Getting the Most from Your UTM

New research from Aberdeen shows how Best-in-Class companies are getting the most out of unified threat management technologies and services.

By Derek E. Brink, CISSP

During August and September 2008, Aberdeen Group examined current industry practices for Unified Threat Management (UTM) technologies and services. The experiences and intentions of approximately 110 organizations from a diverse set of industries are represented in this study. Aberdeen supplemented this online survey effort with interviews with select survey respondents, gathering additional information on UTM strategies, experiences, and results.

Aberdeen's recent research in vulnerability management (see shed new light on how organizations are keeping pace with the never-ending flow of threats and vulnerabilities to their networks, computers, and application software. The scale of the problem is massive: on average, industry sources reported more than 120 new vulnerability disclosures per week (nearly 90 percent of which could be exploited remotely over the network), and over 400,000 new examples of malware (including viruses, worms, back doors, key loggers, Trojans, spyware, and rootkits) were identified in the last calendar year.

Aberdeen's research shows that trying to keep up with these vulnerabilities and threats is consuming about 14 percent of the average IT security budget. Most organizations are trying to balance the need to secure their IT infrastructure and safeguard their critical data with the need to increase efficiency and minimize total costs, a matter of heightened importance given the current challenges in our global economy.

Unified Threat Management

Unified threat management (UTM) is an IT security product category originally coined to describe the integration of multiple threat and vulnerability management functions within a single solution (typically, a network appliance). In other words, UTM reflects a deliberate shift from deploying and managing multiple, dedicated IT Security devices/services to deploying and managing a single, multi-function IT Security device/service.

In the current market, selecting a unified threat management solution is like making a selection sfrom a box of chocolates -- you never know what you're going to get. Baseline UTM functionality is generally agreed to include network firewall, anti-virus, intrusion detection/prevention, and virtual private network -- the core capabilities for securing your IT infrastructure. Aberdeen's research shows that buyer attention for new UTM functionality is clearly turning to capabilities that will help them address the many "channels" (including e-mail, Web, instant messaging, peer-to-peer file sharing, and voice over IP) for the potential loss or exposure of their sensitive data.

Vendors (and some analysts), in their efforts to explain and differentiate the expanding range of UTM offerings, have expanded their names for this solution category, including UTM, UTM+, UTM 2.0, Extended UTM, xTM, all-in-one security, multi-function security, and integrated security, resulting in a confusing array of marketing messages and competitive positioning. All are aimed at a similar value proposition, however: secure your IT infrastructure, safeguard your critical data, and lower your total cost of management.

Organizations should look past any confusion about names, however, to the tangible benefits that best-in-class companies are realizing from adopting the UTM approach. In the current study, companies with top performance gained significant advantages in the last 12 months over those whose performance lagged:

  • 20 percent reduction in actual threat/vulnerability related incidents
  • 14 percent reduction in audit deficiencies
  • 11 percent reduction in unscheduled downtime
  • 5 percent reduction in total associated staff
Current challenges in the global economy heighten the importance of balancing the unrelenting need to secure your IT infrastructure and safeguard your critical data with the equally important need to increase efficiency and minimize total costs. The research confirms that "Best-in-Class" performance in the UTM approach is one clear path to achieve both of these ends.

What are the factors driving the "unified" approach versus the "dedicated" approach? Across all respondents, reducing cost and reducing complexity are the top drivers for adopting the UTM approach, along with the obvious need for specific functionality. Factors identified by the research, listed in relative order of importance within each group, include:

Reducing Costs

  • Reduce the cost of managing multiple dedicated solutions
  • Reduce the total cost of service and support contracts for dedicated solutions
  • Reduce the total cost of licenses for dedicated solutions
  • Reduce power consumption of multiple dedicated devices

Reducing Complexity

  • Reduce the number of service and support contracts for dedicated solutions
  • Reduce the number of licenses for dedicated solutions
  • Reduce the number of physical devices
  • Preference for a single-vendor solution
  • Lack of sufficient IT, Network, or Security staff for dedicated solutions
  • Reduce physical space requirements for multiple dedicated devices

Expanding Functionality

  • Need for specific security functionality (e.g., anti-spam)
  • Flexibility for future expansion of security functionality
  • Expansion or changes to network topology
  • Upgrade/replacement for existing firewall
  • End-of-life announcement for existing firewall

