Re-Thinking Security Management

2:15 PM -- Many, many companies have sought to conquer the security management leviathan. The task at times appears insurmountable. There are at least a dozen paths to security management nirvana. They include device management; identity and access management; risk management; vulnerability management; asset management; security event management (SEM); and patch management. And, of course, there is the manager of managers (MOM) concept to bind them all together.

The very first question I ever fielded as an industry analyst came from a banking network based in Chile that handled most of the inter-bank traffic for South America. The security personnel I met with wanted metrics to demonstrate to their board and bank customers throughout South America that they had security and were improving. The only example they could point to was their anti-virus product that reported how many viruses it blocked every day.

Security metrics are key to security management and required if the goal is to reduce an organization’s risk exposure.

But another aspect of security that desperately needed management was intrusion detection. The millions of alerts, mostly false positives, that spewed from IDS sensors gave rise to the security event management (SEM) space. Tools provided by Arcsight, eSecurity (now Novell), GraniteEdge Networks, Intellitactics, MicroMuse, Netforensics, OpenService, Sensage, and Tenable all got their start in collection and rationalization of security alerts. Unfortunately SEM does not make an enterprise more secure. Having realized the futility of managing events, SEM vendors have shifted their message to risk management and incorporating asset value and network topology into their products.

Meanwhile the two proactive industry segments, vulnerability management and patch management, have been making significant progress. The patch management space is represented by Altiris, Bigfix, BlueLane, Patchlink, and don’t forget Microsoft. IT-Harvest tracks 25 vendors in vulnerability management. They include scanning services such as Beyond Security, Edgeos, and Qualys, and product vendors such as McAfee (Foundstone), eEye, nCircle, and Tenable. The patch management and vulnerability management vendors have done more to secure the enterprise and reduce exposure to risk in the last two years than the IDS and SEM segments have done in the preceding twelve years.

And finally, with the addition of metrics tools, enterprises can quantify and therefore improve their security posture. To my mind, the birth of the concept of using metrics, a weighted score based on vulnerabilities, asset value, and network position, was originated at nCircle under Tim Keanini, their eclectically brilliant CTO.

Now other vendors are beginning to develop security management solutions that pull it all together. SkyBox pulls data from multiple SEM devices, as well as network topology, to create a view of the network and exposures that can be managed to reduce overall risk. Perhaps the most visionary new company is RedSeal. Not only do they pull in vulnerability data and device configuration data from routers, switches, and firewalls, but their product collects Netflow data to build a real-time model of a network and its risk exposure.

These advances are very promising. Security management, as represented by these new technologies, is finally coming of age.

— Richard Stiennon is founder of IT-Harvest Inc. Special to Dark Reading