Pulling It All Together: Layer Integration
By John Moore | Posted 2007-05-14
As attacks on enterprise systems grow more sophisticated and diverse, companies need to rethink their defense strategies. In this special report, experts offer new and better ways to protect vital information resources.
The existence of myriad layers in the typical I.T. security strategy raises the question: Can they interact? The various security technologies have mostly acted in isolation over the years and continue to do so to a considerable degree, say I.T. managers and consultants.
"The struggle is being able to integrate and manage all those technologies as a unified defense as opposed to so many different point solutions in the enterprise," says Bell ICT's Moss.
Integration can be found within layers. At the perimeter, unified threat management appliances fill that role, combining firewall and intrusion prevention, among other functions. Consolidation also occurs at the host layer. Security suites from vendors such as McAfee and Symantec combine functions including antivirus, anti-spyware and identity protection.
Integration is trickier when using multiple vendors. While vendors have begun to build connections between their security offerings, customers still bump into limitations.
Take the case of Booz Allen Hamilton, a strategy and technology consulting firm based in McLean, Va. For vulnerability assessment, the firm uses nCircle Network Security's IP360, which has integration hooks into other products. Stan Kiyota, Booz Allen information security manager, says nCircle integrates with Remedy's help-desk system to smooth the job of addressing vulnerabilities once they surface. The linkage lets trouble tickets generated in nCircle flow into Remedy.
But there's a problem: "We don't use the help-desk software they [nCircle] happen to be partnered with," Kiyota says.
A class of technology called security information and event management software, or SIEM, promises to provide more coordination among security layers. These systems pull together security log data culled from a range of I.T. security systems and make them available to identify patterns.
Randy Barr, chief security officer at WebEx Communications, went to KlioSoft of Concord, Calif., for a SIEM tool to pull information from the event logs of its various devices to assess intrusion attempts and other security-related incidents. Those devices and systems include routers, firewalls, intrusion detection systems and content monitoring systems.
Minnesota CISO Buse also sees value in SIEM systems. The technology's correlation feature sifts through thousands of events to identify "a handful of things that are actually relevant," he says.
In some instances, the correlation job is assigned to an outside party. Darryl Lemecha, CIO at data broker ChoicePoint, says the company provides data from a vulnerability assessment, intrusion detection and patch management to a managed security services provider that analyzes the data.
Data correlation can bring insight into whether servers are properly patched to withstand a specific attack, as indicated by the intrusion detection system. Armed with this information, Lemecha says, ChoicePoint can choose to ignore some situations (cases in which the company has the patches in place to fend off the detected attack) and focus on those that are potentially more damaging.
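The correlation described above, sketched as an added example (not code from the article or from any product it names): intrusion detection alerts are matched against patch-management and vulnerability-assessment data so that alerts aimed at patched hosts drop to the bottom of the queue. The host addresses, vulnerability ids, field names and the rule that scanner evidence overrides the patch record are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample feeds; hosts and vulnerability ids are placeholders.
IDS_ALERTS = [
    {"dst": "10.0.0.5", "vuln": "VULN-A"},
    {"dst": "10.0.0.5", "vuln": "VULN-A"},
    {"dst": "10.0.0.6", "vuln": "VULN-A"},
    {"dst": "10.0.0.7", "vuln": "VULN-B"},  # patch tool and scanner disagree
    {"dst": "10.0.0.9", "vuln": "VULN-A"},  # host missing from both inventories
    {"dst": "10.0.0.6", "vuln": None},      # signature with no vulnerability mapping
]
# Patch management: host -> vulnerabilities its installed patches address.
PATCHED = {"10.0.0.5": {"VULN-A"}, "10.0.0.6": set(), "10.0.0.7": {"VULN-B"}}
# Vulnerability assessment: host -> vulnerabilities the last scan still found.
SCAN_FOUND = {"10.0.0.5": set(), "10.0.0.6": {"VULN-A"}, "10.0.0.7": {"VULN-B"}}

RANK = {"escalate": 0, "investigate": 1, "deprioritize": 2}


def triage(host, vuln, patched, scan_found):
    """Decide how to treat alerts for one (host, vulnerability) pair."""
    if vuln is None or (host not in patched and host not in scan_found):
        return "investigate"   # nothing to correlate against, so never suppress
    if vuln in scan_found.get(host, set()):
        return "escalate"      # scanner confirms exposure, even if the patch record says fixed
    if vuln in patched.get(host, set()):
        return "deprioritize"  # patch in place and the scanner does not contradict it
    return "investigate"       # known host, but no evidence either way


def correlate(alerts, patched, scan_found):
    """Collapse raw alerts into one ranked row per (host, vulnerability)."""
    counts = Counter((a["dst"], a["vuln"]) for a in alerts)
    rows = [(triage(h, v, patched, scan_found), h, v, n)
            for (h, v), n in counts.items()]
    return sorted(rows, key=lambda r: (RANK[r[0]], r[1], str(r[2])))


if __name__ == "__main__":
    for verdict, host, vuln, n in correlate(IDS_ALERTS, PATCHED, SCAN_FOUND):
        print(f"{verdict:<13}{host:<10}{str(vuln):<8}alerts={n}")
```

An alert is only pushed down when both sources agree; a host absent from the inventories or a signature with no vulnerability mapping stays in the queue for a person to look at.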