About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Friday, December 17, 2010

UTM - A Good Security Tool in the IT Toolbox

I have talked with a great many IT leaders in recent months, from small to large organizations, who all have security concerns on their minds.  I always express to many of them the great value of UTM technology.  I have had a Fortinet UTM device in the office here for several years, and have always been impressed with the capability of the device.

Unified Threat Management was originally designed to help protect the networks of small and medium sized businesses, but recently UTM firewalls have been expanding to corporate networks as well. The term UTM is used to describe network firewalls that contain many different features in 1 box.

Such features include e-mail spam filtering, an intrusion prevention system, anti-virus capability, internet filtering, and the functions of a traditional firewall. Basically, what this means is that a UTM firewall can perform the same functions in 1 box that would otherwise require 2 or 3 boxes.  In addition, a UTM device offers central management and web-based administration.

What are the benefits of UTM Firewalls?

1. The main benefit of Unified Threat Management is the fact that so many necessary functions are combined into one box. This reduces the complexity of the firewall system and saves businesses time and money.  In addition, complexity brings risk and opportunity for errors.

2. Since all the security features are in one device, you do not need to spend time figuring out how all your security devices work and then how they all work together. Once you understand how your UTM firewall works, you understand your entire security system.

3. Also, because the whole security system is in one device, there is much less to buy. In fact, the only thing that you have to buy is the UTM firewall. This significantly reduces the cost that needs to be spent on a security system.

4. Maintaining network security can often become complex and confusing, but when all the security features are combined into one system, it is easy to see how all the functions are integrated and how they work together. Also, because it is only one system coming from one vendor, training for the entire system also only comes from one vendor. This means that when you need help, there will only be one company you need to go to. This is much easier than having to contact three or four different companies if the system fails.

The ease that is created by Unified Threat Management as well as the time and money that the system saves makes it a worthwhile investment for any business. If you need to protect your network, get started with a UTM firewall today. 

Stay positive!

Scott Arnett
scott.arnett@charter.net

Friday, December 10, 2010

Security - Do you have inside threats?

I talk with many IT leaders over the course of a year, and everyone is focused on Firewalls, IDP, IDS, DLP, and the list goes on.  No one really talks about inside threats.  What about that risk?  When IT pros think of securing networks, they typically concern themselves with outside attacks and hackers. But the easier attack or hack is inside your office or a branch office. They also face threats from their employees, especially their internal staff. The threats can be intentional, from malicious employees, or accidental, when staff mistakenly leave sensitive information open and available to hackers.  And what about social engineering?  It is not just an outside attack.

New Threats

The majority of data breaches will involve outside criminals. Verizon’s 2010 Data Breach Investigations Report stated that 70% of breaches in 2009 were from outside criminals. The most surprising number is that insider threats reached 48% more, which is double what it was in 2008.  Some of that number overlaps, with people from both inside and outside the company involved.

The question becomes: how can IT Managers reduce the risk of insider threats? The best place to start is with your employees inside the IT department. Most IT staffers have the highest level of access and the technical knowledge of how to steal data.  In addition, some IT staff are overworked, underappreciated and feel negative towards their employer.

To protect against threats within the IT Staff, industry experts recommend the following best practices…

Enforce a Policy of least privilege

48% of the security breaches in the Verizon study involved the misuse of privileges by employees. Help limit the attack by giving them only the access that they need to do their job. That typically means assigning privileges individually, not based on employee groups.

Conduct thorough background check

Make sure your HR department is aware of the positions in your IT department that require access to critical and sensitive data. You can appropriately filter out candidates before they are hired.

Terminate Properly

In a recent survey by Cyber-Ark, 63% of IT staffers admitted they would steal passwords, financial reports and other sensitive information if they knew they were about to be fired. Disable account access right away if employees are going to be fired.

Watch for signs of a suspicious employee

Employees involved in cybercrime will often show signs such as absences from work, changes in work habits and a change in temperament.

Enforce your policies

A lax environment can convince some staffers that they can get away with fraud. Make sure you are enforcing all of your policies and that violations are dealt with appropriately.

Unknowing accomplices

Staffers and IT professionals might also put their company’s network at risk.  The Verizon study shows that cybercriminals are less reliant on malware to steal data. More often, they are gaining access with social engineering or by exploiting poorly configured networks.  In addition, some staff members can take equipment or company assets home and conduct attacks after hours.

Keep your staff informed….

Provide Training: Watch for hackers’ latest tactics for tricking staffers into providing sensitive data or access credentials. Most IT Pros should know better, but you still need to remind them from time to time.

Conduct Audits:

This can help detect potential fraud and catch holes that IT staffers may have overlooked. Encourage Staff to Report Problems so they can be addressed and fixed.

Keep in mind the human side of the environment.  Employees who are happy at work and feel fairly compensated, rewarded, and appreciated are less likely to do harm to the company.  They feel part of the overall success and appreciate the financial rewards of their hard work and dedication.

Keep positive!

Scott Arnett
scott.arnett@charter.net

Thursday, November 18, 2010

You a top dog leader?

So you say you are a good boss?  Really?  What makes a good boss?  Many things out there to rate what you shouldn't do, what about what should you do?

As we discovered in being a leader, bosses aren’t usually aware that they are bad bosses. The fact is that nobody wants to believe they’re the problem. Nevertheless, there’s a bell curve for all things involving people, which means there are few really bad bosses, few really good bosses, and most of you fall somewhere in the middle.

To me that says, for the vast majority of you, there’s lots of room for improvement. Including myself. So if you’re not exhibiting any of the 7 Signs of a bad boss, that’s great; pat yourself on the back. Still, if you really want to up your management game, maybe even vault into the executive or ownership ranks someday, you’d better start doing at least a few of these 10 Things That Good Bosses Do.

Incidentally, this isn’t from some academic study. These are real attributes of real bosses, culled from decades of observation, which motivate and inspire employees to perform at their best.  Including some of my own real life experiences.

Top 10 Things that make a top dog boss -

1: Pay people what they’re worth, not what you can get away with. What you lose in expense you gain back several fold in performance.

2: Take the time to share your experiences and insights.  Labels like mentor and coach are overused. Let’s be specific here. Employees learn from those generous enough to share their experiences and insights. They don’t need a best friend or a shoulder to cry on.

3: Tell it to employees straight, even when it’s bad news. To me, the single most important thing any boss can do is to man up and tell it to people straight. No BS, no sugarcoating, especially when it’s bad news or corrective feedback. People can see through the smoke and you just damage the relationship long term.

4: Manage up… effectively. Good bosses keep management off employees’ backs. Most people don’t get this, but the most important aspect of that is giving management what they need to do their jobs. That’s what keeps management away.

5: Take the heat and share the praise. It takes courage to take the heat and humility to share the praise. That comes naturally to great bosses; the rest of us have to pick it up as we go. Pat them on the back, shake a hand, say thank you. 

6: Delegate responsibility, not tasks. Every boss delegates, but the crappy ones think that means dumping tasks they hate on workers — i.e., s**t rolls downhill. Good bosses delegate responsibility and hold people accountable. That’s fulfilling and fosters professional growth.  Don't be afraid to roll up your sleeves and help out during crunch time.  Even if your role is taking out the trash or getting food for your staff - it goes a long way.

7: Encourage employees to hone their natural abilities and challenge them to overcome their issues. That’s called getting people to perform at their best.

8: Build team spirit. As we learned before, great groups outperform great individuals. And great leaders build great teams. Celebrate team wins!

9: Treat employees the way they deserve to be treated. You always hear people say they deserve respect and to be treated as equals. Well, some may not want to hear this, but a) respect must be earned and b) most workers are not their boss’s equals.

10: Inspire your people. All the above motivate people, but few bosses have the ability to truly inspire their employees. How? By sharing their passion for the business. By knowing just what to say and do at just the right time to take the edge off or turn a tough situation around. Genuine anecdotes help a lot. So does a good sense of humor.

How do you rate? All this adds up to an environment where people feel appreciated, recognized, challenged, and appropriately compensated. So what do you think? How do you measure up on the good boss scale?

Keep positive!

Scott Arnett
scott.arnett@charter.net

Thursday, November 11, 2010

Veterans Day

Veterans Day is a time to reflect on the many contributions our veterans have made -- and the sacrifices that go along with it. The men and women who choose to serve in our Armed Forces are doing something truly extraordinary.

This year I lost a friend in the Armed Forces; how tough that is, but more so how proud we are of him.  My grandfathers and father served in the Armed Forces, and I take the time today to reflect upon their sacrifices and many contributions.

Whether we agree with the wars, or the politics around them or not, we respect those that serve.  We go to the graveside of the fallen with respect, reverence and leave our agenda, politics and views at the gate.  This is no place for protest, or religious views or rants.  This is sacred ground.

“Grant me the Serenity to accept the things I can not change, Courage to change the things I can, and Wisdom to know the difference.” – Dr. Reinhold Niebuhr (excerpt from the Serenity Prayer)


Today my friends, we honor those that wear the uniform and show our thanks, gratitude and respect.

Scott Arnett
scott.arnett@charter.net

Wednesday, November 10, 2010

Good Old Days

I was talking the other day to a colleague, one whom I have known over 20 years, and of course we took a walk down memory lane.  Remember when IT was fun, we did this, or had to do that.  But the conversation came back around to what did happen to the IT profession.  Has the IT field changed as much as the technology itself?  Why are the jobs going offshore, why doesn't the business understand, and the conversation quickly takes a turn. 

IT jobs have gone offshore to balance a budget and make the numbers look good, regardless of quality or the rework that has to take place.  In addition, the move is made blind to the security risks and data leaks.  Furthermore, IT has become very process heavy - are we killing our ability to provide an agile, fast moving, responsive organization?  We want controls in place to protect the organization from unplanned outages, and to show structure, but has it gone over the top?

IT seems to be this animal that top management can't figure out how to manage or understand.  Some take the easy route and say we will just outsource the entire organization.  For many, that has become a disaster, and now they have to bring it back inside.  What is needed is a strong CIO at the table with the CEO and CFO, acting as a business partner.  Having IT report up through finance or operations usually does not lend itself to high success in the organization.  It is time to take a step back and look at how this key business partner is engaged in delivering business capabilities to the business.

IT technology has changed over the years, dramatically, but so has the profession.  New skills are needed, new processes, new management styles.  We have to change to align with the technology, the business, and the change in culture.

The old IT guys can change, bring your wisdom with you, your battle scars, and always strive to understand first, act second.  There is the ability to teach an old dog new tricks!

Keep positive

Scott Arnett
scott.arnett@charter.net

Tuesday, October 19, 2010

Change Management

I read an interesting article this past week on how some of the IT "Leaders" are saying ITIL has seen its prime and is on a downward spiral.  Really?  The organizations that have embraced ITIL and found value - probably would not agree.  Yes, there are those organizations that took on ITIL and failed - but that was the approach, not the methodology nor the value it brings when done properly.

I have talked a few times on my blog about Change Management.  If you do any ITIL - start and maintain Change Management. If you don't track your changes, then your incident response has to include finding out what changed - right?  Having a managed and structured environment really ensures your environment can quickly respond in the event something happens.  Planned or unplanned - have documentation.

Change Management:
  • Want to manage risks to the organization
  • Reduce risk to a level acceptable to management
  • Need to also enable the organization by quickly responding to changes
  • Need to design the process accordingly
  • Have a solid process
Have a great change advisory board, have full participation and do it right!  Check back again this week for my thoughts on Emergency Change.

Scott Arnett
scott.arnett@charter.net


 

Tuesday, October 5, 2010

Cisco MARS: Worth the price?

Looking for that enterprise wide management tool for your network hardware?  Think Cisco MARS is the answer?  In November of 2009, Cisco Systems Inc. announced that its MARS security information and event management (SIEM) product would no longer support integration with third-party products. As such, should enterprises still consider MARS when looking at SIEM products, or is the vendor lock-in too high a price to pay?

What value does MARS bring now that other tools can't?  I remember looking at the MARS product in early 2000; it fell short of expectations then, so where is it now?  First, a little background: What is MARS? Quoting from Cisco's Frequently Asked Questions (FAQ), the vendor's Security Monitoring, Analysis and Response System, or MARS for short, is an "appliance-based, all-inclusive solution that allows network and security administration to monitor, identify, isolate and counter security threats." Basically, MARS is Cisco's attempt at a unified security monitoring and mitigation platform that allows the appliances within Cisco's security product portfolio to interact with each other and effectively address security threats in a timely manner (sometimes in real time).

Cisco MARS belongs to a family of products that has its roots in log management. A traditional log management platform attempts to provide a central repository for collecting events from servers, firewalls, switches, routers and even Web services. Most log management platforms come with a pretty robust parsing engine with some ability to trigger alerts on preset search signatures. These search signatures are highly customizable, providing extensive regular expression matching. To give you an example, search signatures could be set up to trigger alerts when accounts are created or deleted on systems, device configurations are modified or system failures take place, among others. This provides a pretty effective way to track down system or security events. These platforms also come with preconfigured alert packages that help organizations address compliance requirements like PCI DSS.  Wait a minute - doesn't it let me configure switches or do a mass IOS update?

How is MARS different? MARS is a SIEM product, and, like other SIEM products, it offers baseline log management features and extends to provide intelligent threat analysis and threat mitigation capabilities on security events received from a wide variety of sources. It might be easier to understand where MARS fits into the enterprise by running through an example. Since a Cisco product is our focus, I have kept this example Cisco-centric.

Let's say Company A likes to stay informed on the latest security threats and has a robust security infrastructure to provide it visibility into various parts of its network. Company A has deployed a firewall with an inline intrusion prevention (IPS) module, and has also deployed a Web security gateway to provide traditional URL and reputation filtering with malware intelligence. This architecture is augmented by an endpoint security product that combines a host-based IPS with acceptable use policy enforcement and traditional antivirus protection. To disallow unauthorized systems from connecting to its network, the company also employs a network access control (NAC) system. Finally, Company A also hosts an ecommerce platform at a service provider.  But what about my non-Cisco UTM products I have at the edge?

As you can see, Company A likes to keep on top of security with point products addressing security at multiple levels. But having all these point products makes it difficult -- if not impossible -- to manage, monitor and mitigate security risks in a timely manner. In other words, Company A has rightly implemented a multi-layered security strategy, but the effectiveness and timeliness of its risk mitigation capabilities would be compromised by the sheer number of devices providing information. But by adding a SIEM product to the mix, Company A can use intelligent correlation to take the alerts and data from each of the point products that the company has in place, aggregate and normalize them to remove repeat entries (damping), and then apply built-in security rules to identify threats and effectively mitigate them. The last action -- the actual application of the rules -- is the most critical step to successfully identifying a security threat.
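The signature matching, normalization, damping and rule steps described above can be sketched in a few lines. This is an added example, not code from the original post or from Cisco MARS; the log layout, device names, signature names and the correlation rule are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a made-up "timestamp device message" layout.
RAW_LOGS = """\
2010-10-05T09:00:01 fw01 DENY src=10.1.1.50 dst=10.2.0.10 dport=445
2010-10-05T09:00:02 fw01 DENY src=10.1.1.50 dst=10.2.0.10 dport=445
2010-10-05T09:00:04 fw01 DENY src=10.1.1.50 dst=10.2.0.10 dport=445
2010-10-05T09:00:30 ips01 ALERT sig=smb-probe src=10.1.1.50 dst=10.2.0.10
2010-10-05T09:02:10 srv07 account created user=svc_tmp src=10.1.1.50
2010-10-05T09:03:00 sw02 configuration modified by admin src=10.1.9.9
2010-10-05T11:00:00 fw01 DENY src=10.3.3.3 dst=10.2.0.10 dport=23
""".splitlines()

# Search signatures of the kind the post lists (account and config changes),
# plus two hypothetical ones for firewall and IPS output.
SIGNATURES = {
    "account_change": re.compile(r"account (created|deleted)"),
    "config_change": re.compile(r"configuration modified"),
    "fw_deny": re.compile(r"\bDENY\b"),
    "ips_alert": re.compile(r"\bALERT\b"),
}
SRC = re.compile(r"src=(\d+\.\d+\.\d+\.\d+)")

def normalize(line):
    """Turn one raw line into a common event record, or None if nothing matches."""
    ts, device, msg = line.split(" ", 2)
    kind = next((k for k, rx in SIGNATURES.items() if rx.search(msg)), None)
    src = SRC.search(msg)
    if kind is None or src is None:
        return None
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "kind": kind, "src": src.group(1), "count": 1}

def damp(events, window=timedelta(seconds=60)):
    """Collapse repeats of (device, kind, src) within `window` of the first one."""
    out, last = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["device"], ev["kind"], ev["src"])
        prev = last.get(key)
        if prev and ev["ts"] - prev["ts"] <= window:
            prev["count"] += 1          # keep one record, remember how many
        else:
            last[key] = ev
            out.append(ev)
    return out

def correlate(events, window=timedelta(minutes=5), min_devices=2):
    """Rule: one source reported by >= min_devices distinct devices within window."""
    incidents = {}
    for ev in events:
        near = [e for e in events if e["src"] == ev["src"]
                and abs(e["ts"] - ev["ts"]) <= window]
        if len({e["device"] for e in near}) >= min_devices:
            incidents.setdefault(ev["src"], set()).update(e["kind"] for e in near)
    return {src: sorted(kinds) for src, kinds in incidents.items()}

def run(lines=RAW_LOGS):
    damped = damp([e for e in map(normalize, lines) if e])
    return damped, correlate(damped)

if __name__ == "__main__":
    print(run())
```

Each point product alone reports something unremarkable here; only the rule that joins the firewall, IPS and server records on the same source raises an incident, which is why a SIEM that cannot read one of those sources loses the correlation.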

Now that we've discussed the security function that SIEM tools like Cisco's MARS provide, the question emerges: How crucial is third-party interoperability? The answer: very. As the point of SIEM technologies is to be able to correlate data from a variety of sources, a SIEM's inability to talk to some or any of those sources renders it marginally useful at best, and marginally useful is not reason enough to spend a significant amount of money on a SIEM. 

Given the change in Cisco's direction on the product, and that most enterprises are not Cisco 100%, it is no longer a good fit, nor worth the money.  I can think of better products that are enterprise wide and bring in all my vendor products and give me a holistic view.  Sorry Cisco - you missed the boat on this one!

Scott Arnett
scott.arnett@charter.net