It’s the Most Wonderful Time of the Year
By Toby Weir-Jones, Vice President of Product Development, BT Counterpane
As the year winds down, IT managers look at their project plans for the past several months and evaluate which ones are finished. If you’re lucky, you’ve not only completed projects on time, but under-budget, and now you may have the delicious prospect of additional capital you can allocate to purchases that were culled during last year’s fiscal review.
The question is — what should you buy? Think of this piece as a simple buyer’s guide for the IT holiday season, and feel free to use it whether your fiscal year ends in just a few days, or not until the end of March 2011 or beyond.
Web Application Scanning (WAS): This is a technology you should explore if you haven’t tried it already. It’s not perfect, but it provides you with a lot more information than traditional vulnerability scanning, and it’s pretty straightforward to build internal processes your team can use to act on the results. If you’re going to go down this path, don’t overlook the need to build in formal feedback loops to the application developers as well. Ideally, you want management on both sides to agree to remediation targets – because WAS can help everybody do a better job at a reasonable cost.
Host IDS/IPS: Many vendors have sold products into companies where they end up collecting dust on the shelf. But with the renewed integration of endpoint protection technologies into the traditional kernel-oriented HIDS agents, these products are now genuinely powerful and useful. They not only add policy enforcement capabilities to operating systems that otherwise lack them, but they provide a logging and alerting vocabulary to describe what’s going on, a factor that will make your auditors and IT helpdesk people happy. They won’t spend nearly as much time chasing down vague alerts and otherwise trying to figure out what really happened; and the policy-oriented management tools offer a simple way to define and deploy policies across the enterprise.
Behavioral Analysis: This is more of a technique than a tool, but it’s something you should look for in any general security product category you’re investigating these days. The idea is pretty simple — build a statistical model of “normal” behavior, and then alert the user whenever actual behavior deviates from what’s expected. The better tools will also model your “deviant” behaviors and compare them to macro-level views of activity from elsewhere in the world, either in real-time (via a managed service model) or via a local library of problematic behavior patterns. You can apply this to anything that generates a consistent volume of activity messages characterizing device behavior or performance, and it’s a cheap and useful way to see how you’re doing compared to everyone else.
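To make the “model normal, alert on deviation” idea concrete, here is an added example (not BT Counterpane’s product code, and not from the original piece) that builds a baseline from a training window of activity counts and flags later observations that drift too far from it. The counts, the host name, the threshold of three standard deviations and the small “pattern library” of tags are all constructed for illustration.

```python
"""Baseline-and-deviation alerting over a stream of activity counts.

Added example, not BT Counterpane's product code. The counts below are
constructed sample data: one integer per five-minute interval, standing in
for something like outbound connections from a single host.
"""
import statistics
from dataclasses import dataclass


@dataclass
class Alert:
    index: int        # position in the monitored stream
    observed: float   # value that triggered the alert
    expected: float   # baseline mean the value was compared against
    zscore: float     # signed distance from the baseline, in sigmas
    pattern: str      # tag from the (constructed) library of deviant patterns


class BaselineModel:
    """Learns 'normal' from a training window, then scores new observations."""

    def __init__(self, threshold: float = 3.0, min_sigma: float = 1.0):
        self.threshold = threshold
        # Floor on sigma: a perfectly flat baseline would otherwise have
        # sigma == 0 and turn every one-unit blip into an infinite z-score.
        self.min_sigma = min_sigma
        self.mean = None
        self.sigma = None

    def fit(self, history):
        if len(history) < 2:
            raise ValueError("need at least two samples to build a baseline")
        self.mean = statistics.fmean(history)
        self.sigma = max(statistics.pstdev(history), self.min_sigma)
        return self

    def score(self, value):
        """Signed z-score of one observation against the learned baseline."""
        return (value - self.mean) / self.sigma

    def classify(self, value):
        """Map a deviant observation onto a constructed pattern library.

        Real products compare deviations against far richer catalogues; these
        three tags only illustrate the idea of naming what kind of deviation
        occurred, not just that one occurred.
        """
        if value == 0:
            return "silence"          # host stopped talking entirely
        if value > self.mean:
            return "burst"            # sudden surge above normal volume
        return "drop"                 # unusually quiet but not silent

    def detect(self, stream):
        alerts = []
        for i, value in enumerate(stream):
            z = self.score(value)
            if abs(z) >= self.threshold:
                alerts.append(Alert(i, value, round(self.mean, 2),
                                    round(z, 2), self.classify(value)))
        return alerts


# Constructed sample data: ten "quiet week" intervals to learn from, then a
# monitored stream containing one surge and one interval of total silence.
TRAINING_WINDOW = [40, 42, 38, 45, 41, 39, 44, 40, 43, 37]
MONITORED_STREAM = [41, 39, 120, 42, 0]


def find_anomalies(history=TRAINING_WINDOW, stream=MONITORED_STREAM,
                   threshold=3.0):
    """Fit on the history, return the alerts raised over the stream."""
    model = BaselineModel(threshold=threshold).fit(history)
    return model.detect(stream)


if __name__ == "__main__":
    for alert in find_anomalies():
        print(f"interval {alert.index}: observed={alert.observed} "
              f"expected~{alert.expected} z={alert.zscore} "
              f"pattern={alert.pattern}")
```

Both the surge (120 connections against a mean near 41) and the silent interval are reported, which is the point worth remembering when tuning such a tool: a device that suddenly goes quiet is as much a deviation from its model as one that gets loud, and a baseline that never varies needs a floor on its spread or it will page you for every single-unit change.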
Botnet and Malware Detection: The last item on the list has become important enough that not only IT but Finance and Legal have a vested interest in ensuring it’s done correctly. Any shrink-wrapped product that doesn’t have live updates to its blacklists is going to become a limitation fairly quickly, so look for vendors who maintain live data on the latest research, command and control hosts, and detection techniques. Make sure you get good, unambiguous reporting that highlights whether or not you have an infected node in your network, and how to confirm positively that you’ve cleaned it up. Finally, ensure you have suitable policies defined about when to notify those same Finance and Legal folks about botnet exposure on your company’s network.
BT extends best wishes to all our readers at SecureThinking – we hope you have a 2011 full of mitigated threats and proactive notifications! If you’d like to discuss particular vendors for any of the above solutions, please feel free to provide links in your comments!