IT Management - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  IT Management


How to Evaluate Products Based on Appropriate Usage



 By: Christian Stankevitz, CTO NSS Labs
2008-01-15
Article Rating:starstarstarstarstar / 7


There are 0 user comments on this IT Management story.


Rate This Article:
Poor Best
Information security products have evolved rapidly over the last decade. However, according to NSS Labs CTO Christian Stankevitz, the science of evaluating products has virtually stood still during that same time period, creating a knowledge gap that has made it difficult for information security buyers to determine whether or not a product meets specific security and/or compliance needs. By applying a Use Case-based methodology, information security professionals can more clearly identify detailed protection requirements for a given environment.

Use Cases in Product Testing

Use Cases are a concept from software and system engineering that is employed to capture the functional requirements of a system. Software developers identify Use Cases to set the parameters for how a product will behave under various conditions. This method of understanding and defining requirements is an effective method for transforming a need into formal logic (lines of code), and lines of code that then become a functional product.

Applying Use Case-based methodology for testing products based upon appropriate usage provides a clear picture of which technologies are effective against a particular type of attack. Thus, products can be evaluated by comparing their capabilities against specific deployment scenarios and protection requirements.

Measuring products based upon appropriate usage has a number of benefits:

Resource Library:
  • Accurately identify protection capabilities of a specific product.
  • Ensure product protection capabilities match the security requirements for certain types of environments.
  • Provide guidance on technology buying that more accurately matches customer needs with product capabilities.
  • Recommend product usage based upon rational testing methodologies and empirical data.
  • Avoid over or under spending for solutions.

Use Cases in Product Evaluation

For information security products, Use Cases identify what content should be allowed to pass and the types of attacks a given product is designed to protect against. When evaluating such solutions, Use Cases should take into consideration:

  • Functional protection requirements. What implications are there for security coverage for each class of assets? What threats should the solution detect?
  • What compensating controls or existing solutions are already deployed?
  • Specific compliance requirements. Example: Are there specific compliance mandates that apply, such as PCI DSS?
  • Performance: how much traffic must be handled?
  • Administration and reporting: What specific information will be needed/required in logs and reports? Who is allowed access to specific types of data?
  • Once the requirements are understood, comparing Use Case testing results enables quick identification of products that meet functional and performance objectives.

Environmental Usage

With Use Case testing, several environmental factors should be considered when evaluating products:

  • Datacenter Focus on server protection for complex internal applications. In testing such offerings, uptime is mission critical in these production networks and high availability/failover is required. False positives are also unacceptable, and products are often maintained by experienced professionals who custom-tailor policies to prevent false positives.
  • Network Perimeter Focus on client and server protection from internet-based attacks, includes simple DMZs with web, mail, DNS. When evaluating these products, HA/failover is preferable, but always not required. False positive rates are important, but not critical.
  • Retail Storefront Focus on client protection. Uptime is important when testing these offerings, but not mission critical 24x7x365. Network devices need to provide backup network access (via dial-up, ISDN, DSL line) and high availability for operations such as larger retail stores. False positives rates are less important.
  • E-Commerce Site Focus on server protection for complex DMZs that include application servers & database servers that require protection from sophisticated Internet based attacks. E-Commerce sites are tested as "production networks," therefore low false positive rates are required as false positives mean lost business.

The Future of Use Cases in Security

A number of trends are driving increased adoption of Use Cases; including software development best practices, network and systems design, and even compliance auditing against standards like the PCI DSS.

Stakeholders in the information security product marketplace, such as product managers, IT and compliance professionals, product evaluators, and auditors, can all benefit from speaking the same language. Use Cases offer an effective vehicle for unifying the discourse of product needs and capabilities.

As buyers in the marketplace continue to identify new and evolving requirements (whether for compliance or security), the thoughtful application of Use Case methodology will not only make their jobs easier, but provide clearer guidance for product vendors seeking to communicate the benefits of their offerings.

About the author: Christian Stankevitz is the CTO of NSS Labs, the globally recognized leader in independent security performance testing and certification. He can be reached at cstankevitz@nsslabs.com.





  Reader Comments: How to Evaluate Products Based on Appropriate Usage
>>> Be the FIRST to comment on this article!
 

