Network admin Doug Porter has conducted enough budget presentations to know that upper management types tune out when it comes to slides about spyware scanners, content filters and the growing sophistication of online criminals.
His chances of getting badly needed intrusion defense resources always improve, however, when he talks to the top brass about inconveniences, like the spam clogging their e-mail queues.
"To company management, intrusion defense means blocking unwanted commercial e-mail like pharmacy ads, porn and gambling Web sites," said Porter, systems analyst for Apex Microtechnology Corp. in Tucson, Ariz., which has 95 employees, 100 Windows-based desktop computers and 15 servers. Fighting back other malware though requires more than the basics.
"Because we have AV, there's the assumption that we are fully protected from malware," he said. "I couldn't sell a purchase to management by explaining technically what the product does to block embedded HTML attacks. I have to sell it as eliminating things that are annoying, like spam."
While Porter has found a successful approach, upper management support is an obstacle to ironclad intrusion defense for about half of the 307 IT professionals who responded to a February SearchSecurity.com survey regarding their intrusion defense programs.
Among the more practical headaches respondents cited were a lack of executive backing, tight budgets and user awareness problems. On the more technical side, respondents said they struggle with security devices that register too many false positives and network activity logs that are difficult to process in real time.
The problems of culture and cash
Asked about the non-technical obstacles that get in the way of intrusion defense, 50% said upper management support is either a problem or a significant problem. A lack of employee training was an obstacle for 56% of respondents, and the vast majority -- 71% -- said cash constraints are either a problem or a significant problem.
"The problem with security is that it costs a lot and the hard return-on-investment (ROI) is almost impossible to prove," said Dave Bixler, CISO for Siemens Business Services Inc., a subsidiary of Munich-based Siemens AG. He noted that when the MSBlast worm struck a few years ago, "all our customers were down but we were not affected. We successfully skated over that simply by making sure everything was patched."
He said the flip side of that kind of success comes when it's time to lobby the company's financial officer for a new device. "I tell them I want to deploy an anomaly-based intrusion detection system (IDS) in the internal network to catch the 1% of what the signature-based IDS won't catch," he said. "Then the funding guy says, 'But that's never been a problem before.'"
Employees need training
When asked about vendor confusion and ambiguity, 35% of those surveyed said it's not a problem; 38% said it's a problem and nearly 10% said it's a significant problem. When it comes to employee training, more than a third said it's not a problem; 37% said it's a problem and about 18% said it's a significant problem.
Jeffrey Wilson, operations manager for the Albany, N.Y.-based Times Union newspaper, counted himself among those confronted with user ignorance. In his enterprise of 500 employees and 400 Windows-based workstations, he said the level of security awareness varies widely at every level -- upper management, lower-level workers and even among some IT staffers.
"One thing we're doing now is designing a security awareness program that will be for everyone, though managers will be a focus," he said. Workers at his newspaper hold two things sacred: protecting First Amendment rights and getting the paper out on time. In that environment, security isn't foremost on people's minds.
And when the newsroom is trying to get its hands on photos that may come by way of an e-mail or Web site, few worry about whether malicious code is lurking within.
But for Wilson, his biggest obstacles are technical. Specifically, he said it's difficult to get a clear picture of what's happening on the network in real time. Last year, the newspaper suffered disruptions during the Zotob attack that targeted last year's Microsoft Windows Plug and Play vulnerability.
If his team had had a clearer picture of what was happening on the network, he said, "We could have dealt with Zotob more quickly."
The IT department has implemented some procedures and tools that have improved security since then, but Wilson said it's an ongoing challenge to quickly analyze network traffic in a meaningful way.
"I want a better way to find unpatched machines or machines with outdated AV," he said. "I want to find them more quickly and kick them off the network" before something bad can happen.
Indeed, 70% of SearchSecurity.com survey respondents said one of the biggest technological obstacles to intrusion defense is that it's hard to separate sinister network activity from legitimate traffic. Managing activity logs generated by different devices on the network was reported to be a challenge for 60% of respondents.
When asked about other technological challenges, nearly 35% of respondents said the reactive nature of signature-based AV, antispyware and IDS is not a problem. But about 45% said it is a problem and more than 7% said it's a significant problem.
Less than 18% said they have no problem separating legitimate traffic from malicious traffic without false positives or negatives. But nearly 53% said it is a problem and 17% said it's a significant problem.
Defining spyware and adware isn't a problem for 31% of respondents, but nearly 45% said it is a problem and almost 12% said it's a significant problem. Finally, managing logs is no problem for close to 29%, but 38% said it's a challenge and about 21% say it's a significant challenge.
Intercepting malicious activity is an imperative for Jeffrey Baroli, IT Infrastructure bureau chief for the Idaho Department of Health and Welfare. His organization handles a lot of sensitive health data and is bound by the rules of HIPAA and other health industry standards.
Protecting the data and abiding by regulations is all the more difficult when your security tools spit back false positives or negatives.
"We tried some real-time intrusion defense software internally and it didn't work," he said. "Our analysts were spending more time separating false positives from intrusions and we weren't getting much else done."
His department has found more success using the security management tool from San Jose, Calif.-based NetIQ Corp. and Phoenix-based NetPro Computing Inc.'s ChangeAuditor for Active Directory. The latter tool helps pinpoint changes across all elements of Active Directory, including group policy, domain name system (DNS) schema and other elements in real time.
Despite these improvements, he said there is no magic potion for conjuring up flawless intrusion defense.
"In a perfect world, if I had the perfect intrusion defense device there would be no false positives," Baroli said. "It would tell me the who, the what and the when and it would give me all the auditing the auditors want in a report that isn't in geek speak.
I'm not sure we'll ever get there," he added, "but it would be a glorious thing."