Mercury Can Check on That Protection You’re Paying For

After more than a year of monitoring the load balance of its customers’
server networks, Mercury Interactive, one of the largest providers of
enterprise testing and performance management solutions, plans to extend
into an area that very few companies have ventured into: security testing.

On Tuesday, the Sunnyvale, Calif.-based company will introduce what it
terms the industry’s first hosted security testing service called
SecureCheck — an offshoot service of its successful ActiveTest, which is
the ASP version of its load-testing tool LoadRunner. The service, which not
only scans but also simulates denial of service (DoS) attacks, will be
available on July 16 for $25,000 for up to four IP addresses.

The product initiative is the latest attempt by Mercury to counter views
that internal growth is slowing. Since the company announced its plans to
acquire closely-held Freshwater Software for $147 million in cash, there has
been increasing concern that Mercury’s stellar double-digit earnings growth
would end. The company two weeks ago unveiled three new products to its
performance management suite of services known as Topaz.

“We believe that the new products that [the company] is offering should
dispel some of that speculation,” according to Thomas Berquist, analyst at
Goldman Sachs.

For many network administrators and IT managers, the introduction of
SecureCheck comes just in the nick of time. Already, a top CIA official has
admitted that hackers can develop techniques and new tools faster than even
the authorities can keep up with. Compounding the problem is the arrival of
Microsoft’s new Windows XP platform, which is due out this fall. Many
security experts have expressed concern that the new OS gives remote users
easier access to a network’s CPU or connections through truncated protocols
and IP spoofing — that is, the ability to send abridged HyperText Transfer
Protocol (HTTP) requests that essentially will expose the system to assault.

What makes SecureCheck unique is the hosted service gives Mercury (and
the paying client) the ability to monitor its network exactly as a hacker
would approach it. From a Silicon Valley-based command center, SecureCheck
will scan starting from the Intrusion Detection System (IDS) outside the
firewall to the Web server and database within the firewall. Apparently,
after 18 months of monitoring the traffic load of a client’s network,
Mercury’s engineers learned a thing or two the security systems at each
level of the network.

“About 35 percent of all bottlenecks occur outside the firewall,” said
David Gehringer, senior product manager at Mercury Interactive. “The reasons
for the failures can range from bandwidth to faulty routers and switches or
to poor network configuration. “When you want to test a security system, you
have to test every aspect.”

Among some of the other interesting points that Mercury learned by
monitoring its clients are:

  • Security and CPU usage are inversely related — that is, the greater a
    system’s performance, the weaker the security
  • Unstable applications (and downtime) can compromise security

  • Security performance depends on the load — that is, the heavier the
    load, the weaker the security

  • High loads can sometimes mask an attack

Many a time, customers inadvertently assume that default settings of the
firewall are suitable for their environment, Gehringer said. In addition,
customers often lack the resources and manpower to adequately defend their
networks. “We find it’s a very hard process for one person to manage,” he
told InternetNews.com

Once the scan has been performed whether on the software like the Web
server or hardware like routers, SecureCheck (with the help of its vendor
partner, Qualys) can check to see if patches are up-to-date and in place.
Should the client encounter a serious security breach, Mercury also works
with Guardent, ASTA Networks and Akamai Technologies as well as management
consultants like Ernst & Young or Deloitte Consulting.

So does this mean that systems can now be completely hackproof?

Well…of course not. For example, last week’s discovery of a
vulnerability in Microsoft’s Internet Information Services (IIS) Web server software still
could not be averted. However the severity of its impact can be greatly offset.

“It’s hard to predict unknown security breaches,” Gehringer conceded.

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web