Serg Nvns - Fotolia

Making unified threat management a key security tool

As data protection becomes critical to businesses, we look at how unified threat management can be a useful tool, providing it is selected and deployed correctly according to business needs

As data protection becomes critical to businesses, we look at how unified threat management can be a useful tool, providing it is selected and deployed correctly according to business needs

The 2018 Cyber security breaches survey from the Department for Digital, Culture, Media and Sport (DCMS) found that 43% of the 1,519 UK businesses that participated admitted they had experienced a cyber attack or security breach.

Fines for major data breaches may be among the main reasons the industry is pushing unified threat management (UTM), says Peter Wenham, a member of the BCS security community of expertise. The General Data Protection Regulation (GDPR) has driven many chief information security officers (CISOs) to reassess their security posture. The new data regulation, which came into force in May 2018, means organisations face fines of up to 4% of global turnover. According to Wenham, UTM systems can help reduce the threats that could lead to a breach.

Benefits of UTM

Emma Bickerstaffe, senior research analyst at the Information Security Forum (ISF), says UTM systems were designed primarily for small to medium-sized enterprises (SMEs), but suppliers are increasingly promoting UTM as a viable and beneficial option for large enterprises.

The advantage of implementing a UTM appliance is that there is a single interface from which to both manage UTM appliance functionality and to monitor network events in a consolidated view. Other UTM appliance functions can include prioritising events and the alerting of significant events via video screens, SMS text messages and email, in addition to comprehensive reporting capabilities. Some products also offer artificial intelligence (AI) to aid diagnosis of security-related events, while most offer tools to aid investigations, says Wenham.

The centralised management control is often the clincher, with administrators gravitating to this with the intention of being able to deploy policies uniformly by using a single console, says RV Raghu, director of information security professional association Isaca. “But before getting carried away, it is imperative that enterprises understand that deploying a UTM tool requires that administrators have a deep understanding of how the tool will interface with the existing infrastructure landscape,” he says.

The other aspect which plagues all implementations of UTM, says Raghu, is the fall in performance, which can be experienced when several services are turned on, with some users indicating a steep fall in performance. “While this may seem like a deal-breaker, it also points to the need for proper planning and design prior to implementing the solution, as well as close interaction between the enterprise and its implementation partner,” he says.

Read more about UTM

How can organisations best use unified threat management tools to help stem the tide of data breaches?

UTM is not a fit and forget exercise – the appliances and their management systems or UTM software needs to be maintained at the latest supported level.

Unified threat management (UTM) is one of the growing parts of that global security spend.

A UTM system fits into the latter trend, bundling a number of security functions into a single, centrally controlled system

For Mary-Jo de Leeuw, director of cyber security advocacy for Europe, the Middle East and Africa (EMEA) at non-profit membership association for certified cyber security professionals (ISC)2, web filtering is arguably the most powerful client-facing UTM tool that can be used to protect the organisation. “By intercepting web requests at the point of initiation and using pre-defined and frequently updated whitelists and blocklists of sites, an organisation can screen out and mitigate the threat posed by a significant proportion of phishing attacks, malware-infected emails and links, scams and other threats that could compromise user and data security,” she says.

According to De Leeuw, a UTM-based approach to centralised antispam and antivirus provides a manageable and difficult-to-circumvent layer of data and file protection. She says it reduces the risk of data being compromised by malware corruption or ransomware hijacking, machines being disrupted by malware infection, and also communications platforms being overrun by irrelevant and unwanted junk mail.

“A centralised approach can counter any local client preferences or lapses in judgement and best practice. Thus, it can restore the messaging signal-to-noise ratio to a level where email is a net benefit to the 

organisation, rather than having inordinate amounts of storage space and user time wasted on junk mail, scams, threats and other security challenges,” says De Leeuw.

To optimise the potential of a UTM system, Bickerstaffe recommends that an organisation determines which of its functions to enable with reference to the threats faced by the business and whether the respective functions offered by the UTM system meet security and business requirements.

“Consideration should be given to the capacity of the UTM supplier to add new functions and improve the functionality of existing ones as threats evolve,” she says.

The performance of the UTM platform should also be tested prior to adoption to ensure it has the capacity to handle the loads that existing and new features can generate.

What are you protecting?

