Counterpane Internet Security, the San Jose, Calif.-based provider of managed security monitoring services, is progressing in its efforts to offer 24x7 security monitoring for customers from its Secure Operations Centers (SOCs) staffed by expert security analysts, says Carolyn Turbyfill, director of software for Counterpane.

Counterpane's customers rely on the company to monitor events at the network boundary, and on application servers and network devices distributed through the corporate network. The company's Managed Security Monitoring (MSM) service monitors all network devices, from firewalls and intrusion detection systems (IDS), to routers and servers. It collects information that can be used to detect security penetration and respond.

Counterpane was founded in 1999 by entrepreneur Tom Rowley and security technologist and author Bruce Schneier. The company is funded by a number of venture capitalists, including Accel Partners.

Recent customer wins include Conxion Corp., an Internet infrastructure services provider, and Keynote Systems Inc., which has services around Web site performance measurement.

Counterpane's partners include Exodus Communications Inc., the Internet hosting and managed service provider, which in May entered a reseller agreement with the company. The Exodus offering combines MSM with the Exodus Incident Response Service to mitigate the risks created by expanding networks.

The rationale for the managed security monitoring is the difficulty of interpreting information from security systems. "IDSs give out a lot of false positives," says Turbyfill, who worked at several startups and at Sun Microsystems for eight years before joining Counterpane in June of 2000. "You want to know if you need to respond. You are attacked all the time. What's important is to know when you need to respond."

In Counterpane's system, its Sentry offering collects information from client networks and presents it in a form that analysts can understand quickly. Next, the network information is matched with a diagnosis or a series of diagnoses, employing the Socrates system. The Socrates information and diagnosis are matched with client-specific information about types of network events. Finally, Sentry and Socrates are updated with new information about attacks, vulnerabilities, and products, in a network intelligence function. The company is constantly monitoring information about potential attacks, including information from the hacker community.

Counterpane operates two SOCs, one in Chantilly, Va., and another in Mountain View, Calif. They are physically hardened facilities under constant audio, video, and clickstream surveillance in order to provide an unambiguous audit trail if necessary.

An overall trend is that the expertise an attacker needs to launch an attack is going down, while the sophistication of attacks is on the rise. "Now any script kiddie who finds an automated attack can wreak havoc," says Turbyfill, who while at Sun was on the development team for SunScreen SPF-100, a firewall that won awards in 1996. "Firewalls were not built for detection," she says. "They can pass and drop packets quite frequently."

Counterpane can perform security assessments for companies for a fee of approximately $75,000. The company charges by the month for its monitoring services; a typical fee is $10,000 per month, but varies based on the number of devices monitored.