Begging for trouble on security

Securify founder Taher Elgamal says a patchwork mentality has effectively turned network security into an IT budget black hole.

Let's face it, network security has turned into the black hole of the IT budget. Under constant pressure to, once and for all, make their networks secure, IT managers have set up an arsenal of internal and external defenses: firewalls that filter packets, intrusion detection systems that spot known attack signatures, virtual private networks that establish encrypted tunnels to trusted partners, and public-key infrastructures that authenticate partners in a transaction.

Fort Knox never had it so good. Yet for all this investment, security problems are actually getting worse.

What's the problem? Part of it is scale. The enterprise network began as a closed set of internal pipes, unreachable from outside because it had no external connection. As long as you could trust your own people, your network was safe.

The other part of the problem is architecture. The Internet was designed for information sharing, and the corporate LAN was designed to run the business. When corporate LANs were connected to one another over the Internet, that security model broke, and the door was opened to the outside world--including hackers who are increasingly driven by financial reward.

Securing an Internet-connected network is a challenge of a different magnitude, yet the security industry has not changed its approach: almost every "solution" is touted by its vendor as the silver bullet, the missing piece that will finally secure the network. That is a myth.

The perimeter itself is the issue. Growing connectivity between networks means many different kinds of users need access to different kinds of resources at different levels of trust. A single perimeter cannot express that, and so the security model no longer supports the business case. A partner connection, for example, was never meant to grant access to the entire network, yet once a partner is inside the perimeter the network cannot tell that partner from an insider.

The hard truth of network security is that while many approaches are good, no individual effort makes the network completely safe. Implement enough fixes, and you only succeed at making your network more complex and, hence, more ungovernable, with solutions that wind up acting at cross-purposes.

Instead, enhance the infrastructure to support the business requirements first, and then solve the security problems with reasonable effort. And instead of the reactive approach, characterized by an accumulation of point products, enterprises need a proactive approach that fixes the underlying network flaws. Today's status quo is to anticipate the next attack and then "patch" the vulnerability it exploits.

IT departments need to take a holistic look at the network to find the vulnerabilities that could actually be exploited. Worms and viruses will inevitably hit an enterprise network; proper network management lets the anomalies they cause be detected in real time, so that the attack can be stopped before it spreads.

Proactive approaches let IT departments spot deviations from the norm and put metrics on compliance with the underlying network "policy."

Additionally, writing policies that describe "good" network traffic, rather than merely pointing out "bad" traffic, lets the enterprise learn where the network is exposed and adjust it in real time: anything the policy does not describe is, by definition, a deviation worth investigating. This type of solution not only helps avert attacks but lets the network do its job: provide a place for companies to do business with one another, their partners and their customers.
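To make the "good traffic" idea concrete, here is an added example of a positive, allow-list network policy evaluated over flow records. It is not Securify's product or code and not part of the original column; the zones, the rules, the simplified flow-record format and the sample flows are all constructed for illustration. Any flow the policy does not describe is reported as a deviation, and the fraction of conforming flows is the compliance metric. The sample deliberately includes a partner host reaching into the internal network, the kind of over-broad partner access described earlier, which an allow-list policy flags even though no "bad" signature matched it.

```python
"""Allow-list ("good traffic") network policy evaluated over flow records.

Added example, not Securify's product or code. The zones, policy rules,
record format and flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Constructed zone map: which address ranges belong to which trust zone.
# Anything not listed is treated as the Internet.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "partner": ipaddress.ip_network("203.0.113.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its trust zone; unknown addresses are 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: Optional[int] = None  # None means any destination port
    description: str = ""


# The policy describes *good* traffic; everything not matched is a deviation.
POLICY = [
    Rule("internal", "dmz", "tcp", 443, "staff to web tier"),
    Rule("internal", "internet", "tcp", 443, "staff browsing"),
    Rule("internal", "internet", "tcp", 80, "staff browsing"),
    Rule("internet", "dmz", "tcp", 443, "public web"),
    Rule("partner", "dmz", "tcp", 443, "partner portal only"),
    Rule("dmz", "internal", "tcp", 5432, "web tier to database"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def matching_rule(flow: Flow) -> Optional[Rule]:
    """Return the first policy rule that permits this flow, or None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in POLICY:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == flow.proto
                and rule.dst_port in (None, flow.dst_port)):
            return rule
    return None


def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse constructed 'src dst proto dst_port' records (NetFlow-like)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(port)))
    return flows


def evaluate(flows: List[Flow]) -> Tuple[List[Flow], float]:
    """Return the flows that deviate from policy and the compliance ratio."""
    deviations = [f for f in flows if matching_rule(f) is None]
    compliance = 1.0 if not flows else 1 - len(deviations) / len(flows)
    return deviations, compliance


# Constructed flow records: five conforming flows followed by three deviations
# (partner reaching an internal file server, partner SSH to the DMZ, and an
# internal host talking IRC to the Internet).
SAMPLE_FLOWS = """
10.1.2.3     192.0.2.10     tcp 443
10.1.2.3     198.51.100.7   tcp 443
203.0.113.5  192.0.2.10     tcp 443
198.51.100.9 192.0.2.10     tcp 443
192.0.2.10   10.5.0.20      tcp 5432
203.0.113.5  10.5.0.20      tcp 445
203.0.113.5  192.0.2.10     tcp 22
10.1.2.3     198.51.100.7   tcp 6667
"""

if __name__ == "__main__":
    bad, ratio = evaluate(parse_flows(SAMPLE_FLOWS.splitlines()))
    print(f"compliance: {ratio:.0%}")
    for f in bad:
        print(f"DEVIATION {zone_of(f.src)}->{zone_of(f.dst)} "
              f"{f.src} -> {f.dst}:{f.dst_port}/{f.proto}")
```

The important design choice is that the rule set never names anything forbidden: adding a partner or a new service means adding a rule that describes the intended traffic, and whatever is left unmatched surfaces on its own. In practice the zone map and rules would be generated from the real address plan, and the flow records would come from a collector rather than a string literal.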

This is certainly not an all-or-nothing proposition; the real question is whether enterprises are moving in the right direction. The key is to define the steps that deliver the benefit of an enhanced infrastructure: first an overview of the entire network, so that the weakest link is known, and then work on the areas you want to secure.