Maksim Kabakou - Fotolia

Security Think Tank: Approach UTM with caution

How can organisations best use unified threat management tools to help stem the tide of data breaches?

With the increasingly pervasive cyber threat, chief information security officers (CISOs) could be forgiven for trying to find a catch-all solution. Unified threat management (UTM) systems typically claim to offer these time-poor, stressed security professionals with a one-size-fits-all approach to cyber security. One tool to cover all bases sounds like an ideal solution – but CISOs should approach these with caution.

UTM appliances combine firewall, gateway antivirus, and intrusion detection and prevention capabilities into a single platform. In theory, this should give you a wide range of protection from external threats and cyber criminals. CISOs are afforded the knowledge that they only need to look in one place and at one system or piece of software to understand the safety and security of their critical systems.

But having one system in place means there’s only one system to go wrong. A lack of redundancy systems means that if the worst were to happen, there’s nobody on the subs bench ready to come on and change the game. If the UTM system fails, the criminals can essentially walk right in.

One size doesn’t always fit all

Think about the profile of cyber criminals. They don’t play by the rules, and will continually change attack vectors and apply pressure to the latest vulnerabilities. The speed at which they can do this is frightening, and with a UTM system, you’re reliant on the threat intelligence provider to be as quick as the criminals. If it’s not up to date, a business’s whole security posture is weakened, instead of just one element. This leaves multiple attack vectors open to criminals, and makes the business much more vulnerable.

The other thing CISOs need to consider is what type of business they are, and where they might be vulnerable. For example, a manufacturing or industrial business will be vulnerable in different areas to a bank.

One thing that is clear, however, is that as businesses continue to transform digitally, connecting more devices online, maintaining a secure network environment becomes harder. Due to the interconnected nature of today’s businesses, a UTM tool likely wouldn’t cover all bases anyway. Firewalls and anti-spam software are effective at catching phishing emails aimed at employees, but they may not notice packets of data leaving a connected device infected with malware. Remember – this happened to a casino when its connected fish tank was hacked!

To that end, CISOs should consider their spend. UTM systems may give them protection in areas they don’t need, while leaving them vulnerable in others.

Beware of the tool that cried wolf

Of course, this isn’t to say that UTM systems don’t have their place in the CISO’s arsenal. Large enterprises may well benefit from the cost-effective deployments and centralised management. They are also scalable, so it’s becomes much easier for security professionals to deploy into new offices and geographies. However, there are a few considerations.

“CISOs would be wise to consider a layered approach to cyber security, with bespoke tools for each potential attack vector”
Simon McCalla, Nominet

The first is to be wary of marketing hype. A big cyber security player was recently criticised for the inefficient alerts it was giving to the teams that used it. The technology was essentially accused of crying wolf, meaning that security professionals ignored alerts, or turned them off all together. This doesn’t mean that the system wasn’t also flagging legitimate threats, but they were likely lost in the maelstrom.

The second is to get the basics right first. One of the key areas which is often overlooked is domain name system (DNS) security; a layer of protection that sits at the very gateway to your network. The DNS is usually a reliable attack vector, as firewalls often allow traffic through this way. But what is weak in the event of an attack can be made strong in defence: if every packet of data leaves or enters via the DNS, it can be used as a strong first line of defence.

At the moment, UTM systems don’t pay much attention to the DNS. CISOs would be wise to consider a layered approach to cyber security, with bespoke tools for each potential attack vector. Or, if a UTM system is the preferred method of protection, a backup system that sits at a DNS level should be considered.

What next for UTM?

As threats continue to evolve, so too will UTM tools. In the age of GDPR – the EU’s General Data Protection Regulation – and similar legislation around the world, where businesses are under increasing pressure to disclose breaches, the ability to forensically report on attacks will be key. Knowing what data was stolen, and where it went, will need to be a key offering for all cyber security suppliers.

UTM tools are likely to become more expansive, as they cover the ever-increasing attack vectors available to criminals. They will also look at offering protection at a deeper network level to cope with the plethora of devices now connected to the internet. Some sort of DNS protection capability will be essential, as that may be the only way to spot malware that is calling out to a command and control (C&C) centre.

Ultimately, UTM systems – as with all types of threat prevention – will always be in responsive mode, tracking the latest threats and adapting accordingly. To that end, it will still require the guile of a strategic CISO to understand their own network, identify the weak points, and deploy tools accordingly. Whether that’s a UTM system, bespoke tools, or a combination of the two, nothing will beat the strategic outlook of a well-versed CISO.

Read more from Computer Weekly’s Security Think Tank about unified threat management (UTM)

Read more on Hackers and cybercrime prevention

Data Center
Data Management