Cyber Security Institute

Thursday, October 14, 2010

Security’s Risk And Change Management Tools: Drawing A Picture Of Security Posture

It’s a question that business executives love to ask—and IT people hate to answer. “What’s our security status?”  If you’ve been around IT security for more than a week, then you know there’s no definitive, empirical way to answer that question.  Recently, however, some large enterprises have been getting a little closer to providing some metrics for security posture, using an emerging class of products that is coming into its own.  The technology category—championed by vendors with names such as AlgoSec, RedSeal, Skybox, and Tufin—has been variously referred to as “security risk management,” “security life cycle management,” “firewall configuration management,” and “security posture management” (SPOM), among other names.

At its heart, it refers to tools that track various changes made to an enterprise’s network defenses—principally firewall and router settings, as well as other security system data—and evaluates the potential impact of proposed changes.

SPOM (let’s use that term for now, since it’s the shortest and goodness knows we *need* another acronym) is sometimes referred to as the “preventative” side of security monitoring because it focuses on how enterprises are enforcing their security policies—and what might happen if they change those policies.  This separates SPOM from security information and event management (SIEM), which reports on security-related network activity after it occurs.

“SIEM is a useful tool, but although it’s been around for years, enterprises are finding that their risk is continuing to rise,” says Michelle Cobb, vice president of marketing at Skybox.  “It’s collecting data after the fact—after the horse is out of the barn… What we try to do is reduce the window of risk, reducing the possibility that a bad ‘event’ will occur in the first place.”

Unlike SIEM, SPOM enables an enterprise to set an acceptable level of risk and then tune its security systems and configurations to meet that requirement.

Steve Dauber, vice president of marketing at RedSeal Systems, compared the current evolution of security management systems to the evolution of network management systems a decade ago.

“First we had element management systems that collected data from individual devices,” he recalled.

“Then we had enterprise network management systems that collected all the data from the element management systems into a single console, which is basically what SIEM does.

“After that, we saw the development of correlation engines, change management, and service-level management, which allowed you to intelligently set specific service levels for critical applications and business services.

“SPOM is sort of the service-level management of security—but you’re using risk as the variable, rather than network performance or uptime.”

At the core of most SPOM systems is the task of firewall configuration, which is how most enterprises “tune” their level of risk.  Coordinating these policies and changes across a whole network of firewalls is no simple task, which is why Tufin’s products are designed to monitor changes in real time, according to Ruvi Kitov, CEO of Tufin.
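A toy evaluator of the kind described here, added to this post as an illustration (not code from AlgoSec, RedSeal, Skybox or Tufin): it diffs a current firewall rule set against a proposed one, scores the resulting posture against an acceptable-risk threshold, and refuses any wide-open allow rule outright. The rule format, the exposure weights and the threshold are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # source CIDR, or "any"
    dst: str     # destination CIDR, or "any"
    port: str    # TCP/UDP port, or "any"

# Assumed exposure weights: how much each wildcard widens an allow rule.
WEIGHTS = {"src": 3, "dst": 2, "port": 3}

def rule_risk(rule: Rule) -> int:
    """Risk contributed by one rule; deny rules contribute nothing."""
    if rule.action != "allow":
        return 0
    return sum(w for field, w in WEIGHTS.items() if getattr(rule, field) == "any")

def posture_risk(rules) -> int:
    """Aggregate risk of a rule set: the single 'security posture' number."""
    return sum(rule_risk(r) for r in rules)

def evaluate_change(current, proposed, max_risk: int) -> dict:
    """Diff two rule sets, score the proposed posture and decide approval."""
    added = sorted(set(proposed) - set(current))
    removed = sorted(set(current) - set(proposed))
    before, after = posture_risk(current), posture_risk(proposed)
    # An added allow rule that is wildcard on every field is never acceptable.
    wide_open = [r for r in added if rule_risk(r) == sum(WEIGHTS.values())]
    return {
        "added": added,
        "removed": removed,
        "risk_before": before,
        "risk_after": after,
        "wide_open": wide_open,
        "approved": after <= max_risk and not wide_open,
    }

# Constructed sample: the change exposes a web server on 443 and slips in any/any.
CURRENT = [
    Rule("allow", "10.0.0.0/8", "10.1.2.3/32", "443"),
    Rule("deny", "any", "any", "any"),
]
PROPOSED = CURRENT + [
    Rule("allow", "any", "10.1.2.3/32", "443"),
    Rule("allow", "any", "any", "any"),
]
if __name__ == "__main__":
    for key, value in evaluate_change(CURRENT, PROPOSED, max_risk=5).items():
        print(f"{key}: {value}")
```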

While the SPOM concept certainly sounds like an attractive one for enterprises that must manage policies and configurations across many firewalls and other security devices, the market for the technology remains nascent.  “I think the need for these products is real, but I suspect that many organizations are put off by the associated price tag,” says Andrew Hay, senior analyst for the enterprise security practice at the 451 Group consultancy.

SPOM technology is generally targeted at large enterprises, where collecting and analyzing configuration and management data from a variety of security devices can be daunting.  “Obviously, if you have hundreds of firewalls, that price is going to go up.  But when you compare it to the cost of a breach, which may be $200,000 or more on average, it’s a pretty good investment.”

RedSeal and Skybox tools are heavily used by operations staff, but they can also be used to create “dashboards” that allow top executives to monitor the enterprise’s security posture and evaluate potential risks.

“The vendors really should be leading with the compliance pitch,” he says.

Posted on 10/14