WHITE PAPER

Comprehensive Threat Management: Shielding Organizations from Today's Security Challenges

Sponsored by: Symantec
Gerry Pintal
February 2006

IDC OPINION

Enterprises large and small are investing ever-increasing amounts of time and money in designing, implementing, and rolling out more complex and theoretically more robust security systems. Security shields are designed, updated, and put into active operation to fortify against the constant bombardment of internal and external attacks. IDC estimates that security-related expenditures for hardware, software, and services reached $32.6 billion in 2005 and will rise to $60 billion by 2009.

Security challenges facing all enterprises are not static. The constant need for changes in IT infrastructures, operations, and software applications is driven by dynamic and evolving business strategies. These evolving business factors are the principal driving forces behind both perimeter and infrastructure changes. Moreover, the need to adapt and integrate new technology components aimed at further broadening and strengthening perimeter defenses makes the overall task of managing this moving target a particularly challenging and difficult one.

Further complicating IT's task of maintaining a secure environment for corporate and customer information is the strong business need to perforate existing secure perimeters. These "perforations" are necessary to support an ever-increasing requirement for access to business information by corporate branches, business partners, company citizens, and, in many cases, customers. IDC believes that to successfully establish strong enterprise security defenses, enterprises must begin to view the overall security problem in a broader context that includes anticipating and dealing with zero-day and other real-time threats.
By introducing its comprehensive threat management solution, Symantec is stepping up to help IT and security professionals meet this challenge at all levels of the IT infrastructure.

#200658 2006 IDC

IN THIS WHITE PAPER

In this white paper, IDC reviews the issues relating to enterprise security needs and briefly examines the increasing level of malware and other intrusive threats facing enterprises. We present a broad overview of the issues enterprise stakeholders and IT organizations are facing with newly introduced regulatory mandates. We also describe Symantec's multilevel approach to threat management with its comprehensive threat management solution, which provides a proactive approach to defending against internal and external security threats while giving users trusted access to information.

The solution is based on Symantec's DeepSight Threat Management System, an early warning security service designed to provide IT with timely information regarding the potential launch and spread of unknown and/or zero-day attacks. This early warning system provides detailed technical information and data about the nature of impending threats. With the DeepSight early warning service, IT can take immediate action to proactively protect against developing threats.

SITUATION OVERVIEW

IDC's research has shown that the nature of threats continues to change and that the frequency of threats to the enterprise continues to increase at an alarming rate. Threats to the enterprise are no longer driven solely by hackers and malware developers who launch attacks simply for the fun of it, to create havoc, or for self-serving edification.

Figure 1 offers a view of successful enterprise attacks reported in IDC's 2005 Enterprise Security Survey. Forty percent of respondents reported successful attacks, and 30% reported 10 or fewer successful attacks against their systems.
Additionally, 50% of respondents from large companies stated that they had more than 11 successful attacks on their enterprise. The clear message from this chart is the overwhelming prevalence of at least one successful attack on the enterprise.

FIGURE 1
Number of Successful Attacks in the Past 12 Months by Company Size

Q. How many attacks, including (but not limited to) viruses, hacks, Trojan horses, and worms, against your company's enterprise network defenses successfully breached security in the past 12 months?

[Bar chart by company size (small, medium-sized, large, very large); response categories: none, 1-10, 11-50, 51-100, 101-1,000, more than 1,000, don't know; vertical axis: percentage of respondents, 0-100]

n = 435

Note: Small companies are those with 1-99 employees, medium-sized companies are those with 100-999 employees, large companies are those with 1,000-9,999 employees, and very large companies are those with 10,000+ employees.

Source: IDC's Enterprise Security Survey, 2005

Businesses, government agencies, and educational institutions are now experiencing attempted and successful breaches as a result of criminal activities. Cyberthieves represent a real threat to enterprises, with crimes such as identity theft, credit card fraud, and personal data theft. These activities place enterprises at greater risk of security breaches than ever before. Attacks on enterprise information assets now stem from the activities of corporate citizens, delinquents, rogues, and thieves.

IDC's 2005 Enterprise Security Survey also revealed that very large company respondents (43%) believe that the single greatest source of threat is from within the enterprise. Figure 2 shows the survey results, including responses from small to very large companies.

FIGURE 2
Greatest Threat to Enterprise Network Security by Company Size

Q. What is the single greatest threat to your company's enterprise network security?

[Bar chart by company size (small, medium-sized, large, very large); response categories: external sources, internal sources, about even, don't know; vertical axis: percentage of respondents, 0-100]

n = 435

Note: Small companies are those with 1-99 employees, medium-sized companies are those with 100-999 employees, large companies are those with 1,000-9,999 employees, and very large companies are those with 10,000+ employees.

