The IT Security Castle
If you think of an IT network as a feudal castle, the IT security system would include the moat, the walls around the castle and the drawbridge leading inside. These three defenses aim to stop security problems before they occur, and they correspond to the firewall in a network security system. But no matter how much they cost, these tools alone cannot provide adequate security, says Chuck Adams, chief security officer with NetSolve Inc., an Austin, Texas-based outsourcing firm that manages IT systems, including security, for businesses and institutions.
Most network security managers spend too much time and money on prevention — widening the moat, raising the height of the walls, and thickening the drawbridge, continues Adams. In 2003, organizations spent $9 billion trying to secure the IT castle, with 90 percent of money devoted to prevention.
In fact, nothing bad happens to castles and networks most of the time. Without someone watching for attacks, though, there is no way to tell how much of the money spent on prevention actually prevented anything, and how much simply bought walls that were never tested.
Adams believes that network security would be more effective and less expensive if managers spent evenly on preventing, monitoring and responding to problems. Such an approach would enable managers to understand where specific threats come from and to devise targeted prevention strategies to deal with those threats.
And what good is a firewall or a moat if someone who lives in the castle escorts an enemy in? Think of the traveling executive whose laptop picks up a virus during a trip. When the executive returns and connects the laptop to the corporate network to upload data, the virus passes into the system without ever crossing the firewall. If no one is monitoring inside the castle, the virus will have a free run.
“Effective security systems prevent, monitor and respond,” Adams says. “That’s the standard approach to security, and the IT world is not applying the standard properly. We are spending too much money on prevention and falling down when it comes to monitoring and responding.”
Adams developed his approach to IT security during a 10-year stint with the Department of Defense Computer Emergency Response Team that built the Air Force Information Warfare Center (AFIWC). His responsibilities included making security assessments, reviewing system security designs, and developing appropriate responses to network security incidents.
Now with NetSolve, Adams works to monitor and control critical points in the infrastructure of NetSolve clients. “We embed security tenets or principles in a client’s infrastructure,” he says. “We monitor for events that violate those tenets. When something happens, we respond in real time to control outbreaks. This doesn’t have anything to do with firewalls.”
The embedded tenets or principles are like police officers patrolling the comings and goings inside a castle. If an officer sees a robbery in progress, he or she calls for backup, races to the scene and responds to the problem. Likewise, when an IT security monitor, human or technological, spots a stream of data that resembles the beginning of a virus attack, security homes in on the offending computer and responds. “We’ll knock that system off the infrastructure to keep anything else from being compromised,” Adams says.
Monitoring and responding also involve reviewing events and developing prevention tactics from what they reveal. Suppose a security administrator notices that a series of recent attacks has emanated from a particular Internet Service Provider (ISP). Steps can then be taken to block access to the network from computers operating through that ISP. In such a case, prevention aims at a specific and achievable goal, instead of the impossibly vague goal of keeping all bad things out.
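The two review steps described above, isolating an internal host that starts behaving like a spreading virus and turning a run of attacks from one ISP into a targeted block rule, can be sketched as a short event-review script. The following is an added example written for this article, not NetSolve's tooling; the log format, the internal address range, the ISP prefix table and the thresholds are all constructed for illustration, and a real deployment would take the ISP-to-prefix mapping from WHOIS or routing data rather than a hard-coded table.

```python
"""Event review for targeted prevention (added example; constructed data throughout)."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.0.0/16")  # constructed: the client's own address space

# Constructed lookup of which ISP announces which prefixes, hard-coded so this runs offline.
ISP_PREFIXES = {
    "ExampleNet": [ip_network("203.0.113.0/24")],
    "DocuTel": [ip_network("198.51.100.0/24")],
}

# Constructed event log: "<timestamp> <src> <dst> <event>", one event per line.
SAMPLE_LOG = """\
2004-03-02T09:00:01 203.0.113.17 192.168.1.20 ssh-bruteforce
2004-03-02T09:00:04 203.0.113.99 192.168.1.20 ssh-bruteforce
2004-03-02T09:00:09 203.0.113.42 192.168.1.21 web-scan
2004-03-02T09:00:11 198.51.100.8 192.168.1.20 ssh-bruteforce
2004-03-02T09:00:15 203.0.113.5 192.168.1.22 web-scan
2004-03-02T09:00:20 203.0.113.17 192.168.1.23 web-scan
2004-03-02T09:01:00 192.168.1.30 192.168.1.40 smb-connect
2004-03-02T09:01:01 192.168.1.30 192.168.1.41 smb-connect
2004-03-02T09:01:01 192.168.1.30 192.168.1.42 smb-connect
2004-03-02T09:01:02 192.168.1.30 192.168.1.43 smb-connect
2004-03-02T09:01:02 192.168.1.30 192.168.1.44 smb-connect
2004-03-02T09:01:03 192.168.1.30 192.168.1.45 smb-connect
2004-03-02T09:01:05 192.168.1.31 192.168.1.40 smb-connect
"""


def parse_events(log_text):
    """Turn raw log lines into (timestamp, src, dst, event) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip it rather than abort the whole review
        ts, src, dst, kind = parts
        try:
            events.append((ts, ip_address(src), ip_address(dst), kind))
        except ValueError:
            continue  # unparseable address
    return events


def isp_for(addr):
    """Map an external address to its ISP via the prefix table; None if unknown."""
    for isp, prefixes in ISP_PREFIXES.items():
        if any(addr in p for p in prefixes):
            return isp
    return None


def attacks_by_isp(events):
    """Count events that came from outside the castle, grouped by originating ISP."""
    counts = Counter()
    for _, src, _, _ in events:
        if src in INTERNAL:
            continue
        counts[isp_for(src) or "unknown"] += 1
    return counts


def isp_block_rules(events, min_events=5, min_share=0.75):
    """Recommend blocking an ISP only when it supplies most of the recent external attacks.

    Both thresholds are illustrative. Blocking an ISP also blocks its legitimate
    customers, so the share requirement keeps the rule targeted rather than reflexive.
    """
    counts = attacks_by_isp(events)
    total = sum(counts.values())
    rules = []
    for isp, n in counts.items():
        if isp == "unknown" or total == 0:
            continue
        if n >= min_events and n / total >= min_share:
            for prefix in ISP_PREFIXES[isp]:
                rules.append(f"deny ip {prefix} any  # {isp}: {n} of {total} recent attacks")
    return rules


def quarantine_candidates(events, fanout=5):
    """Internal hosts reaching many distinct internal peers: the inside-the-walls case."""
    peers = defaultdict(set)
    for _, src, dst, _ in events:
        if src in INTERNAL and dst in INTERNAL:
            peers[src].add(dst)
    return sorted(str(h) for h, s in peers.items() if len(s) >= fanout)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(attacks_by_isp(evs))
    for rule in isp_block_rules(evs):
        print(rule)
    print("quarantine:", quarantine_candidates(evs))
```

On the constructed log, five of six external attacks come from the ExampleNet prefix, so a single deny rule for 203.0.113.0/24 is recommended while the lone DocuTel event is left alone, and 192.168.1.30 is flagged for isolation because it has touched six internal peers in a few seconds. The thresholds are the part a practitioner tunes: set them from what monitoring has actually shown on the network, which is the point Adams makes about prevention becoming more specific over time.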
“If you focus on prevention, monitoring and responding, your preventive actions will become more specific over time and your prevention costs will decline,” Adams says. “Monitoring and responding teaches you about problems related to your network and enables you to anticipate and prevent those problems.”
Adams believes the benefits of his strategy go beyond helping to control IT security budgets and extend to improved network performance. “In systems that do not focus on monitoring and response, we have tracked a 2.5-3 percent loss of system availability during virus attacks,” Adams says. “That might translate into a 30-minute system-wide blackout.”