Amid high network security cost, organisations explore internal savings

Information security budgets still aren't back up to pre-recession levels. Organisations therefore need to look for ways to reduce their network security costs internally.

Information security budgets are frozen, security teams are depleted, but security threats keep growing. The private sector, especially in the realm of financial services, has been hit hard since the beginning of the recession in 2008. While the public sector has so far been protected from big budget reductions, swingeing cuts are expected to take place there after the general election in May.

So how can organisations, whether in the public or private sector, manage to defend their organisations without increasing their network security costs, and without taking on more people to handle the ever-increasing flow of new threats hitting their systems? As every security survey shows, the incidence of malware on the Internet is still growing sharply, and the nature and sophistication of the threats continue to bring up new challenges.

Rob Newburn, head of the security division at York-based software management specialists Trustmarque Solutions Ltd, said many organisations are saving money on network security costs by reviewing the way they handle endpoint security.

Information security budget-saving tips

  • Go for commodity (inexpensive) solutions at the endpoint
  • Reduce number of suppliers

  • Use integrated endpoint products rather than multiple products
  • Consider UTM to combine security functions
  • Consider using managed security services for some functions, such as Web and email management
  • Automate wherever possible -- consider security information and event management products to help manage inbound threats
  • Consider open-source tools, and possibly combine with low-cost commercial management platform to make them easier to use
  • Keep firewall rules up-to-date so that they reflect changes on the network

"We see organisations taking one of two routes. For many, they see endpoint security as a commodity purchase, so they will go for the least expensive option. In the public sector we are seeing companies such as Norman and Kaspersky gaining a lot of ground as a result of this trend." Newburn went on to mention that organisations can often save up to 50% of their expenditure on endpoint security by working with separate vendors, rather than working with their premium suppliers.

For those companies that do go with their premium suppliers, some may opt for an integrated product to defray network security cost. "A lot of the user bases are trying to consolidate on a single platform," Newburn said. "Where they might have had one supplier for device control, another for encryption, another for AV and so on, they are moving to one enterprise solution." He also said that investing in one product can be friendlier on the information security budget and easier to maintain than individual products. While the integrated product may not be best of breed, the ease of use is an acceptable trade-off.

That approach, according to Newburn, can help to extend the life of client machines. "Where you might have had five different agents on a machine doing five different things, using up resources, by putting it on a single agent, you need fewer resources, and you have a smaller footprint," he said. "Therefore hardware refresh cycles can be extended from three years to five, particularly in the public sector."

Newburn also noted a greater use of open-source tools by local authorities, with many organisations adopting Nessus for network scanning. Open source tools, while effective, can often prove difficult to use, he said, so several authorities have adopted a low-cost management platform from Yorkshire-based RandomStorm Ltd, which provides a friendlier interface to Nessus, and is much cheaper than some better known commercial scanning products.

At the network gateway, Newburn sees less change taking place. "At the network perimeter, we are not seeing a lot of consolidation, with the exception of Web and email security," he said. "Firewalls are still much as they were; no one wants to take a risk with that part of their network."

But that could be changing. A commissioned 2009 study by Fortinet Inc. and carried out by research company Vanson Bourne Ltd. found that 73.5% of U.K. enterprises planned to "undertake some form of network security consolidation project" in the next 12 months. In Germany the figure was 96.5% and in France, 99%.

Reasons given for pursuing a network security consolidation project were "simplified network security management" (34%), "lower total cost of ownership/reduced operating expense" (33%), and "tighter security" (17%).

This consolidated approach, which involves combining security functions into a single appliance -- usually referred to as unified threat management (UTM) -- has traditionally been the preserve of small businesses and remote offices. But Fortinet's U.K. director, Paul Judd, insisted the concept is gaining acceptance in many large corporations. Fortinet's own customer list includes telecommunications and financial services companies.

But Judd also warned that many UTM offerings lack true integration and merely mask a collection of separate products that have been acquired by the vendor or included through an OEM arrangement. He said those devices fail to capitalise on the benefits of true integration, as users often still have to pay for separate licences and also acquire different skills for each of the different functions. "What users should be looking for in a UTM device is one application, one interface, one training course, and a single support contract," he said.

Information security budget saver: Automate SIEM
Dominic Storey, European technical director of intrusion prevention vendor Sourcefire Inc., said often companies miss the opportunity to save money by automating many mundane tasks, such as sifting through device logs.

Storey said all networks are under constant attack, but the majority of network events can be filtered out or ignored because, for example, they seek to exploit assets that do not exist on the network. For instance, an attack against a Microsoft IIS Web server would pose no threat to an infrastructure that runs Apache. By automating security incident and event management, it is possible to reduce the number of events that need human attention, and hence save time and money.

With staff free to do more useful work, Storey said, their efforts can be directed to keeping systems properly tuned. "Tuning is usually done at installation and then the system is left to get on with the job," he said. In reality, he added, companies must continue to revisit technology and policy changes because the network is always changing subtly.

Read more on Network security management