Once the UTM approach has been selected, however, what are the selection criteria for UTM solutions? Across all respondents, performance and technical features, cost considerations and vendor attributes are the leading UTM selection criteria identified in the research. We found the leading selection criteria for UTM solutions, listed in relative order of importance, to be:

Performance and Technical Features:

  • Performance characteristics (e.g., network throughput)
  • Technical feature set for current needs
  • Technical feature set for anticipated future needs
  • Vendor flexibility/time to support new capabilities

Cost Considerations:

  • Total cost of ownership over a multi-year period
  • Ongoing management/operational costs
  • Price/performance ratio
  • Deployment costs
  • Acquisition costs

Vendor Attributes:

  • Vendor support
  • Vendor reputation
  • Vendor references/case studies

Performance is essential. "UTM is either incredibly beneficial," commented one IT admin, "or it can take the network to its knees." In terms of technical features, flexibility is what UTM is all about. An organization may initially deploy a UTM solution to address a specific problem, such as spam, but in doing so it has also established a flexible and cost-effective path for future expansion. It should also be noted that the features of the UTM must be at least adequate in comparison to those of the equivalent point solution to avoid the "dancing bear" phenomenon: everyone wants to see it, but it doesn't actually dance very well.

Conventional wisdom is that based on factors such as cost and performance, UTM solutions appeal primarily to the small (less than $50M in annual revenue) or mid-sized (between $50M and $1B) segment of the market. Based on this study and data from previous Aberdeen research, however, current UTM deployments are well established in the large (>$1B) segment as well. Nearly half (48 percent) of respondents from large companies indicated current deployments of UTM, with a healthy 17 percent of large organizations indicating plans to deploy in the next 12 months.

Overall, very strong year-over-year growth is projected to come from all size organizations, with the strongest relative growth coming as conventionally expected from the mid-sized and small segments. Regardless of company size, the sequence of steps summarized below will help drive Best-in-Class performance.

Step 1: Establish a Baseline

In this step, you will conduct regular vulnerability assessments, establish consistent policies for network access, and collect, normalize, and correlate security and compliance information.

Step 2: Manage Proactively

This step focuses on developing standardized responses for exceptions, security incidents, and audit deficiencies as well as eliminating root causes for exceptions, security events, and audit deficiencies.

You'll also need to maintain current support contracts and subscription services from your UTM solution provider.

Management is an ongoing process. You'll need to regularly review the log, information, and event data pertaining to securing your IT infrastructure and periodically review all policies, practices, and procedures.

Step 3: Educate Users

Education includes investing in documentation, awareness, and training programs to educate end users about policies and expectations for behavior, and generating end-user alerts about activities that are in violation of established policies.

Step 4: Automate Enforcement

Leverage the technical capabilities of the UTM solutions to automate enforcement of security policies, both for securing your IT infrastructure and for safeguarding your critical data

Step 5: Raise the Bar

UTM projects are never complete. There's always more work to do. For example, we recommend that you continue to optimize the deployment and management of core UTM functionality (network firewall, anti-virus, intrusion detection/prevention, and virtual private network). Look for opportunities to expand the use of additional UTM functionality, particularly to address the many "channels" for potential data loss or exposure (including e-mail, web, instant messaging, peer-to-peer file sharing, and voice over IP).

In addition, you'll want to continue to monitor services that are allowed, for potential misuse (e.g., instant messaging) and evaluate the implementation of behavior-based policies, in addition to rules-based policies.

Final Thoughts

Organizations must look past any confusion about names for the UTM solution category and examine the tangible benefits that Best-in-Class companies are realizing from adopting the UTM approach.

A complimentary copy of the full report is available through the end of November 2008 (a short registration is required) at:

- - -

Sidebar: UTM and Green Security

Is there a "Green" element to Unified Threat Management? Based on the current study, the findings are mixed on this point. For example, cost is a leading driver of the UTM approach, but "reduced power consumption" (a legitimately green result) is viewed as much less important than reducing the total cost of management, support, and licenses compared to dedicated solutions.

At the same time, Best-in-Class organizations rated "reduced power consumption" 14.2 percent higher compared to all respondents as a driver for selecting the "unified" versus the "dedicated" approach. Just as food, clothing, and shelter take precedence in the hierarchy of human needs, it seems that once the enterprise needs for performance, security and cost are adequately addressed, the "green" aspects of UTM are genuinely appreciated by the companies with top results.

- - -

Derek E. Brink, CISSP is a vice president and research fellow for IT security at AberdeenGroup, a Harte-Hanks company. You can reach the author at

Must Read Articles