IT security trends come and go. First, experts advised protecting the perimeter. Then, they recommended safeguarding data at rest and in motion. Next, the talk was about layered security. But as the market matures, IT leaders have come to rely on some tried-and-true security technologies to safeguard their networks and data.
Web filtering, unified threat management, antimalware, intrusion detection/prevention systems, and security information and event management tools perform essential security functions and automate related tasks, freeing state and local government IT departments to focus on supporting and serving users. While quantifying the return on investment with security products often isn't possible -- the "return" is the absence of any security breaches -- IT managers say these products have proved their worth by keeping their networks free of threats.
The borough of West Chester, Pa., deployed Websense Web Filter in 2005 to restrict employee access to certain websites. The software also regulates the amount of data that can be transferred across connections, protecting network performance if, for example, a user downloads a large video clip.
"Web filtering is one of the main cogs in the security of our network, and it keeps employees productive on the job," says Bill Mann, IT manager for the borough and also the West Chester police department's chief dispatcher. Websense Web Filter allows Mann to establish rules regarding which users can visit certain websites based on their role in the organization.
"When we first installed Websense, we sat back for two months so it could do the reporting to find out what websites employees were visiting. The No. 1 activity was job searching," Mann says. "I'm sure any employer doesn't want employees wasting its time and resources looking for a job."
The second most-visited category was sports and the third was gambling. Blocking employees from visiting such sites from their work computers reduces an organization's liability because it limits the chances of a user doing something he or she is not supposed to do. And because many recreational sites tend to be infected with malware that spreads worms and viruses, Websense also helps West Chester limit exposure to web threats, Mann says.
In addition, most of West Chester's 100 users aren't permitted to visit social networking sites while at work, reducing the chance that sensitive data will accidentally be leaked. "Law enforcement deals with confidential information all the time," says Mann. Information leaks "can happen accidentally with social networking. If something happens with the police department or there's a law enforcement situation -- if someone has a momentary lapse of judgment and puts it on Twitter, it's a liability risk."
Websense requires a dedicated server, as well as a subscription to periodic updates. But because of the protection it offers the organization, in addition to the alerts, reports and management capabilities, Mann believes Websense is well worth the investment.
"If a company wants to remain productive, liability free, and keep its people focused, it has no choice; it has to do web filtering," he says.
The Fresno County Economic Opportunities Commission in Fresno, Calif., has 1,450 employees at more than 50 sites. Greg Streets is charged with protecting the commission's network from data threats of all kinds.
For this, the network administrator uses the SonicWALL Pro 4060 UTM at its main office for firewall services, content filtering, gateway antivirus, intrusion prevention, antispyware and antimalware, e-mail filtering, and Real-time Blackhole List filtering. The organization also installed SonicWALL's TZ 170 and TZ 210 devices at smaller sites where users connect via DSL and SonicWALL's integrated virtual private network tunnels.
The commission installed SonicWALL's products about 10 years ago when it decided to take the security function in-house. "SonicWALL security devices have proven to be secure, efficient, dependable, scalable and are one of the most cost-effective firewall/UTM products on the market," Streets says.
Because UTM integrates all the protection services the commission needs and automatically monitors gateway activity, IT staff can spend more time supporting users. "It allows us to focus on other areas of providing customer service to agency staff," Streets says.
That customer service includes helping outreach workers onsite in Fresno County's rural communities to stay connected to the main office and access the resources they need.
"The mission of FCEOC is to humanely focus all available resources to empower low-income families and individuals working toward the skills, knowledge and motivation for self-sufficiency," IT Manager Doug Walthour says.
"SonicWALL devices have allowed us to expand and secure our WAN throughout Fresno County within budget and without consuming all of the resources of our four-person IT office."
Antivirus technology has long been required to protect desktops. Today most security software manufacturers bundle antivirus capability with other tools that work together to protect desktops, with minimal effort on the part of end users and IT staff.
About five years ago, the Indiana Office of Technology deployed McAfee Total Protection Suite to protect 26,000 PC users from viruses, worms, Trojans, spyware and malicious websites. While no antivirus package is able to protect against every threat out there today, McAfee's management features help identify zero-day threats, says Paul Baltzell, director of distributed services. "If something comes into our environment that's completely new, that McAfee has no signature for yet, we can still block it once we know the executable file names and/or processes it operates under," he says. The office receives alerts from organizations such as the U.S. Computer Emergency Readiness Team (US-CERT) or the SANS Institute, and Baltzell enters the information into McAfee's management console to catch that file before it reaches desktops. "It's fairly automated," he adds. "You only have to enter the file name once, and it is replicated out to all client PCs."
Although the organization uses antispam software at the gateway and web filtering software, desktop antimalware remains an essential added layer of protection. "We work to minimize the inefficiency of functional overlap in our defenses, yet we need to ensure there are no gaping holes," explains Tad Stahl, Indiana's chief information security officer. "It's not uncommon for one layer to fail. You just hope that when it does, you are protected by others."
Years ago, intrusion detection systems emerged to alert IT to unauthorized network access. These products evolved to not only detect but also prevent network intrusions, and became known as intrusion prevention systems.
At the Los Angeles County Department of Health, Amin Almuhajab, network security manager, relies on a series of IPS devices from TippingPoint Technologies to protect the network used by 22,000 county employees.
TippingPoint, which HP acquired last year, integrates IDS and IPS capabilities into one platform to detect and block unauthorized access. The devices act as the IT department's eyes by scanning for intrusions and blocking suspicious connections.
Sidebar statistic: portion of respondents who were victims of a cybersecurity attack by an insider. Source: 2010 CyberSecurity Watch Survey.
"TippingPoint provides efficiencies so we can use resources in other areas, rather than be bombarded with false positives," Almuhajab says. "The devices cut down on the amount of time my staff spends looking into junk events."
IPS also gives the department an additional layer of security, which is especially important for large public environments. "We have high-value systems that are the bread and butter of our organization; so if there's a compromise, the liability is huge," Almuhajab says.
One aspect of the TippingPoint IPS devices that he particularly appreciates is the accuracy of their signatures, which identify threats more precisely.
At the heart of a well-made security strategy is security information and event management (SIEM), which centralizes alerts, logs and reports generated by other security products and presents IT managers with a unified look at the state of their networks.
Michael Hogg, IS security manager for Hillsborough County, Fla., taps ArcSight Enterprise Security Manager to correlate events and manage the logs and reports generated by firewalls, IDS/IPS devices, antivirus software and other sources. The county also integrates ArcSight with Microsoft's Active Directory to leverage its reporting capabilities and demonstrate compliance.
Sidebar statistic: reduction in average monetary value of losses resulting from cybercrime in 2010, compared with 2007, according to the 2010 CyberSecurity Watch Survey.
"The benefit of correlating events is you get alerts all in one place, instead of 10 different technologies with some sort of logging and reporting capabilities," says Hogg. "That would be a lot of technology to monitor." He notes that ArcSight translates logs and events into a common format, enabling his department to be more efficient.
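The two SIEM functions Hogg describes, translating differently formatted logs into one common schema and correlating the results so the analyst gets a single alert, can be shown in miniature. The following is an added example written for this article, not ArcSight code; the firewall and IPS log lines and their formats are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in two invented product formats (not real device
# output), standing in for a firewall and an IPS feeding the same SIEM.
FIREWALL_LOG = [
    "2010-09-14 10:01:02 fw1 DENY src=198.51.100.23 dst=10.0.5.10 dport=445",
    "2010-09-14 10:01:05 fw1 ALLOW src=192.0.2.44 dst=10.0.5.20 dport=80",
    "2010-09-14 10:01:09 fw1 DENY src=198.51.100.23 dst=10.0.5.11 dport=445",
]
IPS_LOG = [
    "Sep 14 10:01:07 ips1 BLOCK sig=SMB-worm-probe 198.51.100.23 -> 10.0.5.12",
    "Sep 14 10:01:20 ips1 ALERT sig=HTTP-scan 192.0.2.44 -> 10.0.5.20",
]

FW_RE = re.compile(r"^\S+ \S+ (?P<device>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)")
IPS_RE = re.compile(r"^\S+ \S+ \S+ (?P<device>\S+) (?P<action>\w+) sig=(?P<sig>\S+) (?P<src>\S+) -> (?P<dst>\S+)")

def normalize(line, source):
    """Map one product-specific line onto the common event schema."""
    m = (FW_RE if source == "firewall" else IPS_RE).match(line)
    if not m:
        return None  # unparsable lines are dropped rather than guessed at
    d = m.groupdict()
    return {"source": source, "device": d["device"], "src": d["src"], "dst": d["dst"],
            "blocked": d["action"] in ("DENY", "BLOCK"), "sig": d.get("sig")}

def correlate(events, min_sources=2):
    """Group blocked events by source host and raise one alert for any host
    that at least `min_sources` different products acted on."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["blocked"]:
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        sources = {ev["source"] for ev in evs}
        if len(sources) >= min_sources:
            alerts[src] = {"sources": sorted(sources), "count": len(evs),
                           "targets": sorted({ev["dst"] for ev in evs})}
    return alerts

def run():
    """Normalize both feeds and return the correlated alerts, keyed by source host."""
    events = [normalize(l, "firewall") for l in FIREWALL_LOG]
    events += [normalize(l, "ips") for l in IPS_LOG]
    return correlate([ev for ev in events if ev])
```

In the sample data only 198.51.100.23 is blocked by both products, so the analyst sees one alert covering three underlying log lines instead of reading two consoles.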
While it's hard for Hogg to gauge the return on investment of ArcSight's product, he has found some unexpected benefits. "ROI is a hard thing to do; security is viewed as overhead until something bad happens," he says. "But one thing I've noticed is we're able to respond to third-party and internal audits much more effectively because we're able to have the logs we need in one place."
Products such as SIEM tools offer a smarter way to use technology, says Hogg, which is particularly important in difficult economic times. "In this budget climate, when we have to tighten our belts and we're faced with cuts and all the departments we serve are losing employees, we're looking to do more with less," he says.
Going forward, security products will need to adapt to the increasingly dynamic nature of IT and business infrastructures, according to Gartner Vice President Neil MacDonald. In the report, "The Future of Information Security Is Context Aware and Adaptive," MacDonald says that information security enforcement points must move up the IP stack instead of being bound to physical attributes, such as an IP address or device.
For example, firewall makers have added application, identity and event content awareness to their products, requiring deeper inspection of incoming traffic. Products that can adapt to the ever-changing threat landscape and business environments -- and do so in real time or near real time -- represent the future of security.