Information Security staff
Published: 01 Dec 2003
Best Integration Platform: IBM/Tivoli
There's an old saying in IT: "No one has ever been fired for buying Big Blue."
True, since IBM remains the stalwart of the IT world; a company that will always be there to provide support. But many enterprises have sought out other, best-of-breed solutions for their security schemas.
IBM was cognizant of this when it developed Tivoli, mandating that the security division produce products that are interoperable with a variety of IBM and competitive offerings.
"We recognize that this is a heterogeneous world," says Brian Anderson, program director of Tivoli Security's Market Management. "Customers have already made investments in point technology. Those point solutions have a three-year competitive life, but a five-year amortization cycle. So we need to be able to work with those solutions."
Primarily an access control/security management suite, Tivoli provides solutions ranging from identity management that can provision user accounts, check credentials and enable single sign-on, to directory server/integration solutions that help enterprises manage and control data, to integrity tools that return devices to a trusted state when deviations occur.
Tivoli can work holistically as an all-in-one product suite, or its individual components can be leveraged in a best-of-breed deployment. Tivoli's identity management solution, bolstered by technology acquired from Access360, has 70 agents or APIs for working with other leading offerings.
Soon, Tivoli will release Think Dynamics, a server and firewall-level provisioning solution. Users of the Tivoli management platform will be able to use Think Dynamics to set access controls and configuration settings on many leading firewalls.
Enterprises that have adopted the full Tivoli security framework and solutions can make a single policy modification, which will propagate through the entire security infrastructure. For instance, when a user leaves the company, the change entered in Tivoli will propagate through the infrastructure, revoking that user's access rights.
"The promise is a viable vision, but the reality is no one can do it in total. The closest is IBM/Tivoli," Anderson says. "And we're not resting on those laurels. We're making more interoperability with each release."
-LAWRENCE M. WALSH
Best Emerging Technology: ipAngel, Lucid Security
Intrusion prevention is a relatively simple idea. Instead of reacting to threats after they happen, these security solutions will stop attacks as or before they happen. While many security vendors bandy the term about, few provide true proactive prevention the way Lucid Security does with its ipAngel.
Designed to complement firewalls (currently supporting Check Point's FireWall-1), ipAngel's five components provide policy mapping, vulnerability scanning, rule correlation and management, intrusion detection and countermeasures. These give ipAngel a powerful toolbox for actively discovering and guarding security holes.
ipAngel uses its vulnerability scanner to uncover holes in its host network. It uses that intelligence to monitor for exploits against those holes, and then drop malicious connections. Likewise, it uses its IDS tool to monitor for suspicious activity, giving the firewall application-layer intelligence and the ability to block attacks in real time. It also has a low false-positive rate (the bane of IDSes), because it only monitors for threats against specific assets on the network.
Many security vendors are building more intelligence into their firewalls and perimeter devices. What Lucid provides is the ability to augment the leading firewall with intelligence without having to rip out perfectly good equipment.
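The correlation described above, in which an IDS alert is acted on only when the scanner has confirmed the targeted host actually has the hole the signature exploits, as an added illustration in Python (not Lucid Security's code; hosts, weakness IDs, signature IDs and the alert log are constructed sample data):

```python
"""Vulnerability-aware alert correlation, the technique ipAngel is described
as using. Added illustration, not Lucid Security code; hosts, weakness IDs
and the alert log are constructed sample data."""
from dataclasses import dataclass

# Constructed scanner output: which weakness IDs each host actually has.
SCAN_RESULTS = {
    "10.0.0.5": {"WEB-CGI-OVERFLOW", "SMTP-RELAY-OPEN"},
    "10.0.0.7": {"RPC-DCOM-UNPATCHED"},
    "10.0.0.9": set(),  # fully patched host
}
# Constructed signature catalogue: IDS signature -> weakness it exploits.
SIGNATURE_TARGETS = {
    "sig-1001": "WEB-CGI-OVERFLOW",
    "sig-1002": "RPC-DCOM-UNPATCHED",
    "sig-1003": "SMTP-RELAY-OPEN",
}

@dataclass(frozen=True)
class Alert:
    sig: str
    src: str
    dst: str

def parse_alert_log(text):
    """Parse constructed 'sig src dst' lines into Alert records."""
    return [Alert(*line.split()) for line in text.strip().splitlines()]

def correlate(alerts, scan=SCAN_RESULTS, targets=SIGNATURE_TARGETS):
    """Split alerts into those that hit a confirmed hole on the target
    (worth blocking) and those that do not (logged, not acted on)."""
    block, suppress = [], []
    for a in alerts:
        weakness = targets.get(a.sig)
        if weakness is not None and weakness in scan.get(a.dst, set()):
            block.append(a)
        else:
            suppress.append(a)
    return block, suppress

# Constructed alert log: one 'signature source destination' per line.
SAMPLE_LOG = """\
sig-1001 198.51.100.4 10.0.0.5
sig-1002 198.51.100.4 10.0.0.5
sig-1002 198.51.100.8 10.0.0.7
sig-1001 198.51.100.8 10.0.0.9
sig-9999 198.51.100.8 10.0.0.9
"""
```

Of the five sample alerts only two reach a host the scan found vulnerable; the rest, including the unknown signature, are kept as log entries rather than raised as alarms, which is where the low false-positive rate comes from.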
-LAWRENCE M. WALSH
Best Scalability: Guardent
Perhaps no other security provider can deliver on the promise of scalability better than a managed security service provider. And leading the pack in this turbulent space is Guardent.
Sitting on a major Internet backbone, Guardent's security operations center has the capacity to monitor and manage more than 15,000 devices located anywhere in the world. Guardent says it will add more capacity long before its current facilities are saturated.
OK, so 15,000 devices doesn't sound like much. But consider this: Guardent can integrate and begin managing an enterprise's infrastructure faster and cheaper than most enterprises can scale their own programs. Further, it's far easier for Guardent to add capacity than it is for enterprises to roll out complex and costly management systems. Included in Guardent's managed services are firewall and IDS monitoring, incident response and forensics that most SMBs can't afford to do on their own.
While the managed security services market has been tumultuous, to say the least, providers such as Guardent will continue to have greater scalability than any single point product.
-LAWRENCE M. WALSH
Best Homegrown Application: Social Security Administration's Audit and Compliance Tools
The Social Security Administration's (SSA) IT infrastructure evolved from monolithic mainframes to a sprawling client-server architecture of more than 113,000 machines. Controlling and auditing those NT accounts proved difficult, and the commercial market lacked the tools to do the job.
To comply with SSA's strict security requirements, the agency turned to Bruce Kobin, one of its IT specialists, who custom built applications for the agency's specific needs.
"On the Windows platform, it was starting to edge into areas of handling sensitive information, and compliance was certainly difficult," says Ron Burdinski, division director of telecommunication security and standards. "Different security reviews revealed holes, and Bruce's software nicely plugged those holes."
Using Visual Basic, Kobin developed several apps for granularly controlling and auditing NT accounts in a similar fashion to the way Computer Associates' Top Secret does in SSA's mainframe environments.
Among Kobin's creations are applications that:
- Enforce naming conventions -- if an NT account name doesn't match Top Secret's name, it's flagged for deletion.
- Scan for improper account settings, such as noncompliant passwords.
- Check for employee work status against open accounts.
- Audit accounts, providing management with a clear view of who owns what on the network.
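The four checks above, reconciling NT accounts against an authoritative roster, as an added illustration in Python (not the SSA's Visual Basic code; the roster, the accounts and the password policy threshold are constructed assumptions):

```python
"""Account reconciliation in the spirit of the SSA's NT audit tools.
Added illustration (Python, not the agency's Visual Basic code); the roster,
the accounts and the policy thresholds are constructed assumptions."""
from dataclasses import dataclass

@dataclass
class Employee:      # authoritative mainframe-side record
    emp_id: str
    account: str     # account name registered for this person
    active: bool     # still employed?

@dataclass
class NtAccount:     # what the NT domain actually contains
    name: str
    owner_id: str
    pw_age_days: int
    pw_never_expires: bool

MAX_PW_AGE = 90      # assumed policy value

def audit(roster, accounts):
    """Return (findings, ownership): findings are (account, rule, detail)
    tuples; ownership maps each employee ID to the accounts it holds."""
    by_id = {e.emp_id: e for e in roster}
    findings, ownership = [], {}
    for acct in accounts:
        ownership.setdefault(acct.owner_id, []).append(acct.name)
        emp = by_id.get(acct.owner_id)
        if emp is None:
            findings.append((acct.name, "orphan", "no employee record"))
            continue
        if acct.name != emp.account:        # naming convention check
            findings.append((acct.name, "naming", f"expected {emp.account}"))
        if not emp.active:                  # work status vs open account
            findings.append((acct.name, "separated", "owner no longer active"))
        if acct.pw_never_expires or acct.pw_age_days > MAX_PW_AGE:
            findings.append((acct.name, "password", "noncompliant settings"))
    return findings, ownership

# Constructed sample data.
ROSTER = [Employee("E100", "jsmith", True),
          Employee("E200", "adoe", False),
          Employee("E300", "rlee", True)]
ACCOUNTS = [NtAccount("jsmith", "E100", 30, False),
            NtAccount("adoe", "E200", 10, False),
            NtAccount("rlee2", "E300", 120, True),
            NtAccount("svc-backup", "E999", 400, True)]
```

On the sample data the audit flags a separated employee's open account, a misnamed account with a stale non-expiring password, and an account with no owner on the roster, while the ownership map gives the "who owns what" view.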
"Commercial applications just couldn't provide us with the wide range of flexibility we need to comply with SSA's security policy," Kobin says.
Burdinski says Kobin's applications, now used by scores of SSA admins around the world, save the agency more than 50 work years annually.
Cost savings and compliance with SSA security policies were important, but so too was elevating the agency's security rating in annual reviews conducted by the General Accounting Office.
Some at SSA say Kobin's apps were instrumental in pulling the agency's grade from the basement to a B-, making Social Security one of only three federal agencies to achieve acceptable security grades. Not bad for applications that took less than a month each to develop, test and deploy.
-LAWRENCE M. WALSH
Best Security Book: Security Engineering by Ross Anderson
Punch "information security" into an Amazon search, and you'll find a plethora of security tomes ranging from those penned by charlatans and fly-by-night wannabes to must-read, essential texts for practitioners and managers. Few, though, reach the level of practicality, or hold their authority in information and insight, of Ross Anderson's Security Engineering (Wiley, 2001).
Publishing houses routinely spew security books on topics du jour, rarely producing anything meaningful or lasting. Security Engineering exceeds expectations, and there's little wonder why. Anderson's writing is steeped in his decades of in-the-trenches project and design work. The text abounds with stories, advice and guidelines -- many from Anderson's work in banking systems and patient data security.
Security Engineering is the first book to tackle the challenges of secure software and hardware design, examining the topic from the perspective of several real-world scenarios. While many of Anderson's examples fall outside the scope of most infosecurity practitioners -- such as tamper-resistant physical devices and secured printing via holographic seals -- examining how past attempts to secure information were defeated provides lessons for avoiding similar mistakes in the digital world.
Several books deserve recognition as must reads, but Security Engineering transcends the geek books that are replete with bits-and-bytes stereo instructions and the management strategy books that examine security from a blue-sky perspective. Anderson crafted an essential work that provides a little bit of everything for everyone involved in infosecurity.
-LAWRENCE M. WALSH
Best Baseline Security Tool: ZoneAlarm, Zone Labs
Marauding worms, hackers and identity thieves are forcing individual computer users to seek better defenses for their PCs. Nary a day goes by without someone uttering, "Install a desktop firewall, like ZoneAlarm."
Just as McAfee and Norton made antivirus a household word by giving away their basic products during the AV wars of the 1990s, Zone Labs has led the charge for making "firewall" a household name. It gives away its ZoneAlarm Basic, with intuitive firewall functionality, enabling novice users to block incoming and outgoing traffic.
Ordinary PC users who download ZoneAlarm are mesmerized by the alerts, which pop up like IDS alarms, for all suspicious traffic. Many have no idea what's happening in the background of their Internet traffic until they install the firewall and start seeing all the log entries for applications -- many resident and nonmalicious -- that routinely make outbound connections.
For those with a little more experience, Zone Labs offers advanced versions of its firewall -- for a nominal price -- as well as enterprise products.
Security aficionados and hackers can debate the effectiveness of software firewalls, but they -- ZoneAlarm in particular -- add another layer of protection for those virtually unprotected desktops. More important, though, is that ZoneAlarm indoctrinates users in the threats they face each time they venture onto the Internet, making them more security conscious.
-LAWRENCE M. WALSH
Best Ease of Use: BigFix Patch Manager
The year 2003 will go down as the year of the patch. Enterprises have been struggling for years with a ceaseless stream of patches, but the vulnerability problem became acute in the wake of this year's worm outbreaks.
Enter BigFix, which is making patch management in large, heterogeneous networks easier and more effective. No, automated patch management isn't a new idea, and there are plenty of vendors offering solutions that ease the process of fixing vulnerable machines. However, the BigFix Patch Manager approach is simply elegant.
"I've given BigFix to everyone from technical security geeks to a group of nurses who are in charge of patching a group of machines, and they've picked up on it right away," says Tim Rice, a network systems analyst at Duke Medical Center in North Carolina.
The key to BigFix's usability is its basic component: fixlets, small applications that determine whether specific machines require remedial action.
Each fixlet is written for a specific machine type, operating system and configuration. When BigFix or security managers create a new fixlet to patch a system -- such as applying a DCOM patch to Win2K SP4 -- the relevance check ensures that the target machine meets the prescribed conditions before attempting an install.
If a host machine meets certain conditions, the fixlet will reach back to a central server to retrieve and install the patch, change registry settings or make configuration adjustments.
Fixlets can alert admins that a fix is required, ask the admin for permission to apply a patch or automatically apply patches and changes whenever it detects a vulnerable condition.
Since fixlets can package virtually any change to a host machine, enterprises can use them for routine configuration changes, new software installs and virtually anything else that ordinarily requires touching a machine.
"We designed it to make managing, patching and identifying vulnerabilities in large networks uncomplicated," says Gregory Toto, BigFix's VP of product development.
BigFix supports Windows and Linux, but plans to add more OSes. The simplicity and ease of use of this solution will give BigFix legs in the enterprise marketplace.
-LAWRENCE M. WALSH
Best Open Source: Snort
The open-source community produces a number of tools with useful functionality, but rarely does it produce an app that exceeds the features and ease of use of commercial counterparts.
Snort is the rare exception. Not only is the network-based IDS competitive with commercial IDSes, it is often better. Almost by happenstance, Martin Roesch created an elegant IDS, winning enthusiastic support from the open-source community, which supports Snort with attack signatures -- often before the commercial vendors can analyze a new threat.
Since its first release in 1998, Snort has become the lingua franca of the IDS world. Its "rules" are supported by most major commercial IDS solutions, including Enterasys Networks' Dragon, Internet Security Systems' RealSecure, Intrusion Inc.'s SecureNet and Symantec's ManHunt. And Snort mastery is a critical component of the SANS Institute curriculum.
Though most organizations prefer to keep their choice of IDS a guarded secret, more than half a million copies of Snort have been downloaded and are in use today. That's not surprising, considering its extensive capabilities, availability and excellent communal support. Exploiting its popularity, several commercial vendors have popped up with Snort management platforms -- such as Roesch's Sourcefire and Silicon Defense.
The success of Snort is unparalleled. Even as the security industry migrates toward intrusion prevention, Snort will likely continue to ply the IDS space like no other application, and continue to be the vanguard of the open-source security space.
Best Feature Set: Control-SA, BMC Software
Control-SA is a single product, but appears and acts as a wide-ranging security infrastructure. It's an account management and provisioning solution, a password reset system, a policy management and enforcement tool, and an audit and policy compliance mechanism.
Access control is the underlying purpose of Control-SA. BMC designed it to automate the account provisioning and management process, so security managers could make changes at one point that would propagate across disparate platforms, network resources and operating systems. Its group-based access control schema allows for the quick provisioning of user access rights.
Password management is a sticky problem for any enterprise. BMC was one of the first to provide automated, self-service password reset through a Web-based interface. Users can securely reset their accounts, saving time and money ordinarily consumed by help desks.
Control-SA can revise or revoke accounts across platforms throughout an enterprise within a matter of moments. Auditing and account maintenance functions keep enterprises from leaving unauthorized or expired accounts open. It also traces how users are accessing accounts, giving enterprises a data assurance tool for compliance with regulations such as Sarbanes-Oxley.
Security often comes down to the CIA triad -- confidentiality, integrity and availability. Control-SA's rich feature sets provide a lot of horsepower for enabling efficient controls for each of the three pillars.
-LAWRENCE M. WALSH