Consolidation is key to future for Network Associates

Computer security specialist Network Associates bought intrusion protection companies Entercept and IntruVert earlier this year....

Computer security specialist Network Associates bought intrusion protection companies Entercept and IntruVert earlier this year. The issue for Gene Hodges, president of Network Associates, in the next one to two years is how to pull the management infrastructure together and simplify it.

"There are a lot of giblets in a security turkey around a computer system," he said.

"There is antivirus, host intrusion detection or prevention. You have to worry about spam and spyware and the application firewall that sits on the system. You are concerned about policy control, especially for laptops, to make sure if the machine gets onto the network it has protection software installed and doesn't have an access Trojan installed."

Hodges admitted that there is a lot of complexity, even for a large company, to manage. "So pulling all those things together so they can be managed simply in a single way is something we are putting a lot of investment in.

"Management is one of our strengths, and we have most of the pieces. So we will integrate the various technologies into an existing management infrastructure to give the customers a lot of leverage."

This lack of consolidation in security appliances so that users do not have to interact with so many elements is being addressed by the IT security firms including Network Associates.

Hodges said, "That will happen progressively over the next two to three years at the perimeter and the interior, and we absolutely will be in that space. We will bring to the table integration of secure content management and sniffing and intrusion prevention in a high-speed appliance."

For Network Associates though this all-in-one appliance will be on a specialised hardware platform. "We are on Linux with our anti-virus scanners today," said Hodges, "but the intrusion-prevention capability in general requires an accelerated hardware platform. We will see it get more accelerated-hardware-oriented as you start to open up XML packets and do deep inspection."

However, the jury is still out on what would be left out of the all-in-one consolidated security platform. "You will get a lot of different arguments from technologists over whether you can realistically keep the speed that you need in the switching environment or in the firewall and do deep packet inspection," Hodges said.

For example, he pointed out that NetScreen is going to build intrusion-prevention appliances with its firewalls. "The issue there will become if you are building a high-speed accelerated ASIC device without a software environment, can it be kept up-to-date with the attack profiles?"

The question of including anti-virus in the consolidated product boils down to one of cost, he said. "You can do anti-virus on the line, but it is more expensive to do it at line rates."

However, for Hodges, secure content management means anti-virus, spam and ethical content management, and he adds, "that includes not swearing at the customers".

The other cost factor in security is the number of staff needed to set up and run the systems, said Hodges. "One key issue driving the security industry consolidation is the number of people needed to run things."

The good news for the cost-conscious user is that "the complexity of the infrastructure is not going to keep expanding unbounded forever," he said. "Body count should drop, but you will see a move to a more skilled body count - the guys that remain will be forensics experts who can delve into the hard cases."

Over time, the management of the infrastructure itself will be simplified and integrated so that it is carried out by the larger infrastructure teams.

For example, Hodges said, "on the perimeter and network interior, this security stuff will migrate to where it is managed by the network operations team as opposed to a separate security team.

"So the security team will be the specialists that you call into handle the ugly-looking cases, but the day-to-day stuff will be handled by the network operations team," he said.

This transfer of skills from specialists to infrastructure should improve relations with the network experts, Hodges said. "When you put an intrusion-detection box onto a network, you can have separated security from network operations because you are just looking at alerts, such as ‘This happened’ or ‘This may have happened’ and you are not taking immediate action," he explained.

"But when you are taking immediate action, the network operations people become very concerned and want to have control and say, ‘Hey, wait a minute - this is my network’."

From a scaling and manpower perspective, Hodges said, the security capabilities should be where the big infrastructure team can run it.

The other major development will be in learning. "The technology will be heuristic," he said. "It is already in some ways. But it won't implement what it has learned without asking a human first."

There is still a mixed response to outsourcing security. "In our customer base, there are many who say, ‘This is complicated, requires specialists, and I don't want to hire those specialists,’ and, ‘I want to have a single throat to choke and I'll out-task it’," said Hodges.

"However, customers in the same industry say, ‘How can the security of our core applications not be something that we're good at and not know about on a day-to-day basis?’," he added.

"The middle ground will be out-tasking the operations management and keeping security architecture and forensics inside."

But for Hodges the biggest worry is "that the bad guys get ahead".

"At the end of the day, if you don't secure a customer's network, they are not happy, because they are giving you a lot of money," he said.

Network Associates sets up intrusion prevention framework>>

Matt Hamblen and Rob Mitchell write for ComputerWorld

Read more on IT architecture