The Profiler application helps Advo better understand how the network is being used and lets McMurray tighten security policies. "The more detailed analysis gives us a better understanding of what our threats really are. Have we seen this before? How big is the problem? And it helps us watch for those problems from then on," he says.
Fewer than a third of companies worldwide, the survey shows, use security event-management applications. But those apps can pay off. Companies with sophisticated security programs that use those tools to correlate and monitor security-related activity occurring throughout their networks and systems are reaping the rewards.
Union Bank of California installed security-management software from ArcSight Inc. about 18 months ago to help correlate threats across its many applications and security devices. "We chose this path so we could remain vendor neutral. ArcSight has the ability to adapt and be nimble," says Bob Justus, senior VP of corporate information security and IS/IT contingency. The bank uses ArcSight to collect and correlate events from network devices such as routers, from security software such as firewalls, and from the event logs of its business applications. "This allows us to show the value of the security program in a comprehensive way," he says.
Law firm Sonnenschein Nath & Rosenthal also uses a security-event manager, OpenService Inc.'s Security Threat Manager. It monitors the firm's security apps, such as firewalls and intrusion-detection systems, and it also uses data from vulnerability-management and antivirus applications. That helps the firm focus on what's important and determine whether "someone is beating on our door," says security manager Hansen. "I don't want to be alerted about a bunch of garbage."
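What the event managers in the two accounts above do, stripped to its core, is normalize records from several sources into one schema and then score each alert against the others: an IDS alert matters more when the firewall shows the same source probing other hosts, and less when the vulnerability scanner says the targeted host is not exposed to what the signature describes. The following is an added illustration of that correlation logic, not code from ArcSight, OpenService, or either organization quoted here. The log formats, IP addresses, signature names, and scanner findings are all constructed for the example, as is the mapping from IDS signature to scanner finding.

```python
"""Toy security-event correlator: normalizes firewall, IDS and
vulnerability-scanner records into one schema, then scores each IDS alert by
(a) whether the firewall has also seen the same source hammering the network
and (b) whether the targeted host is actually exposed to what the alert
describes. All sample data below is constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from any real device); the line format is invented.
FIREWALL_LOG = """\
2005-03-01T10:00:01 DENY src=203.0.113.9 dst=192.0.2.10 dport=22
2005-03-01T10:00:02 DENY src=203.0.113.9 dst=192.0.2.11 dport=22
2005-03-01T10:00:03 DENY src=203.0.113.9 dst=192.0.2.12 dport=22
2005-03-01T10:00:04 DENY src=203.0.113.9 dst=192.0.2.13 dport=22
2005-03-01T10:02:00 ALLOW src=198.51.100.7 dst=192.0.2.20 dport=80
"""
IDS_LOG = """\
2005-03-01T10:00:30 ALERT sig=ssh-brute-force src=203.0.113.9 dst=192.0.2.13
2005-03-01T10:02:10 ALERT sig=web-cgi-overflow src=198.51.100.7 dst=192.0.2.20
2005-03-01T10:05:00 ALERT sig=web-cgi-overflow src=198.51.100.8 dst=192.0.2.21
"""
# Constructed vulnerability-scanner output: host -> findings it is exposed to.
VULN_SCAN = {
    "192.0.2.13": {"ssh-weak-auth"},
    "192.0.2.20": {"web-cgi-overflow"},
    "192.0.2.21": set(),  # patched host: the scanner found nothing
}
# Hypothetical mapping from an IDS signature to the scanner finding that makes it real.
SIG_TO_VULN = {"ssh-brute-force": "ssh-weak-auth", "web-cgi-overflow": "web-cgi-overflow"}


def parse_kv_log(text, source):
    """Turn 'TIMESTAMP ACTION k=v k=v ...' lines into dicts sharing one schema."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ev = {"ts": datetime.fromisoformat(parts[0]), "source": source, "action": parts[1]}
        for kv in parts[2:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def correlate(fw_events, ids_events, vuln_scan, window=timedelta(minutes=5), deny_threshold=3):
    """Score each IDS alert using firewall and scanner context; highest severity first."""
    denies = defaultdict(list)  # source IP -> timestamps of firewall DENY entries
    for ev in fw_events:
        if ev["action"] == "DENY":
            denies[ev["src"]].append(ev["ts"])
    incidents = []
    for alert in ids_events:
        # 1) Is the targeted host actually exposed to what the signature describes?
        needed = SIG_TO_VULN.get(alert["sig"])
        target_vulnerable = needed in vuln_scan.get(alert["dst"], set())
        # 2) Has the firewall seen this source hitting other hosts within the window?
        recent = [t for t in denies[alert["src"]] if abs(alert["ts"] - t) <= window]
        scanning = len(recent) >= deny_threshold
        if target_vulnerable and scanning:
            severity = "high"
        elif target_vulnerable:
            severity = "medium"
        elif scanning:
            severity = "low"
        else:
            severity = "info"  # likely noise: host is not exposed and source is not probing
        incidents.append({"src": alert["src"], "dst": alert["dst"], "sig": alert["sig"],
                          "severity": severity, "fw_denies_in_window": len(recent)})
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(incidents, key=lambda inc: order[inc["severity"]])


def run():
    """Parse the constructed logs and return the prioritized incident list."""
    return correlate(parse_kv_log(FIREWALL_LOG, "firewall"),
                     parse_kv_log(IDS_LOG, "ids"), VULN_SCAN)


if __name__ == "__main__":
    for inc in run():
        print(f"{inc['severity']:6} {inc['sig']} {inc['src']} -> {inc['dst']} "
              f"(firewall denies in window: {inc['fw_denies_in_window']})")
```

Run as a script, the brute-force alert against the host the scanner flagged comes out "high" because the firewall independently saw the same source sweep four hosts, the overflow alert against the exposed web host is "medium", and the overflow alert against the patched host drops to "info", which is the kind of "garbage" the law firm's security manager wants kept out of the on-call queue.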
Nearly a third of survey respondents say they're deploying technology to spot anomalous behavior on their networks and lock down their applications. And more are experimenting with new intrusion-prevention systems.
They're also putting more pressure on software vendors by adding new requirements to contracts. "More people are requiring vendors to put in their contracts that the vendor is being diligent when developing security apps," says Michael Overly, a technology attorney with law firm Foley & Lardner. Such clauses require the vendor to warrant that its products have been tested and passed a quality-assurance process, and that it follows security best practices during development.
Around a third of all survey respondents say software vendors should be held legally and financially liable for software flaws. However, in the United States, 47% say vendors shouldn't be held legally or financially responsible if they can prove they have secure development practices in place. The bulk of worldwide respondents (68%) say they're "somewhat satisfied" with the security efforts of software makers, while 17% are extremely satisfied and 15% extremely dissatisfied.
Most security professionals say it will take time before applications are more secure. "You don't recover from years of code deployment that really didn't have the scrutiny from a security perspective," says Union Bank's Justus. "It's going to take a long time to catch up."