Securing your enterprise IT infrastructure can be a complex task. If your computing environment is like most, it is heterogeneous and contains a number of security products from many vendors. You may have diverse intrusion-detection systems, VPNs, firewalls, antivirus software and modems allowing remote users to dial into your network, along with offices in different geographic locations. Potential problems with this scenario arent hard to find. Without a holistic view of the current security structure, how do you go about managing security? Security tools may work well on their own, but how do they work together to protect your network, and how do you monitor their performance?
With todays organizations becoming more global, connected and dynamic in nature, the idea and practice of information security has never been more complex.
Consider the following challenges IT faces in protecting the corporate networking environment:
- Each week, 60 new software vulnerabilities and 100 new viruses are identified.
- Customers and stakeholders continue to demand greater levels of services via online systems.
- Organizations face significant time, budgetary, and personnel constraints.
Traditionally, organizations have relied on a point-product approach to address these issues. However, this has led to a new and seemingly impossible challenge: how to effectively and efficiently manage and mitigate the complexities of this security environment.
Enforcing security policies and regulations
Enterprises need to establish security policies, standards and procedures to enforce information security in a structured way. Conducting a risk assessment will help you to identify and manage the vulnerabilities in your environment. From there, you will be able to develop a proper policy framework and standards and begin constructing a set of policies tailored for your enterprise.
ISO 17799 is one of many government- and industry-based regulations and standards that enterprises are incorporating into their security policies. Your enterprise may also be subject to industry-specific security regulations such as HIPAA and GLBA. These outside policies need to be enforced, in addition to your own in-house policies. Establishing a security policy is one thing—effectively managing and enforcing them is quite another. Keeping access controls, authentication and authorization measures up-to-date on all levels of your network is critical for a security policy to be effective. Any gaps in this information can increase your exposure to threats. Companies may have information security policies in place to protect critical assets and sensitive data, but they rarely have the means effectively to monitor compliance in accordance with that policy.
Continued on Next Page
Great security software, but
tough to manage”>
Great security software, but tough to manage
It can be difficult to get real-time information concerning what is happening across your enterprise network. If you have deployed various security devices on your network, you know it takes time to sort through the data coming in carrying thousands or even millions of events—and finding the most important incidents in time to take action is a challenge. Whats more, you need to have qualified employees who possess the expertise to interpret the data, regardless of whether they are performing a trend analysis or simply deciphering the important from the non-important series of events.
It is a common problem: you have installed separate security components, and each comes equipped with their own management console. But time is of the essence: You know that security incidents wont wait for your team to discover them. Without a single view of events occurring in the network, security threats such as attempts to crack into your corporate server or a blended threat crossing into your network could happen right under your nose.
Controlling blended threats
In 2001, we were introduced to blended threats, including Code Red and Nimda, and since then weve witnessed the impact of others like Bugbear, Klez and Slammer. What differentiates these sophisticated threats from other Internet worms is that they use multiple methods to attack or propagate. If nothing else, these threats have taught us that a “one threat, one cure” approach is outdated. Defending your enterprise from blended threats requires protection on all parts of the network, and an ability to respond on the gateway, server, and client levels. Typically, blended threats exploit known vulnerabilities such as buffer overflows, HTTP input validation vulnerabilities, known default passwords and so on, all of which can be mitigated with existing operating system and application security patches. How do you ensure that all of your systems are up-to-date with the latest security patches?
Getting the most out of your security staff
Managing enterprise security today is a difficult process, delivered through a combination of disparate commercial products from different vendors that lack integration and interoperability. The result is a high degree of complexity and increased operational costs. Your administrators may be spending a lot of time focusing on redundant tasks that are required to manage the complex security infrastructure of your network. In this economic climate, there is increased pressure to do more with less from both a financial and resources viewpoint. Think of the possibilities—if you could free up your staff to focus on higher value activities, it would mean improved and more proactive security for your enterprise.
A disciplined approach
Given the above challenges, the complexities of todays security challenges require a holistic approach within the following four security disciplines:
Alert. Alert systems must be implemented to provide early warnings of threats—before operations can be infected.
Protect. Protection requires the integration and deployment of security solutions at every tier of the network.
Respond. A response infrastructure should be in place immediately to address threats that materialize.
