Firewall Wizards mailing list archives
Re: State of security technology for the enterprise
From: "Chris Hughes" <chughes () l8c com>
Date: Fri, 1 May 2009 09:02:11 -0400
The environment is a product development environment that is under constant threat from the outside and a history of inside threats/attacks. I am protecting mostly Microsoft systems with some *nix. The data at highest risk is source code and product development documentation. I need to be at least FIPS 140-2 compliant. As far as budget goes, I was hoping to spread the purchase between this year's and next year's and keep the total spent less than 70K. Staff?? I'm it. Experience dealing with IT security risks is about an 8 on a scale of 1 to 10. I've caught a few, been attacked internally a few times and externally on a continuous basis. Corporate espionage is a reality for me.

While all this is important to consider when choosing a solution, I'm not that far along yet. My intent is to investigate the state of security technology so that when I am ready to choose a solution or set of solutions, I can go with product(s) that are forward thinking and least likely to require a forklift upgrade in the next 3 years.

You make a good point that the pieces of the overall solution must work closely with each other. This is something the vendors of security solutions are fighting. They want me to think that they are so good that they can handle it all. My current solution is hybrid and on more than one occasion I've seen one vendor miss something and another catch it.

True security cannot be bought, but with the growth of new technologies come new threats that are not as easily dealt with by using a six shooter. As an example, VMware tells me not to run endpoint protection in my virtual environment and that there are products out there that sit at the hypervisor layer to protect VMs from attacking each other. (I left that out of the environment section. We are 70% VM and will be 90% by end of year. This is a big consideration.)

From: Marcin Antkiewicz <firewallwizards () kajtek org>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: miedaner () twcny rr com, Firewall Wizards Security Mailing List <firewall-wizards () listserv icsalabs com>
Message-ID: <7ed5f2120904292213r55acf650n92cc1a34a3f7cea6 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1
The underlying architecture is very important to providing control.
I doubt that the original poster's question can be answered without the rest of the relevant information. What is the environment? What systems/data will be protected? Under what regulation? What budget? How big is the staff? What's the infrastructure? What's the organization's experience dealing with IT Sec risks?

A laundry list of technology is meaningless - each of the pieces must work with the others, and satisfy some business need. If the latter part is neglected, funding tends to dry up in 2-3 years. Justification to the business does not have to be extravagant, but it must be well done, and in language and context that the business understands.

ArkanoiD is correct, biggest Sidewinder is worthless if the application folks decide to include passwords in JavaScript. I know of a few places that try to correct such creativity with iRules on F5s, but that's just a race that the org is going to lose. Sidewinders and F5s are not needed, secure SDLC will fix that problem. Add decent development process to Sidewinders and the F5s and the org will be doing quite well, but that's very expensive - requires cooperation of IT Sec and App Delivery, which cannot be purchased.

I think I am trying to say that Security is a process, and cannot be bought (in a sustainable manner), but that we all know already.

--
Marcin Antkiewicz
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards