www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
12 June 2006  

Forrester view

The convergence of systems and security management

Rising security vulnerabilities are forcing companies to adopt a proactive approach, says Thomas Raschke with Thomas Mendel and David Friedlander

The proliferation of security tools and the increasing pace at which vulnerabilities appear have put pressure on firms to manage security more proactively. However, most organisations still have little visibility into their real security posture. They need to be able to evaluate the impact of a security breach, and they also need to take appropriate action in a crisis. Firms need tools to assess and manage security solutions and configurations, automate enforcement, and respond rapidly to security events. Systems management tools, together with products designed specifically to monitor security in the enterprise (including the analysis of security events), will help fill these gaps. They will combine security information management and network vulnerability assessment into a framework for monitoring and enforcing configuration compliance. In essence, this will enable enterprises to manage security more proactively.

Combining for convenience

Like any other infrastructure component, security tools and processes need to be managed. However, companies are beginning to realise that they can use a single product to manage many aspects of system configuration and security. Given the increasing number of touchpoints and areas with similar challenges, combining security and systems management under one management roof offers IT an opportunity to reduce costs and increase responsiveness.

The key drivers to convergence include:

  • The increase in the number and complexity of vulnerabilities. As the sheer volume of threats expands, vulnerabilities affect more applications and other system infrastructure components. Firms are now looking for solutions that help them assess and manage their security posture. They need tools that help them manage and prioritise the sheer volume of threat and vulnerability-related information generated by a variety of security systems. Emerging external threats like pharming and phishing will only compound these problems.
  • The complexity of system information. The typical enterprise environment produces several hundred thousand event log entries stemming from various user activities, including gaining access to individual machines or applications; communicating by e-mail and instant messaging; and printing, copying, editing, and deleting files. All of these can be relevant to protecting an organisation’s confidentiality, privacy, and security, and firms must therefore analyse this information from a security perspective rather than leaving it in per-system silos.
  • Increasing complexity due to security management. In addition to system log information, security officers must manage numerous security logs that include information from anti-virus systems, firewalls, content security tools, and/or intrusion detection systems. An increasing number of security solutions also fall outside the immediate scope of today’s security infrastructure. For example, identity management and information leak prevention clearly tie into corporate functions like HR or strategic development, but also need to be linked with IT security. Ultimately, combining event and systems information with security management means better visibility, cost savings, and higher efficiency when protecting and managing enterprise-wide IT systems.
  • The need to address configurations and regulatory compliance. Organisations look for a framework in which to monitor and automatically enforce compliance with specific corporate-wide configurations, as well as with government or industry regulations and standards. Both areas demand auditing, enforcement, updating, and documentation—and therefore stretch the capabilities and budgets of many organisations.

Consolidation's coming

Firms should expect convergence in a number of interrelated technology areas. The most notable consolidation will happen in security systems and configuration management. The vendors in this space have traditionally dominated the security management market by leveraging the strength of their network and systems management products. Examples include BMC, CA Unicenter, Cisco, Evidian, HP OpenView, IBM Tivoli, Symantec, and VeriSign. Security configuration tools often include vulnerability assessment, patch management, security remediation, and basic compliance management, so it is no surprise that the other technology areas facing consolidation are vulnerability assessment and management, security event and information management, compliance management, and patch management.

Systems with security

Technology and markets are coming together. Combining systems information with security management means better visibility, cost savings, and higher efficiency when protecting and managing enterprise-wide IT systems. Firms will first look to systems management vendors they trust to help provide oversight of enterprise security systems. We will see vendors like BMC, CA, HP, IBM Tivoli, and Sun—but also McAfee, Cisco, and Symantec—offering bundled solutions or integrated products by expanding through acquisition and/or consolidating their existing product portfolios.

  • Microsoft now releases operating system and major application patches on a predictable monthly schedule, but patches and vulnerabilities for other software are creating new concerns. Software applications ranging from Adobe Acrobat to Yahoo! Messenger contain security vulnerabilities. While patches or fixes are available for most of these vulnerabilities, firms often overlook these applications. At the same time, the window between vulnerability announcement and exploitation is decreasing. In 2001, the Nimda worm was released 336 days after Microsoft issued a security bulletin about the vulnerability the worm exploited. Two years later, MSBlaster hit only 26 days after a security bulletin and patch were available. In 2005, the window fell to five days with the release of Zotob.
  • Effective security configuration management products help firms manage security proactively. Security configuration management tools combine vulnerability assessment, patch management, automated remediation, and configuration compliance capabilities. They give firms the ability to assess system configurations against known vulnerabilities and desired corporate compliance policies and take the appropriate action. The best tools allow a seamless transition from assessment to configuration and remediation.
  • Some examples include CA, Cisco, IBM Tivoli, ISS, McAfee/Foundstone, NetIQ, and Symantec/BindView for vulnerability assessment and management; Arcsight, CA, IBM Tivoli, NetIQ, and Symantec for security event and information management; Citadel, Consul Risk Management, IBM Tivoli, NetIQ, and Symantec/BindView for compliance management; and Altiris, BMC, CA, Citadel, LANDesk, Microsoft, Novell, PatchLink, Shavlik, St. Bernard Software, and Symantec for patch management.
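The assessment-to-remediation loop that the two points above describe (assess configurations against known vulnerabilities and corporate policy, prioritise by the shrinking exploit window, then act), as an added example that is not code from the article or from any of the vendors it names: a hypothetical inventory of two hosts is checked against a constructed vulnerability catalogue (placeholder bulletin identifiers, not real ones) and a constructed corporate policy. Each finding is scored so that publicly exploited, long-unpatched issues rise to the top, and the plan separates what must be enforced immediately from what can wait for the next patch cycle. The scoring weights, the 30-day deadline, the product names and the dates are assumptions chosen for the illustration.

```python
"""
Added example (not code from the article or from any vendor named in it):
assess host configurations against a vulnerability catalogue and a corporate
policy, rank findings by exploit window, and derive the actions to enforce.
Hosts, bulletin identifiers and dates are all constructed placeholders.
"""
from datetime import date

AS_OF = date(2006, 6, 12)

# Constructed catalogue; the identifiers are placeholders, not real bulletins.
CATALOGUE = [
    {"id": "BULL-A", "product": "rpc-service", "fixed_in": "5.2.3",
     "published": date(2006, 5, 9), "exploit_public": True},
    {"id": "BULL-B", "product": "pdf-reader", "fixed_in": "7.0.8",
     "published": date(2006, 6, 1), "exploit_public": False},
    {"id": "BULL-C", "product": "im-client", "fixed_in": "7.5.1",
     "published": date(2006, 5, 30), "exploit_public": True},
]
# Constructed corporate policy: patch deadline plus required settings.
POLICY = {
    "max_patch_age_days": 30,
    "checks": [("antivirus_enabled", True, 8),      # (setting, required, weight)
               ("guest_account_enabled", False, 4)],
    "min_password_length": (8, 5),                  # (minimum, weight)
}
# Constructed inventory, as a configuration scanner might report it.
HOSTS = [
    {"name": "fs01",
     "software": {"rpc-service": "5.2.1", "pdf-reader": "7.0.8"},
     "config": {"antivirus_enabled": True, "guest_account_enabled": True,
                "min_password_length": 8}},
    {"name": "ws17",
     "software": {"rpc-service": "5.2.3", "pdf-reader": "7.0.5", "im-client": "7.0.0"},
     "config": {"antivirus_enabled": False, "guest_account_enabled": False,
                "min_password_length": 6}},
]


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def assess_host(host, catalogue=CATALOGUE, policy=POLICY, as_of=AS_OF):
    """Findings for one host, highest score first. 'enforce' marks what must be
    fixed now: overdue patches and any non-compliant setting."""
    findings = []
    for vuln in catalogue:
        installed = host["software"].get(vuln["product"])
        if installed is None or version_tuple(installed) >= version_tuple(vuln["fixed_in"]):
            continue
        age = (as_of - vuln["published"]).days
        # Public exploit code dominates; every week unpatched adds a point, capped at 5.
        score = (10 if vuln["exploit_public"] else 5) + min(age // 7, 5)
        findings.append({
            "host": host["name"], "kind": "vulnerability", "ref": vuln["id"],
            "detail": f"{vuln['product']} {installed} < {vuln['fixed_in']}",
            "age_days": age, "score": score,
            "enforce": age > policy["max_patch_age_days"],
            "action": f"upgrade {vuln['product']} to {vuln['fixed_in']}"})
    for setting, required, weight in policy["checks"]:
        actual = host["config"].get(setting)
        if actual != required:
            findings.append({
                "host": host["name"], "kind": "config", "ref": setting,
                "detail": f"{setting}={actual}, policy requires {required}",
                "age_days": None, "score": weight, "enforce": True,
                "action": f"set {setting}={required}"})
    minimum, weight = policy["min_password_length"]
    actual = host["config"].get("min_password_length", 0)
    if actual < minimum:
        findings.append({
            "host": host["name"], "kind": "config", "ref": "min_password_length",
            "detail": f"min_password_length={actual}, policy requires >= {minimum}",
            "age_days": None, "score": weight, "enforce": True,
            "action": f"set min_password_length={minimum}"})
    return sorted(findings, key=lambda f: -f["score"])


def remediation_plan(hosts=HOSTS, threshold=8):
    """(host, ref, action) for everything enforced now or scoring >= threshold;
    the rest waits for the next scheduled patch cycle."""
    return [(f["host"], f["ref"], f["action"])
            for host in hosts for f in assess_host(host)
            if f["enforce"] or f["score"] >= threshold]
```

The age term is what encodes the shrinking window quoted above: a five-week-old bulletin with exploit code in circulation (BULL-A on fs01) outranks a newer one without (BULL-B on ws17) even though the newer one affects a desktop application that firms tend to overlook, and the 30-day deadline turns the older one into a mandatory action rather than a scheduling decision.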

Firms should not waste time or money on stand-alone patch management solutions. Even if these products offer superior vulnerability assessment and broad platform support, standalone solutions will be quickly overtaken by other vendors with more comprehensive offerings. Many firms deployed specialised tools in 2003 and 2004, but integrated offerings from systems management vendors are now on par with most specialised products.

Security information management (SIM) is one of the most versatile weapons a firm has for handling security threats. Vendors’ SIM products help customers detect threatening activities on the network, understand the importance or impact of the threats, and launch remediation plans. There are three common uses of the technology: centralised security operations centres, distributed incident response teams, and compliance management.
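To make concrete the "complexity of system information" and security-log points in the drivers list above, and the detection and impact-assessment uses of SIM described in this paragraph, here is an added example (not code from the article or from any SIM vendor) that normalises three constructed log extracts in different formats (a Windows logon log, a firewall syslog feed, an anti-virus console export) into one schema and then correlates across them. The hosts, addresses, user names and signature name are constructed; the only real identifiers are the Windows 2000/2003 event IDs 528 (successful logon) and 529 (bad password). The correlation rule and its five-minute window are assumptions for the illustration.

```python
"""
Added example (not code from the Forrester article): normalise events from
three differently formatted log sources into one schema, then correlate
across them. Every log line below is constructed for illustration.
"""
import re
from datetime import datetime

# Constructed Windows 2000/2003 security-log extract as key=value pairs
# (event 528 = successful logon, 529 = bad password).
WINDOWS_AUTH = """\
2006-06-12 09:01:10 host=fs01 event=529 user=jsmith src=10.0.5.23
2006-06-12 09:01:14 host=fs01 event=529 user=jsmith src=10.0.5.23
2006-06-12 09:01:19 host=fs01 event=529 user=jsmith src=10.0.5.23
2006-06-12 09:01:25 host=fs01 event=528 user=jsmith src=10.0.5.23
2006-06-12 09:30:00 host=fs01 event=528 user=backup src=10.0.0.9
"""
# Constructed syslog-style firewall lines (syslog timestamps carry no year).
FIREWALL = """\
Jun 12 09:02:03 fw01 DROP src=10.0.5.23 dst=10.0.7.1 dport=445
Jun 12 09:02:05 fw01 ACCEPT src=10.0.5.23 dst=10.0.7.2 dport=445
"""
# Constructed anti-virus console export, pipe separated.
ANTIVIRUS = """\
12/06/2006 09:02:40 | fs01 | detected | Worm.Generic | C:\\share\\tool.exe | quarantined
"""
FW_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (ACCEPT|DROP) "
                   r"src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_windows(text):
    """Logon events -> common schema: ts, source, host, src, user, action, outcome."""
    out = []
    for line in filter(str.strip, text.splitlines()):
        day, clock, rest = line.split(" ", 2)
        kv = dict(p.split("=", 1) for p in rest.split())
        out.append({"ts": datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"),
                    "source": "windows", "host": kv["host"], "src": kv["src"],
                    "user": kv["user"], "action": "logon",
                    "outcome": "success" if kv["event"] == "528" else "failure"})
    return out


def parse_firewall(text, year=2006):
    """Firewall lines -> common schema; the caller supplies the missing year."""
    out = []
    for m in filter(None, map(FW_RE.match, text.splitlines())):
        stamp, host, verdict, src, dst, dport = m.groups()
        out.append({"ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
                    "source": "firewall", "host": host, "src": src, "user": None,
                    "action": f"connect:{dst}:{dport}",
                    "outcome": "success" if verdict == "ACCEPT" else "failure"})
    return out


def parse_antivirus(text):
    """AV export -> common schema."""
    out = []
    for line in filter(str.strip, text.splitlines()):
        stamp, host, action, sig, _path, outcome = [p.strip() for p in line.split("|")]
        out.append({"ts": datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S"),
                    "source": "antivirus", "host": host, "src": None, "user": None,
                    "action": f"{action}:{sig}", "outcome": outcome})
    return out


def correlate(events, window_s=300, min_failures=3):
    """A logon success preceded by repeated failures from the same source is an
    incident; corroboration from another source within the window raises it."""
    events = sorted(events, key=lambda e: e["ts"])
    logons = [e for e in events if e["action"] == "logon"]
    incidents = []
    for i, e in enumerate(logons):
        if e["outcome"] != "success":
            continue
        failures = [f for f in logons[:i]
                    if f["src"] == e["src"] and f["user"] == e["user"]
                    and f["outcome"] == "failure"
                    and (e["ts"] - f["ts"]).total_seconds() <= window_s]
        if len(failures) < min_failures:
            continue
        inc = {"kind": "guessed-password-logon", "ts": e["ts"], "host": e["host"],
               "user": e["user"], "src": e["src"], "severity": "medium",
               "evidence": {"windows"}}
        for o in events:
            dt = (o["ts"] - e["ts"]).total_seconds()
            if not 0 <= dt <= window_s:
                continue
            if o["source"] == "firewall" and o["src"] == e["src"] and o["outcome"] == "success":
                inc["evidence"].add("firewall")   # same source now reaching other hosts
            if o["source"] == "antivirus" and o["host"] == e["host"]:
                inc["evidence"].add("antivirus")  # malware landed on the target host
        if len(inc["evidence"]) > 1:
            inc["severity"] = "high"
        incidents.append(inc)
    return incidents


def run_demo():
    """Correlate the three constructed logs and return the incident list."""
    return correlate(parse_windows(WINDOWS_AUTH) + parse_firewall(FIREWALL)
                     + parse_antivirus(ANTIVIRUS))
```

Read in isolation, the Windows log shows a password-guessing run that ends in a successful logon, which the rule reports at medium severity and which a busy operator could file as a user mistyping. Only when the firewall and anti-virus records sit in the same normalised stream does the same event become a high-severity incident with a concrete remediation target: the source address that is now reaching other hosts on port 445, and the host where the quarantined file appeared.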

For more information, contact Sudin Apte, Forrester India Country Manager, at sapte@forrester.com or phone 020 2567 4390/91

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.