world is, it’s a long way from the chaos that can be wrought on the ordered world of security by human impulsiveness on the inside of an average LAN. That is one security issue that can’t yet be handed over to someone else.