Our security team has funding to augment application security this budget cycle, and we’re considering technologies such as application whitelisting, next-generation/application firewalls and application activity monitoring. However, we likely can get only one new product implementation approved. Can you tell us what you might recommend for certain scenarios?
Delivering network and application security on a tight budget is always a compromise, so you’re right to consider your options carefully.
Your most critical assets obviously take priority. Classify your applications and the data they handle, then rank them in order of importance. You can use threat modeling to identify and evaluate the risks to your applications, then take the top three critical risks and decide how best to remediate them. The technology you choose will depend on the objectives and requirements of your security policy, and on the relevant laws and regulations.
Of the types of application security tools you’re considering, application whitelisting provides the greatest level of control over end-user systems. Essentially, whitelisting is a default-deny model, the opposite of the antivirus model of default-allow. While the general concept is quite simple – only approved applications are allowed to run – it can be difficult to get users to accept that their PCs and tablets have been locked down. Any product considered must have the capability to automate the exception-management process and to automate list management.
If the thought of telling your boss his favorite app isn’t on the whitelist gives you heartburn, then an application firewall can provide protection against common as well as emerging threats. You may even have the necessary capabilities in your existing firewall. Some large firewall vendors offer Web application layer protection as an add-on module, greatly reducing the cost and effort of managing a separate firewall. Installing an application firewall is one thing; proactively managing it 24x7 is another. Ensure your administrators have the ability and time to deal with alerts and log reviews. If your staff already has the skills to tune and manage an application firewall, these additional costs may only be incremental.
Application activity monitoring requires a log management product that pulls all log information into one place and compares entries from various sources to provide a holistic view of all application activity. The volume of log information in most organizations makes manual log analysis impractical, so automated log management is essential to help with the process of aggregating, correlating and reacting to information captured in logs across an enterprise. With the visibility it provides, you can proactively address potential weaknesses and react more efficiently to security incidents.
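As an added illustration of the correlation step described above (example code, not from the original column or any particular product), the following Python normalises two constructed log sources in different formats into one event stream and then flags a host application-control block that follows repeated failed logins by the same user from the same address. The log lines, field names and the five-minute window are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample logs (not from the article): a web application log and a
# host application-control log, deliberately in two different formats.
APP_LOG = """\
2011-11-02T09:14:01Z app=portal src=10.0.0.7 user=jdoe event=login_failed
2011-11-02T09:14:09Z app=portal src=10.0.0.7 user=jdoe event=login_failed
2011-11-02T09:14:30Z app=portal src=10.0.0.7 user=jdoe event=login_ok
2011-11-02T10:02:11Z app=portal src=10.0.0.9 user=asmith event=login_ok
"""
HOST_LOG = """\
Nov 02 09:15:02 ws-07 appctl: BLOCKED host=10.0.0.7 user=jdoe exe=C:\\Temp\\update.exe
Nov 02 10:05:40 ws-09 appctl: ALLOWED host=10.0.0.9 user=asmith exe=C:\\Windows\\notepad.exe
"""
HOST_RE = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d) \S+ appctl: (\w+) host=(\S+) user=(\S+) exe=(.+)$")

def parse_app_log(text):
    """Normalise key=value application log lines into common event dicts."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, rest = line.split(" ", 1)
        f = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": "app",
                       "src": f["src"], "user": f["user"], "event": f["event"]})
    return events

def parse_host_log(text, year=2011):
    """Normalise syslog-style host log lines (no year in the timestamp) the same way."""
    events = []
    for m in filter(None, map(HOST_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "source": "host", "src": m.group(3), "user": m.group(4),
                       "event": m.group(2).lower(), "exe": m.group(5)})
    return events

def correlate(events, window=timedelta(minutes=5), min_failures=2):
    """Flag a blocked executable when the same user from the same address had at
    least min_failures failed application logins in the preceding window."""
    findings = []
    for e in events:
        if e["source"] != "host" or e["event"] != "blocked":
            continue
        prior = [p for p in events
                 if p["source"] == "app" and p["event"] == "login_failed"
                 and p["src"] == e["src"] and p["user"] == e["user"]
                 and e["ts"] - window <= p["ts"] <= e["ts"]]
        if len(prior) >= min_failures:
            findings.append((e["user"], e["src"], e["exe"], len(prior)))
    return findings
```

Neither log on its own is alarming; only the combined view ties the blocked executable on ws-07 to the failed portal logins a minute earlier.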
An alternative to a patchwork of individual single-function point devices, all creating their own logs, is a unified threat management (UTM) device. It delivers a fundamentally simpler network security infrastructure, as its various services are designed to work together and be managed from a centralized console. This saves time, money and people, making UTM a cost-effective option with lower day-to-day running costs. The reduced number of physical devices on your network also reduces the number of vendors you have to deal with, so you don’t need an IT department with multiple skill sets to deploy, manage and update different products from different vendors. With multiple products, avoiding conflicting or incomplete rule sets caused by misunderstandings about which product handles which threat is a time-consuming task, even for competent administrators.
The downside of relying solely on a UTM is that it introduces a single point of failure, and with all the tasks a UTM has to handle, network performance and scalability are legitimate concerns, too, especially in large enterprises. Also, if your preferred UTM doesn’t have all the features needed to fulfill your security policy requirements, you’re going to have to invest in additional devices anyway. Besides, you may already have excellent antimalware gateways, so why duplicate them with a UTM?
Whichever type of application security software or device you choose, get evaluation copies of potential products and deploy them in a test environment. Only shortlist those that meet or exceed your short- and medium-term requirements. Also, make sure the product doesn’t cost more than the value of the assets that need protecting and the expected costs of a breach.
This was first published in November 2011