Threat management: Organizing defense-in-depth strategies
Forget the good old days of Internet security when administrators had time to study vulnerabilities and threats, determine which parts of the enterprise were at risk and devise well-tested ways for handling attacks.
Today, there are many more threats to handle and increasingly less time in which to handle them. And zero-day threats loom on the horizon — attacks that target unannounced vulnerabilities before a patch is available. Such intrusions will make recent fast-moving attacks such as the Slammer, Blaster and Sasser worms look like crawlers.
With changing definitions of the enterprise — in which technologies such as virtual private networks, wireless communications and Web services extend the boundaries of corporate networks — it's clear that organizations need new ways of dealing with security threats.
Threat management is one approach that's catching the interest of many in the security field. Instead of meeting threats as they arise, threat management organizes defenses through an ongoing process.
Threat management tools include data-gathering technologies that are already widely deployed on networks, such as firewalls, vulnerability scanning and monitoring software, and intrusion-detection and protection devices. Newer tools, such as security information management (SIM) and security event management systems, help produce a holistic view of potential problems on the network.
The tools "support many of the tasks the security professional is already performing, allowing those professionals to execute their mission much more thoroughly and quickly, especially for a large network," said a spokesperson for the Defense Information Systems Agency, where officials have been studying the use of threat management.
A threat management system should also provide insight into the activities being seen by other individuals on the network, the DISA spokesperson added, which leads to a more comprehensive view of any given activity.
As with any developing area of expertise, threat management can have different meanings to different people. But several features are central to any threat management system:
n A threat management system should be able to receive activity data from many sources, including applications and various security devices.
n It should aggregate that data and correlate it with other information about
the network, such as assets and known vulnerabilities.
n It must provide security professionals with a comprehensive report of suspicious activity, as free as possible of false alarms.
Given the expansion of opportunities for attacks via the Web and e-mail, most organizations connected to the Internet need to monitor all activity, but most rarely do, said Peter Lindstrom, research director for industry consultant Spire Security LLC.
"The immediate value proposition [of deploying a threat management system] is that it provides monitoring of, and aggregation of data from, these kinds of heterogeneous environments," Lindstrom said.
Edward Schwartz, senior architect for security information management vendor netForensics Inc., said he thinks the term "threat management" is misleading to some degree because the real aim should be to manage vulnerabilities.
Threats will always be part of the communications landscape, he said, so threat management should be used to emphasize the need for complete situational awareness.
SIM is one of the most important components of a threat management system, in that case, he said, because it expands the universe of available resources for providing data about security-related activities.
As useful as that is for threat management, however, it's not the only requirement. Once you have a handle on the
potential threats to your environment, you need to do something about them. That, said Randall Davis, president and chief executive officer of Intellitactics Inc., also requires effective operational control.
Threat management platforms have to provide an assessment of the business workflow that would be affected by security threats and the remediation that would stunt those threats, he said.
The next wave
When ArcSight Inc. officials developed their first enterprise security management software products, the company's customers wanted the products to interact passively with the network, collecting information while not disrupting the network's operations.
That's all changed in the past few years as the speed with which worms and other security threats spread and affect networks has increased, said Larry Lunetta, ArcSight's vice president of marketing and business development.
Zero-day threats will only exacerbate this. They will be able to exploit vulnerabilities before anyone finds them or can develop threat signatures, the basis for most countermeasure technologies.
"Customers now want us to participate in the threat environment," Lunetta said. "When our systems detect policy violations, for example, they want them to interface with their firewalls and block the session."
That type of automated remediation will be the next wave in threat management and security, he said.
Old security technologies are evolving into new devices to meet the cost and performance demands for solutions.
The market for unified threat management appliances — systems that incorporate firewall, intrusion detection and prevention, and gateway antivirus programs — had a value of about $60 million at the end of June, according to market analyst IDC. Demand grew 60 percent in the second quarter.
Traditional appliance vendors such as Fortinet Inc., Symantec Corp. and Secure Computing Corp. are also leading the charge in this new space.
However, others believe the notion of point solutions is probably passé. "Point solutions often don't help that much anymore and may even detract because people think they have answered the [security] problem with this type of solution," said Mark McGovern, a senior analyst at In-Q-Tel Inc. "Instead, they should be putting in solutions that can tell them what is happening over time and that can report on that."
In-Q-Tel is a nonprofit company funded by the CIA to identify and invest in cutting-edge technologies.
SIM systems are a good example of that kind of functionality, he said, "and the good ones can give an overview of what's happening at different levels [in an enterprise] and where organizations can best spend their security dollars." l
Robinson is a freelance writer based in Portland, Ore. He can be reached at hullite@mindspring.com.
***
Implementing threat management
As agency officials look to deploy threat management solutions, they should keep in mind that:
Before you do anything else, you should take an inventory of all of the systems and applications in your infrastructure. Each of them is a potential source of data. The information feeding into the threat management solution will be richer if a greater the number of sources are monitored.
Threat management is a process and not a single technology or system. Start with vulnerability management and fully monitor all of the attack points you can map. Then add intrusion detection. If you still have concerns, add trust management, such as hardened security policies.
You should never think you're finished. As you add new technologies, such as radio frequency identification, voice over IP and others, you will need to extend your threat management model to cover these. Threat management will need to be at least as dynamic as your network is.
It doesn't have to be complicated. The long-term promise of threat management is a better understanding of security needs. But in the short term, the business value can be realized in something as simple as reducing the hundreds of daily alert flags produced by current security devices — most of them false — to a handful of real incident flags.
NEXT STORY: GAO policy reflects security concerns