RealTime IT News

Mercury Can Check on That Protection You're Paying For

After more than a year of monitoring the load balance of its customers' server networks, Mercury Interactive, one of the largest providers of enterprise testing and performance management solutions, plans to extend into an area that very few companies have ventured into: security testing.

On Tuesday, the Sunnyvale, Calif.-based company will introduce what it terms the industry's first hosted security testing service called SecureCheck -- an offshoot service of its successful ActiveTest, which is the ASP version of its load-testing tool LoadRunner. The service, which not only scans but also simulates denial of service (DoS) attacks, will be available on July 16 for $25,000 for up to four IP addresses.

The product initiative is the latest attempt by Mercury to counter views that internal growth is slowing. Since the company announced its plans to acquire closely-held Freshwater Software for $147 million in cash, there has been increasing concern that Mercury's stellar double-digit earnings growth would end. The company two weeks ago unveiled three new products to its performance management suite of services known as Topaz.

"We believe that the new products that [the company] is offering should dispel some of that speculation," according to Thomas Berquist, analyst at Goldman Sachs.

For many network administrators and IT managers, the introduction of SecureCheck comes just in the nick of time. Already, a top CIA official has admitted that hackers can develop techniques and new tools faster than even the authorities can keep up with. Compounding the problem is the arrival of Microsoft's new Windows XP platform, which is due out this fall. Many security experts have expressed concern that the new OS gives remote users easier access to a network's CPU or connections through truncated protocols and IP spoofing -- that is, the ability to send abridged HyperText Transfer Protocol (HTTP) requests that essentially will expose the system to assault.

What makes SecureCheck unique is the hosted service gives Mercury (and the paying client) the ability to monitor its network exactly as a hacker would approach it. From a Silicon Valley-based command center, SecureCheck will scan starting from the Intrusion Detection System (IDS) outside the firewall to the Web server and database within the firewall. Apparently, after 18 months of monitoring the traffic load of a client's network, Mercury's engineers learned a thing or two the security systems at each level of the network.

"About 35 percent of all bottlenecks occur outside the firewall," said David Gehringer, senior product manager at Mercury Interactive. "The reasons for the failures can range from bandwidth to faulty routers and switches or to poor network configuration. "When you want to test a security system, you have to test every aspect."

Among some of the other interesting points that Mercury learned by monitoring its clients are:

  • Security and CPU usage are inversely related -- that is, the greater a system's performance, the weaker the security
  • Unstable applications (and downtime) can compromise security
  • Security performance depends on the load -- that is, the heavier the load, the weaker the security
  • High loads can sometimes mask an attack

Many a time, customers inadvertently assume that default settings of the firewall are suitable for their environment, Gehringer said. In addition, customers often lack the resources and manpower to adequately defend their networks. "We find it's a very hard process for one person to manage," he told InternetNews.com

Once the scan has been performed whether on the software like the Web server or hardware like routers, SecureCheck (with the help of its vendor partner, Qualys) can check to see if patches are up-to-date and in place. Should the client encounter a serious security breach, Mercury also works with Guardent, ASTA Networks and Akamai Technologies as well as management consultants like Ernst & Young or Deloitte Consulting.

So does this mean that systems can now be completely hackproof?

Well...of course not. For example, last week's discovery of a vulnerability in Microsoft's Internet Information Services (IIS) Web server software still could not be averted. However the severity of its impact can be greatly offset.

"It's hard to predict unknown security breaches," Gehringer conceded.