Security Think Tank: Know strengths and weaknesses of UTM systems

How can organisations best use unified threat management tools to help stem the tide of data breaches?

With an evolving threat landscape and the accelerating pace of digital transformation, IT risk management solutions can be both complex and distributed throughout an organisation’s IT landscape, which increases the cost of managing them.

Also, the hardware and software required for end-to-end monitoring and management of the internal and external threats that an organisation faces can be confusing. This is heightened where the IT landscape has evolved over time so that legacy and cutting-edge applications sit side by side.

Consolidate requirements into one dashboard

Having a single, unified system – which encompasses everything from antivirus protection to content filtering and penetration controls – allows administrators to simplify the analysis of their primary threats through one dashboard and provides a focus on the areas where the greatest dangers may lie.

Of course, dashboarding is nothing new, but unified threat management (UTM) consolidates the differing requirements of these systems into one portal. Patching status can be viewed alongside anti-spam filters and attempted DDoS (distributed denial of service) attacks, for example.

Identify network traffic patterns

A UTM also performs tasks such as detecting patterns in network traffic, an activity that has three aspects:

  • Generic patterns, known within the industry and likely to affect many organisations – determining suspect user login locations and IP addresses, for example. Tools to detect these can be delivered by the UTM provider, and this is potentially an area for the customer to consider when undertaking due diligence on the prospective supplier.
  • Patterns specific to individual organisations that are already known about (by the organisation in question). This requires the UTM solution to be extensible so that custom patterns can be defined to meet specific needs.
  • Patterns that are not yet known and therefore need to be defined. The UTM could analyse the source data, for example, and propose potentially undetected scenarios outside the previously “known” threats. This is where artificial intelligence may be applied most effectively.

Once patterns have been identified, the right tools are needed in the operational world to generate a relevant response, such as an alert or notification, directly to a nominated user or the incident response system, should an anomaly occur. This should also include an aspect of machine learning to assist where a potential violation has been repeatedly marked as an exception or false positive.
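As an added illustration of the three pattern types and the response handling described above (this is example code written for this page, not any UTM vendor's product), the following Python detector runs a generic rule (login from a country not in the user's baseline) and an organisation-specific rule (interactive login outside business hours) over constructed login log lines. Findings that analysts have repeatedly closed as false positives are held in an exception set and suppressed rather than re-raised, and identical findings are deduplicated so the security team is not flooded. The log format, user names, baselines and business-hours window are all assumptions.

```python
from dataclasses import dataclass

# Constructed sample log lines (hypothetical format: timestamp user source_ip country result).
SAMPLE_LOG = """\
2019-03-04T08:02:11Z alice 203.0.113.10 GB success
2019-03-04T08:05:40Z bob   203.0.113.22 GB success
2019-03-04T08:07:03Z alice 198.51.100.7 RU success
2019-03-04T08:07:45Z alice 198.51.100.7 RU success
2019-03-04T02:15:09Z carol 203.0.113.30 GB success
2019-03-04T08:09:00Z dave  192.0.2.99   US success
2019-03-04T08:09:30Z dave  192.0.2.99   US success
"""

# Constructed baseline: countries each user normally logs in from.
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}, "dave": {"GB"}}
# Findings analysts have repeatedly closed as false positives (rule, user, country);
# the detector suppresses these instead of re-alerting (the learned-exception idea).
EXCEPTIONS = {("generic.new_country", "dave", "US")}
# Organisation-specific assumption: interactive logins expected only 07:00-19:59 UTC.
BUSINESS_HOURS = range(7, 20)


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    src_ip: str
    detail: str


def parse_log(text):
    """Split the constructed log format into event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "country": country, "result": result})
    return events


def rule_new_country(ev, known):
    """Generic, industry-wide pattern: login from a country outside the user's baseline."""
    if ev["country"] not in known.get(ev["user"], set()):
        return Alert("generic.new_country", ev["user"], ev["ip"], f"login from {ev['country']}")
    return None


def rule_out_of_hours(ev):
    """Custom, organisation-specific pattern: login outside the agreed working window."""
    hour = int(ev["ts"][11:13])  # hour field of the ISO-8601 timestamp
    if hour not in BUSINESS_HOURS:
        return Alert("custom.out_of_hours", ev["user"], ev["ip"], f"login at {ev['ts'][11:16]} UTC")
    return None


def run_detection(text, known=KNOWN_COUNTRIES, exceptions=EXCEPTIONS):
    """Run every rule over every event; apply analyst exceptions, then deduplicate."""
    alerts, seen = [], set()
    suppressed = deduplicated = 0
    for ev in parse_log(text):
        for alert in (rule_new_country(ev, known), rule_out_of_hours(ev)):
            if alert is None:
                continue
            if (alert.rule, alert.user, ev["country"]) in exceptions:
                suppressed += 1          # known false positive: do not page anyone
                continue
            key = (alert.rule, alert.user, alert.src_ip)
            if key in seen:
                deduplicated += 1        # same finding already raised this run
                continue
            seen.add(key)
            alerts.append(alert)
    return {"alerts": alerts, "suppressed": suppressed, "deduplicated": deduplicated}


if __name__ == "__main__":
    result = run_detection(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert)
    print(f"suppressed={result['suppressed']} deduplicated={result['deduplicated']}")
```

On the sample data this raises two alerts (alice from RU, carol at 02:15) while dave's two US logins are suppressed by the exception and alice's repeated RU login is collapsed into the first finding. The counters are returned alongside the alerts so that a team can see how much the exception list and deduplication are hiding, which is the kind of review that guards against the false sense of security discussed later in the article.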

Simplify systems to enhance overall security

UTMs, by design, tend to be easier for the end-user to understand than standalone security tools because a key requirement is to provide a friendly user interface that allows the organisation to interpret, mitigate and remediate risks to their environment effectively. By enabling an organisation to monitor a large majority of the complex security risks facing it, in one place, a UTM enhances the security of the environment.

All of the above reasons make an excellent case for investing in such a system.

Ensure the UTM is well secured

However, UTMs are not without their pitfalls, the main one being that consolidating control mechanisms into a UTM creates a single point of failure for demonstrating and executing controls should anything go wrong with the UTM system. Also, the UTM itself may become a central liability if it is vulnerable, outdated or poorly configured.

Preventing this requires the UTM to be well secured via firewalls and up-to-date patches. Otherwise, it is necessary to create a second line of defence to eliminate attacks that have overcome the UTM.

Guard against a false sense of security

UTMs can also induce a false sense of security. If the rules that identify risks are not designed correctly, then far from the system – and therefore the organisation – being secure, the reality is that there are risks that are not being detected.

Combating this requires the team charged with managing the UTM to ensure rigorous review and testing of the specifics before deploying a rule. Similarly, users must guard against overusing the functionality of the UTM. For example, setting too many alerts makes the monitoring task unmanageable for the security team, again leaving the organisation vulnerable while believing it has protected itself.

Over-reliance on a UTM must also be avoided. For example, if alerts are switched off – possibly as part of an attack, as this would be a target – effectiveness is seriously compromised. In other words, having a UTM should not mean forgoing controls at other levels throughout the organisation.

Storage is another consideration. UTMs rely on vast amounts of stored data to detect patterns over time as well as identify immediate threats. When implementing a UTM, the team must understand the data requirements, availability of storage and potential impact on key applications before installing.

UTMs are effective in the right context – but not a silver bullet

In 2019, as the value of data as a commodity rises, organisations are likely to face more data entity-level risks with an increasing focus on personal data. Mitigating for the associated risks and potential vulnerabilities will be a major investment for most organisations, which will require the relevant controls to be incorporated into UTM strategy.

UTMs enable administrators to manage a wide range of security functions from a single management console, rather than having to operate multiple non-integrated products from different suppliers. Human errors are reduced and threats can be handled more effectively.

However, they are not a panacea for all IT security issues, and careful consideration needs to be given to ensure they will deliver on their potential.
