Buying a unified threat management (UTM) system is not a decision that should be made lightly. Here are five questions that every enterprise should know the answers to before sealing the deal on its UTM purchase.
1. Are the capabilities the UTM appliance provides already provided by point tools from multiple vendors?
Deployment is going to be tougher and more expensive whenever you are moving from point products to a UTM appliance from another vendor. Imagine the learning curve for staff -- having to learn different interfaces for several types of products all at once. And the more diverse the point products are (e.g., the more vendors), the more challenging UTM deployment may be. An organization might choose to keep one or a few point products in place and deactivate the corresponding UTM capabilities, but that dilutes the effectiveness of the UTM system and ultimately is more costly from a software licensing and infrastructure perspective.
2. Is your workforce already largely mobile or trending in that direction?
UTM systems may not be that effective in environments where most of your users are mobile, particularly in highly distributed environments where the majority of employees are teleworking. In such environments, it may be difficult, impractical or even impossible to route all of your users' network traffic through your enterprise network security devices, and you may need to rely solely on host-based security controls for many of your user endpoints. Although UTM appliances can be effective at protecting servers and other infrastructure devices from attack, they are geared more toward protecting traffic for end-user devices (such as desktops and laptops) that are directly connected to the organization's internal networks. Organizations with highly mobile workforces may find it more effective to protect those mobile devices through endpoint protection software, the host-based counterpart to the network-based UTM products.
3. Do you have the in-house expertise and staffing available to analyze the UTM alerts and logs?
A UTM appliance is of limited usefulness if no one is performing frequent (or, preferably, constant) monitoring and analysis of the data that the UTM is logging and alerting on. When the UTM is stopping threats, arguably it's not as time-critical to review those prevented attacks. However, the UTM might be configured -- and most likely is configured -- to permit certain types of suspicious activities because they are so similar in appearance to benign activities. There are also some types of attacks that UTMs are not designed to detect, but that a person manually reviewing the UTM data could pick out of the noise. In addition to monitoring and analysis, UTMs require frequent tuning and updates to be able to detect the latest attacks and attack types. The monitoring, analysis, tuning and updates all take significant security expertise and staff time. As a result, many smaller organizations choose to outsource part or all of their UTM management to an outside vendor. Such organizations have decided that it is less expensive to pay for external UTM support than to allow incidents to go unnoticed by the organization due to lack of time and expertise.
4. What access, if any, does the UTM vendor have to the network traffic being monitored by the UTM devices?
Obviously, in outsourced UTM services the vendor is going to have access to some of the organization's network traffic. However, even with non-outsourced UTM products, a vendor may at times have access to traffic for technical support reasons. Regardless of the circumstances, organizations should be cautious in allowing an external party to access their network traffic because of the risk of exposure of sensitive information within that network traffic. A classic example is personally identifiable information being transmitted in the clear over monitored networks. This is a poor security practice, but a common one. Make sure that you consult with your legal professionals and that you have any necessary agreements in place with your vendor regarding the vendor's treatment of your network traffic and any data derived from it.
5. How does the UTM appliance provide resiliency to failure and attack?
The security of the UTM tool itself is paramount, because a compromise of the UTM appliance could be disastrous in terms of overall network security -- for example, allowing an attacker to monitor all network traffic and bypass attack detection capabilities. However, it's even more likely that problems will occur because of routine failures (power outages, hardware failures, software bugs, human error and the like). Organizations deploying UTM systems should carefully consider how UTM devices can be single points of failure and plan accordingly to make their UTM deployments as resilient as possible. This includes deploying redundant UTM devices at key network junctions and acquiring UTM appliances with built-in redundancy (multiple power supplies, redundant storage and so on).
By considering these key factors, an organization can help ensure that it chooses the UTM product -- or alternative to UTM -- that's the best fit for the organization. This involves not only choosing a vendor and/or service provider, but also carefully considering where the various pieces of the UTM appliance should be deployed and what redundancy and scalability is needed. Security and privacy considerations are also of paramount importance; because the UTM tool has such deep insights into network activity, a failure or compromise of the UTM system itself could be devastating. Weigh all these factors carefully when making decisions regarding the possible adoption of UTM appliances.
About the author:
Karen Scarfone is the principal consultant for Scarfone Cybersecurity in Clifton, Virginia. She provides cybersecurity publication consulting services, specializing in network and system security guidelines. Scarfone was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public.