network security: past, present & future -...
TRANSCRIPT
Market Overview
Network Security: Past, Present & Future
By Jon Oltsik Senior Analyst, Information Security Enterprise Strategy Group
March 2004
Copyright 2004. The Enterprise Strategy Group, Inc. All Rights Reserved.
Network Security: Past, Present & Future
By Jon Oltsik Senior Analyst, Information Security Enterprise Strategy Group March 2004
Table of Contents Table of Contents..........................................................................................................................1 List of Figures ...............................................................................................................................1 Introduction ...................................................................................................................................2 Network Security: Complex and Inefficient ..................................................................................2
Network Security Woes Abound ...............................................................................................3 New Initiatives, New Security Risks ..........................................................................................4 The Next Challenge: Internal Networks ....................................................................................5 Interview Summary ...................................................................................................................6
Enterprises Need End-to-End Network Security ...........................................................................6 Risk Management Should Guide Network Security Investment................................................6 Sound IT Governance And Security Policies Help Minimize Risks and Mistakes.....................8 A Business-Focused Incident Response (IR) Process that Minimizes Disruption ....................9 Network Security Technology Anchors the Infrastructure .......................................................11
Network Security Will Become Part Of the Infrastructure............................................................12 Summary.....................................................................................................................................13
List of Figures Figure 1: Network Security Problems............................................................................................3 Figure 2: Security Priorities...........................................................................................................7 Figure 3: Security Based Upon IT Governance and Security Standards ......................................9 Figure 4: Network Security Evolution ..........................................................................................13
- 1 -
Introduction Current enterprise network security strategy is broken. In an effort to address the growing number of security threats, firms have upped their security budgets and purchased boatloads of point security products but this myopic plan creates costly security islands that don’t protect critical business assets effectively. This report concludes:
Network security is fraught with issues. Enterprises suffer through high operating costs, complex security infrastructure, and insufficient protection.
The next step: Improved processes and technology aggregation. To meet business
requirements security managers plan to improve long neglected processes and upgrade to next-generation security technologies offering aggregated functionality on perimeter and internal network platforms.
Network security transitions will drive industry consolidation. M&A activity will accelerate as security companies look to supplement their portfolios by gobbling up startup companies or merging with other large players. During this transformational period networking and security companies large and small will be in play.
For this report, Enterprise Strategy Group interviewed 12 senior information security managers from enterprise companies and government agencies as well as several thought leaders from academic and industry settings. We also spoke with leading security technology vendors and service providers including 3Com, Arbor Networks, BladeLogic, Borderware Technologies, Check Point Software, Cisco Systems, Computer Associates, Crossbeam Systems, Cyberguard Worldwide, Ecora, Ernst & Young, F5 Networks, Guardent, Hewlett-Packard, IBM, Inkra Networks, Intrusic, Internet Security Systems, KF Sensor, KaVaDo, Mazu Networks, Microsoft, Mirage Networks, NFR Security, NetContinuum, Netilla Networks, Netivity Solutions, NetSec, NetScreen Technologies, Network Associates, Network Engines, Nokia, Nortel Networks, Novell, Patchlink Corporation, Qualys, Riverhead Networks, Sanctum, Inc., SonicWall, Secure Computing, Shavlik, Sun Microsystems, Symantec Corporation, ThruPoint, TippingPoint Technologies, TopLayer Networks, Trend Micro, Unisys, and Watchguard Technologies.
Network Security: Complex and Inefficient For years, network security was based upon three primary products: firewalls, VPNs and anti-virus software, but this security triad has reached its limit. Why? First, Internet applications are now widely deployed to help companies drive revenue, improve communications, and automate processes but today’s security infrastructure protects network layer protocols leaving Internet applications virtually defenseless. At the same time, automated Internet worms, viruses, and Distributed Denial of Service (DDOS) attacks are more prevalent and virulent than ever before causing billions of dollars in worldwide damage and impacting companies like Bank of America, Continental Airlines, eBay, and Yahoo. Finally, new technologies like IP telephony, WLANs, and Instant Messaging are gaining rapid acceptance opening up another potential avenue for attacks.
