Risk Management is strategic, Threat Management is tactical

I don’t recall right off the top of my head, but somewhere I read someone having a problem with UTM devices being called Unified Threat Management devices because you want to manage the risk, not the threat…

Whoever it was, they missed the point. Risk Management is a strategic process of maintaining awareness of your assets, their vulnerabilities, and the risks they face and then using that intelligence to make decisions on what risks you need to avoid, which you need to mitigate, and which you need to accept outright (hopefully backed by insurance).

Any device you place at your gateway to intercept attacks is a tactical device and does indeed manage threats. A UTM doesn’t manage risk. An example of a risk is ‘the risk of being compromised by a web attack,’ whereas a threat is more like ‘a hacker calling cmd.exe from your IIS server through a URL.’ In the case of a UTM, it does indeed manage the threat in a here-and-now situation, which is tactical.

It’s the job of the security manager to manage risk and it’s the security engineer’s job to manage threats and vulnerabilities. For example, the security manager creates a policy that says that all public-facing web servers must run the Apache web server, must be hardened by his or her team, and must maintain a defined level of logging. It’s the security engineer’s job to harden the server, monitor the logs for attacks or compromises, and maintain the security apparatus (including the UTM device) that prevents attacks from reaching the web server. In this example, the engineer is managing the threats and vulnerabilities associated with web-based attacks, and the manager is the one defining how to address the risks posed by the combination of those threats and vulnerabilities.

It’s just like the military model: the officer thinks strategically about how to defend Camp Geek against advancing infantry, while his soldiers think tactically about how to shoot and kill the advancing enemy without getting shot themselves or allowing the enemy to get past them. The UTM would be an example of a defensive wall with gun emplacements (IPS/AV), Kevlar reinforcement (firewall), and biometric access control. It’s a tactical tool used solely to prevent a specific threat, the advancing infantry, while allowing the good guys to come and go. It serves very little strategic purpose in that it doesn’t advance the position of the defenders. In other words, the war isn’t won by the wall alone, but the wall is indeed a very important part of the overall plan for defeating the enemy.

What I’m trying to say, in a very long-winded fashion, is that calling a device a ‘UTM device’ because it combines IPS, AV, firewall, and content filtering is accurate, and by deploying one you’re not deviating from the security bible that says ‘thou shalt manage risk.’ At some point you have to manage the threats in order to manage the risk.


Very good!

Let me add that risk management is more than:

“Risk Management is a strategic process of maintaining awareness of your assets, their vulnerabilities, and the risks they face and then using that intelligence to make decisions on what risks you need to avoid, which you need to mitigate, and which you need to accept outright (hopefully backed by insurance).”

It includes understanding your capabilities, your processes, everything under the CISO sun.