As is the case with the wider discipline, IT security strategies need to move from being a reactive model to one that is proactive. In the same way that a company has real-time monitoring tools for watching over its network, systems and applications, its managers also need to actively monitor the security infrastructure. According to Peter White, one security tool is available that will allow managers to do just that – the Security Manager of Managers.
Network and data security is evolving. With the proliferation of distributed environments, and the necessity for organisations to open up their internal network to the Internet, companies are faced with a daunting task – providing simple, efficient access to some information while keeping other data away from both legitimate users and determined hackers.
In addition to this, there are a myriad of other security issues to be dealt with, including physical security, internal threats, privacy concerns, content security and evolving legal requirements. All of which – if not handled in the correct manner – can place the company at great risk, both legally and financially.
Little wonder that the sale of security products remains strong, and that more and more of the typical IT budget is being devoted to security issues.
As security requirements grow, so client organisations are faced with the need to be more proactive in dealing with those issues. No longer can a company implement a firewall, rely on operating system authentication and expect that to be sufficient. Not only are the threats more frequent and severe, but the costs of potential attacks are also growing.
Double-edged sword
With companies being forced to open themselves up still further in order to remain competitive, they potentially expose the very information on which that competitiveness depends. It is this double-edged sword that makes security management so very critical for many organisations.
Coupled with this, customers who use the services of companies that have been attacked suddenly view themselves as being at risk. Not reporting potential security risks is no longer an option. Customers, both large and small, want to see reports on the security health of their vendors, and see security as one item on the list of requirements for doing business.
That being the case, what can end user organisations do to secure themselves and yet still provide the online services that their customers, vendors and employees need?
The simple answer is to move from a reactionary security model to one that is proactive in nature.
Proactive security policies
Setting up your security perimeter and hoping for the best is no longer acceptable. Companies need to actively monitor their security infrastructure, in real-time and all the time. In the same way that a company has real-time monitoring tools to watch its network, systems and applications, it must also actively monitor its security infrastructure.
A large variety of security point products exist to solve the different problems in building and maintaining a secure environment. Firewalls, intrusion detection systems, content security programs, authentication and/or authorisation systems, encryption – there are now robust products on the market to fit just about every security need.
However, the problem with these products is that they each have their own tools, their own way of collecting information and their own way of alerting security staff about potential security breaches. In addition, due to the plethora of data that is collected by each individual product, it becomes virtually impossible to keep track of them all individually and in real-time.
As the size and complexity of security environments grow, it becomes harder and harder to keep track of all the information. More often than not, security breaches are discovered after the fact. Only then is the logged data analysed to find out what has actually transpired.
This somewhat daunting problem has spawned a new type of security tool – the Security Manager of Managers (SMoM). The SMoM’s task is to collect all of the security data from all of the tools that are implemented and offer a single point of view across all security issues. It provides access to all of the necessary tools, intelligently organises this information and will then alert security professionals to potential attacks before they escalate to the damaging stage.
The pros and cons of SMoM
What are the obvious pluses and minuses of going down the SMoM route? In simple terms, the pros are as follows:
- consolidation of all real-time event data into a single view;
- allows correlation with network management events;
- huge security event volumes become manageable, allowing even Denial of Service issues to be handled;
- the collation of log file information provides a long term historical archive for trend and threat analyses and forensics;
- allows integration with knowledge bases, asset bases and remediation strategies.
There are downsides, however. Security information/event management tools do not have the detailed integration needed for active configuration management of disparate devices. Also, the tools are only as good as the quality of data they receive, and vendors’ specific element managers do not integrate seamlessly.
In truth, the SMoM should be based on the raw consolidation and correlation powers of the established event management vendors, but this alone does not deliver a security tool at all. It needs to be able to keep up with the huge amount of information that security products can generate, have tools that can correlate disparate events to pinpoint a single breach, provide operators with a real-time event management interface and collect and present the historical information for legal review, trend and forensic analysis.
The SMoM also needs the flexibility to take in highly granular security information, embed security-specific correlation and notification logic into the system and then call engineers to action or automate remediation policies.
Potential pitfalls exist with all security management solutions, and the SMoM is no different from the norm. Interruptions to the flow of data can leave the system running blind, while the architecture must be able to respond to component failure with fault tolerance and data buffering such that no data is lost. By their very nature, SMoMs are also reactive to events occurring around them. Some solutions are beginning to address potential proactive approaches which, in time, will allow sophisticated correlation to optimise the processing of event flows.
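As an added illustration (not code from the article or from Micromuse) of the consolidation and correlation described above and of the data buffering just mentioned: a toy SMoM pipeline in Python that maps three constructed product formats (firewall, IDS and authentication log; all formats, timestamps and addresses are made up) onto one common schema, raises a single alert when several products report the same host, and buffers events while the operator console is unavailable so that none are lost.

```python
import re
from collections import defaultdict, deque

# Constructed sample events from three point products, each in its native format.
RAW_EVENTS = [
    ("firewall", "2004-03-01T10:00:01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22"),
    ("ids", "2004-03-01T10:00:03 ALERT sig=SSH brute force src=203.0.113.5"),
    ("auth", "2004-03-01T10:00:04 FAILED LOGIN user=root from 203.0.113.5"),
    ("firewall", "2004-03-01T10:05:00 DENY src=198.51.100.9 dst=10.0.0.8 dport=80"),
]
# One parser per product maps its native format onto a common schema (source, ts, src, detail).
PARSERS = {
    "firewall": re.compile(r"(?P<ts>\S+) DENY src=(?P<src>\S+) dst=\S+ dport=(?P<detail>\d+)"),
    "ids": re.compile(r"(?P<ts>\S+) ALERT sig=(?P<detail>.+?) src=(?P<src>\S+)"),
    "auth": re.compile(r"(?P<ts>\S+) FAILED LOGIN user=(?P<detail>\S+) from (?P<src>\S+)"),
}

def normalise(source, line):
    """Consolidate a product-specific line into the common schema; None if it does not parse."""
    m = PARSERS[source].match(line)
    return dict(source=source, **m.groupdict()) if m else None

def correlate(events, min_sources=2):
    """Pinpoint one breach from disparate events: a host reported by several products."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    seen = {src: sorted({e["source"] for e in evs}) for src, evs in by_src.items()}
    return [{"src": s, "sources": seen[s], "count": len(by_src[s])}
            for s in by_src if len(seen[s]) >= min_sources]

def run_pipeline(raw=RAW_EVENTS):  # normalise every line, drop unparsed ones, correlate
    return correlate([e for e in (normalise(s, l) for s, l in raw) if e])

class BufferedForwarder:
    """Queues events while the console is down and replays them on reconnect, so none are lost."""
    def __init__(self, online=True):
        self.queue, self.delivered, self.online = deque(), [], online
    def submit(self, ev):
        (self.delivered if self.online else self.queue).append(ev)
    def reconnect(self):
        self.delivered.extend(self.queue)  # replay buffered events in arrival order
        self.online, self.queue = True, deque()

def buffer_roundtrip(events):
    """Outage drill: submit while the console is offline, reconnect, return what was delivered."""
    fwd = BufferedForwarder(online=False)
    for ev in events:
        fwd.submit(ev)
    fwd.reconnect()
    return fwd.delivered
```

The single consolidated alert for 203.0.113.5 replaces three separate notifications from three consoles, while the lone firewall deny from 198.51.100.9 never reaches an operator.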
Problems can be pinpointed
Like all good ideas, the one behind the SMoM is not new. The world’s largest telecommunications companies (such as BT, AT&T, Deutsche Telekom and others) rely on Manager of Managers technology to alert operators to potential service-affecting problems in their infrastructure. The software enables the telecommunications company to invest in the best technology without training an army of operators to monitor each type of equipment.
Similarly, when based on the same robust, ultra-scalable technology, the SMoM will help larger companies to eke the best out of today’s leading security technologies while consolidating the various security systems to present a complete, end-to-end view of the security infrastructure.
Security management solutions such as this one prove that a firm has acted to secure its data whenever a threat arises, and that managers have full knowledge of what is happening across their IT systems.
Anything less than that is not acceptable.
Source
SMT
Postscript
Peter White is vice-president of packaged IT security solutions at Micromuse