A New Look At Layers
By John Moore | Posted 2007-05-14
As attacks on enterprise systems grow more sophisticated and diverse, companies need to rethink their defense strategies. In this special report, experts offer new and better ways to protect vital information resources.
Security is a many-layered thing for most I.T. managers. Attacks may target network, server or application vulnerabilities. Blended threats combine multiple attack vectors (Trojan horses, worms and viruses, for example) in an attempt to outflank an organization's defenses.
In response, enterprises erect a series of barriers on the principle that an attack that beats one security measure won't get past other protections. This approach goes by several names: layered security, defense-in-depth and, on the folksy side, belt and suspenders. But the underlying premise is the same.
The traditional view of layered security places firewalls at the outermost ring of protection, guarding the corporate network from Internet-borne incursions. Inside the firewall, attention turns to network-based intrusion detection/intrusion prevention systems that aim to snuff out attacks that sneak through the firewall. Antivirus software and host-based intrusion detection/prevention systems protect servers and client PCs, providing still another layer.
While emerging classes of tools may fend off attacks at multiple layers, there are pitfalls if the tools are not properly configured, managed or integrated with existing systems. In effect, chief information and security officers have to be jacks of all trades to implement an effective layered security strategy.
Consider Chris Buse, the state of Minnesota's first chief information security officer. He's been on the job eight months and has spent that time rolling out a layered security strategy built around numerous preventive controls. "We need to be good at all of the areas," he says of the layers of protection. "We need to have good perimeter defenses. We need to have host- and network-based intrusion detection. But we need to have other solutions as well, all the way down to the desktop level."
One hitch: Organizations can get caught in a cycle of adding layers of technology every time a new class of security products emerges, says John Pescatore, a vice president and research fellow at Gartner in Stamford, Conn. "If you keep spending on more and more layers, you start eating up more and more of the I.T. budget, leaving less money for meeting new business demands and applications," he warns.
Gartner reckons that the typical enterprise spends more than 5% of its I.T. budget on security. Pescatore says the current pace of security spending is twice that of I.T. spending overall. He pegs the growth in annual security spending at 9%, compared to 4% to 5% for I.T. overall.
Pescatore prefers to define layers in terms of critical security processes: tasks such as vulnerability management and intrusion prevention. Process-based definitions like these don't commit I.T. managers to a specific technology approach and also guard against redundant technology.
For example, anti-spyware products entered the market a few years ago as a product set distinct from antivirus. But both support the same infrastructure protection process, Pescatore contends.
"What is so different about the process of blocking spyware from the process of blocking viruses?" he asks, adding that vendors such as Symantec have since consolidated anti-spyware and antivirus on the desktop.
Others are also challenging the layered model. Bruce Gnatowski, practice manager at security consultant Cybertrust, says the perimeter, for example, has become clogged with security products designed to shore it up. One strategy in this segment aims to bolster perimeter security with fewer devices (see Layer 1: Perimeter Security).
Gnatowski identifies the blurring of corporate network boundaries as another issue affecting perimeter security. This "de-perimeterization" (a term coined by the Jericho Forum, a technology customer and vendor group based in San Francisco that explores cross-organizational security) has caused some I.T. shops to revisit the perimeter.
Emerging technology categories such as network access control seek to address the dissolving perimeter, giving organizations greater control over the myriad devices clamoring for network resources. Network access control products check the health of computing devices attempting to enter the corporate network (see Layer 3: ID and Access Management).
There is also an increased emphasis on host security for so-called end points (such as servers and PCs) so that these devices can defend themselves (see Layer 2: Host Security). Those technologies include host-based intrusion protection systems.
Other security layers let approved users in. That's the realm of identity and access management systems, which provide a mechanism for authenticating users and steering them toward the network resources appropriate to their organizational roles (more on Layer 3: ID and Access Management).
With vulnerability management, I.T. managers can tap an array of software products and professional services that scour networks, servers and applications for security gaps that external attackers or malicious insiders could exploit. Concerns over perimeter security breaches and insider threats have intensified efforts to scour applications for security lapses. Penetration testing and code scanning software are two approaches in this arena (see Layer 5: Vulnerability Management).
Finally, security-minded organizations seek to pull together security layers into a unified whole. Interfaces within and among layers have begun to appear. The advent of security information and event management systems promises to cull pertinent security data from a range of systems to provide a comprehensive view of vulnerabilities and incidents (see Integrating the Layers).
"Large organizations are pushing the vendors and the technology to be much more integrated," says Jon Oltsik, senior analyst covering information security at Enterprise Strategy Group, a market research firm in Milford, Mass. "You don't need layers of security; you need areas of security with integration."
Read on to see how I.T. organizations are managing individual layers and tying them together.