Rob Buckley – Freelance Journalist and Editor

Secure by design?


Most organisations' security infrastructures are complex - and destined to stay that way.


It is a tantalising dream: an integrated security suite that manages the whole security infrastructure, with co-dependencies prioritised and event data automatically analysed for signs of dangerous trends. In this utopian future, the security suite will scan systems and applications for vulnerabilities, monitor the firewall and traffic on networks for intruders, scan files for viruses, monitor mail and web access for inappropriate content, notify when key system files have been modified, and allow organisations to manage the security configuration of their servers and network appliances from a single console.

For the moment, it remains a dream - and may remain so forever - but some parts of it are within the reach of most organisations, through the use of security event management (SEM) technologies from companies such as Computer Associates, GuardedNet, IBM Tivoli and Symantec.

As organisations have protected themselves with firewalls and installed host- and network-based intrusion detection systems and other defences, managing these has become correspondingly more difficult. Administrators are frequently flooded with too much event data to sift through - and forced to confront too many 'false positives'.

Shelfware
Many standalone security products, particularly intrusion detection systems, have simply ended up as 'shelfware' due to the high number of alerts that are generated, with many IT departments either ignoring their output or turning them off. SEM helps companies to weed out the unimportant alerts and to consolidate the data from all these disparate systems, enabling administrators to focus on the genuinely urgent events.

The real power of SEM becomes evident when these systems can understand the complex relationships between different security devices on the network, allowing organisations to uncover anomalies and trends and understand the impact of these events. Companies can have staff spend far less time monitoring individual products and their associated logs, reducing the chance of a manual error in what is often a time-consuming and laborious task. IT staff can also react far more quickly when something serious happens and take corrective action before major damage occurs.
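The consolidation and correlation the two paragraphs above describe, as an added Python illustration that is not part of the original article and not any vendor's product: three constructed log formats (loosely modelled on iptables, Snort "fast" alerts and sshd syslog lines) are parsed into one event schema, a signature that operators have tuned out is dropped, and each remaining IDS alert is graded by what the firewall and host logs say about the same source address within a five-minute window. The log lines, addresses, signatures, suppression list and grading rules are all assumptions made for the example.

```python
"""Toy security event manager: normalise, filter and correlate heterogeneous logs.

Added illustration only. The log lines are constructed; the formats are loosely
modelled on iptables, Snort 'fast' alerts and sshd syslog output, not copied
from any product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_YEAR = 2004  # assumption: the syslog-style stamps carry no year


@dataclass
class Event:
    ts: datetime
    product: str   # which security product produced the record
    kind: str      # normalised type: fw_deny, ids_alert or auth_success
    src: str       # source address the record is about
    dst: str       # destination address or host name
    detail: str    # product-specific text kept for the analyst


# Constructed sample input, one format per product.
FIREWALL_LOG = [
    "Mar  1 10:00:01 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 DPT=445",
]
IDS_LOG = [
    "03/01-10:00:02.000000 [**] [1:469:3] ICMP PING NMAP [**] 203.0.113.5 -> 192.0.2.10",
    "03/01-10:00:05.000000 [**] [1:2003:1] SMB exploit attempt [**] 203.0.113.5:4455 -> 192.0.2.10:445",
    "03/01-10:01:00.000000 [**] [1:2001:1] SSH brute force [**] 198.51.100.7:5000 -> 192.0.2.20:22",
    "03/01-10:05:00.000000 [**] [1:1201:1] WEB-MISC scanner [**] 192.0.2.99:3333 -> 192.0.2.30:80",
]
HOST_LOG = [
    "Mar  1 10:02:30 srv2 sshd[1234]: Accepted password for admin from 198.51.100.7 port 5000 ssh2",
]

# Signatures the operators have tuned out as chronic false positives (constructed list).
SUPPRESSED_SIGNATURES = {"ICMP PING NMAP"}

FW_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) kernel: DENY .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)")
IDS_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}-[\d:]{8})\.\d+ \[\*\*\] \[[\d:]+\] (?P<sig>.+?) \[\*\*\] (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")
HOST_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")


def _syslog_ts(stamp: str) -> datetime:
    """Turn 'Mar  1 10:00:01' into a datetime, supplying the assumed year."""
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def parse_firewall(line: str) -> Event | None:
    m = FW_RE.match(line)
    if not m:
        return None
    return Event(_syslog_ts(m["ts"]), "firewall", "fw_deny", m["src"], m["dst"], f"blocked dpt={m['dpt']}")


def parse_ids(line: str) -> Event | None:
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return Event(ts, "ids", "ids_alert", m["src"], m["dst"], m["sig"])


def parse_host(line: str) -> Event | None:
    m = HOST_RE.match(line)
    if not m:
        return None
    return Event(_syslog_ts(m["ts"]), "host", "auth_success", m["src"], m["host"], f"user={m['user']}")


def normalise() -> list[Event]:
    """Parse every product's records into the common schema, drop unparsable
    lines and tuned-out signatures, and return the rest in time order."""
    events: list[Event] = []
    for parser, lines in ((parse_firewall, FIREWALL_LOG), (parse_ids, IDS_LOG), (parse_host, HOST_LOG)):
        for line in lines:
            ev = parser(line)
            if ev is None or (ev.kind == "ids_alert" and ev.detail in SUPPRESSED_SIGNATURES):
                continue
            events.append(ev)
    return sorted(events, key=lambda e: e.ts)


def correlate(events: list[Event], window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """One incident per surviving IDS alert; severity is decided by what the
    other products recorded about the same source within the window."""
    incidents = []
    for alert in (e for e in events if e.kind == "ids_alert"):
        related = [e for e in events
                   if e is not alert and e.src == alert.src and abs(e.ts - alert.ts) <= window]
        if any(e.kind == "auth_success" and e.ts >= alert.ts for e in related):
            severity = "high"    # attack traffic followed by a successful login from that source
        elif any(e.kind == "fw_deny" and e.dst == alert.dst for e in related):
            severity = "low"     # the perimeter already blocked this source/destination pair
        else:
            severity = "medium"  # nothing else corroborates or refutes the alert
        incidents.append({
            "time": alert.ts.isoformat(),
            "src": alert.src,
            "signature": alert.detail,
            "severity": severity,
            "corroborating": [e.product for e in related],
        })
    return incidents


if __name__ == "__main__":
    for incident in correlate(normalise()):
        print(incident)
```

With the constructed input, the NMAP ping never reaches an analyst, the SMB alert is graded low because the firewall had already dropped that connection, the SSH brute-force alert is raised to high because a login from the same source succeeded ninety seconds later, and the web-scanner alert stays at medium for want of corroboration. The grading rules are deliberately minimal; a real SEM carries many such rules, and the article's point about vendor integration applies directly to the parsers, which must be rewritten for every product whose log format is not documented.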

Unfortunately, there are limits to the capabilities of SEMs that may never be overcome for technical, business or industry reasons.

For example, the ability to monitor and control heterogeneous devices is limited by the vendors who own the intellectual property of different security and network devices.

Limited integration
This has resulted in only limited integration in some cases or no integration at all in others. The introduction of some standards (such as Check Point's OPSEC) will allow for closer integration of different products in the future, but most of these proto-standards are focused on the corporate perimeter and not the core of the network. Whether this changes will be determined not by anything that happens in the security industry but by issues elsewhere.

There is also some way to go with many products before SEMs have the necessary 'intelligence' to match the skills of a good security expert in analysing data and taking necessary actions. Most systems, for instance, concentrate on integrated monitoring, but lack the ability to manage the security configuration, therefore relying on operators to reset policies appropriately.

Automated analysis of logs from disparate systems to correlate possible breaches does not prevent the problems occurring in the first place; at best, it only ensures they do not happen again. The monitoring activity of these tools is also aimed at technical attacks on networks and systems, more than on the misuse of IT resources by authorised users. At the moment, this latter problem still lacks a viable packaged solution.

