By Ruby Bayan
Gone are the days when choosing the best security solution simply meant picking up the latest version of the toughest-sounding antivirus and firewall applications. Now, selecting reliable protection against hackers, crooks, and other social deviants—who are becoming increasingly tech-savvy—is among the most daunting tasks for the IT pro.
It would seem that the most sophisticated, if not the most expensive, intrusion detection system is always the best choice, but even if you can justify the investment, a different solution may be more suitable for your organization. How would you know? Read on for tips from security experts.
Consider the solution that aligns with your business plan
On a macro level, one of the main factors to consider in choosing a security solution is its significance to your business.
Daniel E. Geer, Jr., chief technology officer of @stake and responsible for its Risk Analytics Center of Excellence, said that the best solution is entirely dependent on what industry you're in and where you fit in the bigger scheme.
"For the biggest firms," Geer said, "reliability is the goal and security is a subset of that goal, hence the measurement that security must undergo is to cast light on how it does or does not advance reliability."
"For firms facing a regulatory burden," Geer advised, "they must convert the generally vague and qualitative language of a regulation ('you will not misplace customer data') into something that is technically crisp ('strong authentication for anyone able to access customer data en masse'), and find a way to audit that the solution is really in place."
Geer added that for firms where the corporate asset is corporate data itself, such as with pharmaceutical research, "the central theme would be a sufficiently precise accountability regime that the insider threat is blunted by the certain knowledge of competent forensics."
Economically speaking, companies with the greatest information assets to protect should invest heavily in security solutions. According to Geer, these would be the companies with IT assets that are the most short-term valuable, the most difficult to recover from the loss of, and the most central to economic advantage.
"Arguably, the notional concept of money is inherently information and, thus, the financial services industry's livelihood depends upon information, which explains why financial services have been and are likely to remain avatars in the information security field," Geer explained.
Keep track of costs and anomalies
Using a detail-oriented approach, especially if the selection process hinges on recommendations from network or system administrators and support teams, one way to find the right solution is to scrutinize the problem.
Keep track of costs, Geer suggested. "What is the lack of security costing the company every year? If there are intrusions, what are the consequences? Even if the system admin cannot put a dollar number to it, write down what you can—hours of down time, overtime spent getting things running again, people who lost jobs, big sales opportunities [that] were lost, etc." Once you have an understanding of what insecurity is costing the company, you're in a position to try to find solutions that will be cost-justified, he said.
Geer also suggested deploying enough logging in general "so that anomalous actions will stand out for the simple reason that you have a clue what 'normal' is." He said that if you do not do this, you would have a tendency to either underprotect or overspend.
"Measure something—for example, how many unique external addresses the average desktop references per hour—so that you can guess that desktop #1234 has a problem when it starts reference 10 times the average number of external sites. And so forth."
Go back to basics: Set up sound selection criteria
According to Francis Pineda, head of Security Consulting Practice at I-Sentry Solutions Inc., there's a growing trend among companies to purchase the best and latest security technologies without much regard for what exactly the company is trying to safeguard.
"Buying is easy, but you need to understand what assets need protection, from what threat, at what level, and what the potential impact is on the business," Pineda said. Simply put, risk assessment—either internal or through a third party—will help you identity your selection criteria and narrow down your prospective solutions.
"Security technology selection is a multi-angled process—don't cut corners," Pineda emphasized. The ideal selection criteria should include basic, oftentimes overlooked, considerations such as:
- Hardware- or software-based
- Windows, Solaris, or Linux
- Suite solution or best-of-breed
- Functionality, manageability, and performance
- Support and value-added services
- Installed base and testimonials
- Third-party reviews and ratings
- Additional features
"There are thousands of commercial products to choose from, and luckily, 99 percent of them function as advertised. Firewalls, intrusion detection systems, antivirus applications, etc., have matured and evolved through years of redevelopment, so they are mostly excellent solutions, many almost identical to their competition."
Pineda stressed the importance of research and legwork in evaluating the best security devices. Consult your peers. Buy only from a reputable reseller. "And never decide based solely on cost," he warned. "Because you always get what you pay for."
Tap the human factor
Security experts underscore the "human factor" in determining the best security technology for the enterprise. Beyond FUD and ROSI, organizations need to consult with managers, resource owners, and business units to discuss security concerns and assess viable solutions. But in order to do this, security administrators must be top-notch with both technical and communication skills.
"The best solution has the best administrator," said Pineda. Some companies are able to acquire appropriate security solutions, but the administrators fail to optimize the use of the tools. For instance, intrusion detection devices need to be implemented properly or else they will trigger too many false alarms, and firewalls need to be reconfigured to align with the company's security policies. Security officers and administrators must be competent, diligent, and resourceful, he said.
But more than being technically adept, security administrators need to also possess excellent communication skills. This helps them efficiently disseminate security policies to all levels of the organization and obtain support and collaboration from managers, users, and resource owners.
According to recent Meta Group research, "more than 75 percent of organizations identify a lack of user awareness as moderately or severely reducing the effectiveness of their current security program." The lack of awareness is attributed to the IT security staff's inability to effectively communicate policies and initiatives across the organization.
No magic formula
"There is no magic formula," according to Geer. "The real security solution would look at the security problem and then structure both people processes and technologies to solve it. In this sense, the best security solutions tend to be custom."
Finding the best answer to your company's security concerns will require an intricate and complex process that involves in-depth risk assessment, dedicated security committees, comprehensive product evaluations, and highly competent administrators. It will be tedious and tricky, but certainly doable.