It's an issue about which business-technology managers are increasingly passionate, and their frustrations bubble up when discussing the topic. "We get better communication about their security problems" than about their security improvements, says Diane Bunch, senior VP for information services at government-owned power utility the Tennessee Valley Authority, in an E-mail interview.
Many security tools are poorly designed and don't work well together, says Adam Hansen, manager of information security for law firm Sonnenschein Nath & Rosenthal LLP. "They're either incomplete, have flaws, or don't communicate well," he says. "Companies are buying each other up, but they don't integrate the apps well afterwards." His solution? "Those products aren't around here anymore."
WesCorp scans its network and systems each day for the vulnerabilities that make attacks from hackers and worms possible, Hoff says. "We're never more than 24 hours out of date," he adds. Still, he doesn't rest easy. "You can never get too far ahead" of the attackers, he says.
Many security professionals use several layers of security and regularly add new types of tools to protect their systems. They're also trying to better understand which security threats are serious and need to be addressed immediately and which ones can be addressed later.
Most common antivirus and intrusion-detection systems use signature-based technology to recognize a threat by looking for a virus' fingerprint, or specific code. Those systems "do a good job, but they don't do a perfect job," says Michael Kamens, global network and security manager for Thermo Electron Corp., a $2.1 billion-a-year maker of electronic measurement and laboratory equipment (see story, p. 71). Thermo uses several layers of antivirus protection, including at E-mail gateways and desktop systems, but viruses still occasionally sneak through. "Isn't that disgusting?" he says.
One frustration many information-security managers feel is that security tools don't provide them with the right kind of information. If a software or hardware vendor rates a security vulnerability as a high risk, customers get flooded with warnings that systems need to be patched, regardless of how those systems are being used. What customers really want is to be able to understand the business risk of a threat so they don't spend a lot of time rushing to patch a relatively unimportant system, Hoff says. "I want to know how the investment division is doing versus other divisions," he says. "I want to be able to correlate vulnerabilities and see the actual risk [a threat] poses to the business."
Businesses are turning to tools that help them do more. Advo Inc., a $1.2 billion-a-year provider of direct-mail services, is supplementing its open-source Snort intrusion-detection systems with Enforcer and Profiler from network-security software maker Mazu Networks Inc. "We didn't want to put all of our eggs in one basket," says Phil McMurray, IT security officer at Advo. Mazu's heuristics-based Enforcer helps protect Advo's network from distributed denial-of-service attacks, the No. 3 threat after viruses and worms. Some 18% of survey respondents in North America say they were hit with such attacks in the past year, as do 26% in the Asia-Pacific region, 10% in Europe, and 14% in South America.