5 tenets of effective threat management

Chief security officers obsess about risk management, and who can blame them? But their inclination toward protectiveness regularly crashes head-on with pressure to spread technology's benefits far and wide.

How do you secure critical information and computer systems while extending your networks' boundaries to accommodate field workers, telecommuters, business partners, contractors and suppliers? At the same time, cyberattacks are growing in frequency, cleverness and severity.

Clearly, security managers must implement a threat management strategy that helps them stay aware of the latest threats and establish procedures and technologies to thwart attacks.

The following advice about defending critical resources comes from two security experts: Alan Paller, director of research at the SANS Institute, a training and education organization for security professionals; and Pete Lindstrom, director of research at Spire Security, a consulting firm.

Paller has culled information from extensive discussions with hundreds of security managers who have participated in SANS' WhatWorks program. He has uncovered some useful and little-known strategies for threat management, which involve anticipating and blocking network-based attacks. And Lindstrom deals with those issues as a consultant.

one

Find all the open doors and lock them tight

Maintain properly configured systems and stay up-to-date with patches that fix vulnerabilities in commercial software. Those two policies will reduce vulnerabilities on your network, Lindstrom said. They're a vital yet often overlooked first step.

You should fortify the systems under your control before you move into a monitoring scheme to track and identify network and system anomalies, he said.

The best way to ensure that your systems are properly configured is to automatically test, quarantine and disconnect systems that do not meet your configuration standards, Paller said.

For example, strong security policies and standards are at the core of MCI's strategy to reduce threats to the telecommunications carrier's network, said Sara Santarelli, the company's vice president of network and information security and chief security officer. Company officials have created an Enterprise Security Task Force with a steering committee of executives from a cross-section of disciplines, including information technology, security, human resources, law and public policy.

Santarelli said managing the volume of data moving through enterprise networks and responding to the alarms triggered by possible threats can be difficult. Therefore, you should prioritize systems that are susceptible to attack and devote the majority of your resources to protecting them.

"Security should be built out like a wave in a pond," she said.

two

Keep an eye out for suspicious activity

Monitoring networks for attacks and compromises is not easy, Lindstrom said. There's a general perception among security experts that "all sorts of compromises are occurring that no one ever finds out about," he said. In addition, some people believe that high-profile attacks could be a diversion for stealthier ones that steal information unnoticed, he said.

Technologies and services can help. Some detect rogue devices and bot networks, which are large numbers of compromised computers used to launch denial-of-service attacks. They also watch out for unusual data activity. In general, intrusion-detection systems have become better at understanding network traffic's content, direction and flow, he added.

Better correlation of security event data is important, Lindstrom and other experts said. MCI brings all of the data from its intrusion-detection and prevention systems, endpoint security devices, virtual private networks, and firewalls into a centralized location, Santarelli said. As a result, security experts at the company can better detect intrusions and network compromises, she said.
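The centralized correlation described above, sketched as an added example (not code from the article or from MCI): events from firewalls, intrusion-detection systems, VPNs and endpoint devices are normalized into one record type, then grouped by address and time window so that activity no single sensor would flag stands out. The `Event` fields, the five-minute window, the three-source threshold and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class Event(NamedTuple):
    ts: int       # epoch seconds (assumed already normalized across sensors)
    source: str   # sensor type: firewall, ids, vpn, endpoint
    entity: str   # address the event is about
    detail: str


def correlate(events, window=300, min_sources=3):
    """Return one finding per address seen by >= min_sources sensor types
    within `window` seconds."""
    by_entity = defaultdict(list)
    for ev in events:
        by_entity[ev.entity].append(ev)

    findings = []
    for entity, evs in sorted(by_entity.items()):
        recent = deque()
        for ev in sorted(evs):                      # chronological order
            recent.append(ev)
            while ev.ts - recent[0].ts > window:    # drop events outside the window
                recent.popleft()
            sources = sorted({e.source for e in recent})
            if len(sources) >= min_sources:
                findings.append({"entity": entity, "start": recent[0].ts,
                                 "end": ev.ts, "sources": sources})
                recent.clear()                      # avoid overlapping duplicates
    return findings


# Constructed sample events using documentation address ranges.
SAMPLE_EVENTS = [
    Event(1000, "firewall", "203.0.113.7", "deny tcp/22 burst"),
    Event(1090, "ids", "203.0.113.7", "ssh brute-force signature"),
    Event(1200, "vpn", "203.0.113.7", "login success"),
    Event(1100, "ids", "192.0.2.50", "port scan"),
    Event(1150, "ids", "192.0.2.50", "port scan"),
    Event(1250, "endpoint", "198.51.100.20", "antivirus signatures out of date"),
    Event(5000, "firewall", "198.51.100.20", "deny udp/53"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Only 203.0.113.7 is reported: three different sensor types saw it within five minutes, while the other two addresses were seen by a single sensor type or by two sensors more than an hour apart.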

three

Diversify your antivirus defenses

To effectively block viruses, use two gateway products rather than one, especially at your main e-mail gateway, Paller said. If you are particularly sensitive to viruses because your internal network is wide open, three antivirus gateways are even better, he said.

At least one of the gateway products should be from a smaller Eastern European antivirus vendor, Paller said, because the big enterprise vendors often trail the smaller ones by a large margin in distributing updates to block new viruses.

Conversely, those big vendors generally do a better job of helping you manage a large enterprise's complexities. Thus, using a combination of two or three antivirus products is a minimum acceptable practice for organizations that are critically dependent on IT, Paller said.

But experts at two security companies questioned whether deploying three antivirus gateways would be effective. "If you keep piling on more antivirus products every time, you will get an impact on performance," said Sam Curry, vice president of eTrust Security Management at Computer Associates International. "They can interfere with each other."

Curry said deploying two antivirus products sounds reasonable. In fact, CA sells two antivirus engines, one that can be deployed at the gateway entrance into the network and the other on desktop computers.

Alfred Huger, senior director of development at the security vendor Symantec, said he hasn't seen enterprises deploy three antivirus gateways. He agreed that more protection is always better, but in practice, it would be hard for IT departments to get the budget to purchase three products.

four

Stop intruders in their tracks

An intrusion-prevention system is essential for blocking attacks that come in via the network.

No other technology — except application security gateways, which are special-purpose intrusion-prevention systems — can help you fend off attacks that exploit vulnerabilities in network applications such as Web browsers, Paller said.

He expects that prices for intrusion-prevention systems will decrease in the next nine months to a level that will make them affordable for most organizations. Some will even deploy intrusion-prevention systems internally, so that they can monitor operations in a sensitive part of an organization and watch for possible intrusions launched from elsewhere within the entity.

Intrusion prevention is a requirement, not an option, Curry said. Intrusion-prevention systems are host-based or network-based, and it is important to choose the right one for your needs.

The big difference between the two is the security model they apply, Lindstrom said. Host-based systems look at the known, good state of computers so they can block the bad or anomalous activity. Network-based systems look for low-hanging fruit such as viruses and worms. Still, those systems are relatively basic, Lindstrom said.

"I don't disagree with the essential notion of intrusion prevention," he said, but there is much disagreement on a definition for it. Clearly, the capability to identify threats and block them at the network layer is needed, he added.

Huger advises users to consider deploying a multifunction gateway that includes antivirus, intrusion-prevention and firewall capabilities. Not only can these appliances help prevent attacks, but they will also reduce the overall cost of ownership, he said.

five

Train the first line of defense — your people

In spear phishing, one of the latest computer-related scams, illegitimate e-mail messages that appear to come from an organization's managers or IT department ask recipients to enter passwords or download programs.

Perimeter measures such as firewalls and intrusion-prevention systems will not prevent spear phishing, but an effective employee education program can help defuse it, Paller said.

Education can do far more to reduce the possibility of a breach than any technology, Curry said.


**********

Watching the detectives

As if worrying about the bad guys doesn't keep you busy enough, managing relationships with security vendors is starting to demand more attention, especially as company and product consolidation increases.

Given those market dynamics, there is a chance that the security products you use now will be enhanced with extra-cost features or merged with other products. To protect your organization against unpleasant financial surprises, security expert Alan Paller, director of research at the SANS Institute, advises that you try to negotiate the following clauses into your security vendor contracts:

  • The vendor will give you access to additional capabilities at no cost.
  • The vendor will provide maintenance on the product for a cost that will grow no more than 5 percent to 10 percent per year, regardless of changes in the price of the product.
  • In the event the product line or vendor is sold to another vendor, you have the right to maintain the rights you have negotiated with the original vendor.

— Rutrell Yasin
