
Communications News, November 2002

Beware of grand schemes: integrated security consoles sound like a good idea—but history has taught us caution - The Bottom Line

Lenny Liebmann

There's some buzz around the industry about a new generation of enterprise security management systems. The theory behind this new breed of system is that today's fragmented assortment of "point" security tools can't provide effective protection against threats that take so many forms--from Internet worms to targeted server cracking. There are also concerns among infosec professionals about how much work it takes to administer all the tools we use to secure our various locations, technologies and devices.

The enterprise security management system is supposed to address these concerns in two ways. First, it will act as an event collector and manager. All the alerts and information generated by firewalls, intrusion-detection systems (IDS) and the like will be gathered into a single console. This console will theoretically give infosec managers a 360-degree view of security conditions across the enterprise, which, in turn, should help them make smarter, faster decisions about defenses and countermeasures.

Second, the enterprise security management system will act as a policy implementation and enforcement engine. Infosec managers will supposedly be able to define policies, and then have the system automatically implement them across every point security tool. This approach promises to simplify administration and eliminate the exposures that result from sloppy security housekeeping.

If you've been in the networking business any length of time, this pitch should sound familiar. It bears a striking resemblance to the enterprise network management platform paradigm that gathered momentum in the mid-90s. The situation in network management then was similar to the situation in network security now: a variety of point solutions being used to address each aspect of infrastructure. By consolidating those management tasks, we were told that we would streamline workloads and improve service levels.

What actually happened, however, is that we spent millions of dollars on software and complex integration projects that never quite delivered what they promised. In many cases, the volume of alerts that arrived at our integrated consoles was so great that we spent more time clearing them than we did solving the underlying problems. Meanwhile, the real find-and-fix work continued to be done using our component- and product-specific tools.

My concern is that the same scenario will play out with enterprise security management. Network managers hardly have time to read their firewall logs as it is. How will they manage to pore through a report that combines firewall, IDS and e-mail filter events? And what kind of policy engine will really be capable of replicating rules across our diverse security tools?

I'm not sure that we need a new class of applications to enforce policy, anyway. After all, you can use application programming interfaces and other techniques to get one tool to talk to the other. If your IDS identifies a malicious host and you want your e-mail server to reject messages from that host, you can set that up fairly easily yourself.
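As an added illustration of the do-it-yourself wiring described here (not the author's code), the script below parses constructed Snort-style "fast" alert lines, counts repeated high-severity alerts per source host, and emits a Postfix access(5) map that the mail server can use to reject those clients. The alert format, the severity and repeat thresholds, and the Postfix map format are assumptions for the example.

```python
import re
from collections import Counter

# Constructed Snort-style "fast" alert lines; rule ids and addresses are made up.
SAMPLE_ALERTS = """\
11/05-09:12:01.000001  [**] [1:1000001:1] LOCAL SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40123 -> 192.0.2.10:22
11/05-09:12:05.000002  [**] [1:1000002:1] LOCAL DB port probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:40124 -> 192.0.2.10:3306
11/05-09:13:40.000003  [**] [1:1000003:1] LOCAL Web exploit attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51000 -> 192.0.2.20:80
11/05-09:14:02.000004  [**] [1:1000003:1] LOCAL Web exploit attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51001 -> 192.0.2.20:80
11/05-09:14:30.000005  [**] [1:1000002:1] LOCAL DB port probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.99:6000 -> 192.0.2.10:3306
11/05-09:15:00.000006  [**] [1:1000004:1] LOCAL ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.5 -> 192.0.2.10
"""

# Pull priority, protocol and source address out of each fast-format line
# (the port after the source address is optional, e.g. for ICMP).
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
)

def parse_alerts(text):
    """Return (priority, protocol, source_ip) tuples; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append((int(m.group("prio")), m.group("proto"), m.group("src")))
    return out

def hosts_to_block(alerts, max_priority=2, min_hits=2):
    """Count alerts per source at or above the severity cut-off (Snort priority 1 is
    the most severe) and require repeats, so one noisy alert does not block a host."""
    hits = Counter(src for prio, _proto, src in alerts if prio <= max_priority)
    return {src: n for src, n in hits.items() if n >= min_hits}

def render_postfix_access(hosts):
    """Emit a Postfix access(5) map body: one 'ip<TAB>REJECT reason' line per host."""
    lines = [f"{ip}\tREJECT IDS flagged host ({n} alerts)" for ip, n in sorted(hosts.items())]
    return "\n".join(lines) + ("\n" if lines else "")

if __name__ == "__main__":
    print(render_postfix_access(hosts_to_block(parse_alerts(SAMPLE_ALERTS))), end="")
```

The Postfix side is the usual `postmap` of the generated file and a `check_client_access` entry in `smtpd_client_restrictions`; the repeat threshold is where the alert-volume problem the column describes has to be handled before automation touches a production mail server.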

In addition to fearing unnecessary technical complexity, I'm also skeptical about technology that doesn't jibe with how organizations are actually structured. Security responsibilities are currently distributed across IT's various functional groups: network techs, systems administrators, and website managers. Which of these groups is going to be in charge of the enterprise security console? Will that group be able to adequately understand events outside its bailiwick? And will it be able to effectively exercise authority over other groups that have historically operated with total independence?

I'm sure enterprise security processes could be coordinated better, and I'm sure many organizations need to make technological changes to implement those improved processes. I'm just a little nervous about anyone who promises that his grand scheme will solve those problems. Ultimately, enterprise management consoles turned out to be a vendor strategy for account control, rather than a panacea for infrastructure health. I suspect that enterprise security consoles are no different.

Liebmann is an independent consultant specializing in the application of networking technologies to strategic business challenges. Send comments for publication to liebmann@comnews.com.

COPYRIGHT 2002 Nelson Publishing
COPYRIGHT 2003 Gale Group