Security Service Interruptions
If you have read my previous blog entry concerning the demise of High Tower Software, you probably detected some degree of sadness and remorse in my tone. The main reason is that, all things considered, High Tower had a very good product. I honestly do not believe that any competitor's product performed event correlation as well as High Tower's product did. What also saddens me is the fact that so many customers who relied on High Tower's product for threat detection and remediation, as well as for proof of compliance, are now, to various degrees, out of luck.
This brings up a bigger issue: what happens to customers, and to their security posture, when their security service provider ceases operations. Unbeknownst to the customer, risk can skyrocket. The collapse of the intrusion detection monitoring service provider Pilot Technologies in the mid-1990s is an excellent example. Many Pilot customers suddenly found themselves with no intrusion detection monitoring operations whatsoever; getting new operations in place often took weeks, if not months. Former High Tower customers are another good example. Many had extensive monitoring operations built on the output of the High Tower tool. The tool is still usable, but because no one is maintaining it, its shelf life is diminishing: it will receive no security patches of its own, and its event parsers and correlation rules will fall behind as the log sources and attacks it was built to understand change. At some point, former customers will have to decide whether to buy another Security Information and Event Management (SIEM) product or to move in a completely different direction, perhaps by trying an alternative such as intrusion prevention technology. Whatever these customers decide, the transition will invariably elevate their risk while the old monitoring is wound down and the new monitoring is tuned and trusted.
A few High Tower customers overcame their nervousness about High Tower not being a major vendor and bought the product anyway, but on the condition that, should High Tower fail, they would receive a copy of the source code, an arrangement commonly known as source code escrow. These organizations did well in anticipating the worst-case scenario. However, even if these organizations obtain a copy of the source code, I seriously wonder whether they will be able to turn having this code to their own advantage. Having to perform code maintenance by turning software engineers loose on code they have never worked with before can, after all, be a daunting task. An escrow clause is also only as good as the deposit behind it: unless the customer periodically confirms that the escrowed code corresponds to the version actually deployed and can be built with the documented toolchain, the release may deliver little more than an outdated archive.
All stories aside, there are some important lessons to be learned here. Anyone who purchases software or services that mitigate security risk must recognize, and deal appropriately with, the new level of risk that the sudden non-availability of those products or services due to the collapse of the vendor would introduce into their information security practices. Tracking changes in the risk picture is in and of itself a gargantuan task, so massive that it is easy to overlook, and thus fail to deal with, the additional risk that results from a security vendor going out of business. Additionally, the business continuity function must plan for this scenario and be ready to act accordingly. Nobody likes it when a vendor that an organization depends on goes out of business, but being adequately prepared to deal with such a situation can at least help reduce the risk to an acceptable level.