A few months ago, we surveyed Information Security readers about the features and improvements they'd most like to see in security products. Their "wish lists" covered major security categories such as threat management (IDS, IPS, anomaly detection, SIMs) and vulnerability management (VA scanning, patch, configuration and change).
Three themes emerged: integration, correlation and reporting/visualization.
Security pros said they want tighter integration of technologies into a single system, as well as correlation of threats to system vulnerabilities and asset value. They also want better integration of threat/VM systems into core network/platform management systems, such as Hewlett-Packard's OpenView. And, they want to visualize and report on security posture at any given point in time.
The themes of tight integration and simplified management highlight a fundamental shift for security in the organization. The focus on integration speaks to the need to make security more intuitive and easier to manage by non-security specialists. The focus on correlation and visualization stems from the desire to create security context--to understand threats and vulnerabilities, not as discrete events but as potential risks to business assets.
Security pros are asking for an "integrated security defense system," or ISDS, in an attempt to automate what is often the disjointed and incomplete manual process of IT risk management. ISDS is really about glue; in most organizations, the only glue between threats, vulnerabilities and remediation are the admins running these systems as separate tool sets.
The push for integration and correlation is not lost on security vendors, many of whom are rolling out ISDS-flavored products. Symantec, Fortinet, WatchGuard, Juniper, Cisco, SonicWALL, ISS and others are pushing multifunction "unified threat management" boxes. nCircle, Sourcefire and Tenebril are doing "target-based IDS," which correlates threats and vulnerabilities.
This is all great, except that 99 percent of organizations are ill-equipped to handle the demands of this type of automated risk management. For one thing, security owns less and less of the network's core security operations.
In the Information Security survey, nearly three out of four security pros said IT security is being addressed more by core networking devices and OS/platforms, and the staff who manage them. Firewalls and IDSes are run by the network group. Patch is done by the server or desktop group.
For a true ISDS system to work, those groups will have to march to the beat of security's drum. As the Brits would say, not bloody likely.
Another obstacle is that no vendor is tackling the whole enchilada of ISDS. The technology, the protocols--the glue--simply isn't there yet.
Many vendors are doing interesting work within sub-segments of ISDS and primarily threat/vulnerability correlation, but none has fully integrated or automated the core phases of the detect-assess-respond process.
ISDS is an interesting trend to watch. Let me know your thoughts on the issue of correlation and integration, and how close your organization is to automating aspects of risk management.
Welcome Kelley Damore
I'm excited to announce the appointment of Kelley Damore as Information Security's editor-in-chief. She brings more than two decades of editorial leadership at PC Week, InfoWorld and Computer Reseller News (CRN), where she was editor-in-chief. Her column will appear in this space next month.