- 2 -
Figure 1: Network Security Problems
Network Security Woes Abound Security executives exclaim that they are constantly playing a game of catch-up in addressing security management, business requirements, and growing threats (see Figure 1). They complain that:
Intrusion Detection System (IDS) noise persists. Even sophisticated IT shops grumble that IDS systems are chatty and difficult to tune. Sorting the security wheat from the chaff takes a lot of time and requires skilled security technicians that are not available in all geographies.
“Automated attacks create a tremendous volume of IDS activity. We need to know the relevant data by gathering everything and filtering the security events. Our IDS system is as good as any but in spite of constant tuning, data mining and analysis is still a difficult manual process.” (Hospitality Company)
Application layer attacks avert traditional protection schemes. Two years ago many companies added the latest stateful inspection firewalls to protect against TCP attacks. This technology provided protection up to layer 4 but many of today’s attacks, like buffer overflows, SQL injections, and cross-site scripting, are at the application layer. To combat this threat, security managers need added protection – and help from application
- 3 -
vendors and the development team.
“It’s not that our firewalls are useless, they just don’t catch the bad stuff up at Layer 7. We are evaluating our technology options, pushing back on software vendors, training our developers, and crossing our fingers.” (Freight Company)
Distributed Denial of Service (DDOS) attacks are becoming commonplace. The 2000 DDOS attacks against Amazon, Yahoo, and eBay were a wake up call to the industry but most companies thought they were immune to these high-profile attacks. No more. The security professionals we spoke believe that DDOS attacks may become the preferred weapon of organized criminals or state sponsored organization to disrupt business or take down an industry. They point to the January 2004 attacks on on-line gaming sites as a sign of things to come.
“Today’s DDOS attacks are aimed at individual companies to extort money. In the near future they may target the entire financial industry in an attempt to disrupt our economy. We have to be prepared for this – it’s going to happen! (Financial Services Company)
‘Box fatigue’ is common. It’s not the least bit unusual for an enterprise to have 4 or 5
security boxes from different manufacturers at the network perimeter. These systems tend to be independent from one another creating an architecture with diverse management tools, log files, signature updates, and support contracts. Our interviewees claim that this situation has created an operations nightmare that ironically impacts security protection.
“In addition to our firewall and IDS, we added an application firewall and an anti-virus gateway to our perimeter as we deployed Internet applications and added bandwidth. Now my staff is overburdened and managing each system reactively. I’d need two more people just to keep up.” (Retail Company)
New Initiatives, New Security Risks As if the security job wasn’t difficult enough, new business and technical projects add constant work and increase security risks. Business needs require new applications, servers, and network architecture that need protection while innovations like Wireless LANs (WLAN), Instant Messaging, and IP Telephony add insecure network protocols making existing protection schemes moot. Finally, overburdened managers compare vulnerability scanning and system patching to Sisyphus pushing a rock up hill for all eternity.
“We’re transitioning our network from a private hub and spoke to a mesh architecture using an MPLS-based VPN. This move will enable store-to-store communication, help with inventory management on a geographic basis, and improve customer service, but it will also extend our network security responsibility from the home office to all of our retail outlets. (Retail Company) “I feel like we are fighting a new battle on a monthly basis. Just when we eliminated all rogue wireless access points, we now need to figure out how to
- 4 -
restrict IM traffic. You can’t simply block IM traffic at the firewall because AOL’s IM is ‘port agile’ – it simply piggybacks over any open port. I’m just waiting for this to create a major problem. (Federal Agency) “Scanning and patch management is killing me! We don’t even have an accurate picture of all of our assets. Now I have to find and fix our systems before the next Internet worm takes down the whole agency. My people are burning out! (State Agency)
The Next Challenge: Internal Networks For the past 10 years, security managers have focused their efforts on the network perimeter with the belief that all external users are ‘untrusted’ while internal users are trusted. Network security expert Bill Cheswick dubbed this the M&M security strategy – hard and crunchy on the outside, soft and chewy on the inside. M&M security is no longer sufficient. Why? Three reasons: 1) The network perimeter is no longer static, remote users, contractors, partners, suppliers, even web services-based applications are all allowed network access regardless of physical location. 2) Automated attacks often enter the network through legal TCP ports before creating havoc on internal systems. 3) Many attacks come from disgruntled employees, not outside hackers. According to the CSI/FBI 2003 survey, 77% of companies claim that employees are the most likely to commit security crimes. As business requirements blur the line between internal and external users, network availability is more important than ever so worm and virus-driven interruptions must be minimized and restricted. To do so, security managers are beginning to apply new technologies to segment and protect internal networks including end-point security, network behavior modeling, IDS/IPS, and internal firewalls.