Source: IDC's Enterprise Security Survey, 2005

As discussed earlier, enterprise IT architectures are becoming more complex as business dynamics and security issues continue to challenge IT professionals. Figure 3 provides a high-level graphical overview of the functional layers of a typical corporate computing infrastructure. In our conceptual overview, the architecture comprises four layers:

- Central resources
- Control
- Perimeter
- Extended perimeter

FIGURE 3
Porous Perimeter Requires Better Visibility

[Layered diagram, outermost to innermost:
Extended perimeter: remote users/telecommuters, customers, business partners, branch offices, road warriors, mobile workers, wireless LAN
Perimeter: VPN, firewall, IDS, wireless access point, email scanning, virus checking, managed security services
Control: RADIUS, access control, identity management, single sign-on, policy enforcement, policy management, VLAN
Resources: devices; applications: voice, CRM, UC; operating systems; data; video]

Source: IDC, 2006

Centrally positioned in this conceptual enterprise architecture (the resources layer) are the corporate computing and networking resources. This core is made up of central computing systems managing data storage and execution of centrally managed applications. Also included in this core are voice and other centrally located computing, network, and infrastructure devices.

The control layer implements and manages functions such as access control, identity management, policy management, auditing, and single sign-on methodology.

The perimeter layer is made up of security-related devices and security functions. It includes the implementation of firewall, IDS/IPS, antispam, antivirus, managed security services, email scanning, wireless access, and VPN access.

The extended (or perforated) perimeter layer provides screened access to selected applications and core data and depends on the access privileges defined by the control layer. The outer perimeter is where the interface to business partners and remote users, including telecommuters, customers, suppliers, and mobile workers, occurs. Effectively implementing and maintaining extended perimeter functionality in a secure way presents significant challenges for IT.

The ability to thwart attacks at the enterprise perimeter, or within the enterprise infrastructure, has been achieved, to a large degree, through knowledge of existing and past known vulnerabilities.
Many infrastructure components are vulnerable to attacks as a result of security deficiencies in equipment and software components, as well as configuration errors or deficient or incomplete security policies. Tracking and maintaining current knowledge of vulnerabilities in all equipment and software, coupled with establishing sound security policies, also presents challenges for management and IT professionals.

The four main areas of an IT infrastructure requiring security considerations are:

- Extended perimeter (gateway) barrier
- Effective network intrusion detection and prevention
- Critical resource intrusion prevention
- Client/user security

These areas of enterprise infrastructure form the basis for establishing the components of a comprehensive security-based architecture. Establishing a security-oriented infrastructure based on the considerations described above does not complete the list of issues involved in establishing a secure enterprise at the levels illustrated in Figure 3. To be optimally effective, a security infrastructure must also have the following characteristics:

- Be easily deployed, configured, and managed
- Be scalable
- Provide updates with minimal service interruptions
- Provide a high degree of protection at all levels
- Provide auditable reporting for compliance
- Offer preemptive actionable information

From a practical and architectural standpoint, no single component will provide the integrated functionality required to establish a completely secure environment for the enterprise.

New legislation and regulatory mandates such as SarbOx, HIPAA, PIPEDA, GLBA, EUPA, CA SB 1386/1950, Basel II, and FISMA hold corporate stakeholders responsible for ensuring that their companies protect corporate and customer information. As a result of these regulatory mandates, corporate stakeholders face potential fines should they fail to develop, implement, and maintain auditable policies. These new regulations will provide companies with real incentives to further invest in security-related budget line items that were previously considered optional or of lower priority.

The estimated cost of conforming to these new regulatory mandates will be significant. IDC estimates that midmarket enterprises could spend over $2 million to completely outsource a compliance program during the first year. If they decide to undertake the task internally, the manpower costs could be as much as $600,000. This figure does not include the opportunity cost of assigned staff not being available for other core business-related activities.

A primary focus of IT management has been to set up and maintain defensive mechanisms and strategies to protect against known threats to their enterprises. Newly introduced regulations compel stakeholders to focus on their security-related investments. Establishing a solid perimeter shield to ensure protection of corporate information assets and customer data from all forms of threats, while conforming to regulations for audit purposes, has become of paramount importance.

While it is crucial for enterprises to focus on establishing secure perimeter and core network architectures, it is equally important for enterprise stakeholders and IT organizations to periodically step away from their chaotic day-to-day challenges to broaden the view and scope of their strategic and tactical approaches to defending against impending security breaches.

