Integrated Threat Management
Integrated threat management (ITM) is the evolution of stand-alone security products into a single, unified solution that is generally cheaper and easier to implement and maintain. Combine a single console for management, updates, reports, and metrics, and you will wonder why you do not have one at home too. This chapter introduces what an ITM solution is, the benefits and drawbacks of the solution, what to look for, and how to select a solution. Finally, the chapter wraps up with some lessons learned to help avoid some of the common pitfalls and gaps in a typical ITM solution.
One cannot read an information security magazine or attend a trade show without hearing about ITM. Within the same magazine or across the aisle, the next vendor may be advertising "unified threat management" or even perhaps "universal threat management." What these are, what the benefits to an organization are, what to look for when evaluating solutions, and lessons learned are discussed in this chapter. Even if you have no intention today of deploying an integrated or unified solution, this chapter provides you with a solid background to understand thoroughly and leverage this emerging technology in the future.
Integrated, unified, and universal threat management all have much the same implementations and goals; their names are different only because they were chosen by different vendors. For the sake of consistency within this chapter, we will choose to use the phrase "integrated threat management."
To start, let us examine the definition of ITM and what it brings to the enterprise. First, ITM is focused on threats that may affect an organization. A threat is defined as some entity that may be capable of attacking or affecting the organization's infrastructure. When used in a quantitative manner, the threat component also includes likelihood and impact considerations as well. Perhaps it is a malicious payload carried via Hypertext Transfer Protocol or via e-mail, or perhaps it is a "0-day" virus not yet seen by an antivirus software manufacturer. It may be a phishing site and the accompanying e-mails inviting users to visit the site to verify their account information or it may be a polymorphic worm whose purpose is to evade firewalls while continuously morphing its signature as it attacks the next target.
An ITM platform should, by definition, protect an enterprise against all of these threats and provide a platform to monitor and manage the ITM. To address these threats, the platform may include the following functions:
- An intrusion detection system (IDS) or an intrusion prevention system (IPS)
- Antivirus solution
- Antispyware solution
- Unsolicited commercial e-mail filtering
- Content filtering that includes e-mail and instant messenger content management
- Uniform resource locator (URL) filtering, which may include serving as a Web cache proxy
- Virtual private network (VPN) connectivity
It is important to note that in the absence of a defined standard for ITM, almost any product with an integrated (unified) combination of functions listed here can and likely has been called an ITM solution. Fortunately, if you follow the steps identified under "Evaluating an ITM Solution," you will learn how to identify and include the components that are important and relevant to your ITM requirements.
What Is an ITM?
The ITM platform is an extension to the information security life cycle within a typical organization.
As you may recall, a number of organizations typically started with very rudimentary (compared to today's standards) IDS capabilities that complemented an existing firewall solution at the perimeter. Some number of IDS personnel actively monitored a number of consoles for anomalies and reacted accordingly based on the alarms produced by the consoles. As the technology matured, a more effective and valuable event correlation function developed that allowed us to see longer term, more sophisticated and professional style attacks. Somewhat concurrent with the advancements in event correlation came IPSs, which allowed connections that either the user or the system determined to be a threat to the system's environment to be actively shut down. The ITM platform is the next stage of evolution, by which one can monitor and manage not only firewall and IDS data, but all security appliances.
It is important to note the similarities, as well as the functional differences, between an ITM program and an effective enterprise risk management (ERM) program, which are different, but complementary, programs. Recall that the function to calculate risk can be defined as
Risk (asset) = T * V / C
where T is the threat, V the vulnerability, and C the control or safeguard employed to protect the asset. The asset need not be a single system, but can be a collection of systems grouped by function (such as the Human Resources systems or all e-mail servers), by physical or logical location (such as New Jersey or systems in the corporate demilitarized zone), or even by system administrators or groups of users.
An ERM program is a continuously measured enterprise-wide view of the risks affecting an organization. A properly implemented ERM program identifies and measures the risks from perspectives such as financial, operational, reputational, and strategy. One of the most dynamic aspects of enterprise risk is the operational component, as it includes the logical and physical security risks of an organization. Having an effective ITM program provides a component of the many inputs required to support a successful ERM program. Although it is quite possible to have a successful ERM program without an ITM program, it significantly simplifies the collection and management of data to support one aspect of the program.
Returning to the ITM discussion, the platform as such does not require that all components be manufactured by the same company, but rather the components have their life-cycle activities consolidated. These activities include the following:
- Implementation and deployment
Rarely does a single manufacturer produce a best-in-class product in each area that it attempts. As we will see, an ITM solution may include components from several manufacturers utilizing a completely separate third-party integration tool or it may include using the management of several components to serve as its integrated solution. Alternatively, an organization may choose to develop its own integrated solution, relying on the framework of the individual components to satisfy its needs.
As has been presented here, an ITM solution typically integrates several IT security components within the infrastructure. Consider the simplified network diagram shown in Figure 1.1, which highlights the IT security components of a typical organization.
Figure 1.1 Traditional IT security components.
In this situation, the firewall, VPN, antispyware, antivirus software, and IDS solution are individual solutions and are managed individually. There are equally viable architectures that could support an ITM program; one typical solution is shown in Figure 1.2.
Figure 1.2 Typical ITM solution.
In a typical ITM solution, the functions identified in the traditional architecture in Figure 1.1 are combined into a single, integrated solution. It is quite possible, and in fact quite likely, that a typical ITM architecture may include two ITM devices to support high availability and load-balancing requirements. The primary components of an ITM solution are the management functions, the individual engines, event data, and configuration data of the ITM solution.
The management of an ITM solution is one of the most critical functions of the solution, as IT support personnel will need to manage and maintain the system. The ITM management functions should be a cohesive and tightly integrated module that includes the following:
- A dashboard that clearly shows the overall operating efficiency, critical events, and ITM functions that require attention and action and can be customized to the individual conducting the monitoring
- The ability to run queries that may be predefined by the vendor or ad hoc queries defined by the organization
- The ability to throttle traffic or reallocate processing capability to prioritize traffic or functions
- The ability to assign and manage user accounts and roles and responsibilities
- The ability to support multiple concurrent sessions to manage and monitor the device and events
The maintenance and update functions within the management component should focus on the maintenance of the ITM platform, including interfaces to the database backups, restoration, and repair. This is quite important and should also include provisions for archiving of data, and more importantly, an effective method of recalling and viewing the archived data. For example, if we need to recall the data from four months ago that has been archived to tape and stored off-site, a valuable feature of the ITM platform would be the identification of which particular tapes we need to recall and then an easy way to view the data once it has been recalled.
The core of an ITM solution is the processing engines that do the work. The antivirus engine, the firewall engine, and perhaps the reporting engine are the foundation of the solution and are utilized by the management function to provide an integrated solution. Whether the engines are single or multiple processors, shared or independent, commercial or proprietary, the customer is typically concerned about making sure that his or her requirements are satisfied during regular and peak periods.
One of the most useful and desirable benefits of an integrated solution is the correlation of the data collected and analyzed across the engines. Consider an innocent-looking e-mail message that would typically pass through an antivirus server. If the message has an HTML-based attachment that includes a Trojan or other malicious payload, an integrated solution can utilize a combination of antivirus, antispyware, unsolicited commercial e-mail filtering, and other security engines to detect the blended threat and block it from entering the network.
As part of the correlation functionality of an ITM, the management console can typically identify threats across a wider range of types of attacks, which can result in a more efficient response and can also look at the destination of more than one type of attack (such as firewall and antivirus messages) to develop an appropriate response to ensure that the organization's assets are appropriately protected.
In both examples, it is the combination of data from multiple sources that allows the analysis of aggregated data typically not detectable from a single vantage point. It is important to note, however, that most ITM solutions focus on the active protection of the organization rather than serving as a complete security event management (SEM) system. For those organizations, the adoption of a more robust SEM solution that takes input from the ITM may be preferable, as its core strength is the correlation and analysis of the data.
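The blended-threat and destination-based correlation described in the two examples above, as an added illustration that is not part of the chapter: events from several engines are grouped by what they concern (a message id or a destination host), and a verdict is formed from the combined evidence even when no single engine would act alone. The engine names, thresholds, and sample events are constructed assumptions, not output of any real ITM product.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    engine: str   # which ITM engine raised it: firewall, antivirus, antispyware, antispam
    key: str      # what the event is about: an e-mail message id or a destination host
    score: float  # the engine's own confidence that this is malicious, 0.0 .. 1.0
    detail: str


# Constructed sample events (not real telemetry). msg-1001 is the innocent-looking e-mail
# with an HTML attachment: three engines each see something mildly suspicious. host-hr-07
# is a destination seen in both firewall and antivirus events.
SAMPLE_EVENTS = [
    Event("antispam", "msg-1001", 0.40, "sender domain registered recently"),
    Event("antivirus", "msg-1001", 0.50, "HTML attachment contains obfuscated script"),
    Event("antispyware", "msg-1001", 0.45, "script matches dropper URL pattern"),
    Event("antispam", "msg-1002", 0.30, "bulk mailer headers"),
    Event("antispam", "msg-1003", 0.30, "sender not in allow list"),
    Event("antivirus", "msg-1003", 0.30, "attachment type rarely seen"),
    Event("firewall", "host-hr-07", 0.60, "outbound connections on port 6667 dropped"),
    Event("antivirus", "host-hr-07", 0.70, "trojan signature quarantined"),
    Event("firewall", "host-fin-02", 0.20, "single dropped packet"),
]

BLOCK_THRESHOLD = 0.8   # confidence a single engine needs to block on its own
MIN_ENGINES = 2         # how many distinct engines must agree for a blended verdict


def combined_confidence(scores):
    """Treat engine scores as roughly independent evidence: 1 - prod(1 - s)."""
    remaining = 1.0
    for s in scores:
        remaining *= (1.0 - s)
    return 1.0 - remaining


def correlate(events, block_threshold=BLOCK_THRESHOLD, min_engines=MIN_ENGINES):
    """Group events by key and return a verdict per key.

    block          - one engine alone is confident enough
    block-blended  - no single engine is, but several together are
    investigate    - several engines saw something, but not enough to block
    log            - a single engine, low confidence
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev.key].append(ev)

    verdicts = {}
    for key, evs in by_key.items():
        engines = {ev.engine for ev in evs}
        combined = combined_confidence(ev.score for ev in evs)
        if any(ev.score >= block_threshold for ev in evs):
            verdict = "block"
        elif len(engines) >= min_engines and combined >= block_threshold:
            verdict = "block-blended"
        elif len(engines) >= min_engines:
            verdict = "investigate"
        else:
            verdict = "log"
        verdicts[key] = {
            "verdict": verdict,
            "engines": sorted(engines),
            "combined": round(combined, 3),
            "details": [f"{ev.engine}: {ev.detail}" for ev in evs],
        }
    return verdicts


if __name__ == "__main__":
    for key, v in correlate(SAMPLE_EVENTS).items():
        print(f"{key:12} {v['verdict']:14} {v['combined']:.3f} {', '.join(v['engines'])}")
```

Note that msg-1001 is blocked only because three engines contributed; any one of them, viewed from its own console, would have let the message through.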
There is typically a database engine that focuses on maintaining the events that are detected and generated by the ITM solution. Depending on user preferences stored in the configuration database, an almost unlimited combination of events may be logged, stored, or analyzed. Some examples include
- Packets dropped by the firewall
- VPN users that were successfully authenticated and connected to the intranet
- Messages sent via e-mail that contained a predefined pattern and were logged in accordance with the requirements
- Sources of unsolicited commercial e-mail messages
The database may be a proprietary solution that can be accessed only through interfaces provided by the vendor or may not be directly accessible at all. Some vendors utilize commercially available databases on separate systems for scalability and flexibility issues that also may come with or without appropriate interfaces and may or may not require additional tuning and maintenance.
The engines and management console typically rely on a configuration database that maintains user preferences, user accounts and roles and responsibilities, and other system configuration information. This is the information that maintains the current state (and sometimes past state for rollback) of the system. Depending on the level of integration by the vendor, the ITM solution may provide a unified console to manage the configuration information but may utilize one or more databases to store the information.
The ITM solution should also be extensible. An ITM platform should include functions to support the implementation and deployment of additional components. For example, the inclusion of data and metrics from the desktop antivirus solution should not require a complete rewrite of the code, but perhaps an incremental additional licensing cost. A well-designed ITM console should provide a documented and supported interface to devices and other platforms and be capable of accepting, correlating, and analyzing the data that they provide.
The extensibility of the ITM solution should not be exclusive to the front-end or "input" side, but should also include the back-end or "output" side. Many organizations may utilize the ITM solution and the built-in tools to generate alerts to appropriate persons that will conduct further investigations or obtain additional data. Some organizations may wish to use the ITM solution as an input to their dispatching or trouble ticket system. Depending on the organization's requirements, how and what the ITM solution produces may need to be evaluated and be part of the decision-making criteria.
One of the most important functions of an ITM platform from a senior management perspective will be the development of metrics and reports that highlight the overall effectiveness (or ineffectiveness) of the ITM platform. Typical metrics include the following:
- New threats identified
- Total threats encountered
- Effectiveness of managing new threats
- Trouble tickets generated
- Trouble tickets closed
- Coffees consumed while troubleshooting the ITM appliance
Well, OK, the last one was thrown in as a joke, but it should be realized that although metrics are important to the ITM platform and the organization, one should not get carried away in creating numbers for the sake of creating numbers. Metrics and reports should be generated to identify areas of the ITM program that need improvement or require some additional action to support, to measure progress, and, very importantly, to measure compliance with existing corporate policies and regulations.
An effective ITM solution is more than just the box and some tools to manage it. Although a separate IT security program focused on the ITM solution may not be necessary (but quite helpful), integration of the ITM solution into the existing security program is necessary. An effective program should address the following areas:
- Responsibilities of the various roles required to support and monitor the solution.
- Appropriate training and required qualifications for the various roles.
- How the system is updated (including testing) with patches, data file updates, operating system updates, etc.
- Processes to request, review, approve, and implement changes, such as firewall rule changes and content monitoring criteria.
- All required policies, practices, standards, and procedures to support and monitor the solution. It is very important that the implementation of an ITM solution include a review or creation of a policy so that associates know what activities are monitored and logged.
- What system parameters and characteristics are monitored and included in the metrics and reports. How the metrics and reporting data are used to drive efficiency and effectiveness into the ITM solution should be addressed.
- How reports and alerts are reacted to, managed, and ultimately closed after being resolved.
- The ITM program should address the interface, if any is required, between the ITM solution and any system used to facilitate a response to a threat that is detected.
This is not an inclusive list of the components of an ITM solution but serves as a foundation to develop a program that can grow and adapt as necessary. Finally, the program also serves to help drive and support IT governance by ensuring that the ITM program (including all required documentation, monitoring, reaction to events, etc.) is fully operational and receiving the required support by upper management.
The ITM program should also include an IT security assessment of the implementation to measure the compliance with industry best practices and organizational policies. The assessment should review the ITM appliance or infrastructure to identify any vulnerabilities introduced, it should review the rules implemented within the ITM, and it should validate that the rules are being properly evaluated and processed by the ITM device. Finally, as part of the ITM program, assessments and audits of the ITM infrastructure should be scheduled on a regular basis.
Pros and Cons of an ITM Solution
There are a number of benefits to the deployment and implementation of a successful ITM program. Those benefits include consolidation, which typically reduces cost and complexity, ease of management, and integrated reporting. The benefits of an ITM solution are not without a few drawbacks, which may include a lack of flexibility and potential performance issues if the solution is not scaled properly.
One of the most obvious and visible benefits of an ITM solution, and one of the most prevalent arguments made by ITM vendors, is the consolidation of a number of components and functions into a single, unified solution. Combining multiple functions into a single solution, and potentially a single appliance, will likely provide initial and ongoing cost savings.
Initial "capital" costs of an ITM solution are traditionally less than the costs of the individual components that comprise the ITM solution. Costs associated with vendor negotiations and licensing can be reduced from five or six vendors to a single ITM vendor. Additionally, the price of the appliance is typically substantially less than the sum of the components, through economies of scale and the use of common hardware and software. Likewise, the maintenance costs of a single appliance or solution are generally less than those of the separate components, which increases cost savings continuously over the product's life.
In the future, when the company needs another function provided by the ITM solution, it can be as simple as generating a purchase order and installing a license key that was received via e-mail. That alone often saves weeks of time and quite a bit of money for the organization. Although new policies and inputs may be needed, re-architecting the network and lengthy vendor evaluation and negotiations will likely not be needed.
An often overlooked factor in cost savings is the cost to house the components in the data center. Just like traditional real estate costs, some organizations bill back data center costs to the business. Consider the significant reduction in costs, moving from several boxes consuming rack space to a single unit with comparable functions. Additionally, it reduces overall power consumption, as well as the cooling costs, two important factors today in data center costs. To a data center that is already at maximum capacity with existing equipment, being able to retrofit several devices to a single solution or the addition of a single box that previously would have needed half of a rack is a tremendous advantage. Adding an additional equipment rack or maintaining equipment in multiple locations adds additional costs, complexity, and overhead.
Having a single console to manage will reduce the amount of time required to maintain and manage the infrastructure. Although it is imperative to ensure that all components are regularly updated with any appropriate signatures such as antivirus and antispyware data files, equally important are the updates at the system level. Maintaining the operating system and application updates on one system will require less time and money than maintaining the updates on several systems.
Consider the benefits of deploying an ITM solution at each branch office or location when the equipment, maintenance, and management costs are multiplied across the organization. Additionally, whether conducting an audit or an assessment at one location or each of the branch offices, having one console to measure compliance and conduct audits and assessments will be tremendously useful and beneficial to the organization. A unified console to manage the ITM components also requires less training and shorter time frames for employees to learn and understand. Many ITM solutions also provide for granular user-account provisioning (including roles and responsibilities) that allows individuals to have access to maintaining or monitoring their respective components. Depending on the configuration of the ITM infrastructure, logging and alerting may be "unified" as well or at least provide for a consistent and uniform notification process that can be easily integrated into an SEM architecture. Likewise, the management of the ITM infrastructure from a single console allows an administrator to view all aspects and parameters of the system without needing to hop from system to system. The benefits of an integrated ITM reporting system can help with metrics, troubleshooting, return on investment studies and compliance, audits, and assessments (as noted earlier).
Some organizations consider the lack of flexibility of an ITM solution to be a significant drawback. For example, consider the ITM solutions that are available today. Although most vendors often do not attempt to develop their own solutions for all ITM functions, they partner or form alliances to deliver that integrated solution. If you are an organization moving toward an ITM infrastructure, are you willing to use the antivirus software that the vendor has chosen versus the one that you have or want to have? What about the firewall or the VPN connectivity solution? Although you do not have to license and use all of the components offered within an ITM solution, the cost savings, management, and benefits of an integrated solution may outweigh the inconveniences. It is unlikely that each component of the ITM will have been voted "best in class," but it is likely that the overall benefits of a well-integrated solution have that vote.
Some organizations are concerned with performance issues with available ITM solutions and feel that a single appliance cannot efficiently handle all functions without significant trade-offs. Just like any other solution, corresponding requirements need to be developed individually for each function. Once those requirements are developed, ITM solutions can be evaluated, as can the design and architecture of each solution. Questions such as whether specific functions are sandboxed and managed to ensure that the required memory and processing power are provided should be answered. Having a significant peak in messages with large attachments that need to be scanned should not cause the firewall to block traffic or, worse yet, allow traffic to pass without the defined screening. Although many of the ITM solutions today are appliances, there are some software-only platforms that operate on top of hardware and operating system platforms provided by the user.
Although the vendor typically provides the specifications of those systems, it may or may not define security requirements to help ensure that the platform itself is secure. Customers should understand that if a system is an appliance, they may be prohibited by licensing or may not even have access to perform security updates to the core operating system.
Evaluating an ITM Solution
One of the most important aspects of the ITM life cycle is the development of the evaluation criteria so that the available products can be reviewed and assessed against standard criteria. With more than a single person conducting the assessment process, this is critical to help ensure a consistent approach to the process. This section will discuss the development of selection criteria, scoring of solutions, and selection of the product.
The development of the selection criteria should be based on what is expected from each of the individual components as well as what the requirements are from the consolidated reporting, management, and maintenance functions. First, develop a list of the functions that are critical to being part of the ITM solution. Although firewall, VPN, and antivirus are the most common functions of an ITM solution, other functions discussed in the introduction may be considered mandatory or optional to the organization. It is important to note that many vendors market their ITM products to small to medium business enterprises. These are the organizations that may not have extensive and complex firewall, content monitoring, logging, etc., requirements. For those firms that require complex rules, have extremely heavy bandwidth requirements, or have very specific needs, an ITM solution may not fit their needs. Following the process provided here should help determine the answer for you.
Once those components are identified, individual requirements should be developed and labeled as mandatory or optional. For example, consider the firewall component and ask whether you have or expect to have Voice-over-IP (VoIP) traffic passing through your firewall. If so, Session Initiation Protocol application inspection capabilities may be a requirement to support the VoIP traffic and may be heavily weighted as such. If VoIP traffic requirements are still under review, it may be considered mandatory, with a lighter weighting according to the relative importance to the organization, or even labeled as optional.
Once the individual components have been identified and their respective requirements defined, the requirements of the unified solution should be identified and weighted. Requirements in these areas typically include:
- Ability to define user roles and responsibilities that meet the organization's security needs
- Reports and metrics that support compliance, auditing, and any required return on investment information
- Extensibility and ease of access to the database engine to extract custom reports or feed to any other system
- Appliance and component updates including data files (such as antivirus or antispyware) and system-level updates including ease of installation, frequency of updates, and reliability of updates
- Space, size, power, and cooling requirements for integration into the data center
- The vendor road map: with appropriate consideration, the product road map including additional features and integration opportunities
- Ability to add increased capacity such as storage and bandwidth processing through systems in parallel or upgrades
- Ability to support the device, such as on-site support, 24/7 telephone service, and same-day or next-day replacement options
- Correlation features that allow one to look at data across a longer time range by threat, by asset, by physical location, etc.
When all of the requirements have been considered, a table should be developed that includes all of the requirements and their respective weighting that can be utilized to evaluate the products. A sample table is shown in Figure 1.3.
Figure 1.3 Sample evaluation table.
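The evaluation table built by the procedure above (component requirements, mandatory or optional, each with a weight, then the unified-solution requirements), as an added worked example that is not from the chapter or any vendor. The 0-to-5 scoring scale, the weighted-percentage formula, the rule that a zero on any mandatory requirement disqualifies a product, and the three hypothetical products are all assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    name: str
    mandatory: bool
    weight: int   # relative importance to the organization, 1 (low) .. 5 (critical)


# Constructed requirement set following the chapter's order: per-component
# requirements first (the VoIP/SIP case from the text is mandatory and heavily
# weighted), then requirements of the unified solution and of the vendor.
REQUIREMENTS = [
    Requirement("Firewall: SIP application inspection for VoIP", True, 5),
    Requirement("VPN: site-to-site and remote access", True, 4),
    Requirement("Antivirus: gateway scanning of HTTP and SMTP", True, 4),
    Requirement("E-mail: unsolicited commercial e-mail filtering", False, 2),
    Requirement("Unified: user roles and responsibilities", True, 3),
    Requirement("Unified: compliance and audit reports", False, 3),
    Requirement("Unified: documented access to the event database", False, 2),
    Requirement("Unified: signature and system-level update process", True, 3),
    Requirement("Unified: correlation by threat, asset, and location", False, 3),
    Requirement("Vendor: 24/7 support with next-day replacement", False, 2),
]

MAX_SCORE = 5   # each requirement is scored 0 (absent) .. 5 (fully satisfied)

# Constructed scores for three hypothetical products, one value per requirement
# in REQUIREMENTS order. Product B has the best e-mail filtering of the three
# but no SIP inspection at all, which the weighted total alone would hide.
SCORES = {
    "Product A": [5, 4, 4, 3, 4, 3, 2, 4, 3, 4],
    "Product B": [0, 5, 5, 5, 5, 5, 5, 5, 5, 5],
    "Product C": [3, 3, 4, 2, 3, 4, 4, 3, 5, 3],
}


def evaluate(requirements, scores, max_score=MAX_SCORE):
    """Return, per product, its weighted percentage and whether it is still in the running."""
    max_total = sum(r.weight * max_score for r in requirements)
    results = {}
    for product, values in scores.items():
        if len(values) != len(requirements):
            raise ValueError(f"{product}: expected {len(requirements)} scores, got {len(values)}")
        if any(v < 0 or v > max_score for v in values):
            raise ValueError(f"{product}: scores must be within 0..{max_score}")
        # A mandatory requirement that is simply not met knocks the product out,
        # no matter how well it scores elsewhere.
        missing = [r.name for r, v in zip(requirements, values) if r.mandatory and v == 0]
        total = sum(r.weight * v for r, v in zip(requirements, values))
        results[product] = {
            "weighted_pct": round(100.0 * total / max_total, 1),
            "qualified": not missing,
            "missing_mandatory": missing,
        }
    return results


def rank(results):
    """Qualified products only, best weighted percentage first."""
    qualified = [(p, r) for p, r in results.items() if r["qualified"]]
    return [p for p, r in sorted(qualified, key=lambda pr: pr[1]["weighted_pct"], reverse=True)]


if __name__ == "__main__":
    results = evaluate(REQUIREMENTS, SCORES)
    for product, r in results.items():
        status = "qualified" if r["qualified"] else "disqualified: " + "; ".join(r["missing_mandatory"])
        print(f"{product}: {r['weighted_pct']}%  {status}")
    print("Ranking:", rank(results))
```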
In addition to the myriad of technology-based evaluation criteria, the ITM manufacturer should also be evaluated. Moving toward an ITM solution is a difficult choice. Although the risk of going out of business may be marginal, it is a risk, as is perhaps the greater risk of a product line being dropped as a result of an acquisition or merger. When you are putting the protection of your entire infrastructure into the hands of a single organization, the company itself should be evaluated. Is the vendor venture capital financed, public, or private? What is the direction of the company? What is the reputation of the company in the industry? Is the ITM solution the main focus of the company or just a small part? Although there may not be a wrong or right answer to any of these questions, understanding the company is part of the informed decision-making process.
Many organizations follow a two-phased approach to evaluate solutions. In any event, it is important to understand and follow the product or solution evaluation methodology for your organization. The first phase is a non-technology-based review, which may consist of discussions with vendors, reading of white papers, reading of independent evaluations, and discussions with peer and industry groups. Rather than evaluating 20 or 30 ITM solutions that may satisfy your requirements, the first phase is intended to narrow the list down to a smaller, manageable list of vendors that require a more thorough evaluation. By eliminating solutions that do not meet your requirements up front, the selection pool is reduced. Solutions that marginally meet your requirements or have additional benefits and features should be noted and marked for further evaluation.
The second phase is one of further discussions with vendors and a further review of white papers, product specification sheets, and manuals and documentation. For those systems that make the short list (typically two to three systems), a "try before you buy" program may exist that allows you to implement the product in an environment that you maintain. Some organizations may have a test lab in which products are evaluated, some may choose to run the ITM solution under evaluation in parallel with preexisting solutions, and some may wish to evaluate the ITM solution operating in lieu of the preexisting solutions. The merits of each solution are varied, but the reader is warned not to test an unproven security solution in a production environment as the sole line of defense.
Conclusion and Lessons Learned
The selection, implementation, and maintenance of an ITM solution should follow the life cycle of any other IT security product deployed within an organization's infrastructure. However, given that any ITM solution typically encompasses several critical security and control components of an organization, any mistake is often amplified due to its criticality and function. Make an error on the selection of an ITM solution and five different components may not perform as expected. Realize the difficulty of developing a business case to implement an ITM solution and then realize how difficult it will be to develop a business case to implement a second, better performing, ITM solution.
To avoid these errors, during the selection phase, you must define your selection criteria accurately.
It makes no difference whether an ITM solution has the best e-mail filtering if that is not nearly as important as having a firewall that serves as a VoIP gateway. Many organizations have suffered because they decided to move toward a solution that offered great and wonderful features and functionality in areas that were not part of their mandatory requirements and were perhaps actually lacking in those areas that were part of their requirements.
The development of an effective program including the ITM solution is imperative to ensure that it is properly used, monitored, and reacted to. Too many companies focus on the IT aspects of a deployment and fail to include any of the requisite training, awareness, documentation, and integration into the existing infrastructure. Without a program that addresses those areas, an organization will, at best, not fully utilize the solution. At worst, the security posture of the organization will be significantly reduced below an acceptable level if alerts are missed, personnel are not trained, parameters are not properly configured, etc.
In addition, organizations habitually neglect to plan for growth in terms of size and bandwidth within their network. Many of the ITM solutions are geared toward small- to medium-sized businesses and have plenty of room to grow and add capacity as the organization grows. However, many organizations fail to plan far enough into the future and at some point the chosen ITM solution may no longer scale to support the business needs. Be sure to look far enough into the future and be sure that the solution meets your needs today and tomorrow.
The ITM market continues to grow in terms of both number of features within each solution and number of vendors that are marketing solutions. Whether it is a single appliance or an integrated solution and whether it is from one vendor or many, you will find that there are both extremely stellar and extremely inferior products available. Understanding what your requirements are and evaluating the available products to find a viable and effective solution that meets your requirement are half of the solution. Developing and implementing a robust ITM program that supports, governs, and sustains the ITM infrastructure completes the solution and serves as the remaining foundation to a successful ITM implementation that helps reduce risk posture, saves costs, and increases management and insight into the threats affecting the organization.
From Information Security Management Handbook, Sixth Edition, Volume 3, edited by Harold F. Tipton and Micki Krause. New York: Auerbach Publications, 2009.