 
 
>>> More IT Management Articles          >>> More By Christian Stankevitz, CTO NSS Labs
 


x}v6EW-Ȗִmy,u{:gR$$1HIξ>VMZәm'mKX( Bw?H9sur&56%3E]"I͝{#(p(IFA)v@{iFuۚ8A&q@~sfwD%x_@jG D.Rk2 Z575'47'x2)X$8kzZC'AjZ$l(P8 w(ZB; ?*B4m$oqT}:XQ=2rН3ݟXBTuK41QDO(г;/PQ~DXVٮq4]"X'[vRB(#bF]߂CCHͤNޤ@d`jĤI2-XD2K*-a;ӑkux55\ap)zXY6n@w(\'p}j bArxư#4ie$DJH n>,uQj%?IH8CEnU [۾twy@f2Z2'l"R ?q7`JaCzJ&5\_-׉E>7 ˁ,ft0eʆ}sʾVWR\W╻]`[©;ht??S)y{zY !􏂺lݹڎжk%m{|NsvN59 ]:N7Rߘ 0QR&jt8K3Q Ԙ:a5 u P%op~y)ڡVR]F[V@aF`%pfQUe9gsKbй;d9>=vN}1fPk5M~"3h ؕgxk4X:O݋vONzW=>sو&lXaV|YkU[_{_CMnXCEC0ʾ~Ff;|io]~<:$ץcYn3`םBm۲ܹ(BZKEןȃ+a(7fhX@?$eR2z[&q* 1@/)4V4XliJuV!`FC 0sn6 @kiFkPYTak6R\ 9jb)6B̄H )'7Rަ,-|y"brݠHPs>Χ+foF"> ef"ȅQ.%M> g|8JKu=bapY<^uڤٻyoǫ$uw#вnZDIqM}sQU1W*P\?,Ëʾb(7ZdL,5,{Ltp6 0hv?3Ϩig89yt$ࠣM/C˥yj1@ L^0i| V8;t#uӹ=W45(h`GI l"]LR}l8d$n)s>sLn-`VwMGHb1L{TM`@# ,zC @l߽5#~[-[Y6x O͹A ]x9-WRC/0t[@>H@Bt"AђF )4 g #X"K"'GA7gw$]Vi+RaD4T*nOu$wV*2ڹLX)gQY,p[/)͙J2d0U Q򍜘=b`&Qea*0pRx5Vn.ZU٦ByQY$*O\YWU!}j3s6ˁ)tC_F8,? Gxljt0τ{8wc˰`xҚhyFu!SLar if`@&=2齅l&GYLiPLAuߝ1h jd7`Wv:edң%?h*JOC_jVzq}vMAV?Ry |;pG9#rUϚX 5<9.&B#57cSʚLqUUIYiJ U3լ LyK (.ESwFl㜜;F]s;tOk{_f]ZЬ{QE/:A']օVP+=o@x# X{K/,è+A*K_ji lùbX6X>}iȜ^ftTRo?mM!v3tpȞZcS+%UVLG,m+ȣ[)ZPr X;7l ʸfJY Yr>:u>]ȃ`w!ۮ|pf:s?'نdp$DhS+}ne@IuU[13R%<T2.Q\&V,'`##NW酥k?t'[B`VA`Ng43aJ[6 ~XGM{R^ /0ktg gjE)jB4'P/#[յ /S+wڶ{Ot]QGXZ1B-g @?QQ>5 \!EX+̂L׃RUad[s5/ +?wdNp+\qW["LJ}ܑe Nl*I qۻ(Se&;Ql˘ʓ@/-𞆌c)gpIl_Às!a*/W+ )Z;Oz^*k 9ɡUUR;,Z 8;z%^AAqQet5MQ:9tc~y09Mř1FtYkJo?Cu >pɥK-ޫp)cZ$ c?`׊._{kOWrB ['ɂXw hO7`sc'(k=z&:pJTnЬ 0ԴgKZ/V:lv'< hr͵m7;"c'ۭ̍oe?F85)VRQXu VI^A3FyˡYF s_6f^u,σ2wnɕG: aI0@{EY*..?JuTjjEIz,`wE]kc`WPF4`W&{\x&\_sK(bo(Q^~ TmZx*+iQ/ dw! $&if qg5iv<nvg=Fkni:a{F*ݔY`'\%T/IjYt>80xnD N WqIT2N=ymO5Oumf`<$ɝ?5p_P7|*i7IղAk JZ8~G+a#rn&3 {G ɲ\' ׫UVگp.g$ ,$DBs9ǣ۷BlpH75 SXp| ޠkPHXXD`⨵J3)aǰ^Tk㘘= XkueajsE16ԆkH~Zg^pZ t(Е﮻)ilw1NZݳxDŽst'_Awq@Dyit~_KKxi{T J>}hK? F&;fB,&8oI ӸWsQ=-#v{^F:'(BZ@F޹s޺z߽_xzW!9^t4 AR`&!Mu}qU4)$Yu~|hq\3nmƛ&%L_=0<;fW쐶Cڝ+,SVXKs!