are numerous security tools that help you monitor your
company's network. But with several security alerts
being sent out, how can one determine the real threat?
Chaw Chong Foo, Managing Director-Southeast Asia & India,
Internet Security Systems (ISS) provides an insight
on Threat Management/Vulnerability Assessment and their
increasing importance in the enterprise. by Minu Sirsalewala
are the common security issues with businesses connecting
to the Internet?
As organizations increasingly move business operations
online, the number and sophistication of threats to
the network, servers, and desktops escalate. Security
today is not limited to anti-virus solutions and firewalls.
The security administrator has the daunting task to
detect, prevent, and respond to these threats.
Businesses can gather security information from a variety
of sources like firewalls, intrusion detection tools,
vulnerability scanning tools, and other security checkpoints
in the form of alerts. These high numbers of alerts
generated by different tools can often guise serious
threats. So one has to identify the actual threats and
vulnerabilities in the network and secure them.
What aspect of security should enterprises now look
Enterprises should not forget that no two threats look
alike, and new and increasingly sophisticated ones surface
every day. One needs to go beyond passive security to
recognize potential exposures and suspect behavior.
One must then prevent them from damaging valuable online
assets. This proactive line of defense protects networks,
servers, and desktops through product and service offerings
designed specifically for enterprise, small office/home
office, consumer and service provider markets. Enterprises
should also perform threat management and vulnerability
What do you mean by Threat Management and Vulnerability
To explain this let me explain the difference between
vulnerability and threat. Vulnerability is intrinsic
to the entire network, like loopholes, bugs, and back
doors from where intruders can enter. For example, an
infrastructure which comprises Windows-based applications
or Cisco-based networks may have bugs in its components.
These may be discovered over a period of time but until
then makes the applications and programs very vulnerable.
A Threat is extrinsic to the network like a hacking
attack and an intrusion. There are many sites dedicated
to hacking and similar activities. And each of them
has tools to exploit networks. These tools can be used
by hackers as well as internal employees.
For Threat Management (TM) you can use Intrusion Detection
System (IDS) solutions or tools. An IDS is a real time
infrastructure or system that monitors the threats or
attacks on to the network. A TM solution is an enterprise-wide
risk management solution that enables organizations
to centrally manage attacks, threats and exposures.
This solution correlates security information from across
the network and eliminates false-positives to help administrators
quickly identify real security threats and respond with
adaptive security measures.
Threat management can integrate risk event-data from
almost any electronic source, aggregate mountains of
electronic risk-data, and automatically correlate, analyze,
and prioritize risks. It also provides real time warnings
in addition to preserving records of the threat from
start to finish and works with existing technology deployed
by the enterprise.
For Vulnerability Assessment (VA) you can use tools
like scanners, which scan the network and give a report
to the customer outlining the vulnerabilities in the
network. It's important to locate where information
is stored, understand the security measures in place
that guard that information, and identify vulnerabilities
and suspect configurations that place information at
risk. These vulnerability assessment solutions work
at both: the workgroup and enterprise level, providing
critical knowledge and advance warning of potential
online security risks across the network, server, database,
and wireless operations.
Does an enterprise need to emphasize more on VA tools
than on TM?
TM and VA complement each other. In an enterprise
you need to have both TM and VA. You need VA to assess
any loopholes you may have, and based on the findings
prepare a report. The next step will be to study the
network level to frame the security policy and then
deploy the policy. These vulnerabilities can result
in risk because threats plus vulnerability is equal
The solution should be selected depending on the operations,
applications, and requirements of the customer. It can
be on a stand-alone basis where someone can monitor
real-time using IDS tools or on a proactive basis with
the help of scanners to find out the vulnerabilities.
One can also have a single dashboard to interconnect
these two to have a common protection system that can
point out that this attack took place because of this
vulnerability or that this vulnerability can result
in this attack.
How can they both be addressed from a common platform
and what is the advantage?
Injecting security functions into network gear like
routers and switches is one method of integrated security.
Another is a tool that blends two or more security functions,
like IDS, Internet filtering, firewall, vulnerability
assessment, and virus scanning. Vendors also are embedding
security features into non-security software products
like virus scanning into e-mail.
Stand-alone network protection products like IDSs and
firewalls, flag any unusual network behavior as a security
'event'. But the products receive an overwhelming amount
of such data, some innocuous and some serious. If a
worker accidentally types in the wrong Web address that
registers as an event, and an outside scan of the network
by an attacker looking for a way in can create hundreds
or thousands of events.
Enabling these standalone products to communicate helps
cut through the mass of information and sort the true
threats from the false alarms. And in fact, products
that can't be centrally managed may not actually be
doing much to help security.
What is the awareness level for these solutions in India?
The market is not yet educated and aware of the complete
advantage of IDS tools. They are aware of anti-virus
and firewalls but not about IDSs as yet. Based on our
own assessments, ISS sees around 70 percent untapped
market share in this segment in India. However, the
Indian market is getting educated and the market is
definitely beginning to pick up for these kinds of product
Sirsalewala can be reached at firstname.lastname@example.org