Dark Reading is part of the Informa Tech Division of Informa PLC



Security's Risk And Change Management Tools: Drawing A Picture Of Security Posture

Apps that track and manage change and configuration of firewalls and other security systems are finding a home as security and risk monitoring tools in large enterprises

It's a question that business executives love to ask -- and IT people hate to answer. "What's our security status?"

If you've been around IT security for more than a week, then you know there's no definitive, empirical way to answer that question. Recently, however, some large enterprises have been getting a little closer to providing some metrics for security posture, using an emerging class of products that is coming into its own.

The technology category -- championed by vendors with names such as AlgoSec, RedSeal, Skybox, and Tufin -- has been variously referred to as "security risk management," "security life cycle management," "firewall configuration management," and "security posture management" (SPOM), among other names. At its heart, it refers to tools that track various changes made to an enterprise's network defenses -- principally firewall and router settings, as well as other security system data -- and evaluates the potential impact of proposed changes.

SPOM (let's use that term for now, since it's the shortest and goodness knows we *need* another acronym) is sometimes referred to as the "preventative" side of security monitoring because it focuses on how enterprises are enforcing their security policies -- and what might happen if they change those policies. This separates SPOM from security information and event management (SIEM), which reports on security-related network activity after it occurs.

"SIEM is a useful tool, but although it's been around for years, enterprises are finding that their risk is continuing to rise," says Michelle Cobb, vice president of marketing at Skybox. "It's collecting data after the fact -- after the horse is out of the barn. What we try to do is reduce the window of risk, reducing the possibility that a bad 'event' will occur in the first place."

Unlike SIEM, SPOM enables an enterprise to set an acceptable level of risk and then tune its security systems and configurations to meet that requirement. Steve Dauber, vice president of marketing at RedSeal Systems, compared the current evolution of security management systems to the evolution of network management systems a decade ago.

"First we had element management systems that collected data from individual devices," he recalled. "Then we had enterprise network management systems that collected all the data from the element management systems into a single console, which is basically what SIEM does. After that, we saw the development of correlation engines, change management, and service-level management, which allowed you to intelligently set specific service levels for critical applications and business services. SPOM is sort of the service-level management of security -- but you're using risk as the variable, rather than network performance or uptime."

At the core of most SPOM systems is the task of firewall configuration, which is how most enterprises "tune" their level of risk. If a certain application or type of data presents a high risk, then the firewalls are configured to restrict its transmission. If another application presents little risk, then the firewalls will be configured to allow data to flow more freely.

Coordinating these policies and changes across a whole network of firewalls is no simple task, which is why Tufin's products are designed to monitor changes in real time, according to Ruvi Kitov, CEO of Tufin. "We want to be able to tell you right away if a change that was made might affect security or business continuity," he says. "More importantly, we want to tell the approver of a potential change what the effect of that change might be, so that problems can be avoided in the first place."
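The pre-approval impact check described above, as an added illustration (example code written for this page, not Tufin's or RedSeal's own logic): a proposed firewall rule set is diffed against the current one and every added allow rule is tested against a constructed zone-to-zone risk policy, so the approver sees the violations before the change is pushed. Zone names, services and the `POLICY` table are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str   # e.g. "tcp/443", or "any" for all services
    action: str    # "allow" or "deny"


# Constructed risk policy: the only services each zone pair may be allowed to
# carry. Zone pairs absent from the table may carry no traffic at all.
POLICY = {
    ("internet", "dmz"): {"tcp/80", "tcp/443"},
    ("dmz", "internal"): {"tcp/5432"},       # app tier -> database only
    ("internal", "internet"): {"tcp/443"},
}


def rule_violations(rule):
    """Return the reasons an allow rule breaches POLICY (empty list if compliant)."""
    if rule.action != "allow":
        return []                            # deny rules never widen exposure
    permitted = POLICY.get((rule.src_zone, rule.dst_zone))
    if permitted is None:
        return [f"no traffic permitted from {rule.src_zone} to {rule.dst_zone}"]
    if rule.service == "any":
        return [f"'any' service not permitted from {rule.src_zone} to {rule.dst_zone}"]
    if rule.service not in permitted:
        return [f"{rule.service} not in permitted set {sorted(permitted)}"]
    return []


def evaluate_change(current, proposed):
    """Report what the proposed rule set adds or removes relative to the current
    one, which added rules breach POLICY, and whether the change is approvable."""
    added = [r for r in proposed if r not in current]
    removed = [r for r in current if r not in proposed]
    violations = {r: rule_violations(r) for r in added if rule_violations(r)}
    return {"added": added, "removed": removed,
            "violations": violations, "approve": not violations}


# Constructed rule sets: a change ticket opens the database tier wide "for troubleshooting".
CURRENT = [Rule("internet", "dmz", "tcp/443", "allow"),
           Rule("dmz", "internal", "tcp/5432", "allow")]
PROPOSED = CURRENT + [Rule("dmz", "internal", "any", "allow"),
                      Rule("internet", "dmz", "tcp/80", "allow")]

if __name__ == "__main__":
    for rule, reasons in evaluate_change(CURRENT, PROPOSED)["violations"].items():
        print(rule, "->", reasons)
```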

Firewall configuration might be a key function in the product category, but a true SPOM product goes beyond the firewall and helps monitor and tune change and configuration data in a variety of security systems -- and even routers -- in the enterprise, Dauber says. In fact, there are accounts where Tufin and RedSeal products work side by side -- Tufin is used to do firewall configuration, and RedSeal provides a broader set of "posture management" capabilities, he says.

In other cases, SPOM products might work alongside conventional vulnerability management tools, such as those offered by Qualys or nCircle, to provide a more complete picture of the potential flaws in the enterprise's security posture -- the potential risks that the enterprise faces, Dauber says. Using this data helps the enterprise evaluate its weaknesses and prioritize the vulnerabilities it wants to fix first, he states.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