Ӹj,49Eψa6nlC/a֭ Bf-.3bB!bNgCj?$Y^:gÍ7G jEާpZIS"9oթ-8iCly0;ƶ{wa!d)bvҩ($-0m1결tC%<1ON)gtJē$=)jښIմg"8I5F4A2 uID? Mt4DPW Pق/[5=۴8^]=uyt2kEIe85(AuMH>ڢG-&GXuT䵴f[YUHO~OJ>lj9l0`&(9-rq]4_toXGQ$.sntwÝԎ+^@(NEVp2k7x/_Y.t0믁 !_zǜGoIM21B? Pݘ~zNh53 \cQ Suvp7߁؉H*Ero5 W8J-sB]O}0]vYfNA ̯> H-Э>y{ho&|)s'A֚uha`Jofm6EL07)_۝,v7*ApMG-3ӸO:6;x5tl0̰@ b@Vf7g\#9S><#P` ƔI ic$H)Z4 M _56 Z;a6 *|ZbZyba $\}5 ߈;6bE#Ɠt-c򽱢rp:ip*9;_PE?\=3q Fȗqi+Bn (f&O^#;߇0o -L,ʌ #&LM9C^+l,>s -8HBٳƆ2`@ ^6_wjJmeX~˙HfB#6\:K{b=w;IsVN.% F<5t/qԵH9&9ɹ>`D%:AllR@It!#J"=0 Dva+vW/6ߠ.Uߦ0tf[閃f~L=`aJd{t$Hīn;.kJժZQk u,6$9a0 %t=G _^*A6zsr*M90)# }1.t0FJ|k@UcE I" ձSIa'pƺtJBDZ9%RFɻ)*ɦ'G"TXT?Fy eO@g~8Hߒ6UΎ.x%{M"Ey:MO~5y<MzAERgտ.YٟXBVXURb姪ԑ0,3%Cn9hM֔zUlBa2h"Яnz2U~ٴ͍>A=oY㬮caA ݹڦ d!А1C^JZ}#N !v5n,algS-ȞL_ݒS8eQpyxn(_G͉͉͉͉ĭ*5|'n_—5qkǫ2p]݉+ IV>x{QP,gf<[w y@/cD'LK:Jz{qljNe%/ICߐմb5YcVVWT%}9gxD=L ̚^77!'^:|,K*D܈'}~G[-@j Ef4?0Te DC$0$ȃ5B~zxyC{1m*hh--䥠gijd3N>Iz(/@拁ڐO+_H7Eotw3XMعGX+*2s:H"$b-0S| 7%*;4yf% t`2]q=GxIh{ x Ti> 9S'xm} YtNu0}2G e qH_@:mvs VHm+&ھ +vL~@U^%U~b(~uDP AopG{|ʗv.붭ǫ`GTY4Z|G>#֏:@$B$ MV}o_ 3$"<(ͧ~Xr1"&]sCr'~į!k}ksM hn&@ EW$BS []d~@xx6u߂M\8–8OxyB5_ȗcfKA#RӍh] *Bf}ŵC}! "AlHq_͌BHdz4{*H)^ $s84t4ί# P/Jn/DY D ;+4w6e|9i'Rsܷj6>ogkX*Z3$.(D ]p\Rtş Y{{I-NCn]D@9obZëbZAd6LksOoz{$TZ)a y;BSk~YԈmCl(I#ۀچձևyxQ_|Ȫhƞ}:soRy,徯XZu)z{ !(g ƗkEI3Ʊ)+{i45T1,,dnK>6HyL-Nxtowwv]gs 2ֵ7nɏ'~ׂmxi/^xȧjܒ`<2Fc˶뿓$}qcn9^,C$&Hm(Ŕ!̈L7bF=2\NƀT"I8O:'-xQ)./; $.$xv;"^(W#BמSN|l:oûjj}ܷ.d$/z)V@#.kjcIA4#z.!@]o7,G?PM}яwĈ>58E-=6;A#샒=%xeg ,q},Dw$QQ?:-ĻWAXz- UŌU9DNE07vEa7`8(ĒI .@FpxIg(hb3, Y.Kc.;ZMWWK.`܋%,-c 2^8O&wXSj9椷 O=#TH`|HU% & <ZGZk>A51ڣsr3#mz^C GJk&t];xVy {k+mLt^8Ow| e޼vod"(ͪNTpdͪ81t[tlQNab,1rWo"nKN#%ZK`miXx:>H'ªFwifӠzVv_ )5^V3QFlYJ#gsnM"OBO .