“When most security experts think about August 2003, they think of Blaster and Sobig. I think of laptops! It seemed like every time we thought we were in the clear, some road warrior would plug his laptop into the network and BOOM, we’d be infected all over again.” (Professional Services Company)
“When you have over 10,000 employees, you have to assume that you have a few bad apples. I’ve experienced this first hand. At my last company we had an employee contact a competitor to try to sell our Intellectual Property. I’m convinced that network behavior monitoring will help us identify unusual and potentially damaging activity. (Retail Company) “Our network is business-critical so we’re integrating security everywhere. If we can’t stop these automated attacks, at least we can minimize the damage.” (Healthcare Company).
- 5 -
Interview Summary Based upon our interviews with senior security managers, ESG concludes:
Network security is piecemeal and immature. Most companies deal with security by bolstering the network perimeter forces with armies of boxes. These systems are difficult to operate, leave most of the IT infrastructure unprotected, and don’t protect business assets.
New initiatives create new challenges. Business and technical advancements require added security coverage stretching an already thin security infrastructure and staff.
Internal networks need protection. Perimeter fences are only a first line of defense. Internal networks require supplemental coverage.
Enterprises Need End-to-End Network Security Over the past few years, the rules of the network security game have changed radically. It is no longer adequate to rely on firewalls and other perimeter defenses; rather enterprise companies need a comprehensive defense-in-depth security infrastructure to protect high-value network-based assets. Technology alone is insufficient; network security needs to marry technology to the right policies, procedures, and priorities. ESG believes that appropriate end-to-end network security is dependent upon 4 interdependent factors:
1. A risk management strategy that matches security protection with business needs 2. Sound IT governance and security policies 3. Business-focused Incident Response (IR) policies and staffing 4. Integrated network security technology.
Risk Management Should Guide Network Security Investment Neighborhood banks protect themselves by placing monetary assets in a vault and an armed guard at the door. To date, network security has focused on the door but business requirements mandate more comprehensive and asset-based vaults. Risk management offers a solution by prioritizing security investment and resources based upon value. The more mission-critical the business asset, the greater network security protection it should receive. Risk management strategy begins with a value-based hierarchical assessment of network assets, from mission-critical application servers through user desktops. Many companies need not reinvent the wheel here, rather they can borrow this assessment from existing Disaster Recovery/Business Continuity (BC/DR) plans. In general terms the network and network security is a shared infrastructure so business units and functional groups should pay for their security services. To create an equitable system where groups contribute based upon the services they receive, ESG suggests that enterprises
- 6 -
divide systems into four categories (see Figure 2)
1. Externally-facing mission-critical servers. Examples here include eCommerce, e-mail, DNS or Extranet sites. These DMZ-based servers are the most vulnerable requiring security TLC. Systems in this group will receive the highest level of protection and pay the highest charge back rate.
2. Internally-facing mission-critical servers come next. These servers generally run proprietary business applications like HR or manufacturing. While these systems aren’t as exposed, a security event could still be devastating. Systems in this bucket are the second highest payers.
3. Externally-facing non-mission-critical servers. These systems include non-transactional web servers and pay the third highest amount.
4. Internally-facing non-mission critical servers bring up the rear. This group consists of productivity applications like file and print or the corporate Intranet, pays the least for network security and receives the lowest level of service.
