Firewall Wizards mailing list archives

Re: State of security technology for the enterprise


From: "Chris Hughes" <chughes () l8c com>
Date: Fri, 1 May 2009 09:02:11 -0400

The environment is a product development environment that is under constant
threat from the outside and a history of inside threats/attacks.  I am
protecting mostly Microsoft systems with some *nix.  The data at highest
risk is source code and product development documentation. I need to be at
least FIPS 140-2 compliant.  As far as budget goes, I was hoping to spread
the purchase between this year's and next year's and keep the total spent less
than 70K. Staff??  I'm it.  Experience dealing with IT security risks is
about an 8 on a scale of 1 to 10.  I've caught a few, been attacked
internally a few times and externally on a continuous basis.  Corporate
espionage is a reality for me.

 

While all this is important to consider when choosing a solution, I'm not
that far along yet.  My intent is to investigate the state of security
technology so that when I am ready to choose a solution or set of solutions,
I can go with product(s) that are forward thinking and least likely to
require a forklift upgrade in the next 3 years.

 

You make a good point that the pieces of the overall solution must work
closely with each other.  This is something the vendors of security
solutions are fighting.  They want me to think that they are so good that
they can handle it all.  My current solution is hybrid and on more than one
occasion I've seen one vendor miss something and another catch it.  

True security cannot be bought, but with the growth of new technologies
come new threats that are not as easily dealt with by using a six shooter.
As an example, VMware tells me not to run endpoint protection in my virtual
environment and that there are products out there that sit at the hypervisor
layer to protect VMs from attacking each other. (I left that out of the
environment section.  We are 70% VM and will be 90% by end of year.  This is
a big consideration.)

From: Marcin Antkiewicz <firewallwizards () kajtek org>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: miedaner () twcny rr com, Firewall Wizards Security Mailing List
      <firewall-wizards () listserv icsalabs com>
Message-ID: <7ed5f2120904292213r55acf650n92cc1a34a3f7cea6 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

 

The underlying architecture is very important to providing control.

 

I doubt that the original poster's question can be answered without rest of
the relevant information. What is the environment? What systems/data will be
protected? Under what regulation? What budget?

How big is the staff? What's the infrastructure? What's the organization's
experience dealing with IT Sec risks?

 

A laundry list of technology is meaningless - each of the pieces must work
with the others, and satisfy some business need. If the latter part is
neglected, funding tends to dry up in 2-3 years. Justification to the
business does not have to be extravagant, but it must be well done, and in
language and context that the business understands.

 

ArkanoiD is correct, the biggest Sidewinder is worthless if the application
folks decide to include passwords in JavaScript. I know of a few places that
try to correct such creativity with iRules on F5s, but that's just a race
that the org is going to lose. Sidewinders and F5s are not needed, secure
SDLC will fix that problem. Add decent development process to Sidewinders
and the F5s and the org will be doing quite well, but that's very expensive
- requires cooperation of IT Sec and App Delivery, which cannot be purchased.

 

I think I am trying to say that Security is a process, and cannot be bought
(in a sustainable manner), but that we all know already.

 

--

Marcin Antkiewicz

 

 

------------------------------

 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards