Security
• Why vendor neutrality matters, and what it means in practice
o Example: You bring a security vendor in to help you begin your security efforts beyond a basic firewall.
A security vendor with “partnerships” with product vendors may spend your entire budget on the security devices alone (intrusion detection, data loss prevention, antivirus, email security, and so on), leaving no budget for the tooling or personnel that will actually monitor these devices. You end up with a ton of cameras and nobody, and no technology, watching them. Many of these devices produce thousands of events each day, but these providers won’t mention this to you. Instead, they’ll wait for you to discover it and have to come up with more budget to bring them back in to “solve the new problems”.
A vendor-neutral provider will determine what your budget limitations are and present a holistic solution. This may combine free or open source options, such as Snort and Nessus, with other solutions, leaving budget for security information management technology, personnel, or managed security services that turn the visibility these devices provide into actual protection.
• What security providers/vendors don’t want you to know!
o Security service providers often tailor what they offer to whatever they have expertise and profitable technology for. Over years of performing security services, this fundamental fact has become apparent not only from working for these providers, but also from the customers we talk with. In fact, many security professionals working at organizations worldwide are equally prone to focusing their security efforts on the areas where they themselves have the most expertise.
It’s human nature. One of the most prominent examples of this is application security. Application risks have become one of the areas most heavily exploited by Internet attackers. Almost every company today has some custom technology, or an outside vendor producing custom code, for things like its website, ERP/MRP system, or other business solutions. These programs often touch our most critical data and traverse our most sensitive networks.
Within organizations, it is not uncommon for security professionals to work primarily with IT, networking, and compliance. It is rare for these professionals to work closely with development, and even rarer for them to have development skills beyond scripting.
Security service companies are equally lacking in proficiency and understaffed when it comes to application security issues. More often, they depend on packaged application assessment solutions. While these scanners, such as Web Inspect and others, can do an excellent job of identifying common code risks, they often fall short in providing practical solutions. This is not so much their fault per se, but simply a result of having to make generic recommendations without knowing anything about an application’s business purpose and related requirements.
Making effective security solutions for applications requires a core understanding of both the business they serve and the development skills used to build them.
A simple historical fact that serves as an excellent example of this issue with security vendors is the thousands of organizations running intrusion detection that has no visibility into HTTPS (SSL) traffic. In fact, many intrusion detection systems, including Juniper IDP, have been shown in our own services to offer features for installing SSL certificates (so the sensor can decrypt and inspect the traffic) that do not actually work. For most organizations this isn’t even the issue, because these features are never configured or even discussed by security vendors. The fact is, many don’t want to discuss application-specific issues, or even come close to them, knowing they have little knowledge and will quickly be exposed as laymen if a developer is present.
Compliance regimes are beginning to catch up to these facts. Many, including PCI, now include requirements regarding application security, training, monitoring, and overall due diligence. Unfortunately, many applications lack basic auditing, or any logging of the information that operations actually needs. Yes, many include “logging”, but these logs are designed for developers and debugging; effective monitoring may have to sift through thousands of debug-level lines to find a single security-relevant event. In addition, most security information management technologies do not integrate with custom applications, or require significant purchases of services to create the necessary integration. Vault Ecommerce addresses this issue through technology we’ve developed that fully integrates with custom applications without significant investment, using a modular method of definition.
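As an illustration of the problem just described, here is a small added example (not Vault Ecommerce’s code, and not the integration technology mentioned above) that walks a developer-style application log, discards the debug noise, and keeps only the lines that describe a security-relevant event in a structured form a SIM could ingest. The log lines and their format (timestamp, level, component, message) are constructed for this example and are not from any real application; the three event rules are likewise assumptions for illustration.

```python
import re

# Constructed sample log, not real application output. The line format
# "timestamp LEVEL Component: message" is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z DEBUG OrderService: loaded 42 rows from cache
2024-03-01T10:00:02Z DEBUG AuthFilter: checking session for user=alice
2024-03-01T10:00:02Z WARN AuthFilter: login failed for user=alice src=203.0.113.5
2024-03-01T10:00:03Z DEBUG OrderService: rendering template order.html
2024-03-01T10:00:04Z WARN AuthFilter: login failed for user=alice src=203.0.113.5
2024-03-01T10:00:05Z WARN AuthFilter: login failed for user=alice src=203.0.113.5
2024-03-01T10:00:06Z INFO AuthFilter: login ok for user=alice src=203.0.113.5
2024-03-01T10:00:07Z INFO AdminController: role changed user=bob role=admin by=alice
2024-03-01T10:00:08Z DEBUG OrderService: GC pause 12ms
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]+) (?P<src>\w+): (?P<msg>.*)$")

# Hypothetical rules: each names an audit event and the message pattern that
# identifies it. Anything not matched by a rule is treated as developer noise.
AUDIT_RULES = [
    ("auth.failure", re.compile(r"login failed for user=(?P<user>\S+) src=(?P<ip>\S+)")),
    ("auth.success", re.compile(r"login ok for user=(?P<user>\S+) src=(?P<ip>\S+)")),
    ("privilege.change",
     re.compile(r"role changed user=(?P<user>\S+) role=(?P<role>\S+) by=(?P<actor>\S+)")),
]


def parse_line(line):
    """Split one log line into its fields; returns None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def extract_audit_events(text):
    """Walk the log once. Returns (events, dropped): the security-relevant
    records as dicts, and the count of lines discarded as debug noise."""
    events, dropped = [], 0
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, rule in AUDIT_RULES:
            m = rule.search(rec["msg"])
            if m:
                events.append({"ts": rec["ts"], "event": name, **m.groupdict()})
                break
        else:
            dropped += 1
    return events, dropped


def suspicious_logins(events, threshold=3):
    """Flag (user, ip) pairs with at least `threshold` failures, and record
    whether a success followed the failures (credential guessing that worked)."""
    failures, succeeded = {}, set()
    for e in events:
        key = (e.get("user"), e.get("ip"))
        if e["event"] == "auth.failure":
            failures[key] = failures.get(key, 0) + 1
        elif e["event"] == "auth.success" and failures.get(key, 0) >= threshold:
            succeeded.add(key)
    return [
        {"user": u, "ip": ip, "failures": n, "succeeded_after": (u, ip) in succeeded}
        for (u, ip), n in failures.items()
        if n >= threshold
    ]


if __name__ == "__main__":
    kept, noise = extract_audit_events(SAMPLE_LOG)
    print(f"{len(kept)} audit events kept, {noise} debug lines dropped")
    for hit in suspicious_logins(kept):
        print("ALERT", hit)
```

On the constructed sample, four of the nine lines are debug noise and five are audit events; the three failures followed by a success for the same user and source address are what a SIM should be alerting on, and none of that is visible if the raw debug stream is what gets forwarded. The rule list is the "modular definition" part: each custom application gets its own handful of patterns rather than a bespoke integration project.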
In addition, many SIM technologies do integrate with some of these technologies, such as SQL Server, but provide little value or analysis toward identifying threats. In fact, many of them are guilty of mostly showing pretty graphs with little decision-making knowledge in their delivery.
With strong security and development knowledge, Vault Ecommerce focuses on many of these issues. While not limited to application security, it has been our finding that application risks often represent the most critical risks in our clients’ environments and the most important to focus on.

