NATIONAL HARBOR, Md. – Secure Web gateways offer many different features to protect enterprises from Web-borne threats, but one CISO says a successful implementation depends on isolating the one feature that matters most.
At Gartner Inc.'s Security and Risk Management Summit this week, Logan Kleier, chief information security officer for the city of Portland, Ore., discussed his organization's secure Web gateway selection and implementation. He said every secure Web gateway product has a unique set of core competencies, and above all else, a customer must identify its must-have feature and ensure the product it chooses is built around that feature.
"If you don't know what the most important thing to you is, you're going to struggle," Kleier said.
For Kleier, the key feature was bidirectional malware filtering. It was critical not only to make sure malware wasn't sneaking in via the Web where its endpoint protection suite and intrusion prevention system (IPS) couldn't defend, but also that it wasn't spreading outbound malware, which the city's iterative product testing efforts revealed.
"You think you know everything about your infrastructure and then you start testing and you realize you don't," Kleier said.
Its product-selection process began with a list of 12-13 vendors. It culled the list down to five with the help of Gartner's Magic Quadrant for secure Web gateways. Next it ran various malware samples through the products, and used a scoring methodology to assess the results and identify three finalists. The remaining appliances were then placed in-line on its network for four to six weeks to develop a real-world baseline of how they protected the city's infrastructure.
Perhaps the most surprising part about the whole process, Kleier said, was when he began calling the customer references supplied by the vendors.
"We got so many mediocre references," Kleier said. "It's almost as if vendors don't expect people to call them. We got more than one person who said if they had to do it again, they'd do it with another vendor. That's kind of scary."
Kleier highly recommended pressuring vendors to provide customer references, and speaking with them on non-mediated phone calls. That was some of the most valuable info, he added, because it's the best way to make sure a product can be used successfully to solve specific problems. Plus, Kleier said, if a vendor-supplied reference offers negative feedback, it should serve as strong validation to reconsider whether a particular vendor is a viable choice.
In the end, the city of Portland chose a secure Web gateway from Mi5 Networks, which was later purchased by Symantec Corp. Kleier projects that the total cost for hardware and software over a three-year period will be $212,000. He said the acquisition has largely been a non-issue, as Symantec has a lot of experience with acquisitions and so far has done a good job keeping Mi5's key technologists on board.
Still, Kleier said it took many months of discussions to convince the city's CIO that its IPS alone wasn't enough, and that a secure Web gateway offers different protections. An IPS, he said, defends against SQL injection, for instance, but its product couldn't perform informed content filtering or bidirectional malware filtering.
He indicated it was a trying series of discussions, despite the CIO's background in security, and advised attendees to spend plenty of time preparing if and when they need to make the case for a secure Web gateway product to upper management.
"If you work with someone who doesn't come from a security background, convincing them to spend a quarter of a million dollars is going to be even harder," Kleier said.