Figure 2: Security Priorities
- 7 -
Sound IT Governance And Security Policies Help Minimize Risks and Mistakes Many security issues stem from either poor processes or configuration errors. A system administrator applies a wrong patch to a database server, a security manager makes several undocumented changes to the firewall, new equipment is added to the network without alerting the security team or updating configuration management documentation, etc. These seemingly minor snafus can lead to security vulnerabilities that are difficult to find and expose companies to hackers or automated attacks. To alleviate these lapses, firms should use IT governance standards like the IT Infrastructure Library (ITIL), IT Service Management (ITSM), or Control Objectives for Information and Related Technology (CobiT) as the foundation of security operations (see Figure 3). These time tested governance models provide standard policies, procedures, and documentation for critical security processes like change and configuration management. Furthermore, by standardizing on IT governance, companies can cut operating costs by a substantial amount. Proctor & Gamble adopted the ITIL model in 1997, which it claims has helped the company save more than $500 million over four years. A study of the savings within Procter & Gamble's finance and accounting IT departments showed a 6 percent to 8 percent cut in operating costs and a reduction in technology staffing costs of between 15 percent and 20 percent. IT governance like ITIL and CobiT provides basic security processes and procedures. Once this is in place, look at other security models like International Standards Organization (ISO) 17799, the Certified Information Systems Security Professional (CISSP) Common Body of Knowledge (CBK), and National Institute of Science (NIST) 800-37 that offer more process depth and technology specifics. Organizations in the government sector may want to also look at the National Information Assurance Certification and Accreditation Process (NIACAP), while those involved with defense or national security should consult the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP). The next step is adding policies and procedures to tackle industry regulations like HIPAA, GLBA, or Sarbanes-Oxley and finally company-specific issues. Add security technology solutions only after addressing IT governance, standard security operations and regulatory compliance.
- 8 -
Figure 3: Security Based Upon IT Governance and Security Standards
A Business-Focused Incident Response (IR) Process that Minimizes Disruption Since security incidents can have a huge impact on the business, Incident Response must be based upon sound risk management practices that prioritize activities based upon asset value and business need. This isn’t always an easy thing to do as many executives and business managers think of security as a technology, not a business concern. It is critical that CISOs clearly communicate the business risks at stake and get management buy-in to support and participate in the IR process. Once executives are on board, security managers should outline the entire IR process flow. This activity starts with the creation of a matrix that defines specific security incidents and maps them to an appropriate set of responses. The matrix defines processes like when to alert business managers and users, which devices to disconnect from the network, and the necessary steps to remediate the problem. The goal is to have a detailed plan in place to address incidents quickly, limit problems to network segments and minimize any business
- 9 -
interruption. Once incidents are addressed, IR should continue with forensic investigations and process improvement.
- 10 -
Network Security Technology Anchors the Infrastructure Enterprises should approach network security with 3 basic rules: 1) Build a security infrastructure that protects all assets regardless of physical location, 2) Think about integrated operations whenever possible, 3) view all traffic and every user as untrusted. These high-level rules can be supported through:
Defense-In-Depth Deployment. Protecting enterprise networks means scanning every layer of every packet. This requires perimeter defense that includes a firewall, IDS, application-layer protection (IPS or application firewall), VPNs (both IPSec and SSL), anti-virus, anti-spam, and content filtering. Over the next few years, best-of-breed product purchasing will give way to integrated bundles to streamline management and operations. Internal networks and critical servers should be protected by additional firewalls, IDS/IPS, VLANs, and anti-virus protection and segmented into trusted zones. For example, all employees may get access to the corporate Intranet but few can access the General Ledger or HR database. Network segmentation not only restricts access it also helps to limit damage when an inevitable Internet worm attacks. To comply with regulations or protect extremely confidential information, firms may also want to encrypt internal traffic, adopt enterprise Digital Rights Management (eDRM) and stored data using crypto appliances or internal VPNs.
Network Behavior Analysis. It’s not enough to simply block packets or filter traffic. Large enterprise must also monitor network behavior so they can spot anomalies that indicate suspicious or illegal activities. When an internal server suddenly uses FTP to transfer files to an Internet-based destination there is probably a security event in progress. Today, tools from Arbor Networks, Intrusic, Mazu Networks, and Q1 Labs provide network behavior monitoring, analysis, and alerting. This functionality will likely be added into mainstream security and network management tools over the next few years.
End-point security. Viewing users as untrusted is especially relevant to laptops, PDAs, and other mobile devices. The goal here should be to authenticate these systems and enforce security policies as close to the device as possible. In other words, you don’t want to let these systems onto the network until you are sure that they have the proper credentials and a clean bill of health. Over the next few years, enterprise companies will get this functionality from vendors like Cisco, Nortel, and Microsoft using standards like 802.1x, scanning agents, and automated remediation. End-point security is also a bundled feature in SSL VPNs from Netilla, NetScreen, and Symantec.
