In-Depth

Case Study: Outsourcing Network Management and Security

How one company found an outsourcer able to manage its network equipment and offer cogent security advice

• By Mathew Schwartz
• 09/22/2004

Staff up or outsource? For many organizations, these are the two options when it comes to dramatically improving their information security posture. That’s especially true at large, global companies, which require larger, round-the-clock security staffs and coverage at multiple locations, or the equivalent in an outsourcer.

At Los Angeles-based AECOM (Architecture, Engineering, Consulting, Operations, and Maintenance) Services Group, the answer was easy, since Michael Bradvica, its director of network planning and IT, was the company’s one-person networking team, and the company mandate was to keep it that way. AECOM, one of the world’s leading design and engineering firms, caters to government and large corporate customers, and has 17,000 employees and multiple subsidiaries worldwide.

The problem was finding an ISP or outsourcer able to manage network equipment AECOM owned, yet also able offer cogent information security advice.

Today over 100 worldwide AECOM locations’ network operations—WANs and LANs—are managed by NetSolve, a remote IT infrastructure company based in Austin, Texas. More sites are also being switched over. “We’ll have every site in the States managed by NetSolve, and we’re making a good go at the rest of the world,” says Bradvica. The connectivity push is on because “we’re beginning a large ERP installation of a single instance.” After almost two years of implementation work, the project is scheduled to go live soon.

Of course, AECOM didn’t just tap NetSolve to handle networking and security for 100 sites, plus WAN security at five points. In 1998, it went shopping for a network provider. “We were deploying a U.S.-only accounting system,” notes Bradvica. The previous LAN had been asynchronous—over modems—and wouldn’t suffice for uptime and reliability. “Our networking team was basically one person—me—and we had 20 sites. How were we going to detect it was down? You’d have to drop everything to fix it.” To get higher reliability, the company investigated outside help.

There were three requirements for a network outsourcer: excellent security, maintaining AECOM’s networking or security staff levels, and getting ongoing, coherent security advice. Prior to using NetSolve, AECOM “was in denial … about the Internet being a business function,” says Bradvica, and chose an ISP to manage Internet connectivity and firewalls that turned out to be “horrible.” So when AECOM began evaluating new companies, “we were looking for someone who was an extension of our IT department, to help us learn as well.”

The firm selected NetSolve, which began managing 20 WAN locations for AECOM in 1998. Besides meeting AECOM’s initial requirements, Bradvica says the firm is also easy to work with. He contrasts that with some other network management vendors he’s worked with, including AT&T, Cable & Wireless, plus an Australian ISP, and a British Cisco gold partner. NetSolve, he says, is “unlike any carrier I’ve seen.” For example, “there’s no carrier that will allow you to access your own routers” like it does.

Bradvica says NetSolve also gives him timely security advice. “If you want to do something stupid, they’ll say, okay, here are the risks … At least they’ll tell you it’s not a prudent thing to do.” By contrast, he says, such former ISPs as Cable & Wireless and PSINet would just make any network change he requested.

According to NetSolve’s chief security officer, Chuck Adams, a 10-year veteran of the U.S. Air Force Information Warfare Center, the firm “can do as much or as little as they want.” That goes from perimeter management services to maintaining asset control of the environment.

NetSolve’s security methodology, he says, is “risk equals threat times exposure.” The firm categorizes all threats on a scale of 1 to 10, scans to discern customers’ exposure, then triages accordingly. For example, say the next SQL Slammer appears and it’s deemed a severe threat; exposed customers are alerted. “We’ll say we see this threat … [and] for those of you who have given us administrative control, we’ve already applied [a patch]. For others … we recommend you do it now.” NetSolve will also lock down network endpoints to prevent the threat from spreading.

Keeping networks secure is “just another IT network management challenge,” notes Adams. “Many companies adopt a pure patch-management strategy, and that’s their only line of defense. You can almost concede they’ll be compromised by some sort of sexy attack.” He recommends a balance between time spent on preventive work, as well as response and monitoring techniques. That’s why NetSolve also maintains extensive monitoring logs, looking for historical trends, and performs preventive maintenance on customers’ networks, frequently checking systems to ensure they have such things as “proper access level controls [and] security access controls.”

Beyond securing many of AECOM’s WANs and LANs, NetSolve also helps with more mundane chores. By accessing NetSolve’s portal, for example, Bradvica can view all relevant network component licensing, maintenance, and circuit information, and also make changes. “When I’m bringing up new sites, as I’m doing now, the biggest pain is gathering the information, since I’m not actually doing the [onsite] work,” says Bradvica. The portal gives him such information—otherwise difficult to obtain—as device serial numbers and specific phone numbers at sites.

For the future, Bradvica hopes NetSolve will keep expanding its threat mitigation capabilities by “getting data from more points in the network and correlating [even more] what’s going on.” For example, he wants to keep better tabs on what remote sites are doing, so when there’s a traffic spike, if it’s because of a worm infestation, it can be contained more quickly.

Then, of course, he hopes NetSolve will “get it to a point where cost-wise,” AECOM can implement it. “Cost-wise, I think they’re very reasonable. But the problem in our company is, anything that costs money, they all scream. But if we can get the cost … of intrusion detection to where we can deploy it in more places, and get it to where we can have even more levels of automated response to events,” he’d jump at the chance, he says.

Related Articles:

Case Study: Law Firm Isolates Potential Threats
http://www.esj.com/security/article.asp?EditorialsID=1119

Yankee Group Says Security Outsourcing Set to Explode
www.esj.com/news/article.asp?EditorialsID=1112