ړ{z^Nz:(-^a̷𥳐fgAC؈ GW1q_85$x^+jB_7"|tfs':QFth'&vUZtRtjT}>#4I cĞ뛫uك +K,w0̊ۼUd[hlowAQgg)9 @ȩ莥rmt G KOHG*_[GJzVOz6و۳jM\Q=@%=0]LaL_ňVSR>dDk9m44.<8d %)rUewޠ~z*ޟOe~f#nZ]}{FGȚZGst(bJ wsݲY&Jį?o;ɀ }Nrt'7%eZS[ٓr8G Pm¼DR )4}o ,ӴiLLRO׆g\I\ؐ!,E|E|0XV$ʽOg->-RWldb"@՘^N_ٹt> ?gs? >zxX2b9k `FCߑ?s@G]GљF9asH ]\W\Af.!FZ xtT$l.43.V!G\oX|J7o8fkHג s؇*|c4:.ʾR HE>p4.pgj9UtK/M+2&Bs879?_}&i[ք ၰ 5"  B<)ۈ) ӣcs_/N[6ք:݋0O%cZ|G"1^#&3)- 9F_A R*( *@`g*o#cn Q&@Ԕ͍$u~1Hh8u\0C(-ŌCZS*ѓȤ+t!dW` cUR (_? (z;ͪGb8~/)UH+^@0Q3:%@0>6#&Twn`9˳wEZ!Gۻ G5¶V |G ^qIsyսmf>|i5v9sCsyNρ?s>ʯʁsڿi:s$CPʑ%.N pr+QT/ޯ<$|sYU~vïUX^йZ*4*Я#Uw2~62A^u CFW\=o /dt^k8&ֲnwp_l(Σ_xi +ɤ\= xEB+gٔ@#X{#u'NW6#\]Mb}+r>VĘq22#s"qǾJ5BfaO@Njt0 %Y#/]#=D)r/e.o opf@ @9z_\pm`n,0 4OW=M͚\ڎwڝGf{ueePsvdmoCdxqٝzÀ}G]xZ@&n\ef(/@FAwȎj'܌3X^A7\]ΆЙ%†>ga#f^*gB8D#w_a%a/xI=c"wEm鄅~54]M4pGm`'ߙ?|#纗Nr .LE+zq՞;N8,U`Y\_TE?}&lyjmbӿ+ H|XU$'뽷 ^B3s{̪{ydaw./] }a \gYO&EF00_nf-+n'1=}l%),56f\32 o/ }J)1-$dᣍA;=4FsЯ"9ݜS*aѡ(YHw9ӈqef{{^d0/4=Y^~m@-PZp1d`6Nώ;[9{+Qݎ;3!HO^!Nm:r&9!cBrg'4WBMxYU7ԹM&+~Д2/XSVT#cE ^2PzSA۽$}מ k _}L]PxUE0H;CfJq=GcБ_45ﵰtZзkdY9Hz&zU x$.7=j"1DwΆbOMozc{[/EI)H[QT6vo V8<}"Hv!$KVTp|"$7ΌLU"zʴw{DqKNޒۍƾ8 ;>>=ub<#U:.~i/\*IxҍHIh/>~ElC`A0^̑k0yNmv8)tvwb;9˖ȝ[QYɶy S7O(#oݒ珸6x}°҂nV̂[OulÝg8C dCͽi{;X9-S/p,ZftGG6CF|'JPo!zQ;`Kg}v0u=ĦrR4kepwR K?93/9~sg_(LWv:yDt-] E hymӕ/y9" B#VJrX}P?) ]'[Sܟ?Ba҇fFo_X ( LIN8u vAѪ N7"aaNo0n,$9@ Rs;=V*)vfe6r.*l XGڦZ-Qa[An`Pm+A4'X3'5cb@8f{9rW=wEYf#9uVedg)d̅2 !IZxyU~ҥN.I,'_aQd+$*)ؐW m5G0X1+ (NRLf7`N*)Asa#El [ApV7.]28LgK1E~2㡺_ V~\ʩku ^cdKX$_֬-LE")0ON= !_5>g~C{%9:n0>~0/rX>e5räη`=`Z^}.<,(`F,$v"VTHkMΡmlqR!fƲ"7cP!Xd]-noB@w:S .xBDZ,ɋ|P cyx ^ŧ$NSbSFt&W.rs+R Sq||>,݉S,w1NZݳ<|;Xit0y'c*FRqOR|?(>3u㆗?}hKQEe遢%!ڝ,!ջl݋xOο`(m\}l4{n&_1!?[e6TRA$ᑭ7}@ƦI:1q0WFs(1{l~ )#Us̥D/4^JC\qrx6 }Tar?,qgM.2a-d-