Where Do You Put Your Security Dollars?

Opinion: Security solutions seem to be growing at a faster rate than the problems. How do you tell what approach to take?

In a recent panel discussion I was on it was suggested that spending on the conventional threat mitigation aspects of security was headed for a leveling off, and that the real growth was in compliance issues.

This may very well be true. I dont know as much as I should about compliance issues, but when I read about them Im dumbstruck at the burdens and exposures for business. But even so, it looks like the industry hasnt given up on selling the old-fashioned security products, and theyre busy coming up with new types of them all the time.

If we were talking about crackpot ideas it would be easy to dismiss them, but some of them are actually useful things that I cant help but recommend. Here are a few examples: Tops on the list for me is network access control from Cisco or the very cool appliance from Lockdown Networks, which puts qualifications on what is allowed to connect to the network.

And by the way, I hope that those users logging in through your NAC are using an enterprise single-sign-on system, like the one from Imprivata that puts it all in a single, easy-to-manage appliance. By fragmenting the authentication task you greatly increase the risk of exposure as well as your own support burden.

Have you implemented vulnerability/patch management yet on your network? If not you probably have a horrible mess of vulnerable systems, many of which are exposed at one level or another to attackers. Combined with a console like eEyes REM 3.0 you can finally get a sense of what the problems are on your own network.

But of course, someone could still walk in the front door with malware in their pocket on an iPod or USB keychain, How are you going to stop them from using it on your systems, or from using the device to capture confidential data that you might otherwise catch going out the network? Youve got two approaches, and you really need to take both of them. First, you need to implement end-point security on all your PCs and other devices from a company like Safend or Centennial Software. And, of course, for when unknown malware finally does slip through outside defenses to your PC, you need a system like Pandas TruPrevent or ISS Proventia Desktop that blocks unknown threats by monitoring for suspicious behaviors.

If youre a company of any size you probably have a VPN for remote access, but it shouldnt stop there: Your wireless access should also run through a VPN, as many companies like Symantec offer, and it may not make sense for you to use the same tunneling scheme. And if youre using VOIP you should probably run that over a VPN too, as Avayas VPNremote system does. After all, what are you going to do when someone who has sniffed and logged a lot of your company phone traffic offers to sell it back to you?

I love how cheap and easy it is for outsiders like me to demand that you drop all your work and start committing large budgets to these things, and yet theres a great argument for all of them. And I havent even gotten into content filtering, spyware protection, physical access and a long list of others. How can you sleep at night knowing youre exposed due to your dereliction in not implementing these systems?

Just imagine if you were actually to implement all these products that you cant, of course, do without. Thered be no money left for lunch, let alone the actual applications to do work with. And all of them create some new administrative burden for which you probably dont have bandwidth.

I dont have the answer here. Prioritization just has to be a personal matter between you, your companys needs and your budget. But even if you dont plan on leveling off your security spending, youre going to be left behind in something. You just cant win.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

More from Larry Seltzer