Cyber Security Institute

Tuesday, August 30, 2005

Integrating automated patch and vulnerability management into an enterprise-wide environment

This article explores the trends that are creating requirements for a strategic - rather than a tactical - approach to information security, patch and vulnerability management among public and private sector organizations.  It demonstrates how an integrated, automated and enterprise-wide strategy that uses best-of-breed security solutions can be most effectively integrated into the operations of organizations large and small.

Despite the headlines, the conferences and the stated objectives of many large public and private organizations, many executives still wrestle with how to effectively deploy security measures that protect the critical information assets underpinning their mission-critical operations. It is the position of this White Paper that the challenges many organizations face in markedly reducing the risk posture of their organizations stem from a tactical understanding of risk and vulnerability assessment, perimeter security, threat remediation including anti-spyware, patch management and other critical security activities.

Today, many organizations still treat each of these activities in a distinct and discrete manner, making it difficult to get a big picture understanding of their risk posture, inhibiting their ability to respond appropriately and cost-effectively to threats.

According to analysts at IDC, worldwide spending on information technology will grow at 6 percent a year through 2008 to reach 1.2 trillion dollars, up from 965 billion in 2004. That increase in spending is an explicit recognition of the role IT plays in helping organizations to achieve their strategic business objectives. However, it also represents a growing target of opportunity for those who wish to exploit our growing dependence on technology. This helps explain why in the United States alone the market for information security will grow at 19 percent a year through 2008, according to recent data from the Freedonia Group.

That is more than three times the rate of the global IT spend.

According to the Freedonia analysts, much of this growth will be driven by efforts to integrate security on an enterprise-wide basis.  It would seem that people are voting with their wallets, and acknowledging that security is indeed a strategic issue.

But is there truly a broad recognition of security’s strategic imperative? In the summer of 2004, a survey by the Conference Board revealed that almost 40 percent of respondents consider security an overhead activity that must be minimized.

The situation appears no better in the public sector. Agencies in the federal government continue to struggle with meeting the requirements of the Federal Information Security Management Act (FISMA). In early 2005, the Government Accounting Office (GAO), the investigative arm of Congress, concluded that poor information sharing and management was responsible for exposing homeland security to unacceptable levels of unnecessary risk.

The problem illustrated by the above points is not one of effort or discipline.

Millions of dollars are invested in security technology and hundreds of thousands of man hours are brought to bear on protecting critical information assets by IT and security personnel.

The problem, rather, is one of perspective.  In both cases, security measures appear to be treated as stand-alone activities that are divorced from the technologies, business processes and information assets they are meant to protect.

Security, in short, is treated by many organizations as an afterthought. According to PatchLink CEO Sean Moshir, “One of the greatest threats to enterprises today is that many—too many—organizations still consider security the lock they put on the door after the house gets built.” Blind, in the sense that it is difficult to get a clear, complete and accurate picture of an organization’s security posture. It is also costly.

According to recent research from Yankee Group, it can cost as much as $1 million to manually deploy a single patch in a 1,000-node network environment. The firm has documented an instance in which an organization spent $2 million to rush a patch in a telecommunications network that had 500,000 nodes. “It is the manual labor, the fixing of problems, the downtime for businesses while the patches are being deployed,” explains Phebe Waterfield, Senior Analyst, Security Practice, Yankee Group.

Waterfield confirms that many organizations remain highly reactive in their approach to patch management, and therefore have not developed automated and integrated strategies for making sure that the most current measures are in place within the enterprise to deal with known threats to their IT assets.  This contributes to a reactive and expensive approach to security that does not make progress toward the goal of reducing an organization’s risk posture.

Malicious hackers, authors of viruses and other sources of threats have become a major cost of doing business in the digital economy.  Their handiwork is now covered by the mainstream media as well as the business and technology press.  Their destructive impact on the economy is measured in the billions—if not trillions—of dollars.

We are seeing the rise of hybrid threats in which viruses are used as launching points for initiatives that are designed to gather sensitive corporate data and/or execute identity theft.  For instance, spam is being used for phishing (an online con in which a “fake” site is set up to attract victims and solicit sensitive information from end-users), at which point spyware/malware or viruses are planted on consumer computers, while simultaneously gathering information that makes it easier to hack into the networks of the organizations they are spoofing.

“Where once the hacker community may have been seen as kids playing games, today we see malicious activity that is profit driven in some cases, and guided by fanaticism in others,” notes Moshir.

According to PatchLink’s Moshir, an effective strategic response to these threats must consist of four basic elements. The data gathered by sensors and reporting tools should be presented in ways that are meaningful to the users who must make decisions based on that information. And the data must be standardized so that information from one security system makes sense to the rest of the organization.

Moshir emphatically states, “From a management standpoint, there must be clarity and transparency within and between all security systems.”

Lane is the founder and director of Cooper Research Associates.

Posted on 08/30