As most companies that have recently experienced a security breach will tell you, the Internet is a double-edged sword. It’s enabled businesses to penetrate new markets, support customers around the world and around the clock, and collaborate with colleagues across locations and time zones. It’s also left companies vulnerable to attack from any connection to the Net. With lightning speed, hackers can launch worms and viruses and other malicious activity that can devastate hundreds of thousands of ports almost instantaneously.

So when it comes to network security, even sophisticated financial services giants like Merrill Lynch realize that they can’t do it alone. In May 2003, Merrill Lynch decided to augment its advanced security infrastructure with help from VeriSign, Inc. Though a relative newcomer to managed security devices, the Mountain View, CA, company offers the distinct advantage of being at the nerve center of the Internet. VeriSign already secures the majority of e-commerce transactions and communications for domains ending in .com, .net, and .gov. It also has developed powerful event correlation tools for its team of expert security engineers.

A good view of the Internet
“VeriSign has an unusual window on Internet activity,” explained David Berkowitz, senior manager of corporate communications for VeriSign. “As the registry for three major domain names, we route more than eight billion inquiries a day for people calling up Web pages. We also run two major network operating centers for the Internet, as well as protect Web transactions with our digital certificate technology.”

What does all this mean to Merrill Lynch? “VeriSign gives Merrill Lynch the ability to extend its eyes and ears into events that are occurring beyond their own network,” said Emily Mossburg, product manager for security services at VeriSign. “Since we have a broad customer base and such an extensive Internet infrastructure, we’re able to provide them with trending information and data about events that are happening across the Internet on a wider global base.”

According to David Bauer, Merrill Lynch’s chief information security and privacy officer, working with VeriSign will help his company do a better job of understanding how serious a threat really is. “If we’re seeing some sort of intrusion activity,” said Bauer, “we need to know if it’s happening just to us or to other people. We can’t get that [kind of insight] on our own.”

SQL slammer example
“Because they’re [VeriSign] monitoring scores of networks,” Bauer continued, “we can get analysis of events going on with us in context of what’s going on in the rest of the world. That allows us to make better decisions. It also gives us early warning.”

Mossburg cited a past episode with the SQL slammer in which VeriSign’s early detection capabilities were critical in alerting customers to a potential threat. “Based on the traffic patterns we were seeing across our customers and across the Internet, we were able to warn our customers prior to the attack occurring on their network that there was this worm spreading across the Internet and what they could do to protect themselves,” said Mossburg.

In the case of the SQL slammer, customers were told to block any traffic coming from a particular port on the Internet. “The first thing we do in the case of any worm or any malicious activity that’s penetrating the network is to isolate the kind of traffic that it is and block that traffic at the firewall,” said Mossburg. “The next thing we do is create custom signatures and updates for our customers’ intrusion detection engines.”

Fast response times
Mossburg said that with round-the-clock monitoring of Internet activity, it typically takes VeriSign security engineers less than 15 minutes to identify potentially malicious events, isolate the traffic, determine its source and destination, and find out whether it actually penetrated the customer’s network or if indeed the destination was vulnerable to attack. “Within a 10- or 15-minute period, we’re on the phone to the customer giving them a recommendation on what we believe they should do to protect themselves from this attack,” explained Mossburg. “Or, if they have been breached, we let them know what their next step should be.”

Growth for this market
As companies continue to contemplate their vulnerability to security breaches, analysts predict a rampant growth in security services spending. In the May 1, 2003, issue of ComputerWire Magazine, market research firm International Data Corporation (IDC) projected that worldwide spending on information security services will grow 20.9 percent annually to $23.5 billion by 2007. Gartner Dataquest, another research firm, estimated that in Western Europe alone, the IT security services market will be a $5.2 billion business by 2006.

However, more companies are beginning to acknowledge that they can no longer afford to rely solely on their own internal talents. According to Allan Carey, an analyst at IDC, the market for outsourcing security management services should grow to $2 billion by 2007. The relationship between Merrill Lynch and VeriSign illustrates this growing trend to delegate key security responsibilities to outsiders.

By the fall of this year, VeriSign will be overseeing more than 300 devices that Merrill Lynch has installed around the world to monitor intrusions on its computer networks. Handing over the responsibility of watching the network for signs of attack and checking out every system alarm will free Merrill Lynch to devote more of its energies to its core business. “We can focus on the brain work, the bigger risk-management picture,” said David Bauer. “And that’s where you want to be instead of chewing up resources on the operations side.”

A security partnership
While VeriSign is taking on a lot of the day-to-day administration, Merrill Lynch will continue to play a vital and active role in its own security management. Leveraging what VeriSign can see across the Internet, Merrill Lynch will be able to enhance its own internal security intelligence. “It’s really a partnership between the two groups,” said Mossburg. “Sharing information back and forth will help us ensure that Merrill Lynch’s security remains on the leading edge.”