NWC | Feature | Security | Tactical Security 101 |


				HOT PICKS • U.S. IT Salary Survey 2008 • Rolling Review: SOA Appliances • XKL Brings New Life To Dark Fiber

IMMERSE YOURSELF:

Storage & Servers

F E A T U R E

Tactical Security 101

January 23, 2003
By Greg Shipley

	Issue TOC
	Print full article
	Print this page
	Download as PDF
	E-Mail this URL
	Discuss this article
	Flame the author

	In this article
	Introduction
	Vulnerability Management
	Firewalls Get Hotter
	Control Issues
	Event Correlation
	HIP Hosts
	Technology Areas
	How We Got Here

You know information security is integral to IT operations and to business success. But infosec's role and resource levels are still up for debate. One thing is clear, though: Building a strong defense isn't cheap, so wise management of funding and resources is crucial.

We'd love to provide a definitive road map stating that Technology A should be chosen over Technology B, but each organization has its own challenges and dynamics. In "Secure to the Core" we painted the big picture. Here's advice on fine-tuning your plan.

ROI vs. Security

A key point of contention, especially in lean economic times, is the lack of clear ROI (return on investment) numbers attached to security efforts. A classic argument is that there is similarly no clear return on life insurance, but that doesn't stop most of us from buying it; still, attempting to formulate operational-security ROI may be a lost cause (see "Desperately Seeking the Security ROI," and "Security Fears Are Up, So Why Is Spending Down?").

Similar but more mature practice areas have adopted different measurement standards. For example, corporate security/financial fraud units frequently measure their effectiveness by comparing audited loss statistics to industry baselines. If their losses are greater than industry baselines, they are doing poorly; if losses are lower, they are performing above average. Although the infosec industry lacks such data, history and methodology, it's clear that smart spending can reduce losses--and, conversely, negligence can cost you big.

Getting a Game Plan

You have to create a security road map centered on policy definition and asset identification before making any major technology investments. Those lacking strong policies should consider hiring a consultant or jump-starting the effort with security-template tools like NetIQ's Vigilent Policy Center (see "Policy Management Hits the Web").

Once you've laid out the basics, determine how far you are from policy compliance and baselines, and where you come up short in terms of access control. Tactical technology solutions can help here, but only if applied in the right order, for the right reasons. For example, host-based intrusion-detection systems do little good if the hosts on which the HIDS agents reside are unpatched and open to compromise. The alarm rates will be constant and the hosts vulnerable, effectively rendering the HIDS worthless. In this scenario, money and time would be better spent solidifying patch management.

You probably face political and organizational challenges as well. For example, many organizations have learned that without antivirus systems, they'll chase faceless demons indefinitely. Antivirus becomes a "must have"--its operators are clear, and the decision on the technology is simple.

When considering firewalls and inline NIPS (network-intrusion-prevention system) products, however, roles and responsibilities come into play. An organization with a centralized operational security unit, for example, will probably have the IDS (which normally sits offline) and firewall administrators on the same team. So, the decision to implement an inline NIPS is a no-brainer.

However, if the NIPS administrators are part of an infosec unit outside IT, putting what would normally be a passive device (an IDS) into a production role (inline with the firewalls) may blur responsibilities. Who operates the NIPS? Who troubleshoots network outages? Do the security staffers lose control of the NIPS or gain control of the firewalls? Roles and responsibilities can become bigger factors than the technology.

Thus, before embarking on any major security technology purchase, organizations must ask a few basic questions:

• What asset does this technology protect?

• How effective is it?

• What's its operational impact?

• Do we have the resources to manage it?

• Will it work with, or against, other security controls?

Once assets are identified and these questions are answered, you can start to prioritize. Without a tiered defense strategy, organizations face few controls between critical digital assets and threats. Various security technologies are a must; the challenge becomes choosing and implementing them.