Manage. A management system will enable corporations to see their security posture and ensure the effectiveness of their investments.
Continued on Next Page
Early Warning Alerts
Early warning alerts
Symantecs Internet Security Threat Report—an analysis of more than 30 terabytes of attack data gathered in real time from the worlds most extensive network of intrusion detections systems (IDSs) and firewalls—found the average-size enterprise is being attacked 32 times per week, up from 25 times per week last year and a 28 percent increase from the previous six months. Annualized, this represents 64 percent growth rate in attacks on organizations. While it is clear that security threats are on the rise, consider the complex revelation of the following analysis of one of Symantecs mid-size customers:
Nine-point-five million log entries and alerts were generated each month by the firewalls and intrusion detection devices across the customers enterprise. After correlating the data from various sources, 620 security events were identified for further investigation. After removing false positives, 55 events were determined to constitute security threats to the enterprise. Further analysis showed that just two threats posed a risk critical enough to require immediate action.
The fraction of legitimate critical security risks to events is miniscule—two out of millions—but imagine the time, resources and expertise necessary to arrive at such a determination.
To eliminate the complexities of such a task, organizations require an alerting system that provides early warnings about threats that exist in the computing environment, along with possible tools to prevent those threats from impacting the network. In order for security threat information to be accurate and credible, early warning systems should literally include thousands of global touch-points backed by sound statistical analysis and methodologies. Alerts should be delivered quickly through a variety of media, and mitigation steps such as patches and countermeasures must be provided immediately.
Integrated security protection
Business-critical information resides at each level of the network-gateway, server and client—and as security threats continue to increase, each of these tiers is a viable target for the entrance of malicious code and exploitation of vulnerabilities.
In the past, organizations have addressed this issue through a collection of point-products, each working independently. Because each product must be purchased, installed, deployed, managed and updated separately, this approach has proven to be an inefficient use of IT staff and a costly remedy to the complexities of security.
In contrast, integrated security solutions eliminate these inefficiencies at each tier of the network by combining key technologies-antivirus, firewall, VPN, intrusion detection, content filtering and vulnerability assessment-to offer more comprehensive protection while reducing the complexity and cost of securing enterprises.
Continued on Next Page
Ask any IT administrator what his mission is and it is highly likely the answer will come back, “To ensure business and service continuity.” It is critical that organizations utilize a rapid-response infrastructure that leverages both technology and expertise to address new and emerging threats. It is not enough just to detect threats as they appear; definitions and signatures must also be made available quickly and easily, and mission-critical security products also need to be supported 24 X 7.
Organizations also need to be aware of the breadth of their security providers response offerings. An ideal response infrastructure will broaden its offerings beyond product and support, to encompass other beneficial services like analysis, threat management and managed security services.
Early-warning systems, integrated security and expert response mechanisms are all parts of the complex security equation, but their synergy is most effective when tied together under an open, comprehensive and standards-based management system that spans all the network tiers and runs on multi-platforms.
Organizations must have a way to sift through the hundreds of simple security events that are generated every minute by their disparate security products, view them together to discover whether they represent a true incident, gauge the relative business impact of the incident and then take steps appropriately to allocate the resources necessary to address the problem. Further, they must follow each incident to closure in order to eliminate possible recurrence of the problem. And since closure often requires the application of patches or changes in security policy, the verification of these changes must be assured. Without such a system, the process of aggregating and normalizing security event data will remain inefficient and difficult.
Continued on Next Page
Making security manageable
An optimal security posture, and one that eliminates the complexities of security management, is one that takes into account each of these four security disciplines. Adherence to best practices within these four fronts will reduce the costs of enterprise protection and lower risks while enhancing security resource allocation and inefficiencies.
First of all, organizations need an early-alerting system. Because ideally, you want to be alerted before threats damage your business. Next and most fundamentally, you want to protect your business. You need a variety of security solutions at all tiers of the network.
Third, you need to respond when threats emerge. And here the key word is fast. Finally, you have to manage this far-flung and seemingly unmanageable security environment. Its not an easy task – thats the ultimate understatement – but its complexities can be lessened and mitigated by addressing each of these strategic components.
Craig Rode is a senior director of product management at Symantec, where he oversees the development of the companys vulnerability assessment and policy compliance products, as well as components of the Symantec Security Management System. He can be reached at [email protected].