Vigilar’s Press Releases - July 3, 2007

CHAT WITH EWEEK'S MIKE VIZARD ON SECURITY-AS-A-SERVICE
Vigilar's CEO James Fox and Joel Hart sat down with eWeek's Mike Vizard to discuss Security-At-A-Service. The following is the official transcript of that chat.

Joel Hart: Good morning.

James Fox: Hello Mike

Mike Vizard: Hello, Welcome to Ziff-Davis IT-Link. Why don't you introduce yourself and tell us a little about Vigilar?

James Fox: Sure, I am Jim Fox the CEO of Vigilar. With me is Joel Hart the Chief Architect behind ATLAS what we are here to talk about. Vigilar is a focused IT security company that has been around since 2001. We are focused on delivering consulting and services tot he enterprise around core IT security solutions.

Mike Vizard: We hear a lot of talk about security as a service these days? Is this going to become the dominant model going forward?

James Fox: We are seeing this and it is where our 250+ enterprise customers are going. Also all of the spend analysis from the research firms shows that this is a major trend. We took this path ourselves about 12 months ago.

Mike Vizard: Doesn't the customer lose the benefit of local touch in this model as the types of attacks become more complex to deal with?

James Fox: Based on the feedback from our customers.

Joel Hart: We believe that Security-As-A-Service will become a predominant model for business that need their people to be more agile towards business goals, but still need to complete the mundane tasks that are required on a day to day basis.

James Fox: That is a great point. Pure MSS will always have this flaw.

Joel Hart: I think that the customers still maintain a lot of control in this model. We are doing the things they don't want to have to do. They still have control, but get the help in doing the things that are tedious and time consuming.

Mike Vizard: So what we're really talking about is a need for some types of blended model using remote service and local touch. Is that right?

Joel Hart: With MSS, a lot of engineer types feel like someone is trying to replace them and they don't get to do any of the "fun" stuff and gain the experience. With ATLAS Security-as-a-service, we do what they need to do, but don't want to. We feel that it is a great compromise. That is absolutely correct, Mike.

James Fox: Yes what our customers asked us to do was develop a platform that allows them to maintain control but unloads the compliance, maintenance and other time consuming tasks from their plate.

Mike Vizard: How does approach differ from what say Symantec, IBM or McAfee are trying to do?

Joel Hart: Those vendors sell lots of software aimed towards the compliance market, but it doesn't actually help you get there. Software alone does not make you compliant. We try to provide deliverables rather than software that gives you what you need. This is what you can supply to the auditors when they ask for proof.

Mike Vizard: Can you explain how that works exactly?

Joel Hart: With pure software, there is no accountability to the vendor. With the ATLAS offering, we are "on the hook" for the deliverables. This ensures that this gets done. Let me give you an overview of how it works: ATLAS is comprised of several different modules. I'll use the Log Monitoring Module as an example.

James Fox : Joel will give you a rundown of one of the ATLAS modules, Logging as an example.

Joel Hart: With the service, we provide a on-premises box that acts as a log collector and then encrypts and compresses the data to send back to the ATLAS analytics module. From there, the data is correlated and massaged into useful information. This data is then presented in automated reports as well as being available in near real time views from the web based interface. We also have people behind the software that actually look for abnormalities and alert on inconsistencies that need further attention.

Mike Vizard : So you generate all the necessary reports and audit trails for the customer, thereby automating the tedious tasks associated with the compliance process?

Joel Hart : This information is able to be used when auditors come around. Let's take PCI for instance. For compliance, PCI dictates that logs must be stored for a period of a year for all devices that handle card holder information.

James Fox : Yes we put real people behind the service and MAKE you compliant.

Joel Hart : That is correct. We enable compliance for them rather than giving them another box to maintain in their network.

James Fox : This differs from another tool or applicance that one must maintain and use... That creates more work not less for the NOC or SOC.

Mike Vizard: How do you help people cope with a world where the broad based attacks are pretty well defended against, but the attacks aimed at specific sites or even users are becoming more targeted, complex and lethal?

James Fox: Our customer advisory board was adamant that we not simply give them "another box!"

Joel Hart: ATLAS has modules for Asset & License Management, Technical Support Concierge Services, Log Management, Authentication Management, and Systems Maintenance. According to Gartner, 95% of the production issues are caused by misconfigured systems and patches that are released but have not been applied in a timely manner. We aim to fix that. Contrary to popular belief, the biggest threat is not the zero day exploits.

James Fox: There will always be the risk of the Day Zero attack... but if you look at the major exploits in the press, it is lack buttoned up and patched systems that are the root cause.

Mike Vizard: Do you help people by providing some kind of on going audit of their security defense?

Joel Hart: Our team of top notch security engineers work behind the scenes of ATLAS to make ATLAS function as a real expert system, not just another piece of software that you have to manage day in and day out.

James Fox: Yes we do.

Joel Hart: The ATLAS service provides a real time look at system patch levels, firewall audit trails (via logging), and trouble tickets that are created for each of the different platforms in the environment.

Mike Vizard: How much do these services cost versus trying to roll your own security strategy?

Joel Hart: Combined, those things help give real visibility to devices that are having recurring problems, the real (not perceived) status of patching, and what our perimeter defenses are really doing to thwart attacks.

James Fox: Our service costs less than half of what it would cost to purchase the technologies and manage them in-house.

Joel Hart: We wanted to make our service a no brainer from a cost standpoint.

Mike Vizard: How do customers create and execute security policies on top of a remote service?

Joel Hart: Their security policies are still enacted at their premises. I assumed you meant firewall policies rather than overall policies

Mike Vizard: Either one. Security policies and IT policies are becoming joined at the hip.

Joel Hart: In this case, they still manage their firewalls. We keep the firewalls up to the latest patch levels, but their engineers still maintain the rules, which enables them to react faster than if they were using a pure MSS player.

James Fox: We have been helping our customers for years to create both levels of policies. We then ensure that the configurations, etc support those policies.

Mike Vizard: What if somebody or something changes a configuration? Does this generate an alert?

James Fox: You will find that in most companies, they do not have one single place to view and maintain the policies or score them against their security posture. We give them that capability in ATLAS.

Mike Vizard: When do you think we will have that one place to view policies?

Joel Hart: Our professional services staff helps create organizational security policies as well as additional things like incident response plans, BCP, and DRP items that help them maintain their overall policies.

Joel Hart: Right now, we allow them to consolidate their configuration changes, but we will be offering the change configuration notification in an upcoming version.

Mike Vizard: Cool, thanks for the chat! I have to go now. Best of Luck!

James Fox: Thanks for your time.

Joel Hart: Thanks for your time. It was great chatting with you.

About Vigilar
Since its inception in 2000, Vigilar, a leading provider of information security solutions and services, has focused solely on improving its customers’ security postures. Vigilar’s security expertise is all-encompassing and includes regulatory compliance services, risk assessments, IT security audits, managed security services, security architecture design, product selection and delivery, implementation services, technical support, and IT and security training. Vigilar partners with the industry’s most innovative information security technology providers to offer fully integrated solutions that meet risk management, network infrastructure, and compliance needs. Vigilar has offices throughout Georgia, Texas, Tennessee, North and South Carolina and Florida. For more information, visit www.vigilar.com.