Understanding Multi-Tiered Protection

By Tom Schmidt

A rapid response to threats has always been a vital element of any enterprise's security strategy. It matters even more today, because the window between the public disclosure of a vulnerability and the appearance of code that exploits it has shrunk to days, which is too short for a reactive, signature-based defense to protect adequately on its own. Consider the following:

  • Blaster appeared on August 11, 2003, 26 days after Microsoft published the patch for the RPC vulnerability it exploited (July 16, 2003).
  • Sasser appeared on April 30, 2004, 17 days after the patch for its target vulnerability was released (April 13, 2004).
  • Zotob appeared on August 14, 2005, less than a week after Microsoft announced a Plug and Play vulnerability in Windows (August 9, 2005).

While antivirus protection provides a critical safeguard for corporate networks and clients, it is not enough. Beyond antivirus, organizations need to consider a full range of measures and approaches they can apply to enhance the security and availability of their critical information assets. This article will show how the most effective safeguard of that information is a multi-tiered system of integrated technologies that enables a proactive -- rather than reactive -- posture.

Today's threats and vulnerabilities

Today's threats use multiple methods and techniques to infect a host and reproduce themselves. These so-called blended threats combine the characteristics of different types of malicious code -- viruses, worms, and Trojan horse programs -- while also exploiting system vulnerabilities. They may attack simultaneously from different directions, which improves their success rate and makes them harder to defend against. Multiple propagation mechanisms let a threat circumvent an organization's security in several ways at once, overloading system resources and saturating network bandwidth in the process.

This volatile threat landscape takes on even more significance when business impacts are considered. Potential losses associated with successful attacks may include the loss of money, computer resources, and information. However, less obvious long-term problems can also result. These include loss of potential sales, negative brand impact, loss of competitive advantage, and loss of goodwill.

Clearly, protecting an enterprise's critical information assets is a strategic business issue as well as a technical one, and organizations need to approach this challenge with the right combination of technologies, people, and processes.

Securing the enterprise at every point

Safeguarding the enterprise means applying protection to every network tier, from the Internet gateway to individual clients and everywhere in between. It means applying solutions to protect essential servers, desktops, and remote clients, as well as popular environments like Microsoft Exchange and Lotus Notes/Domino. That can be a tall order.

Traditionally, because most enterprise infrastructures consist of multiple devices, operating systems, and applications that have diverse security and availability requirements, enterprises have relied upon fragmented, multi-vendor solutions to provide everything from intrusion protection and policy compliance to patch management and data backup and recovery. But because this strategy involves deploying and supporting an array of independent products and services, it can be complicated, time-consuming, and costly, making it a major drain on IT productivity.

Worse, since critical tools aren't always interoperable and IT operations and security functions often have conflicting priorities, this traditional approach can create more problems than it solves.

Treating security and IT operations as a collection of separate, standalone functional silos no longer makes sense. What's needed instead is an integrated set of security, storage, and systems management technologies that share information and policy. This approach helps enterprises align the right people, processes, and technologies required to build resiliency into the infrastructure -- from storage, critical servers, essential applications, and the network gateway, down to individual clients.

In practical terms, this means that a company must:

  • Establish a baseline: This requires the IT team to understand how IT systems map to business services, based on the value each asset brings to the organization. The team also needs to define a desired state for each component of the IT infrastructure based on security best practices. Next, policies must be written that communicate the security and availability requirements. (Examples include defining access control, hardening systems by turning off unnecessary services, encrypting mission-critical data, and performing regular backups.) Companies then perform a risk analysis to identify any gaps between the prescribed policies, the observed state of the systems, and the latest threat information.
  • Identify, analyze, and prioritize: Given today's constant threats, companies need trained IT security experts who can identify and analyze threats and provide relevant information, including the severity of each threat and remediation guidance. Working together, IT security and operations can then decide, for example, whether to apply a patch immediately or wait until the next scheduled maintenance window, weighing the severity of the threat against the value of the exposed asset.
  • Deploy protective safeguards: Because of the speed of today's threats, companies need safeguards that put up temporary shielding to protect exposed systems and applications quickly, buying the IT team time to test and deploy a proper fix and to manage disruptions. Examples include increasing the frequency of backups, rapidly deploying intrusion-prevention signatures for the vulnerability, and ensuring that mission-critical data is encrypted.
  • Remediate quickly: To eliminate the root cause of a vulnerability, the IT team must be able to scan all systems quickly; download, test, and certify the appropriate patches; and deploy them enterprise-wide.
  • Maintain and monitor: Because enterprises must be able to understand their security posture and risk profile at any given time for policy compliance, they need to monitor and manage their environment continuously. Changes to the environment, such as new systems and applications, can introduce new vulnerabilities. Frequent monitoring, including policy compliance checks, vulnerability scanning, and system discovery, is therefore needed to keep the number of exposures to a minimum.
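The five steps above are a process, but the core of the first, second, and last of them is a mechanical comparison: the desired state from the baseline against the observed state of each host, with the gaps ranked by threat severity and the business value of the asset, and the decision changed when a temporary shield is in place. The following script is an added example written for this article, not code from the article's author or any vendor it mentions. The BASELINE values, the risk bands, the HYPO-* vulnerability identifiers and the host inventory are all constructed for illustration.

```python
"""Added example (not from the article): a small baseline-and-gap checker that
walks the article's five steps over a constructed host inventory.

  1. establish a baseline (BASELINE below is a hypothetical desired state)
  2. identify/analyze/prioritize threats (risk = severity x business value)
  3. deploy protective safeguards (a temporary 'shield' changes the decision)
  4. remediate (gaps and patch decisions are emitted per host)
  5. maintain and monitor (re-run the check after every change)
"""
from dataclasses import dataclass, field

# Step 1: desired state. Values are hypothetical policy choices, not from the article.
BASELINE = {
    "forbidden_services": {"telnet", "ftp", "rsh"},  # must be turned off
    "require_disk_encryption": True,                 # mission-critical data encrypted
    "max_backup_age_hours": 24,                      # regular backups
    "max_patch_lag_days": 30,                        # patch cadence
}

# Risk bands for severity (1..10) x business value (1..5), i.e. a 1..50 scale.
HIGH_RISK = 30
MEDIUM_RISK = 15


@dataclass
class Host:
    name: str
    business_value: int                 # 1 (low) .. 5 (mission-critical)
    services: set
    disk_encrypted: bool
    backup_age_hours: int
    patch_lag_days: int
    open_vulns: dict = field(default_factory=dict)  # vuln id -> severity 1..10
    shielded: bool = False              # temporary safeguard (IPS signature, ACL) active


def baseline_gaps(host, baseline=BASELINE):
    """Compare one host with the desired state and list every deviation."""
    gaps = []
    extra = host.services & baseline["forbidden_services"]
    if extra:
        gaps.append("unnecessary services enabled: " + ", ".join(sorted(extra)))
    if baseline["require_disk_encryption"] and not host.disk_encrypted:
        gaps.append("data at rest not encrypted")
    if host.backup_age_hours > baseline["max_backup_age_hours"]:
        gaps.append(f"last backup {host.backup_age_hours}h ago "
                    f"(limit {baseline['max_backup_age_hours']}h)")
    if host.patch_lag_days > baseline["max_patch_lag_days"]:
        gaps.append(f"patches {host.patch_lag_days} days behind "
                    f"(limit {baseline['max_patch_lag_days']} days)")
    return gaps


def prioritize_vulns(host):
    """Steps 2-4: rank open vulnerabilities and pick a remediation action.

    The same severity yields a different action on a high-value host than on a
    low-value one, and a temporary shield buys time for proper patch testing.
    Returns (vuln_id, risk, action) tuples, highest risk first.
    """
    decisions = []
    for vid, severity in host.open_vulns.items():
        risk = severity * host.business_value
        if risk >= HIGH_RISK:
            action = ("patch at next scheduled maintenance (shield in place)"
                      if host.shielded else "shield now, then patch immediately")
        elif risk >= MEDIUM_RISK:
            action = "patch at next scheduled maintenance"
        else:
            action = "defer to routine patch cycle"
        decisions.append((vid, risk, action))
    decisions.sort(key=lambda d: d[1], reverse=True)
    return decisions


def compliance_report(hosts):
    """Step 5: one pass over the whole inventory; run it after every change."""
    return {h.name: {"gaps": baseline_gaps(h), "vulns": prioritize_vulns(h)}
            for h in hosts}


# Constructed inventory and vulnerability ids (HYPO-*), not real systems or CVEs.
INVENTORY = [
    Host("db-finance-01", business_value=5, services={"ssh", "postgres", "telnet"},
         disk_encrypted=False, backup_age_hours=36, patch_lag_days=45,
         open_vulns={"HYPO-001": 9, "HYPO-002": 4}),
    Host("kiosk-lobby-02", business_value=1, services={"http"},
         disk_encrypted=True, backup_age_hours=12, patch_lag_days=10,
         open_vulns={"HYPO-001": 9}),
]

if __name__ == "__main__":
    for name, result in compliance_report(INVENTORY).items():
        print(name)
        for gap in result["gaps"]:
            print("  gap :", gap)
        for vid, risk, action in result["vulns"]:
            print(f"  vuln: {vid} risk={risk:2d} -> {action}")
```

Run as-is, the report flags four baseline gaps on the finance database and none on the lobby kiosk, and the same severity-9 vulnerability comes out as "shield now, then patch immediately" on the database but "defer to routine patch cycle" on the kiosk. The point is the shape of the process, not the particular thresholds: the baseline is data, the observed state is collected by scanning, and the decision is reproducible and auditable rather than made ad hoc each time a bulletin arrives.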

Just five steps to safeguard all tiers of the network? Not exactly. It takes a lot of hard work, and it requires the right set of people, processes, and technologies, along with constant analysis, actionable intelligence, and round-the-clock vigilance. But the effort is worth it. By taking these steps, enterprises put themselves in a position to recover systems quickly should a disruption occur.

Conclusion

To build an infrastructure that can accommodate today's demands for information access, enterprises must consider all tiers of their IT environment -- from storage and computing systems to mission-critical applications where information is processed. With a resilient infrastructure, one that ensures the security and availability of information systems, enterprises can dramatically reduce the risk of unexpected disruptions, increase their ability to maintain continuity of normal business operations, and tightly align IT to changing business goals.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
