Sysadmins struggle to manage growing security infrastructures
- By William Jackson
- Apr 30, 2003
IT security now hangs on applying patches as soon as they're posted, properly configuring hardware and software, and monitoring a host of devices that block unwanted traffic.
Keeping track of this growing security infrastructure is becoming 'an overwhelming task for systems administrators,' the House Government Reform Committee said in a recent report on IT security.
And configuration is complicated by the fact that 'optimal settings depend on the specific network configuration,' the report said.
Supply and demand
Meanwhile, vendors are discovering that remediation management is a hot new product category to sell.
'We believe in aggregating host security functions,' said Tom Turner, marketing vice president for Okena Inc. of Waltham, Mass.
Okena's existing StormWatch intrusion-prevention product deploys agents on a network to monitor policy-violating behavior. A new Okena product called StormFront uses the same agents to identify the applications and processes running on a network.
Georgia's Student Finance Commission uses Okena agents that fill in the gaps left by intrusion-detection systems that detect virus signatures, said Bill Spernow, the commission's chief information security officer.
'The signature-based environment sometimes raises more questions than it answers,' Spernow said. 'Do I ignore something or spend a day and a half tracking it down?'
His staff is beta testing StormTrack, and 'my techies really like it,' he said. They can identify anomalies once they know what applications and processes are actually running on each box and port.
Not dead yet
What they find often comes as a surprise. 'A lot of the time we find it's from an application that has been deleted but the process has never been killed,' Spernow said.
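The orphaned-process case Spernow describes, as an added example that is not Okena's code or anything from the original article: on Linux, /proc/<pid>/exe is a symlink to the running binary and the kernel appends " (deleted)" to its target once the file is unlinked, while /proc/net/tcp lists listening sockets by inode and /proc/<pid>/fd links back to those inodes. The snapshot data (pids, paths, the /proc/net/tcp excerpt) is constructed for illustration; the live collectors at the bottom are assumed to run on a Linux host with enough privilege to read other processes' /proc entries.

```python
"""Flag running processes whose executable has been deleted, and the ports they listen on.

Added example, not Okena's code. Pure functions take a snapshot so the logic
can be exercised offline; collect_* helpers read a live Linux /proc tree.
"""
import os
import re

DELETED_SUFFIX = " (deleted)"

# Constructed snapshot: pid -> readlink("/proc/<pid>/exe") target.
SAMPLE_EXE_LINKS = {
    412: "/usr/sbin/sshd",
    977: "/opt/legacy-agent/bin/agentd (deleted)",   # binary removed, process still alive
    1203: "/usr/bin/python3",
}

# Constructed /proc/net/tcp excerpt (state 0A = LISTEN, inode is the 10th column).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8A3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""

# Constructed: pid -> set of socket inodes found among its /proc/<pid>/fd links.
SAMPLE_PID_INODES = {412: {"12345"}, 977: {"22222"}, 1203: set()}


def deleted_binaries(exe_links):
    """Return {pid: original_path} for processes whose exe link target is marked deleted."""
    return {
        pid: target[: -len(DELETED_SUFFIX)]
        for pid, target in exe_links.items()
        if target.endswith(DELETED_SUFFIX)
    }


def listening_ports(proc_net_tcp):
    """Parse /proc/net/tcp text; return {socket_inode: local_port} for LISTEN sockets."""
    ports = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], fields[3], fields[9]
        if state == "0A":
            ports[inode] = int(local.rsplit(":", 1)[1], 16)  # port is hex after the colon
    return ports


def report(exe_links, proc_net_tcp, pid_inodes):
    """List (pid, path, [ports]) for deleted-binary processes, with any ports they listen on."""
    listen = listening_ports(proc_net_tcp)
    out = []
    for pid, path in sorted(deleted_binaries(exe_links).items()):
        ports = sorted(listen[i] for i in pid_inodes.get(pid, ()) if i in listen)
        out.append((pid, path, ports))
    return out


def collect_exe_links():
    """Live collector (Linux only): read every /proc/<pid>/exe link we are allowed to see."""
    links = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                links[int(name)] = os.readlink(f"/proc/{name}/exe")
            except OSError:  # kernel threads, zombies, or insufficient privilege
                continue
    return links


def collect_pid_inodes(pids):
    """Live collector (Linux only): socket inodes each pid holds open, from its fd links."""
    result = {}
    for pid in pids:
        inodes = set()
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    inodes.add(m.group(1))
        except OSError:
            pass
        result[pid] = inodes
    return result


if __name__ == "__main__":
    for pid, path, ports in report(SAMPLE_EXE_LINKS, SAMPLE_PROC_NET_TCP, SAMPLE_PID_INODES):
        print(f"pid {pid}: {path} was deleted but is still running; listening on {ports}")
```

On a live host, replace the three SAMPLE_* inputs with collect_exe_links(), open("/proc/net/tcp").read() and collect_pid_inodes(...); a process whose binary is gone but which still owns a listening socket is exactly the kind of box-and-port anomaly worth a closer look.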
Hercules from Citadel Security Software Inc. of Dallas has no assessment or scanning capabilities, but it imports scans from third-party products and gives the administrator a fix for the vulnerabilities found.
Administrators are touchy about tools that automatically change or install software, so Hercules does nothing until the administrator authorizes a suggested fix. The company claimed that Hercules reduces the time needed to review and fix a vulnerability from hours to minutes.
GuardedNet Inc. of Atlanta also uses information from third-party products. Its neuSecure software imports data from security devices to centralize event management. Chief executive officer Tom McNeight said the company is targeting the federal market.
'Everybody has made significant investment in device-level infrastructure' without a way to manage it effectively, he said.
NeuSecure consists of an event aggregation module that gathers and normalizes data from firewalls, intrusion-detection systems, routers, operating systems and applications. The module passes all the data to a central management system for correlation.
McNeight said there is no effective limit to the number of devices an aggregation module can handle or to how many modules can feed a central management system. NeuSecure is part of three federal pilots, he said.
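The aggregate-normalize-correlate pipeline described above, as an added example that is not GuardedNet's neuSecure code: three device types (a firewall, an IDS and an sshd host) log in different formats, each is normalized to one event schema, and a correlation pass flags any source address that several distinct device types reported as denied or alerted within a short window. The log lines, hostnames, addresses and the IDS signature text are constructed for illustration and only loosely follow iptables, Snort and sshd syslog layouts; the five-minute window and three-source threshold are assumed tuning values.

```python
"""Normalize events from heterogeneous security devices and correlate them by source IP.

Added example, not neuSecure's code. Sample logs are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: one syslog stream mixing three device types.
SAMPLE_LOGS = """\
Apr 30 10:01:02 fw1 kernel: IPT DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22
Apr 30 10:01:09 ids1 snort[812]: [1:1000001:1] LOCAL SSH scan [Priority: 2] {TCP} 203.0.113.7:41000 -> 10.0.0.5:22
Apr 30 10:01:30 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 41002 ssh2
Apr 30 10:02:11 fw1 kernel: IPT ACCEPT IN=eth0 SRC=198.51.100.9 DST=10.0.0.8 PROTO=TCP DPT=443
Apr 30 10:05:40 web1 sshd[2215]: Accepted publickey for deploy from 198.51.100.9 port 50112 ssh2
"""

SYSLOG_HDR = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
FW_RE = re.compile(r"kernel: IPT (?P<action>DROP|ACCEPT) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)")
IDS_RE = re.compile(r"snort\[\d+\]: \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[Priority: (?P<pri>\d)\] "
                    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
SSH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
                    r"from (?P<src>\S+) port \d+")


def parse_ts(ts, year=2003):
    """BSD syslog timestamps carry no year; assume one so events can be ordered."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def normalize(line):
    """Map one raw log line onto the common event schema, or None if unrecognized."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    base = {"ts": parse_ts(m["ts"]), "host": m["host"]}
    rest = m["rest"]
    if fw := FW_RE.search(rest):
        return {**base, "source": "firewall", "src_ip": fw["src"], "dst_ip": fw["dst"],
                "dst_port": int(fw["dport"]), "signature": None,
                "outcome": "deny" if fw["action"] == "DROP" else "allow"}
    if ids := IDS_RE.search(rest):
        return {**base, "source": "ids", "src_ip": ids["src"], "dst_ip": ids["dst"],
                "dst_port": int(ids["dport"]), "signature": ids["msg"], "outcome": "alert"}
    if ssh := SSH_RE.search(rest):
        return {**base, "source": "auth", "src_ip": ssh["src"], "dst_ip": None, "dst_port": 22,
                "signature": f"{ssh['result']} login {ssh['user']}",
                "outcome": "deny" if ssh["result"] == "Failed" else "allow"}
    return None


def correlate(events, window=timedelta(minutes=5), min_sources=3):
    """Flag source IPs that at least min_sources distinct device types reported
    as denied or alerted within one time window (assumed thresholds)."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src_ip"] and ev["outcome"] in ("deny", "alert"):
            by_src[ev["src_ip"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                incidents.append({"src_ip": src, "start": first["ts"],
                                  "sources": sorted(sources), "count": len(cluster)})
                break  # one incident per source IP is enough for this example
    return incidents


def run(text=SAMPLE_LOGS):
    """Aggregate the stream, drop lines no parser claims, return (events, incidents)."""
    events = [e for e in (normalize(line) for line in text.splitlines()) if e]
    return events, correlate(events)


if __name__ == "__main__":
    events, incidents = run()
    print(f"{len(events)} events normalized")
    for inc in incidents:
        print(f"{inc['src_ip']}: {inc['count']} hostile events from {inc['sources']} starting {inc['start']}")
```

The value of the normalization step is that the correlation rule never looks at a device-specific format: adding a fourth device type means writing one more parser that emits the same schema, not touching the rule.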
William Jackson is a freelance writer and the author of the CyberEye blog.