Getting a Game Plan
You have to create a security road map centered on policy definition and asset identification before making any major technology investments. Those lacking strong policies should consider hiring a consultant or jump-starting the effort with security-template tools like NetIQ's Vigilent Policy Center (see "Policy Management Hits the Web").
Once you've laid out the basics, determine how far you are from policy compliance and baselines, and where you come up short in terms of access control. Tactical technology solutions can help here, but only if applied in the right order, for the right reasons. For example, host-based intrusion-detection systems do little good if the hosts on which the HIDS agents reside are unpatched and open to compromise. The alarm rates will be constant and the hosts vulnerable, effectively rendering the HIDS worthless. In this scenario, money and time would be better spent solidifying patch management.
You probably face political and organizational challenges as well. For example, many organizations have learned that without antivirus systems, they'll chase faceless demons indefinitely. Antivirus becomes a "must have"--its operators are clear, and the decision on the technology is simple.
When considering firewalls and inline NIPS (network-intrusion-prevention system) products, however, roles and responsibilities come into play. An organization with a centralized operational security unit, for example, will probably have the IDS (which normally sits offline) and firewall administrators on the same team. So, the decision to implement an inline NIPS is a no-brainer.
However, if the NIPS administrators are part of an infosec unit outside IT, putting what would normally be a passive device (an IDS) into a production role (inline with the firewalls) may blur responsibilities. Who operates the NIPS? Who troubleshoots network outages? Do the security staffers lose control of the NIPS or gain control of the firewalls? Roles and responsibilities can become bigger factors than the technology.
Thus, before embarking on any major security technology purchase, organizations must ask a few basic questions:
• What asset does this technology protect?
• How effective is it?
• What's its operational impact?
• Do we have the resources to manage it?
• Will it work with, or against, other security controls?
Once assets are identified and these questions are answered, you can start to prioritize. Without a tiered defense strategy, organizations face few controls between critical digital assets and threats. Various security technologies are a must; the challenge becomes choosing and implementing them.
RSS
