This week, I spent some time at <a href="http://www.rsaconference.com/index.htm">RSA</a>, an event where security vendors and professionals connect. As I have mentioned in past <a href="http://broadcast.oreilly.com/2009/08/security-paramount-to-the-sust.html">blogs</a>, security is paramount to the sustainability of the network. If we are to leverage the network as a powerful tool for change, we need to be able to trust that the information and resources on it are secure.
As recent headlines have demonstrated, attacks on the network are ever-present; 2009 saw <a href="http://news.cnet.com/8301-1009_3-10454870-83.html">malware and social networking attacks surge</a> (spam carrying malware was averaging 3 billion messages a day by the end of the year) and <a href="http://securitywatch.eweek.com/mobile_malware/sexy_new_mobile_botnet_on_the_move.html">increasingly sophisticated mobile attacks</a> emerge. Just as in the physical world, there are individuals motivated by greed, power and personal gain (the <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1389667,00.html">rise</a> and <a href="http://www.federalnewsradio.com/?sid=1891919&nid=19">co-opting</a> of the <a href="http://www.krebsonsecurity.com/2010/02/zeus-attack-spoofs-nsa-targets-gov-and-mil/">Zeus attacks</a>, which originally targeted financial institutions, is just one example; to date that one campaign has infected about 74,000 PCs), and there are those who are looking to achieve <a href="http://news.sky.com/skynews/Home/Strange-News/Mahmoud-Ahmadinejad-Iranian-Presidents-Website-Hacked-With-Message-Mentioning-Michael-Jackson/Article/201001115514791">political</a> or ideological ends.
But, as the show floor and conference discussions demonstrated, there are a lot of technologies out there designed to help organizations combat and mitigate all these attacks. There are literally thousands of companies focused on everything from user and data authentication to spyware and cloud security. So why is it that even though there is an answer or feature out there for almost every threat or need, organizations are still struggling to protect the network? I think it's because security is more of a control and data management problem than a feature-set issue.
I heard Palo Alto Networks talk about controlling exactly what should and should not be allowed on the network, based on the user and their role, the application and exactly what they are trying to do. This approach makes sense because with a focus on control, you can eliminate a lot of the risks right off the bat. You can restrict peer-to-peer traffic and file sharing applications that can be used by attackers to gain access to the network (through malware/trojans) and all its resources. The key is to have this level of control over every aspect of your network, from the edge to the core and within the hosts themselves, and then, for what is allowed, look for threats and mitigate attacks within that "allowed" traffic.
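To make the "control first, then inspect what you allowed" idea concrete, here is a small policy evaluator I put together for this post. It is an added illustration, not Palo Alto Networks code or anything shown at the conference: the user directory, the allow-list of (role, application, action) tuples, the flow records and the two threat indicators are all constructed for the example. Anything not explicitly allowed, including traffic from a user the directory does not know, is denied; only traffic that passes the policy gets the second, threat-inspection stage.

```python
"""Default-deny, identity- and application-aware policy with a second
inspection stage for allowed traffic.

Added example, not vendor code. USER_ROLES, ALLOW, the indicators and
SAMPLE_FLOWS are constructed; the addresses are from the RFC 5737 test ranges.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str            # identity the traffic is attributed to
    app: str             # application identified from the traffic itself, not the port
    action: str          # what the user is doing inside that application
    dest: str            # destination address
    payload_sha256: str = ""   # hash of transferred content, if any


# Identity source: role is looked up, never trusted from the packet.
USER_ROLES = {"alice": "engineer", "bob": "finance"}

# Control stage: the only (role, application, action) combinations permitted.
ALLOW = {
    ("engineer", "ssh", "login"),
    ("engineer", "web-browsing", "browse"),
    ("finance", "web-browsing", "browse"),
    ("finance", "sharepoint", "download"),
}

# Inspection stage, applied only to traffic the control stage let through.
KNOWN_BAD_DEST = {"198.51.100.23"}          # constructed indicator
KNOWN_BAD_HASH = {"deadbeef" * 8}           # constructed indicator


def decide(flow):
    """Return (verdict, reason) for one flow.

    verdict is 'deny' (control stage), 'block' (inspection stage) or 'allow'.
    """
    role = USER_ROLES.get(flow.user)
    if role is None:
        return ("deny", "unknown identity")
    if (role, flow.app, flow.action) not in ALLOW:
        return ("deny", f"{role}/{flow.app}/{flow.action} not in allow-list")
    # Only now do we spend effort looking for threats inside allowed traffic.
    if flow.dest in KNOWN_BAD_DEST:
        return ("block", "allowed application, known-bad destination")
    if flow.payload_sha256 and flow.payload_sha256 in KNOWN_BAD_HASH:
        return ("block", "allowed application, known malware payload")
    return ("allow", "policy match, no threat found")


def run(flows):
    """Evaluate a batch of flows and return the verdict for each."""
    return [decide(f)[0] for f in flows]


# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("alice", "ssh", "login", "10.0.0.5"),                         # allow
    Flow("alice", "bittorrent", "share", "203.0.113.9"),              # deny: P2P not allowed
    Flow("bob", "sharepoint", "download", "10.0.0.7", "deadbeef" * 8),  # block: bad payload
    Flow("bob", "web-browsing", "browse", "198.51.100.23"),           # block: bad destination
    Flow("mallory", "web-browsing", "browse", "203.0.113.1"),         # deny: unknown user
    Flow("bob", "ssh", "login", "10.0.0.5"),                           # deny: finance has no ssh
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.user, f.app, f.action, "->", decide(f))
```

The point of the ordering is cost and coverage: the allow-list removes whole classes of traffic (the bittorrent flow never reaches inspection), and the indicators only have to be good enough for the narrow set of applications the policy already permits.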
This gets us to the data management problem: a typical network's security infrastructure contains multiple different devices, each with a different management console, each producing a lot of logs that can contain thousands of pieces of information. Linking all this data and making sense of it requires a lot of manpower and expertise. Oh, and don't forget that physical security measures, which can also provide clues and contain indicators of risk, are kept almost entirely separate from network security activities (typically they are run by two different groups with very little connection, though I did see a <a href="http://www.alertenterprise.com/">company</a> that was trying to bridge that gap).
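To show what "linking all this data" actually involves, here is an added example of my own, not code from the post above or from any vendor mentioned in it. It takes three constructed log formats (a syslog-style firewall, a VPN concentrator and a badge reader), normalizes them into one event schema, builds a single per-user timeline across all three, and runs one correlation that only a combined view can produce: a successful remote VPN login within fifteen minutes of the same person badging into the building. All log lines, hostnames and addresses are made up; timestamps are treated as UTC, and the firewall line, which like most syslog carries no year, is assumed to be from 2010.

```python
"""Normalize heterogeneous security logs into one schema and correlate them.

Added example, not from the original post or any product. The three formats,
every log line and the 15-minute window are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str      # firewall | vpn | badge
    user: str
    kind: str        # DENY, LOGIN, BADGE-IN, ...
    detail: str


# Three parsers for three constructed formats.
FW_RE = re.compile(r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) fw\S+ "
                   r"(?P<kind>\w+) (?P<kv>.*)$")
VPN_RE = re.compile(r"^(?P<ts>\S+) vpn\S+ (?P<kind>\w+) (?P<kv>.*)$")
BADGE_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d),(?P<kind>[\w-]+),"
                      r"(?P<user>\w+),(?P<where>[\w-]+)$")


def _kv(s):
    """Turn 'a=1 b=2' into a dict."""
    return dict(tok.split("=", 1) for tok in s.split())


def parse_line(line, assumed_year=2010):
    """Return an Event for a recognised line, or None for anything else."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(f"{assumed_year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        kv = _kv(m["kv"])
        return Event(ts, "firewall", kv.get("user", "-"), m["kind"],
                     f"{kv.get('app', '?')} -> {kv.get('dst', '?')}")
    m = VPN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        kv = _kv(m["kv"])
        return Event(ts, "vpn", kv.get("user", "-"), m["kind"],
                     f"{kv.get('result', '?')} from {kv.get('src', '?')}")
    m = BADGE_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
        return Event(ts, "badge", m["user"], m["kind"], m["where"])
    return None


def parse_all(lines):
    """Normalize every recognisable line; unknown lines are dropped."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def timeline(events):
    """One chronological view per user across every source."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    return dict(by_user)


def vpn_while_on_site(events, window=timedelta(minutes=15)):
    """Users with a successful VPN login within `window` of badging into a building.

    Neither the VPN concentrator nor the badge system can see this on its own.
    """
    badge_in = defaultdict(list)
    for e in events:
        if e.source == "badge" and e.kind == "BADGE-IN":
            badge_in[e.user].append(e.ts)
    flagged = []
    for e in events:
        if e.source == "vpn" and e.kind == "LOGIN" and e.detail.startswith("success"):
            if any(abs(e.ts - b) <= window for b in badge_in.get(e.user, [])):
                flagged.append((e.user, e.ts))
    return flagged


# Constructed sample logs from three different systems.
SAMPLE_LOGS = [
    "Feb 25 09:12:01 fw01 DENY src=10.1.2.3 dst=203.0.113.9 user=bob app=bittorrent",
    "2010-02-25T09:15:40Z vpn01 LOGIN user=alice src=198.51.100.7 result=success",
    "02/25/2010 09:10:22,BADGE-IN,alice,HQ-LOBBY",
    "2010-02-25T09:20:03Z vpn01 LOGIN user=bob src=198.51.100.8 result=success",
    "02/25/2010 18:02:10,BADGE-OUT,bob,HQ-LOBBY",
    "some unrelated line that no parser recognises",
]

if __name__ == "__main__":
    evs = parse_all(SAMPLE_LOGS)
    for user, items in timeline(evs).items():
        print(user, [(e.ts.isoformat(), e.source, e.kind) for e in items])
    print("flagged:", vpn_while_on_site(evs))
```

On the sample data the correlation flags alice (badged in at 09:10, VPN login from outside five minutes later) and not bob, whose only badge event is a badge-out at the end of the day. The hard part in a real deployment is not the correlation rule but the normalization that precedes it: a different parser for every console, and a shared identity field that each source has to be coaxed into.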
I think it is telling that it took Google and a host of other companies targeted by attackers originating in China <a href="http://www.google.com/hostednews/afp/article/ALeqM5jMvzWYB0BvmRgL2ZI0Y4b9I-vBOg">MONTHS</a> to figure out exactly what happened (in fact, I believe the investigation is still going on now). So, under the cover of the data deluge that network administrators face from all these different security devices, attackers can infiltrate a network and operate undetected.
All of the calls to better manage business information and increase the value derived from insights and analysis of that information (take a look at last week's special report in The Economist) need to be applied to network security. Organizations need a singular, meaningful view into the network that helps them identify in real time what is going on and any threats to that network. To date, I haven't seen big advances on this front; sure, there are the large, generic platforms offered by the likes of HP and IBM, and security-specific management platforms from folks such as ArcSight. I would love to hear from you if you have seen promise in this area. Right now, I think we need more innovation; we need truly comprehensive visibility and the ability to easily and actively control and manage the network. The security and ultimate sustainability of the network as a platform for change is reliant on it.