How has the business conversation with enterprises changed during the last year regarding security management?

Things have changed dramatically in this area. It reminds me of 10 years ago, when we were breaking in Unicenter [Computer Associates' flagship system management product] and management was fragmented and there was no clear leadership. The need for improved security management stems from real complexity in an enterprise. These are sophisticated environments with the advent of things like Web services and companies running multiple platforms like Unix, Linux and Windows. Things have gotten more complicated. Security violations occur in all environments. The problem is information overload, and companies don't know how to deal with it. I talk to clients who have 1 million rows of security information every day. They want to know how to cut that down to 50 rows of data.

What are customers asking for when it comes to security management?

Lots of enterprises are working around antivirus software and firewalls -- and calling it a day. Enterprises are now realizing that security is way beyond antivirus, though that's still important. But they are dealing with enterprise-wide security issues, more than can be detected by the naked eye. Enterprises need tools that allow them to be proactive about security. Until now, enterprises have been in a reactive mode [signature-based virus defenses, for example]. There has been no proactive management, no automated policy management or strong event correlation.
The market is emerging, and security people are starting to recognize the issue and tell their CIOs about it, telling them we've got a problem that needs addressing. There is a strong story to tell here. This is an emerging market, one that has not been fully accepted yet. And it's not dominated yet. I think you'll be hearing a lot more about security management in the next six months or so. We intend to lead.

How can security management systems help enterprises remediate vulnerabilities in software and systems?
Vulnerability assessment will evolve from looking for vulnerabilities in systems, databases and applications to remediation and automated patch management. Look at the SQL Slammer worm. I've heard from many clients that if they had applied the patch initially, it would have caused more problems than had they waited. They need more than just the ability to do vulnerability assessments; they need a way to validate and test a patch. If you don't go through that process and just apply a patch, you could have chaos.

You mentioned information overload earlier. Is that the most critical issue enterprises have when it comes to managing their security environments?
In management, it's a data problem -- the volume of data enterprises have to deal with and the lack of tools to deal with that volume effectively. They want me to slice a million records of data down to 50, give them the highlights, tell them what state of security they are in, and enforce policy according to what state they are in. It's about reducing data. People want data reduction and want it on local nodes.
Another area that is growing in importance: identity management and security enforcement. For example, Fidelity runs CA's 401(k) program. Why can't I log in to the CA domain and be logged into the Fidelity system -- and also be authorized on our health care system and have open access to the applications I need there as well? What our clients are asking for is true company-to-company identity management. This is an important area.
Security enforcement is also coming up a lot. Enterprises need automated lockdown on desktops and servers to enforce order and discipline. But there are not enough tools out there to address the issue. Policy management is needed to enforce corporate security policy in an automated way.

It sounds like you're talking about this evolving into an automated patch management system? Are enterprises, however, willing to give up that level of control?
Most operators don't trust patches they are getting from vendors. People want to apply their own patches and prefer system alerts [from management systems]. They want to have the option to test a patch in their environment. What they need is an automated workflow approval process for patches, or else they won't apply them. Management controls have become critical.
We need to provide the flexibility. Clients will never accept a find-a-patch-and-apply system. There has to be a level of change control and version management. We need to create a safe environment for clients. We have to come up with tools for safer, methodical patch management.
Finding vulnerable systems is an issue too. With SQL Server, there is the whole problem of policy and identifying what assets a company has. These are areas we are investing in.