Constant scanning and diligent patch management. At many enterprise companies, business initiatives drive continuous implementation of new servers and protocols and more vulnerabilities and patch management fire drills. To overcome the churn, firms should look to scanning tools or services from companies like SPI Dynamics and Qualys that offer frequent but unobtrusive vulnerability scanning. Once vulnerabilities are discovered there is no getting around system patching grunt work so companies should prioritize their patching activities based upon the system hierarchy outlined in Figure 2. Security managers tell ESG that patching costs run about $200 to $300 per server each
- 11 -
time so IT shops with hundreds or thousands of servers should be able to build an ROI case for patch management tools from vendors like BladeLogic, Ecora, Patchlink, and Shavlik.
An enterprise-wide security strategy. As security increases its enterprise scope, it will no longer be acceptable to implement one-off solutions to address every possible threat. Since security technology will ultimately touch every device and system, its best to design the architecture with simplicity, integration, and operational aggregation in mind. How will device health be checked and reported? Which log files should be viewed in parallel to assess security events? Which administrators will be responsible for day-to-day device operations and what other tasks do they perform? Security managers should always remember that the multitude of devices work in tandem to protect business processes and services so they should be managed accordingly.
The key to success for large companies is balancing enterprise security processes and technologies. Security managers and business executives must work together to define the scope of business risk then apply the right protective measures and technologies across the enterprise. Only then will firms have the coverage and flexibility to protect critical assets today while anticipating future requirements.
Network Security Will Become Part Of the Infrastructure Network security has been a series of “bolt-on” technologies but this model is in a state of transition that will last several years (see Figure 4). A combination of fast inexpensive hardware, new enterprise requirements, and industry dynamics is transforming network security to become an integrated part of the network infrastructure. Over the next few years, expect to see:
Fat perimeter gateway devices. This trend has already started with appliances like from Symantec, Fortinet, and Watchguard and super switches from vendors like Crossbeam and Inkra. By 2006, most enterprise companies will consolidate firewall, IDS/IPS, VPN, application-layer filtering, and content security on to a single parallel processing chassis with fault-tolerant characteristics that match Stratus and Tandem systems. Companies will evaluate different best-of-breed and single vendor solution but the ultimate winners here will have strong software, hardware, and management integration. Since the definitive perimeter ‘god box’ doesn’t exist today, anyone could win here.
Integrated internal network functionality. Strong security will become a standard part of
networking equipment in the form of software upgrades, integrated functionality, and hardware blades. With network backbones moving to 10Gb over the next few years, only the strong – and exceedingly fast – security vendors will survive, as users will place equal weight on performance, manageability, and security.
Merged network and security management. As networking and security continue to blend, it just won’t make economic or operational sense to have separate network and security operations centers. As these groups come together, security and network management software must be complimentary, integrated, and based upon emerging industry standards. Today’s home grown Security Event Management (SEM) software will give way to packaged solution from ArcSight, CA, eSecurity, or Symantec but these
- 12 -
systems will have to play nice with existing products from Concord Communications, HP, Micromuse and SMARTS. This area is also ripe for M&A activity as vendors pursue the ultimate solution.
Security spending will continue to increase over the next 24 months so the industry will remain hot on Wall Street and in the Silicon Valley. While niche opportunities will The next step is adding policies and procedures to tackle industry regulations like HIPAA, GLBA, or Sarbanes-Oxley and finally company-specific issues. Add security technology solutions only after addressing IT governance, standard security operations and regulatory compliance.
Summary Today’s reactive, technology-centric network security strategy brings heartburn to security staff while leaving enterprise companies vulnerable to attacks. Fortunately, this situation faces extinction. Business executives now realize that security is an important and necessary component of their overall business infrastructure and must be comprehensive and sound.
Figure 4: Network Security Evolution
- 13 -
Over the next few years, companies will invest heavily in network security technology while they formalize policies and improve procedures. At the same time, security technology functions will aggregate and integrate into network hardware and management software. These efforts will help companies establish an enterprise security view while lowering operating costs – two major problems with security technology today. Security integration into corporate culture and business processes will also drive a transition in the security industry. Vendors will have to supplement technical capabilities with business knowledge or fade into oblivion. This will accelerate industry consolidation and drive the creation of a few security powerhouses with multi-billion revenues and market share dominance.
- 14 -