adimas - Fotolia
The World Wide Web (WWW) is celebrating its 30th birthday. Among the many benefits it has given society, the web has also become the perfect vehicle to trick unsuspecting users into visiting rogue websites containing malware.
Bridget Kenyon, global chief information security officer (CISO) at Thales, says search engines such as Google and Microsoft Bing have worked hard to remove malicious search results, but while web browsers are filtering out most of the bad sites, it is difficult to prevent the worst attacks. “Spear phishing is a lot harder to recognise,” she adds.
The web has made it possible for users to jump easily between different servers across the internet, without even being aware that it is how web pages are rendered on their browsers.
For security professionals, ensuring users don’t activate malware that could attack the corporate network is an uphill battle, often involving multiple security systems, with each requiring administration. Unified threat management (UTM) is an attempt by the industry to simplify security management.
Traditionally, UTM has focused on preventing and detecting cyber attacks. Ideally, security incidents and breaches should be prevented, says Maxine Holt, research director at Ovum.
However, organisations recognise that not everything can be prevented, so Holt says it is essential that the potential for a security breach is detected while an attacker is in the network, before the breach happens.
“As we have seen with enterprise approaches to security across all sectors and in organisations of all sizes, there is increased focus on the third objective of technology security controls – responding to an attack,” she says.
More of these types of technology capabilities will be deployed as part of UTM. Data loss protection (DLP) is generally included, but may be joined by data breach reporting capabilities to comply with the EU’s General Data Protection Regulation (GDPR), for example.
Multiple layers of security
For Holt, the benefits of UTM, led by the reduction of complexity in the security environment for small and medium-sized enterprises (SMEs), mean that UTM will be around for years to come.
However, Simon McCalla, chief technology officer (CTO) at Nominet, says: “Having one system in place means there’s only one system to go wrong. A lack of redundancy systems means that if the worst were to happen, there’s nobody on the subs’ bench ready to come on and change the game. If the UTM system fails, the criminals can essentially walk right in.”
Given that the profile of cyber criminals is changing and attack vectors continually change, McCalla warns: “With a UTM system, you’re reliant on the threat intelligence provider to be as quick as the criminals. If it’s not up to date, a business’s whole security posture is weakened, instead of just one element. This leaves multiple attack vectors open to criminals, and makes the business more vulnerable.”
McCalla urges CISOs to be wary of marketing hype. He says one major cyber security player was recently criticised for the inefficient alerts it was giving the teams that used it. The technology was essentially accused of crying wolf, meaning that security professionals ignored alerts, or turned them off all together. “This doesn’t mean that the system wasn’t also flagging legitimate threats, but they were likely lost in the maelstrom,” he adds.
Read more about unified threat management
- How can organisations best use unified threat management tools to help stem the tide of data breaches?
- UTM is not a fit and forget exercise – the appliances and their management systems or UTM software needs to be maintained at the latest supported level.
- Unified threat management (UTM) is one of the growing parts of that global security spend.
- A UTM system fits into the latter trend, bundling a number of security functions into a single, centrally controlled system
According to McCalla, one of the key areas which is often underlooked is domain name system (DNS) security, which offers a layer of protection that sits at the very gateway to your network. DNS is usually a reliable attack vector, as firewalls often allow traffic through this way.
However, as McCalla points out, what is weak in the event of an attack can be made strong in defence – if every packet of data leaves or enters via the DNS, it can be used as a strong first line of defence.
“At the moment, UTM systems don’t pay much attention to the DNS,” he says. “CISOs would be wise to consider a layered approach to cyber security, with bespoke tools for each potential attack vector. Or, if a UTM system is the preferred method of protection, a backup system that sits at a DNS level should be considered.”
The other thing CISOs need to consider is what type of business they are in, and where it might be vulnerable. For example, a manufacturing or industrial business will be vulnerable in different areas to a bank.
One thing that is clear, however, is that as businesses continue to transform digitally, connecting more devices online, maintaining a secure network environment becomes harder. Due to the interconnected nature of today’s businesses, a UTM tool likely wouldn’t cover all bases anyway.
