Where Do You Put Your Security Dollars?

By Larry Seltzer  |  Posted 2005-12-13 Print this article Print

Opinion: Security solutions seem to be growing at a faster rate than the problems. How do you tell what approach to take?

In a recent panel discussion I was on it was suggested that spending on the conventional threat mitigation aspects of security was headed for a leveling off, and that the real growth was in compliance issues. This may very well be true. I dont know as much as I should about compliance issues, but when I read about them Im dumbstruck at the burdens and exposures for business. But even so, it looks like the industry hasnt given up on selling the old-fashioned security products, and theyre busy coming up with new types of them all the time.

If we were talking about crackpot ideas it would be easy to dismiss them, but some of them are actually useful things that I cant help but recommend. Here are a few examples: Tops on the list for me is network access control from Cisco or the very cool appliance from Lockdown Networks, which puts qualifications on what is allowed to connect to the network.

And by the way, I hope that those users logging in through your NAC are using an enterprise single-sign-on system, like the one from Imprivata that puts it all in a single, easy-to-manage appliance. By fragmenting the authentication task you greatly increase the risk of exposure as well as your own support burden.

Have you implemented vulnerability/patch management yet on your network? If not you probably have a horrible mess of vulnerable systems, many of which are exposed at one level or another to attackers. Combined with a console like eEyes REM 3.0 you can finally get a sense of what the problems are on your own network.

But of course, someone could still walk in the front door with malware in their pocket on an iPod or USB keychain, How are you going to stop them from using it on your systems, or from using the device to capture confidential data that you might otherwise catch going out the network? Youve got two approaches, and you really need to take both of them. First, you need to implement end-point security on all your PCs and other devices from a company like Safend or Centennial Software. And, of course, for when unknown malware finally does slip through outside defenses to your PC, you need a system like Pandas TruPrevent or ISS Proventia Desktop that blocks unknown threats by monitoring for suspicious behaviors.

If youre a company of any size you probably have a VPN for remote access, but it shouldnt stop there: Your wireless access should also run through a VPN, as many companies like Symantec offer, and it may not make sense for you to use the same tunneling scheme. And if youre using VOIP you should probably run that over a VPN too, as Avayas VPNremote system does. After all, what are you going to do when someone who has sniffed and logged a lot of your company phone traffic offers to sell it back to you?

I love how cheap and easy it is for outsiders like me to demand that you drop all your work and start committing large budgets to these things, and yet theres a great argument for all of them. And I havent even gotten into content filtering, spyware protection, physical access and a long list of others. How can you sleep at night knowing youre exposed due to your dereliction in not implementing these systems?

Just imagine if you were actually to implement all these products that you cant, of course, do without. Thered be no money left for lunch, let alone the actual applications to do work with. And all of them create some new administrative burden for which you probably dont have bandwidth.

I dont have the answer here. Prioritization just has to be a personal matter between you, your companys needs and your budget. But even if you dont plan on leveling off your security spending, youre going to be left behind in something. You just cant win.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog. More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel