Recent weeks have brought more grim news about tech spending. A study released March 4th by Merrill Lynch, which surveyed 75 U.S. and 25 European CIOs, showed that people who run networks in corporate America are loath to expend capital unless they absolutely must. Merrill found that 62 percent of technology officers feel no pressure to increase spending this year, and a good 40 percent of their budgets will go toward preventing existing machinery from breaking.
In such an environment, security spending is likely to be squeezed even tighter. After all, systems security tends to go unfixed until proven broken — in the form of sensational reports about billions of dollars in damages wreaked by malware or hackers.
No company wants to see its name in lights in connection with a break-in. But neither do companies have countless billions to spend on security measures. Fortunately, a level-headed middle-ground approach can set a company on the right path without breaking the bank.
Playing with Firewalls
There are at least two ways to be parsimonious about security spending. One is to figure out how to spend as little as possible while still gaining some added protection. The other, slightly more costly, way is to consider going beyond the bare minimum to examine which technologies will deliver fairly rapid return on investment. The promise of ROI can be the justification needed to pry loose larger sums of money from top company management.
Yankee Group senior analyst Eric Ogren suggested that if a CIO chooses the first approach, he or she should focus on firewall products and intrusion prevention appliances. “The most basic thing you can do in security is a firewall,” he told the E-Commerce Times, “because you’re instantly getting both protection for your network and for your servers.”
Indeed, a simple firewall has become the ultimate security commodity. To control which computers access a corporate network, a CIO can use the free software that ships as a feature of several enterprise-class operating systems, including Mac OS X Server and all Linux distributions. Although its product is not free, Microsoft offers the Internet Security and Acceleration Server as an add-on to Windows 2000 for an additional US$6,000 per processor.
Don’t Forget the Antivirus
Alternatively, one of several hardware appliances running firewall software from Check Point can be had for a few hundred dollars with limited user licenses, as can the low end of Cisco’s PIX firewall appliance line. And firewall products from Fortinet include antivirus software in a kind of two-for-one special.
Indeed, Gartner research director Rich Mogull told the E-Commerce Times that antivirus software should be an important consideration for IT managers. He also said that having a dedicated security engineer on staff is at least as basic as firewall protection.
“You’ve got to have a specialist for this stuff,” Mogull noted. “It’s just too complex as a discipline not to.” For example, he pointed out that patch management, which can help prevent denial-of-service attacks and other intrusions, is a time-consuming effort that can be accomplished well only by trained professionals.
Prevention vs. Detection
Intrusion prevention is a little different than firewalls or antivirus systems. Devices designed for this purpose generally model a set of acceptable behavior for accessing servers. Any activity outside of this, such as requests for password files, is zapped. (Avoid confusing intrusion prevention systems with traditional intrusion detection systems, which require extensive analysis of reports by a skilled security technician. Ogren called those devices a “money sink.”)
Devices from Cisco and Entercept Security Technologies fall into the intrusion prevention category. Cisco got serious about these systems in January with the acquisition of software startup Okena. Entercept’s namesake product goes beyond battling viruses to fight other types of malicious intrusions. For example, in the case of the Slammer worm, Entercept said its product would have prevented infected servers from running code that originated from a buffer that had overflowed.
The Entercept system comes in two parts: a management server, costing $4,995, and agent software installed on each machine to be protected. SQL Server agents cost $2,995 per agent, and the management server can accomodate up to 5,000 of these agents before a new management license is required.
But Does It Pay?
CIOs also may choose to spend a little more on technology that demonstrates return on investment and therefore justifies itself in the eyes of management. The problem, of course, is that security rarely contributes directly to the bottom line.
Gartner’s Mogull scoffed at the very notion of ROI-driven buying. “ROI is not the right model for security. What’s the ROI for a fire extinguisher? The ROI of not having a firewall is how bad you get hit.” Ogren agreed but pointed out that “the Web server drives revenues, so protecting can be seen as an investment” that will pay off in sustained sales.
Among the products to look at are Web gateway appliances from such firms as NetContinuum, Teros and Kavado. Rather than simply locking down ports on a network, as a firewall does, these appliances scan interactions with applications, such as Web servers, in real-time, looking for activity that falls outside the normal pattern of client-server requests.
Eric Beasley runs the Teros 100 APS to secure various Microsoft servers at Baker Hill, a maker of CRM products for the financial industry. Beasley said he believes the Teros box actually contributes to ROI by reducing the overall man-hours spent installing patches for various servers. “The number of hours required to consider whether patches are needed is reduced significantly,” he told the E-Commerce Times. “We no longer feel we have to immediately evaluate any patches that have been released by Microsoft so that we would avoid any vulnerability.”
Build Your Own Mousetrap
If a company cannot even afford the abovementioned solutions, there are still a few things users can do that do not cost a dime. First, make sure you have obtained all of the freely available vendor patches and tools. Cruise the Microsoft TechNet site for security updates. Download a copy of the company’s Baseline Analysis tool, which will try to detect which hotfixes you have installed on your Windows servers and where there may be holes in your server configuration.
In addition, if you use client operating systems such as Mac OS X or Linux, you should run services for automatic updates of security fixes, such as Apple’s Software Update and the Red Carpet software update for Linux from Ximian.
Lastly, consider having consultants make periodic evaluations of your network’s health. SPI Dynamics and Sanctum are two outfits valued for their appraisals. If you are willing to stay up nights to save a few bucks, you can even consider doing your own homework by surfing the security advisories at the CERT Coordination Center, the SANS Institute and the Risks Digest.
In the long run, any effort to secure a corporate network is better than no effort at all. But the truth is that some monetary outlays are not only prudent, but also likely to generate ROI — in terms of the incidents that will not occur.