Getting back to basics
IPS, IDS and UTM (intrusion prevention, intrusion detection and unified threat management) are the topics du jour these days, and everyone has an opinion on which technology we need, which is dying and which was never needed in the first place.
In reality, a company has no business buying any of the above until it has the basics covered. "What are the basics?" you ask. Here they are, the risk management world according to me:
- Secure perimeter (yes, we all still have a perimeter)
- Effective, enforced policies
- Patch management
- Centrally managed antivirus
- Disaster recovery/business continuity
- Incident response
Each of these points must be addressed before an organization can effectively deploy IPS/IDS or UTM. "But Michael, UTM covers everything, it's the be-all and end-all of network security!" WRONG.
First of all, what happens when your shiny new UTM alerts you that one of your internal hosts is shoveling cmd.exe out to the world (a reverse shell to an external address)? How do you handle that incident if you don't have a formal incident handling program? Who do you call? Who takes the host off the network and remediates it? How do you search the rest of the environment for additional compromises?
Secondly, how did the machine get compromised in the first place? Most likely it was unpatched (lack of patch management). It may also have been hit by a zero-day that slipped past your IPS, or, if you run an IDS, the alert fired and nobody saw it because nobody is monitoring the logs (lack of incident response).
And now that you've discovered that the compromised machine is one of your file servers and all your data has been encrypted by the bad guys, who demand $100,000 for the decryption key, how do you get the data back and get your users back to work? Where are the most recent backups, and have you ever tested restoring from them? Where is that hot backup server you bought and configured a year ago to restore data to in case the primary server goes belly-up?
In short, a security group that can't manage the basics won't be able to manage more advanced technologies like IPS/IDS and UTM either.
I can see the arguments forming already: "your risk management world is too simple, Michael." WRONG. When your security solutions are overly complicated, so are their management and upkeep. Keep it simple, stupid. That's my mantra. You'd be surprised just how much time you'll have once you build a strong security posture based simply on the basics. You might even have time to start deploying the cool toys!
Michael Farnum put it best when he said "stick with the tried and true security." His article titled "Another successful admin / manager advice post" makes some additional points that I didn't cover here. Check it out.
