Network and data security is evolving.
With the proliferation of distributed environments, and the necessity of organizations to open up their internal network to the internet, companies are faced with a daunting task - providing simple, efficient access to some information while keeping other information away from both legitimate users and determined hackers.
In addition to this, there are a myriad of other security issues to deal with - physical security, internal threats, privacy concerns, content security, among others - all of which, if not handled properly, can put the company at risk, both legally and financially. It is no wonder that the sale of security products remains strong, and that more and more of the typical IT budget is being devoted to security.
As security requirements grow, companies are faced with the need to be more proactive in dealing with security issues. No longer can a company implement a firewall, rely on operating system authentication and expect that to be sufficient. Not only are the threats more frequent and severe, but also the costs of potential attacks are growing. As companies are being forced to open themselves up more in order to remain competitive, they are potentially exposing information that could damage their ability to remain competitive. It is this double-edged sword that makes security management so critical to organizations.
Coupled to this, customers who use the services of companies that have been attacked suddenly see themselves as being at risk. Not reporting potential security risks is no longer an acceptable option. Customers, both large and small, want to see reports on the security health of their vendors, and see security as one item on the list of requirements for doing business.
So what can an organization do to secure itself and still provide the online services that its customers, vendors and employees need?
The answer is to move from a reactive security model to a proactive one. Setting up your security perimeter and hoping for the best is not acceptable anymore. Companies need to actively monitor their security infrastructure, in real time and all the time. In the same way that a company has real-time monitoring tools to watch their network, systems and applications, they also need to active monitoring for their security infrastructure.
A large variety of security point products exist to solve the different problems in building and maintaining a secure environment. Firewall, intrusion detection systems (IDS), content security, authentication/authorization, encryption - there are robust products on the market now to fit just about every security need. However, the problem with these products is that they each have their own tools, their own way of collecting information, and their own way of alerting on potential security breaches. And because of the plethora of data that is collected by each individual product, it becomes virtually impossible to keep track of them all individually, and in real time.
As the size and complexity of security environments grows, it becomes harder and harder to keep track of all the information. More often than not, security breaches are discovered after the fact, and it is only then that the logged data is analyzed to find out what happened.
This daunting problem has spawned a new type of security tool - the security manager of managers (SMoM). The SMoM's job is to collect all the security data from all the tools that are implemented and provide a single point view across all security issues. It provides access to all the necessary tools, intelligently organizes the information, and will alert security professionals to potential attacks before they become damaging.
In reality, the SMoM is not a security tool at all, but an event consolidation and correlation tool. It needs to be able to keep up with the huge amount of information that security products can generate, have tools that can correlate disparate events to pinpoint a single breach, provide operators with a real-time event management interface, and collect and present the historical information in the form of security reports. The SMoM also needs to have the flexibility to embed security specific correlation and notification logic into the system. An added bonus is the ability to provide real-time, web-enabled reports to customers detailing the status of their security environment.
The idea of the SMoM - like all good ideas - is not new. The world's largest telecommunications companies, such as BT, AT&T, Deutsche Telekom and others, rely on a manager of managers technology to alert operators to potential service-affecting problems in their infrastructure. The MoM software enables the telcoms company to invest in the best technology without training an army of operators to monitor each type of equipment. Similarly, the security manager of managers - when based on the same robust, ultra-scalable technology - can help large companies to get the best out of today's leading security technology, while consolidating the various security systems to present a complete, end-to-end view of the security infrastructure.
Richard Lowe is senior vice president, Europe, Middle East and Africa for Micromuse (www.micromuse.com).
Micromuse are exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29- May 1, 2003. www.infosec.co.uk