Firewalls and anti-spam software are effective at catching phishing emails aimed at employees, but they may not notice packets of data leaving a connected device infected with malware – this happened to a casino when its connected fish tank was hacked. To that end, CISOs should consider their spend. UTM systems may give them protection in areas they don’t need, while leaving them vulnerable in others.
UTM is not a silver bullet
Simon Persin, director of Turnkey Consulting, warns that over-reliance on a UTM system must be avoided. “If alerts are switched off – possibly as part of an attack, as this would be a target – effectiveness is seriously compromised,” he says. “In other words, using UTM shouldn’t mean foregoing controls at other levels throughout the organisation.”
Three network traffic patterns to watch out for and what to do about them
- Generic patterns, known within the industry and likely to affect many organisations: Tools to detect these can be delivered by the UTM provider, and is potentially an area for the customer to consider when undertaking due diligence on the prospective supplier.
- Patterns specific to individual organisations that are known about: This requires the UTM solution to be extendable so that custom patterns can be defined to meet specific needs.
- Patterns that are not yet known and therefore need to be defined: The UTM product could analyse the source data, for example, and propose potentially undetected scenarios outside the previously known threats. This is where artificial intelligence may be most effectively applied.
Once patterns have been identified, the right tools are needed in the operational world to generate a relevant response – such as an alert or notification – direct to a nominated user, or the incident response system, should an anomaly occur. This should also include an aspect of machine learning to assist where a potential violation has been repeatedly marked as an exception or false positive.
Source: Simon Persin, director of Turnkey Consulting
He adds that storage is another consideration. “UTM systems rely on vast amounts of stored data to detect patterns over time as well as identify immediate threats. When implementing UTM, the team must understand the data requirements, availability of storage and potential impact on key applications prior to installing,” he says.
Vladimir Jirasek, managing director of specialised cyber security consultancy and services company Jirasek Security, says: “Sometimes I get into discussions pertaining to the use of the latest technologies to thwart data breaches. In many cases, the debate quickly steers into suppliers, capabilities and features. I try to get my point across: cyber security starts with processes at the hygiene level – once these are implemented to a satisfactory level, add more advanced processes.”
He believes cyber security processes are undervalued in the portfolio of security programmes. “Companies put various technologies in place, in some cases implementing these without a care for how they will be managed, monitored and integrated into the rest of processes,” he says.
Jirasek believes UTM, or any other technology for that matter, is no good without well-executed processes. “Start with the critical controls implemented as processes, supported by trained people, good configuration and managed technologies,” he says. “It is only then that we stand a realistic chance to protect against data breaches.”
What next for UTM?
As threats continue to evolve, so too will UTM tools. In the age of GDPR and similar legislation worldwide, where businesses are under increasing pressure to disclose breaches, McCalla believes that the ability to forensically report on attacks will be key.
“Knowing what data was stolen and where it went will need to be a key offering for all cyber security suppliers,” he adds.
Nominet’s McCalla expects UTM tools to become more expansive as they cover the ever-increasing attack vectors available to criminals.
“They will also look at offering protection at a deeper network level to cope with the plethora of devices now connected to the internet. Some sort of DNS protection capability will be essential,” he says.
Ultimately, UTM systems – as with all types of threat prevention – will always be in responsive mode, tracking the latest threats and adapting accordingly. To that end, it will still require the guile of a strategic CISO to understand their own network, identify the weak points, and deploy tools accordingly. Whether that’s a UTM system, bespoke tools, or combination of the two, nothing will beat the strategic outlook of a well-versed CISO.
The threat landscape has exploded as the web and services built on web technologies gain in popularity. Given that every device – whether it is a corporate PC, a smartphone or an internet of things (IoT) device such as an internet-connected TV or security camera – requires an open connection to the internet, this provides a network port through which hackers can target attacks.
Understanding the health of the corporate network from a security standpoint – where are attacks being targeted or which exploits have broken through – is key to stopping or limiting damage from any attacks. UTM may go some way to helping security admins manage the ever-changing threat landscape by providing a single console to assess the overall security posture of the corporate network.