News

May 29, 2000


Human Element Is Key To Stopping Hackers

continued...page 2 of 3

illo by Richard Borge
    Some tools and services, such as IBM Global Services', focus only on intrusions at the network level, rather than inside the operating system. But the trend is toward a hybrid network- and host-based solution, such as ISS's ePatrol service. That way, potential problems such as known holes in operating systems as well as internal corporate security threats are covered by the intrusion tools. "A combination of network- and host-based intrusion detection is critical," says George Kurtz, CEO of Foundstone Inc., a security consulting firm. "If you just do one or the other, you're missing half of the events."

    The main differences between managing your own intrusion detection and hiring an outsourcing company are manpower and expertise. When intrusion detection is handled in-house, the alarms can be overwhelming. "When an alarm sounds, no one knows what to do with it," says Bruce Schneier, founder of Counterpane Internet Security Inc., an intrusion-detection company that operates similarly to the home-security system model.

    Schneier says the advantage of a service provider acting as a security guard is that it can analyze all the traffic that gets logged on the intrusion-detection devices, something many enterprise IT departments just don't have the time or resources to do. "The servers, routers, and firewalls log millions of lines of audit logs a day; among all of this are the footprints of an attack," he says. "We're the ones who look through those audit logs and figure out if an event is real."

    For startups such as iApex Inc. (an application service provider in Alamo, Calif., that handles transactions for online buyers and sellers), the answer is outsourcing everything, including the network, Web servers, and security technology. The ASP uses Pilot Network Services' VPN service, which comes with intrusion detection built in. "We don't have an infrastructure; Pilot hosts it," says Arun Shrestha, CEO and founder of iApex. "We didn't want to do security on our own. Our strength isn't in keeping up with hacker techniques," he adds.

    The company pays Pilot about $2,000 per month for the VPN service, in addition to a per-server charge. Building a secured network would have cost the company more than $1 million, says Shrestha.

    Still, many businesses that run intrusion-detection tools typically do a combination of in-house and outsourced security. Take the Depository Trust Co. in New York, which uses IBM Global Services to handle intrusion detection at the entry points of its network, and Axent's NetProwler detection tools for watching the inside of the network.

    "The risk is high enough, so why not have a second pair of eyes?" says Stash Jarocki, chief information security officer at Depository Trust. The financial-services firm also subscribes to Global Integrity's Web integrity service, which helps ensure that its site isn't defaced by a graffiti-happy hacker.

    IBM Global Services uses a different intrusion-detection tool, Cisco's NetRanger, but the different data formats between NetRanger and NetProwler are a nonissue since IBM sends final reports to Depository Trust. And Jarocki says Depository Trust built its own SQL database for correlating data gathered by Axent's Enterprise Security Monitor, NetProwler, and other packages.

    Jarocki says he may bring more of the intrusion work in-house, although he hasn't ruled out outsourcing. Another outsourcing arrangement may depend on whether the potential provider lets him pick his own intrusion-detection tool, rather than being forced to go with a vendor solution. "I still want to be able to pick my own intrusion-detection product," Jarocki says. "I don't want to just use the one they provide."

    But staffing can be a problem for businesses that want to keep intrusion detection in-house. The IT labor shortage has been especially painful in the security market. "There's a shortage of experts in intrusion detection, and they don't want to work 24-by-7. That's one of the things that drove me to outsourcing intrusion detection," says Kurt Ziegler, chairman and CEO of eBSure, an ASP that does performance monitoring for Web sites. The company uses RIPTech's eSentry service for running its firewalls and intrusion-detection system.

    continued...page 3