home
NEWS       BLOGS       FORUMS       NEWSLETTERS       RESEARCH       EVENTS       DIGITAL LIBRARY       CAREERS  
Network Computing Network Computing Powered by InformationWeek Business Technology Network

IMMERSE YOURSELF:

SOA

  |

Data Center

  |

802.11n

  |

Data Privacy

  |		 APO  |

Virtualization

  |

NAC

  |

Security

  |

Network Mgmt

  |

Enterprise Apps

  |

Storage & Servers


Security
F E A T U R E  
Tactical Security 101

  January 23, 2003
  By Greg Shipley


TOC Issue TOC
Printer Print full article
Printer Print this page
Printer Download as PDF
E-Mail E-Mail this URL
Discuss Discuss this article
flame author Flame the author
 
  In this article
arrow
 Introduction
arrow
 Vulnerability Management
arrow
 Firewalls Get Hotter
arrow
 Control Issues
arrow
 Event Correlation
arrow
 HIP Hosts
arrow
 Technology Areas
arrow
 How We Got Here

You know information security is integral to IT operations and to business success. But infosec's role and resource levels are still up for debate. One thing is clear, though: Building a strong defense isn't cheap, so wise management of funding and resources is crucial.

We'd love to provide a definitive road map stating that Technology A should be chosen over Technology B, but each organization has its own challenges and dynamics. In "Secure to the Core" we painted the big picture. Here's advice on fine-tuning your plan.

ROI vs. Security

A key point of contention, especially in lean economic times, is the lack of clear ROI (return on investment) numbers attached to security efforts. A classic argument is that there is similarly no clear return on life insurance, but that doesn't stop most of us from buying it; still, attempting to formulate operational-security ROI may be a lost cause (see "Desperately Seeking the Security ROI," and "Security Fears Are Up, So Why Is Spending Down?").

Similar but more mature practice areas have adopted different measurement standards. For example, corporate security/financial fraud units frequently measure their effectiveness by comparing audited loss statistics to industry baselines. If their losses are greater than industry baselines, they are doing poorly; if losses are lower, they are performing above average. Although the infosec industry lacks such data, history and methodology, it's clear that smart spending can reduce losses--and, conversely, negligence can cost you big.

Getting a Game Plan

You have to create a security road map centered on policy definition and asset identification before making any major technology investments. Those lacking strong policies should consider hiring a consultant or jump-starting the effort with security-template tools like NetIQ's Vigilent Policy Center (see "Policy Management Hits the Web").

Once you've laid out the basics, determine how far you are from policy compliance and baselines, and where you come up short in terms of access control. Tactical technology solutions can help here, but only if applied in the right order, for the right reasons. For example, host-based intrusion-detection systems do little good if the hosts on which the HIDS agents reside are unpatched and open to compromise. The alarm rates will be constant and the hosts vulnerable, effectively rendering the HIDS worthless. In this scenario, money and time would be better spent solidifying patch management.

You probably face political and organizational challenges as well. For example, many organizations have learned that without antivirus systems, they'll chase faceless demons indefinitely. Antivirus becomes a "must have"--its operators are clear, and the decision on the technology is simple.

When considering firewalls and inline NIPS (network-intrusion-prevention system) products, however, roles and responsibilities come into play. An organization with a centralized operational security unit, for example, will probably have the IDS (which normally sits offline) and firewall administrators on the same team. So, the decision to implement an inline NIPS is a no-brainer.

However, if the NIPS administrators are part of an infosec unit outside IT, putting what would normally be a passive device (an IDS) into a production role (inline with the firewalls) may blur responsibilities. Who operates the NIPS? Who troubleshoots network outages? Do the security staffers lose control of the NIPS or gain control of the firewalls? Roles and responsibilities can become bigger factors than the technology.

Thus, before embarking on any major security technology purchase, organizations must ask a few basic questions:

• What asset does this technology protect?

• How effective is it?

• What's its operational impact?

• Do we have the resources to manage it?

• Will it work with, or against, other security controls?

Once assets are identified and these questions are answered, you can start to prioritize. Without a tiered defense strategy, organizations face few controls between critical digital assets and threats. Various security technologies are a must; the challenge becomes choosing and implementing them.

start top Introduction Vulnerability Management 





Ready to take that job and shove it?

Function:

Keyword(s):

State:
SPONSOR
RECENT JOB POSTINGS
CAREER NEWS
10 Search Engines You Don't Know About
Go beyond Google and get vertical. These specialized search sites will help you find the business information you need -- fast.

Yahoo Profits Fall 23%, Cuts 1,000 Jobs
Ari Balogh was named to the post of chief technology officer as the companys for a "realignment" of employees.

More articles from our career center










InformationWeek U.S. IT Salary Survey 2008
Salaries for business technology professionals are falling. Here's what you need to know in order to make good hiring decisions and personal career choices. Download Today
 
ROLLING RIGHT ALONG
Follow key Network Computing Reviews from conception to completion. This Week: Holistic APM.



Network Computing Reports Emerging Enterprise Podcast Series: Secrets to Success








TechSearch
Microsite of the Week


Powerful Information at Your Fingertips



InformationWeek Business Technology Network
InformationWeekInformationWeek 500InformationWeek 500 ConferenceInformationWeek AnalyticsInformationWeek CIO
InformationWeek EventsInformationWeek ReportsInformationWeek MagazinebMightyByte and SwitchDark Reading
Digital LibraryIntelligent EnterpriseInternet EvolutionNetwork ComputingNo JitterPlug Into The Cloud
space
Techweb Events Network
InteropVoiceConWeb 2.0 ExpoWeb 2.0 SummitEnterprise 2.0 ConferenceMobile Business ExpoSoftware ConferenceCSI - Computer Security Institute
Black HatGTECEnergy CampMashup CampStartup Camp
space
Light Reading Communications Network
Light ReadingLight Reading EuropeUnstrungLight Reading's Cable Digital NewsConstantinopleInternet EvolutionPyramid Research
Heavy ReadingLight Reading Live!Light Reading InsiderEthernet ExpoOptical ExpoTeleco TVTower Technology Summit
space
Financial Technology Network
Advanced TradingBank Systems & TechnologyInsurance & TechnologyWall Street & TechnologyAccelerating Wall StreetBank Systems & Technology Executive SummitBuyside Trading SummitInsurance & Technology Executive Summit
space
Microsoft Technology Network
MSDN MagazineTechNetThe Architecture Journal
space


App Infrastructure   |   Messaging & Collaboration   |   Network & Systems Mgmt   |   Network Infrastructure   |   Security  |   Storage & Servers   |   Wireless   |   Enterprise Apps
About Us  |  Contact Us  |  Site Map  |  Technology Marketing Solutions  |  Advertising Contacts  |   Briefing Centers
Copyright © 2008  United Business Media LLC  |  Privacy Statement  |  Terms of Service  |  Your California Privacy Rights