Guard the Gates!
Setting Up Fortifications to Protect Your Enterprise

Melinda Devers is a harried chief information officer at a paper products company in northern Wisconsin. She is so far from the bustle of busy urban centers that you might think attacks on her network by unscrupulous types would be a remote concern. “Nonsense,” she says. “I worry about it all the time. Our network connects us with all our partners, remote sales force, and some potential customers. The connection that makes our e-commerce projects work is the very connection that someone could use to attack our business.”

Devers has trained a network specialist in the basics of information and network security, but she’s still worried. “For me, I wish we could avoid the constant strain of keeping up to date and worrying about new threats to our network. To be honest, I’d really just like to be assured that the security for our network connection is appropriate, current, and vigilant. The details, well, I’d just as soon not know.”

A network security system where you simply set it and forget it? “That’s about right,” she says, and gives the bleak smile of a manager who knows what she wants, but not how to find it.

Gates and Gatekeepers

At the boundary between networks -- the place where the sensitive insides of an enterprise are joined to the rough-and-tumble real world -- many companies have learned to build gates. These network drawbridges are built to let good traffic pass and to keep problems out. Such gates can even identify attempts to gain unauthorized access or to introduce malicious code and viruses into the network. Still, they remain gates.

Someone has to decide when the drawbridge can be let down to allow good traffic to pass. Today, many security solutions focus on the gate and the rules that govern it. For strapped system administrators there’s an additional problem: not only does someone have to continuously update the configuration of the barrier, but there are separate barriers for every threat. Enterprise networks often have one solution in place for virus detection, another for intrusion detection, and still another for access control. Each typically has its own configuration tools.

The result is a never-ending set of administrative chores for the security officer. Daily updates of configurations and virus definitions are common in many organizations. Is it possible to relieve the beleaguered security administrator by implementing a single, integrated solution that addresses the enormous variety of security concerns? Is it possible to move one step further and have an intelligent gatekeeper instead of just a gate?


Rich Telljohan of Internet Security Systems, a provider of security services and software, thinks so. “I think this is the right direction to head,” he says. “We need to have automated, integrated tools with active alerting capabilities. For instance, we should be able to have software that identifies a particular attack and responds automatically. In fact, baby steps toward this goal have already started to appear in the marketplace.”

Telljohan stresses that gluing together existing products that each address an individual threat won’t get the job done. “We don’t want to simply take a bunch of products and services, wrap them in a common look-and-feel, and then call that integration,” he says. “Instead, interaction is the key. Integrated security tools have to help identify and solve cross-product security problems. We need better integration of security tools with the underlying infrastructure. For instance, just because a tool automatically identifies and responds to a potential security problem -- can it also make the operational changes needed to fix the problem?”

Shawn Abbott, chief technology officer at Rainbow Technologies, a provider of security services for Internet and e-commerce customers, says, “There’s a real change in the level of sophistication of new tools. In the not-too-distant past the tools were always based on rules that stopped certain actions. That meant if we didn’t have a rule explicitly in place, the default action was to allow a network connection to proceed. Today we are seeing a series of tools that support both integration and the ability to specify which activities are explicitly allowed.”

Rob Clyde, vice president of security management at Axent, a large systems security tool builder recently acquired by Symantec, says this is starting to happen. “Integration is crucial. Our perspective is that the individual tools are going to come together. Naturally, things are easier to integrate in an individual product line from a single company, and we’re seeing continued consolidation between security software companies. But we are also seeing interaction across companies.”

“One of the key reasons is that APIs are being put into place that act as the glue between different systems,” Clyde says. “In the end what we need is a central console where we can see the entire security posture for an organization. Even today we can already link events in the security environments to management systems such as Hewlett-Packard’s OpenView and Tivoli. But even that’s not enough. When a security system identifies a weakness or exposure it should be able to communicate with a help desk system like Remedy to immediately build a trouble ticket. That way changes in the security environment can be immediately integrated with the operational processes that support the data center.”

Ruling the Gate

There are two distinct ways of outfitting a network gatekeeper with the knowledge it needs to keep a network secure. The first is to set up an explicit set of rules that define what is permitted and what is not. This model, called the deterministic model, establishes a clear cause-and-effect relationship between each network access and the rule that governs it. Unfortunately for the overwhelmed administrator, the rules that make up a deterministic policy must continually be updated to remain effective: anything the rules did not anticipate is handled by the default, whatever that happens to be.

Another approach, usually called heuristic, tries to define behaviors rather than rules. This method relieves the hardship of continually updating a rule set, but its downside is that it can make “bad guesses” about behavior within the organization. A false positive denies access that should have been allowed, because legitimate but unusual behavior looked, to the heuristic, like an attack.

Axent’s Rob Clyde worries about what happens after heuristic tools have made their access decisions. “Heuristic tools tend to fail when you’re asked to do follow-up support,” he says. “It’s hard to explain to someone the specific rules you broke that got your access denied. That’s the beauty of the deterministic model: You can always explain why the security system denied or allowed an activity.”
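The two models described in this section, deterministic rules versus a heuristic baseline, together with Abbott’s point about tools that default to “allow” when no rule applies, as an added example; this is not code from the article or from any of the companies quoted in it. It assumes a made-up extranet policy of three rules over documentation address ranges, a constructed connections-per-hour history for one sales laptop, a rule name (“partner-acme”) for a hypothetical new partner, and a z-score threshold of 3; all of these are illustrative choices, not anything the article specifies.

```python
"""Deterministic (rule-based) versus heuristic (behavior-based) gatekeeping.

Added illustration, not code from the article or from any vendor named in it.
The rule format, address ranges, sample connections, baseline history and
threshold are assumptions chosen for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR the source address must fall in
    dst: str          # CIDR the destination address must fall in
    ports: frozenset  # permitted destination ports; empty means any port
    action: str       # "allow" or "deny"

    def matches(self, c: Conn) -> bool:
        return (ip_address(c.src) in ip_network(self.src)
                and ip_address(c.dst) in ip_network(self.dst)
                and (not self.ports or c.port in self.ports))


# Assumed policy: partners reach one subnet over HTTPS, the remote sales force
# reaches the internal range over SSH/HTTPS, and Telnet is refused from anywhere.
RULES = [
    Rule("partner-extranet", "203.0.113.0/24", "10.0.5.0/24", frozenset({443}), "allow"),
    Rule("sales-vpn", "198.51.100.0/24", "10.0.0.0/8", frozenset({22, 443}), "allow"),
    Rule("block-telnet", "0.0.0.0/0", "0.0.0.0/0", frozenset({23}), "deny"),
]


def deterministic_decide(rules, conn, default="deny"):
    """First-match rule evaluation; returns (action, reason).

    The reason names the rule that fired, so the administrator can always say
    why a connection was allowed or denied. A "default=allow" gate lets through
    anything no rule anticipated; "default=deny" forces every permitted
    activity to be spelled out explicitly.
    """
    for rule in rules:
        if rule.matches(conn):
            return rule.action, f"matched rule '{rule.name}'"
    return default, f"no rule matched; default action is {default}"


def heuristic_decide(history, src, count_this_hour, threshold=3.0):
    """Baseline comparison instead of rules; returns (action, reason).

    history maps a source address to its connections-per-hour in past hours.
    Nothing is maintained by hand, but the verdict is a statistical guess and
    the only explanation on offer is a z-score, not a policy line.
    """
    past = history.get(src, [])
    if len(past) < 3:
        return "allow", "no baseline yet; allowing"
    mu = mean(past)
    sigma = pstdev(past) or 1.0  # a perfectly flat baseline would divide by zero
    z = (count_this_hour - mu) / sigma
    if z > threshold:
        return "deny", f"{count_this_hour}/hour is {z:.1f} sigma above baseline {mu:.1f}"
    return "allow", f"within baseline (z={z:.1f})"


def demo():
    """Run both models over constructed traffic and return the verdicts."""
    partner = Conn("203.0.113.10", "10.0.5.20", 443)
    telnet = Conn("203.0.113.10", "10.0.5.20", 23)
    new_partner = Conn("192.0.2.15", "10.0.5.20", 443)  # signed yesterday; no rule yet
    acme_rule = Rule("partner-acme", "192.0.2.0/24", "10.0.5.0/24", frozenset({443}), "allow")

    results = {
        "partner_https": deterministic_decide(RULES, partner),
        "partner_telnet": deterministic_decide(RULES, telnet),
        # Maintenance burden: the new partner is refused until a rule is added.
        "new_partner_before_rule": deterministic_decide(RULES, new_partner),
        "new_partner_after_rule": deterministic_decide(RULES + [acme_rule], new_partner),
        # The same unknown traffic under the older default-allow behavior.
        "new_partner_default_allow": deterministic_decide(RULES, new_partner, default="allow"),
    }

    # Constructed baseline: a sales laptop normally makes about 10 connections an
    # hour; at quarter end it syncs a large order file and makes 60.
    history = {"198.51.100.7": [10, 12, 11, 9, 10]}
    results["sales_rep_quarter_end"] = heuristic_decide(history, "198.51.100.7", 60)
    results["sales_rep_normal"] = heuristic_decide(history, "198.51.100.7", 11)
    return results


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:28} {action:5} {reason}")
```

The deterministic path returns the name of the rule that fired, which is the explainability Clyde describes; the price is the `new_partner` case, refused until an administrator writes the rule, and the `default="allow"` call shows what the older tools Abbott mentions did with that same unanticipated traffic. The heuristic path needs no rule maintenance but turns the legitimate quarter-end burst into a denial, the false positive the text warns about, and the best it can offer the help desk is a standard-deviation count.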

Centralized Security Services

While the promise of automated security tools is great, some are not so sure integrated and automated solutions will ever work. Paul Proctor, director of technology at CyberSafe and author of a book on intrusion detection, is skeptical. “Automated systems simply fail; AI [artificial intelligence] and other allied tools simply aren’t effective,” he says. “In the end those systems work well in the safe environment of a lab, but they end up failing in the real world.” But they aren’t a complete waste, Proctor explains. “From the integrated tools it’s possible to generate lots of great feedback, but in the end you always need gray matter for the most effective security.”

Amit Yoran, president of RIPTech, a provider of outsourced security monitoring, agrees. “Newer detection systems allow customers to write their own scripts, but that’s far from having the software adapt to changing conditions on its own,” Yoran says. “In that regard, the industry isn’t quite there yet.”

CyberSafe’s Proctor says, “There are always going to be point solutions for specific security threats. One of the key reasons is that each of the individual -- say, intrusion detection -- threats is very different from the others. Integration is a valuable and desirable goal, but in the end we’ll still need specific tools for specific threats.”

In Others We Trust

For those who find it hard to believe that we will ever reach a point where an automated intelligent gatekeeper will protect us, there is another option: managed security. As CyberSafe’s Proctor points out, “You simply cannot find the people you need to effectively do security today. Even if you could, you couldn’t afford them. And even if you could afford them, you wouldn’t be able to retain them!”

RIPTech’s Yoran echoes Proctor’s analysis: “Even for enterprise-class customers, it sometimes doesn’t make much sense to implement your security services in-house. It’s a waste to use highly specialized staff to configure firewalls and monitor gateways. Instead, they ought to be used for strategic things such as identifying new security technologies and developing corporate security plans. Maintenance shouldn’t be their focus -- strategy should.”

There are advantages to outsourcing security management beyond staffing. Third-party security management teams have full-time connections to the security community and can leverage their skills and expertise across a variety of customers. A team of experts -- something that even a large company would find difficult to field -- can be made available to even a modest-sized organization. According to Yoran, the difference is obvious. “These teams have stronger relationships with vendors, research teams, and the security community than security staff inside the typical company could hope to have.”

But isn’t it odd to trust a third party with something as sensitive as security? “In some industries -- like the financial industry -- it will never make sense to use managed security,” Rainbow’s Abbott says. “Even so, for many companies outsourced security is going to make more and more sense over time.”

Whether security is automated, whether intelligent gatekeeping is done by in-house staff, or whether management of sensors and security agents is handed to an outside third party, there remains the issue of commitment on the part of the organization. Proctor says, “If you don’t have good security policy, it’s not going to work anyway. Neither automated tools nor managed services are going to deliver up to an organization’s expectations.”

While the promise of both automated and outsourced security is great, beware of the overhyping of potential. That’s what concerns Devers: “I really believe security tools and services are getting better.” Does she believe in them enough to spend money on them? “No,” she says, and that pained smile returns. “I guess I’m waiting for them to evolve just a little more.”

Internet Security Systems Inc., Atlanta
Rainbow Technologies
Axent Technologies Inc., Rockville, Md.
CyberSafe Corp., Issaquah, Wash.
RIPTech Inc., Alexandria, Va.