It Takes a System to Solve Long-Lasting Problems

Coffee: Ease of automation and informative reports maintain commitment to IT security process.

Coming to market today after months of early-adopter testing, Preventsys 1.0 is a network auditing system whose specifications seem like an echo of eWEEK Labs security process recommendations during the past several years.

I hope to be talking soon with some of the companys customers, but I found early drafts of the companys forthcoming technical documents impressive enough that I wanted to tell you about their product now--with more to follow, I hope, when eWEEK can get some hands-on time with the technology and some from-the-trenches feedback from those who are using it.

Rather than cataloging the past, Preventsys is (as its name suggests) prevention-oriented, using formal manipulation of security policy statements to create a framework for scanning and reporting of network vulnerabilities. Common frameworks and mechanisms, like those promoted by the Common Vulnerabilities and Exposures effort, create a rich ecosystem of data, tools and services from which an enterprise can choose; open-source software resources include an impressive number of highly respected security tools. The Preventsys AudIT Server accommodates this diversity, with an open architecture that can incorporate any number of specialized scanning facilities into its Scan Harness interface.

The upper layers of the system then tie the results together and compare them against security policy statements, initially stated in English but formally represented in XSL. Like HTML, XSL has become more associated with rendering of Web pages than with more abstract applications that enable new uses for data. Its important to realize that XSL is a transformation language, not just a parametric rendering tool.

Id like to hear more from Preventsys about its interoperation with systems based on the emerging XACML, but Im hopeful that both of these approaches will turn out to contain the facilities they need to get along with each other.

Rather than relying on generic security policies, regardless of their representation, Preventsys provides a mechanism for enterprise sites to tailor a policy library to their needs--and to apply those customizations, automatically, to updated versions of that library as they become available through a subscription mechanism.

Rather than requiring up-front trust, Preventsys offers a PolicyLab environment for assembly, testing and validation of policies before theyre put into effect. Unlike binders full of cellulose sheets with ornamental symbols--you know, "policy manuals"?--the security rules at a Preventsys site are executable statements. The testing facilities of the PolicyLab give ambiguity no place to hide.

Preventsys addresses the concerns of front-office managers as well as easing the burden of the overworked engineers behind the scenes. The product puts out management-level reports that detail real-world numbers such as assets at risk, frequency of violations, and time to repair discovered problems, with trend reports and summaries of highest-priority tasks. Managers, who want to know that things are under control, will find these reassuring; corporate counsels, who want to know that they can document the companys due diligence in protecting customer data and meeting other rising expectations, may finally be able to sleep at night.

On the technical side, if you make a list of the fundamental flaws in IT security as its popularly practiced, youll have a list of the flaws that Preventsys appears to avoid. Too many security tools do a brilliant job of fighting last years war, or even yesterdays war, while new attacks continue to emerge on ever more rapid time scales: Preventsys attempts to be ready in advance of changing threats, while giving IT staff the management-level analysis thats needed to maintain commitment to the security process.

The Preventsys approach reminds me of presentations that I attended at several consecutive conferences on artificial intelligence research and applications in the mid-1980s. In the first few years, we heard more than once about the impressive paybacks from Digital Equipment Corp.s XCON, an expert system that aided proper configuration and shipping of the many different components of a VAX minicomputer installation. At the 1987 conference, however, the focus shifted to the system--if anything, somewhat more complex--that the company had been forced to build to keep up with the task of keeping XCONs knowledge up to date.

My point is that its easy to do something once, or even to do it for a while, but that its much harder to establish a process that does that same thing reliably for weeks or months or years at a time. Technical people get bored; financial people get skeptical; and energy, money and other resources wind up being diverted to the next big problem.

People have stayed pretty well focused on IT security for some time now, but we need to use that opportunity to develop and deploy systems with staying power and low recurring costs. Preventsys looks like one possible answer: I invite your comments on others.

Tell me if the novelty of IT security efforts is wearing off in your organization.