United in threat management part three: how scared are you?

YESTERDAY: Has UTM delivered?

The rise in popularity of blade servers and virtual servers has made it easier to build a distributed threat management solution while still being able to deploy and configure best of breed point solutions on individual servers within a single physical server. "We have done a lot of work in the areas of firewall virtualisation and unifying the applications into a chassis with blade technology that gives an organisation five nines up-time," says John Addeo of Dimension Data. But it's a very high-end solution and very specific to customers who want to go to market very quickly to create dynamic firewalls on the fly to enable the business to be more reactive."

"It's all about sitting down and working out what you are trying to accomplish, what you're trying to achieve," says Addeo. "What threats and controls do you require and how do you best achieve that? The challenge is in the large end of town. Unified threat management (UTM) appliances work well in the SMB market "“ being able to put in appliance straight off the shelf and it tends to work. But then we have a massive gap for enterprise until we get to the very high-end. So we go from appliance, to distributed threat using best-of-breed solutions, and then into the unified chassis based approach with virtualisation. So we go through a number of different stages but again it's all about what are you trying to achieve as an organisation and what controls can we put in place and how do we create an infrastructure that's appropriate for your business to meet those needs?"

Addeo is no stranger to the threats that can come from within the network, transported in briefcases, backpacks and handbags. "Looking at some post mortems for incidents that have happened in some of our clients that have come in to ask us to help them look at the event, it has typically been somebody who has come onto a network who has been offline for awhile and their AV hasn't been updated or they haven't been distributed patches to protect them and they have come back in and brought malicious code into an organisation," he says. "Then without the appropriate defence, that code has been able to replicate across the network and actually take down systems."

We've spent a lot of time as an industry ensuring that we have strong gateways and IDS and automated patching regimes, but wandering notebooks are often left on their own with nothing more than anti-virus and anti-spyware between them and the big bad Internet. "Things like laptop encryption are important, things like ensuring anti-virus is on the laptops but even more than just signature based AV, but anomaly based protection, intrusion detection and firewalls," says Addeo. "So when the laptop goes into an unsecured network like a hotel or a wireless network at an airport, that laptop actually has an appropriate level of security itself so it is not picking up any code that would be eventually brought into an organisation when they reconnect."

And what about the dangers from memory sticks? "It's like accepting anything," Addeo opines. "If you accept data from an unsecured location, one of the risks is that someone hands you a memory stick not created from a file that was within your control. Those files should be cleaned and that should be picked up by your defence software on your laptop. More importantly the risk of memory sticks is the loss of a memory stick and the unencrypted data that is on it. A lot of people put sensitive information on memory sticks including things like corporate financial data and Excel spreadsheets that we share around and those are usually lost or even if the information has been deleted, the information is typically easily recovered using some forensic software."

"So the biggest challenge with memory sticks is in ensuring that you force encryption on them and you are enforcing security of those devices. Also, intellectual property is a big risk for organisations with memory sticks. People can come in and plug in a memory stick, dump data on it and walk out of the business with very, very highly sensitive information." Which is another reason why you need to remain alert, and very likely, alarmed.