BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Editor's note: This is the first of a two-part series on the benefits of unified threat management (UTM). Here we explore how a UTM system can help reduce security incidents. In part two, we discuss more considerations to keep in mind to ensure you find the best UTM for your enterprise needs.
UTM products, even those that don't offer all the typical security capabilities, are very effective at stopping many of today's attacks; this translates into a reduction in damage and related costs to the organization. For many organizations, particularly smaller organizations that lack security expertise and manpower, UTM can make a significant difference in how effectively attacks can be detected and stopped, or at least mitigated. For larger organizations, UTM may not provide as dramatic a difference in security, but there can still be major improvements in convenience and cost as a result of a UTM deployment.
UTMs are capable of detecting and stopping attacks that individual component products could not detect because they lack that level of cooperation.
The business benefits of using UTM appliances fall into four major categories: reducing the number of security incidents; improving the rollout of new security capabilities; reducing infrastructure, software and labor costs; and minimizing latency.
UTM benefit No. 1: Reduce security incidents
Using a single integrated product instead of several disparate products tends to improve the effectiveness and efficiency of attack detection and prevention capabilities. In turn, this reduces the number of data breaches and other incidents that occur in an organization. When separate products are used, the analysis required to detect attacks must be repeated; with an integrated UTM product, in contrast, analysis is done once. For instance, if you want to check Web requests and responses for malicious activity, you must parse the applicable Web protocols, then study the content packaged within these protocols. With a single product, however, this parsing occurs only once, and the content studying is also performed more efficiently, compared to several products each independently doing its own check.
If a product is truly integrated -- if its detection and prevention capabilities all work together, sharing information and results -- then the single product is capable of detecting and stopping attacks that individual component products could not detect because they lack that level of cooperation. This is particularly true for previously unknown attacks (those that cannot be detected through signature-based methods). If such an attack is attempted, it might be noticed as suspicious independently by multiple detection capabilities. Noticed independently, none of these levels of suspicion would be great enough to declare definitively that an attack is occurring, but when multiple components are suspicious of an activity and correlate those suspicions, the overall decision can be to treat the activity as an attack.
Unified threat management links
The UTM guide for managers
How to configure a UTM device
Making sense of basic UTM features
Another important aspect of UTM systems is the wide variety of detection and prevention capabilities that they support. As previously mentioned, UTM is a layered defense in a single product. UTM can detect many different types of attacks, so it is the equivalent of several separate products in terms of its security capabilities. And as discussed above, with thorough integration, a UTM can provide detection and prevention functions greater than the sum of its parts can.
About the author
Karen Scarfone is the principal consultant for Scarfone Cybersecurity in Clifton, Virginia. She provides cybersecurity publication consulting services, specializing in network and system security guidelines. Scarfone was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public.