Commentary

SmartAdvice: Unified Management Is Next For Security

Managing threats, not avoiding them, is what unified threat management lets companies do, The Advisory Council says. Also, pick the best elements of project management, but don't be a slave to the process.

Editor's Note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory service firm. The feature answers two questions of core interest to you, ranging from leadership advice to enterprise strategies to how to deal with vendors. Submit questions directly to smartadvice@tacadvisory.com




Question A: How well does unified threat management fit the requirements of an effective information security program?

Our advice: Unified threat management is a compelling and natural consolidation point in the evolution of information asset protection. Part technology and part packaging, it responds to the growing challenge of protecting information assets in the 21st century. Businesses are interconnecting more with each other, with customers, with vendors, with government agencies, and with the public. How does an organization make sure these interconnections (and the networked resources they connect) are used appropriately?

We are awash in a sea of attacks on our information assets. Place a probe outside almost any firewall and you will find a continual stream of low-level network attacks, peppered from time to time with serious break-in attempts. Add to this the virus-infected E-mails, worms, spam, and spyware that keep coming. And top it off with sophisticated attacks on Web servers. It becomes quite a challenge.

Early solutions were ad hoc and piecemeal. These included virus detection and prevention, firewalls, host and network intrusion detection, encryption, secure host configurations, more secure computers and software--and never-ending patch management, access control and review, penetration testing, vulnerability assessments, and so on. Not only is it labor intensive and expensive ensuring that all these are in place, it's problematic whether they can be sufficiently coordinated to ensure adequate and timely protection.

At the same time, the emphasis has shifted from threat avoidance to threat management. The latter requires, for example:

  • Cost effectiveness. Total system costs should be less than the expected loss if there are security breaches due to a lack of controls. When considering total costs, recognize the hardware and software costs, operational costs, and potential impact on business.

  • Coordination. It has to take place between organizations and between technologies.

  • Streamlined administration. Manual processes will break down under too much volume and pressure; throwing more labor at the problem usually worsens it while increasing costs.

  • Interoperability. If the technical components don't work well together, incident resolution (and sometimes even incident determination) is difficult, if not impossible.

Unified threat management addresses these and other requirements by bundling together key information-security functions and providing simplified administration. It's a state-of-the-art method of managing a lot of information-security threats--a good idea whose time has come. Efficiently packaged and effectively delivered, it will reduce the cost and increase the reliability of your information-security program.

However, there's an important caveat. Unified threat management, like its predecessors (firewalls, intrusion detection, penetration testing, antivirus systems, and encryption), risks becoming a buzzword solution, or even being perceived as a panacea. It's a good tool, but it has its limits. Manage expectations, from desktop users to the board of directors. Make sure unified threat management is understood and defined by what it does and doesn't do.


Fortinet claims to be the market-share leader. Through its FortiGate product, it provides a comprehensive suite of functionality. Significantly, it provides a central management function through its FortiManager. Other vendors claiming unified threat management services are ServGate and Barrier1. In addition, the UTM concept is sufficiently compelling that major security vendors such as Check Point Software, Internet Security Systems, and Cisco Systems aren't far behind. They have most, if not all, of the necessary components.

Strategically, look at deploying unified threat management in the medium term--two to four years. By then, the industry should shake out. Tactically, make sure that every decision is consistent with that direction, focusing on the bulleted requirements above and any others important to you. Finally, keep a continual eye on these products and prevailing practices, just in case unified threat management is superseded by cosmic threat management.

-- Richard Feingold
