There are numerous security tools that help you monitor your company's network. But with several security alerts being sent out, how can one determine the real threat? Chaw Chong Foo, Managing Director-Southeast Asia & India, Internet Security Systems (ISS), provides an insight on Threat Management/Vulnerability Assessment and their increasing importance in the enterprise. By Minu Sirsalewala.
What are the common security issues with businesses connecting to the Internet?
As organizations increasingly move business operations online, the number and sophistication of threats to the network, servers, and desktops escalate. Security today is not limited to anti-virus solutions and firewalls. The security administrator has the daunting task of detecting, preventing, and responding to these threats.

Businesses can gather security information from a variety of sources like firewalls, intrusion detection tools, vulnerability scanning tools, and other security checkpoints in the form of alerts. The high number of alerts generated by different tools can often disguise serious threats. So one has to identify the actual threats and vulnerabilities in the network and secure them.
What aspect of security should enterprises now look at?
Enterprises should not forget that no two threats look alike, and new and increasingly sophisticated ones surface every day. One needs to go beyond passive security to recognize potential exposures and suspect behavior. One must then prevent them from damaging valuable online assets. This proactive line of defense protects networks, servers, and desktops through product and service offerings designed specifically for enterprise, small office/home office, consumer and service provider markets. Enterprises should also perform threat management and vulnerability assessment exercises.
What do you mean by Threat Management and Vulnerability Assessment?
To explain this, let me explain the difference between vulnerability and threat. Vulnerability is intrinsic to the entire network, like loopholes, bugs, and back doors from where intruders can enter. For example, an infrastructure which comprises Windows-based applications or Cisco-based networks may have bugs in its components. These may be discovered over a period of time, but until then they make the applications and programs very vulnerable. A threat is extrinsic to the network, like a hacking attack or an intrusion. There are many sites dedicated to hacking and similar activities, and each of them has tools to exploit networks. These tools can be used by hackers as well as internal employees.

For Threat Management (TM) you can use Intrusion Detection System (IDS) solutions or tools. An IDS is a real-time infrastructure or system that monitors the threats or attacks on the network. A TM solution is an enterprise-wide risk management solution that enables organizations to centrally manage attacks, threats and exposures. This solution correlates security information from across the network and eliminates false positives to help administrators quickly identify real security threats and respond with adaptive security measures.

Threat management can integrate risk event-data from almost any electronic source, aggregate mountains of electronic risk-data, and automatically correlate, analyze, and prioritize risks. It also provides real-time warnings in addition to preserving records of the threat from start to finish, and works with existing technology deployed by the enterprise.

For Vulnerability Assessment (VA) you can use tools like scanners, which scan the network and give a report to the customer outlining the vulnerabilities in the network. It's important to locate where information is stored, understand the security measures in place that guard that information, and identify vulnerabilities and suspect configurations that place information at risk. These vulnerability assessment solutions work at both the workgroup and enterprise levels, providing critical knowledge and advance warning of potential online security risks across the network, server, database, and wireless operations.
Does an enterprise need to place more emphasis on VA tools than on TM?
TM and VA complement each other. In an enterprise you need to have both TM and VA. You need VA to assess any loopholes you may have, and based on the findings prepare a report. The next step will be to study the network level to frame the security policy and then deploy the policy. These vulnerabilities can result in risk because threats plus vulnerability is equal to risk.

The solution should be selected depending on the operations, applications, and requirements of the customer. It can be on a stand-alone basis, where someone can monitor in real time using IDS tools, or on a proactive basis with the help of scanners to find out the vulnerabilities. One can also have a single dashboard to interconnect these two to have a common protection system that can point out that this attack took place because of this vulnerability, or that this vulnerability can result in this attack.
How can they both be addressed from a common platform and what is the advantage?
Injecting security functions into network gear like routers and switches is one method of integrated security. Another is a tool that blends two or more security functions, like IDS, Internet filtering, firewall, vulnerability assessment, and virus scanning. Vendors are also embedding security features into non-security software products, like virus scanning into e-mail.

Stand-alone network protection products like IDSs and firewalls flag any unusual network behavior as a security 'event'. But the products receive an overwhelming amount of such data, some innocuous and some serious. If a worker accidentally types in the wrong Web address, that registers as an event, and an outside scan of the network by an attacker looking for a way in can create hundreds or thousands of events.

Enabling these standalone products to communicate helps cut through the mass of information and sort the true threats from the false alarms. And in fact, products that can't be centrally managed may not actually be doing much to help security.
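The correlation the interview describes, collapsing an attacker's scan burst into one record and ranking each IDS alert by whether the VA report says the targeted host actually has the vulnerability the signature exploits (threats plus vulnerability equals risk), as an added illustration that is not from the interview or any ISS product. The hosts, signature names, vulnerability labels and alert stream are all constructed, and the signature-to-vulnerability mapping is a hypothetical one a TM platform would maintain.

```python
from collections import Counter

# Constructed VA scanner output: host -> set of vulnerability labels found.
VA_REPORT = {
    "10.0.0.5": {"web-dir-traversal"},   # web server with an unpatched flaw
    "10.0.0.9": set(),                    # patched host, nothing found
}

# Hypothetical mapping of IDS signature -> vulnerability it tries to exploit.
# Signatures absent here (scans, user typos) have no exploit target.
SIGNATURE_TARGETS = {
    "web-dir-traversal-attempt": "web-dir-traversal",
    "mail-overflow-attempt": "mail-overflow",
}

# Constructed IDS alert stream as (signature, source, destination) tuples:
# one outside host scans 300 ports, then tries the same exploit on two
# servers; one internal worker mistypes a URL.
IDS_ALERTS = (
    [("portscan", "203.0.113.7", "10.0.0.5")] * 300
    + [("web-dir-traversal-attempt", "203.0.113.7", "10.0.0.5"),
       ("web-dir-traversal-attempt", "203.0.113.7", "10.0.0.9"),
       ("bad-url-typo", "10.0.0.42", "10.0.0.9")]
)

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def correlate(alerts, va_report, sig_targets):
    """Aggregate identical alerts and rank each group against the VA report.

    high:   exploit attempt against a host the scanner found vulnerable
    medium: exploit attempt, but the target does not have that vulnerability
    low:    no known exploit target (reconnaissance, noise, user error)
    """
    findings = []
    for (sig, src, dst), count in Counter(alerts).items():
        target = sig_targets.get(sig)
        if target is None:
            priority = "low"
        elif target in va_report.get(dst, set()):
            priority = "high"
        else:
            priority = "medium"
        findings.append({"signature": sig, "src": src, "dst": dst,
                         "count": count, "priority": priority})
    # Real risks first; within a tier, the noisiest source first.
    findings.sort(key=lambda f: (PRIORITY_ORDER[f["priority"]], -f["count"]))
    return findings


if __name__ == "__main__":
    for f in correlate(IDS_ALERTS, VA_REPORT, SIGNATURE_TARGETS):
        print(f"{f['priority']:6} x{f['count']:<4} {f['signature']} {f['src']} -> {f['dst']}")
```

The 303 raw events reduce to four findings, and only the one aimed at the host that is actually vulnerable reaches the top of the list.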
What is the awareness level for these solutions in India?
The market is not yet educated and aware of the complete advantage of IDS tools. They are aware of anti-virus and firewalls but not about IDSs as yet. Based on our own assessments, ISS sees around 70 percent untapped market share in this segment in India. However, the Indian market is getting educated and the market is definitely beginning to pick up for these kinds of product offerings.
Minu Sirsalewala can be reached at minus@networkmagazineindia.com