North American businesses in every sector are spending more on IT security, but that has not necessarily made them more secure.
“”Many companies are investing their security dollars on the wrong risks,”” according to John Pescatore, vice-president of Internet Security at Gartner Inc. in Stamford,
Conn.
He cited a Gartner survey that shows the average enterprise channeled 5.4 per cent of its IT budget on security in 2003 — a 20 per cent increase over 2002. “”Despite this increase, there are many areas where old spending patterns are definitely not leading to better or more efficient network security.””
For instance, Pescatore said, Gartner is advising clients not to expend limited IT resources on network intrusion detection systems (IDS), but to opt for application-level firewalls instead.
“”We now have firewalls that can block the very same attacks that IDS systems merely alarm on”” Pescatore said. “”You spend a million dollars on IDS and you have the same level of break-ins.””
For protection against viruses, he said, many companies spend money on desktop protection but fail to put anti-virus software on the e-mail server, where it is more effective.
On the flip side, he said, companies and vendors across the board are getting the message and are starting to look at network security very differently.
For instance, Gartner predicts over the next few years, many enterprises will adopt “”containment technologies”” which can shut certain parts of the network in order to protect the infrastructure from threats, such as viruses.
He said several excellent containment solutions are available from vendors such as Cisco, Enterasys and Microsoft.
This concept of the network actively participating in the security paradigm is something Andover, Mass.-based Enterasys Networks Inc. has been actively advocating.
John Roese, the company’s chief technology officer, said in the past, the network was about connectivity and the job of protecting the network was left to purpose-built devcies, such as firewalls and intrusion detection systems.
“”Now we’re witnessing the emergence of a new model where the network itself is an active player in the security architecture.””
AUTHENTICATION AT THE SWITCH
Roese said this model is being driven by two factors: more companies are letting customers and suppliers access their networks, and the consequences of attacks are more severe.
Point solutions cannot adequately respond to such pervasive threats, he added.
“”When the network itself is a security element you are talking, potentially, about thousands or hundreds of thousands of individual points or connections,”” he said. “”It’s too complex to deploy a new security layer each time you change your connectivity.””
The solution, he said, is an embedded function, at the infrastructure level, for managing user identity and authentication. “”That way, when you buy a switch or a router, security is an inherent function of the device itself rather than a bolt-on or an overlay.””
He pointed to the LAN authentication and authorization capabilities of the current breed of Enterasys’ networking products, which include 802.1x authentication.
According to some experts, however, embedded security is not the only — or even the main — antidote to malicious hacker attacks on the network.
“”A complete and truly effective network security plan also covers process improvements and training,”” said Kent Kaufield, a senior manager with Ernst & Young’s Technology and Security Risk Services practice.
Kaufield said the sharp rise in security technology spending is not, by itself, a very heartening fact.
“”The biggest component of a security budget should be process and people spending. And that isn’t growing as fast as the technology spend. So we’re ending up with very small security groups handling (security) technology they aren’t properly equipped to use.””
This concern, according Gartner research director Richard Stiennon, has led certain companies to take drastic measures to protect their networks.
“”Many (of our) customers are circling the wagons and going into blackdown mode,”” Stiennon said during a recent Webcast. He cited the example of one of Gartner’s enterprise clients that wanted to prevent viruses from getting into the network through ‘rogue machines’ brought in from outside. “”So they started stopping people at security and checking their laptops…loading software on them to make sure there were no worms on the machines.””
The approach, said Stiennon, just did not work. “”(the company) would set up a meeting for 9 a.m. and nobody would show up until 10 a.m. because they were all waiting in line at security with their laptops.””