Mike Gillespie, vice-president of the C3i Centre for Strategic Cyberspace and Security Science (CSCSS), says using UTM means managing your own expectations. “It is vital before buying any security system to first establish what you are protecting, why, and from what you are protecting it. Seems basic, but you would be amazed at the thought that sometimes fails to go into this part of a specification. For it to be the right tool for the job, you need to know what the job is,” he says.

In addition, BCS’s Wenham says there needs to be an understanding of whether an infrastructure is to be completely redesigned and rebuilt, or it is greenfield build, or whether it is a case of selectively updating an existing infrastructure.

“While the basics are the same in each case, such as the need for an effective set of IT and information security management processes and controls to be in place, there will be trade-offs and compromises between these approaches,” he says.

For a complete network redesign of an existing infrastructure, Wenham says there is greater scope in UTM tool selection, from on-site UTM network appliances to outsourced cloud-based services, or a combination of approaches. He says such a redesign should lead to an optimal solution for an organisation, but would typically cause major disruption while being implemented.

Updating existing infrastructure involves replacing existing infrastructure devices with a UTM appliance that offers greater capability and either a single unified management interface or implements a software-based central management system offering UTM capabilities.

Wenham says a basic approach to UTM could be to replace a firewall with a UTM appliance offering a firewall with intrusion detection and intrusion prevention. “A more comprehensive UTM approach would be the implementation of a UTM appliance offering not just firewall, IDS [intrusion detection system] and IPS [intrusion detection system] functions, but also content filtering and email spam and message handling, data loss prevention, VPN [virtual private network] and endpoint control,” he adds.

But implementing a UTM appliance with many functions may require a partial redesign of an organisation’s infrastructure.

Security failure

With a UTM, there is a single point of failure in the corporate IT security systems, warns CSCSS’s Gillespie. “While you may have combined several functions into one platform (and supplier/manufacturer), you are relying on all of those functions being carried out as efficiently, accurately and comprehensively as a single function offering could do, and to the same standard. Therefore, it is as strong as its weakest component,” he says.

Gillespie urges organisations that plan to deploy UTM to establish a security architecture based around the security principle of defence in depth by using technology from a variety of suppliers and manufacturers.

UTM is not a panacea. People are needed to configure the UTM systems, he says, so there is a risk of human error. “The ICO [Information Commissioner’s Office] tells us that misconfigured software or hardware is one of the top causes of data breach in the UK,” adds Gillespie. People are going to run, manage and patch the UTM itself.

As an antidote to UTMs becoming a single point of failure, Isaca’s Raghu says enterprises are encouraged to implement paired devices, ensuring high availability. “It is imperative to understand that a UTM by itself is only one part of the puzzle and needs to be part of an overall security strategy, especially considering that a host of new technologies that are being adopted by enterprises bring their own challenges,” he says.

Manage expectations

So on its own, a unified threat management system will not make a business compliant with legislation like GDPR. Nor can it train staff.

“We need to manage our own expectations of what a UTM can and can’t do, as well as knowing what we need it to do,” says Gillespie. “There is no point replacing a number of unnecessary security solutions from a range of suppliers with a number of unnecessary security solutions from a single supplier.”

You need to make sure you have the skills, plan and team in place and that you are able to act on intelligence that systems like these generate. Again, this is part of managing your own expectation of what it can achieve and knowing that it can and will provide you with insight. You need to make sure you have your people and plans ready to make the most of that insight.

Like all security technologies, UTM is constantly evolving. In the age of GDPR and similar legislation around the world, where businesses are under increasing pressure to disclose breaches, the ability to forensically report on attacks will be key, says Simon McCalla, chief technology officer at Nominet. “Knowing what data was stolen, and where it went, will need to be a key offering for all cyber security suppliers,” he adds.

UTM can be a useful tool to enable businesses of all sizes to bolster their data protection capabilities by providing a consolidated view of what is going on in the network, but UTMs alone cannot solve all challenges relating to data protection.

Unified threat management tools must be carefully selected and tuned to meet the data protection needs of the particular business, staff must have the skills to interpret what the UTM system tells them, and care must be taken to ensure that a UTM does not represent a single point of failure by incorporating it in a robust, multilayered security architecture.

“An analysis of the pros and cons in the context of your organisation must be conducted before implementation and on an ongoing basis to ensure that the UTM continues to meet your requirements,” says Raghu.

Read more on Endpoint security

Data Center
Data Management