The Lippis Report

Insight number 1: Network Security Can Save Your Corporation Money. Network security is generally viewed as inflationary and in many cases it is just that. But taking control of internal users can result in extraordinary financial gains. CompUSA´s Ken Monroe, Director of IT Communications and Support Services, and Pat Hykkonen, Director of Network Security, both made this point dramatically at the Oct 16th Integrated Networks Security webinar, www.en2004.com. In essence Ken and Pat worked with Blue Coat Systems, www.bluecoat.com to audit and understand traffic flows and security problems on the CompUSA network. What they found was that employees were downloading music, videos, etc. via Peer-to-Peer (P2P) applications such as Kazaa, which was consuming some 30% of their $5M/year wide area bandwidth in addition to clogging computer storage and spewing viruses and worms into the corporate network, not to mention wasting productivity. By installing Blue Coat System´s ProxySG secure proxy appliance which controls user communications over the Web they were able to stop P2P traffic and project a savings of some $20M a year with a $120K annual spend. If we take this analysis and add the following polling information from the webinar we find that chief network architects and planners are starting to focus on internal security where they can not only close their largest vulnerabilities but provide hard economic savings as well.”

Insight number 2: The Small to Medium Enterprise or SME can not build their own network security defenses. The fact is that the speed of security outbreaks and propagation of viruses greatly outpaces the ability of most enterprises to react and contain them. According to Andrew Greenawalt, founder and CTO of Cybergnostic Internetworking www.cybergnostic.net, SQLslammer propagated throughout the globe in just 9.5 minutes. Perhaps large IT staffs can react to a propagating virus on this time scale, but the SME is totally unable to respond until well after the virus has done its damage. This is a factor of the limited security budget, as well as limited expertise and proactive initiatives currently in place within the SME market. In fact, many companies
receive funding for network security well after an outbreak and apply that money to fixing an outdated security problem. In essence, many if not all SME´s find themselves totally unable to respond to new security threats, and thus are always fighting a losing battle as their vulnerability gap grows faster than they can close it. This inability to respond to security incidents results in a vulnerability gap leaving enterprise IT managers constantly running behind security issues, instead of enabling them to establish a solid defensible position. The larger the vulnerability gap the larger the SME is open to lost productivity, increased IT costs and liability issues. Cybernostic is a Managed Security Service Provider or MSSP offering hosting, networking and security
solutions for mid-sized firms. Cybernostic has built its MSSP service with Crossbeam´s integrated security
switches www.crossbeamsystems.com.

Insight number 3: The www.Ready.Gov web site of the US Department of Homeland Security is the most secure site in the nation. Brad B. McCormick of Ruder Finn hired International Network Systems (INS) www.ins.com to build the www.ready.gov site. Anyone who has performed contractual work for the federal government knows that the time scale is nearly always unreasonable and the budget low. The www.ready.gov project was no different. INS was given six weeks to design, implement and test the architecture for one of the most important public safety sites in the nation. Security was obviously a top-level concern for Ruder Finn and INS, as a public defacement of the site would make national and international news. We all know how it ended –
INS delivered and the www.ready.gov site experienced 54 million hits and 3.4 million visits in the first two hours! The bottom line, it´s one of the most secure and visited sites on the Internet. Given the nature of the project, many of the security specifics can´t be discussed, but you can get a better understanding of the project at www.en2004.com.

Insight number 4: Concern over Soft Core, But Spending on Hard Shell. Nearly 54% of webinar attendees said their enterprise network budgets will stay the same in ´04 but on a high note 31% say their budgets would increase between 1 to more than 10%. Network security will get its fair share of that budget spend. But most network managers are planning to spend more on fortifying the hard shell made up of transmission and perimeter network security, rather than the soft inner core of their network which they said is the most vulnerable. So why doesn´t the spending align with the biggest vulnerability? This is simply a matter of budgets
reflecting past experiences. The simple fact is that internal security is high on the list of upcoming projects and the budget cycle is playing catch up.