Secure defenses against zero-day attacks and threats are the most difficult challenges facing IT today. Early warning of impending zero-day class threats is commonly achieved through informal mechanisms such as email notices, word of mouth, Web sites, and other industry and community alerts. Although these mechanisms provide some level of early warning, a complete picture of the impending threat is not generally available from a single source.
The main issue confronting enterprises today is that by the time the threat behavior is understood and defense strategies are established, dangerous payloads have made significant progress in infecting vulnerable targets of opportunity. Figure 4 provides an alarming view of the narrowing window of time available to react to exploits.

FIGURE 4
Time to Automated Exploit

[Chart of time from vulnerability disclosure to automated exploit, 1992 to 2004; vertical axis: 4 months, 3 months, 2 months, 1 month, weeks, zero day; data points: File Virus, Code Red, Blaster, Sasser, Witty Worm]

Source: Symantec, 2006

What is needed is the equivalent of an early warning system that detects or senses the impending threat while it is in the very early stages of deployment. Data collection and analysis of network traffic and behavior are crucial first steps toward establishing a worldwide early warning system designed to alert enterprise IT organizations of impending threats.

Such a system is analogous to the nations of the world cooperating in setting up defenses against the impending threat of a bird flu pandemic. Early detection, dissemination of information, and cooperation by world health organizations provide early warning of the spread of potentially deadly infections and allow the medical community and governments to prepare for such situations and establish mechanisms to prevent the further spread of diseases.

To establish and maintain a secure and effective enterprisewide threat management system that addresses the aforementioned aspects of enterprise security infrastructure, security vendors must provide the building blocks necessary to cost-effectively implement secure architectures. Symantec, with its comprehensive end-to-end security architecture, provides a cost-effective and scalable security solution for enterprises.
Symantec's comprehensive threat management solution offers a series of tools which, when integrated, provide point product solutions to proactively block known, unknown, internal, and external threats at all layers of the IT infrastructure. The architecture is scalable and provides cost-effective and comprehensive security solutions for companies ranging in size from 100 employees to large enterprises with more than 5,000 employees. Table 1 lists the main components of Symantec's comprehensive threat management solution.

TABLE 1
Main Components of Symantec's Comprehensive Threat Management Solution

Symantec Product / Description

Gateway Security (SGS-300, SGS-400, SGS-5400/5600)
- Full inspection firewall with protocol anomaly and signature-based intrusion prevention and intrusion detection, virus protection, URL-based content filtering, antispam, and IPsec-compliant VPN

Network Security (SNS-7100)
- Designed to stop threats from propagating throughout networks
- Combines multiple detection technologies, including protocol anomaly detection and vulnerability attack interception, to accurately identify and block both known and unknown attacks and worms

Critical System Protection (Host Intrusion)
- Locks down the operating system, high-risk applications, and databases, preventing unauthorized executables from being introduced and run
- Protects against zero-day attacks, hardens systems, and helps maintain compliance by enforcing behavior-based security policies on clients and servers

Client Security (Symantec Antivirus)
- Ensures client protection by providing comprehensive and proactive defenses against blended threats of spyware, unauthorized network access, and mass-mailer attacks, with virus and vulnerability-based detection

DeepSight Service
- Tracks security events on a global basis, providing early warning of active attacks
- Includes personalized notification triggers and expert analysis, enabling enterprises to prioritize IT resources in order to protect critical information assets against a potential attack

Source: IDC and Symantec, 2006

CHALLENGES/OPPORTUNITIES

Security challenges facing IT professionals and management are becoming increasingly complex. Thus, it is of critical importance that they make sound management, technical, and auditable policy decisions. Symantec's comprehensive threat management solution provides enterprise stakeholders with the opportunity to approach this multifaceted problem with a comprehensive end-to-end solution that is both scalable and cost-effective.

CONCLUSION

Symantec's comprehensive threat management solution is cost-effective, scalable, and adaptable to the profile and size of enterprises. It extends threat mitigation coverage beyond the internal infrastructure and perimeter boundaries with its DeepSight Service. DeepSight is a proactive early warning system that provides IT professionals with near-real-time data and information about the impending spread of threats. It is based on Symantec's comprehensive data gathering network, which comprises over 20,000 registered data partners spanning over 180 countries.

Symantec's security system components also address regulatory requirements for producing auditable compliance reporting. Reporting tools are available to produce the data and information required to fulfill regulatory and internal compliance reporting.

COPYRIGHT NOTICE

External Publication of IDC Information and Data: Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason.

Copyright 2006 IDC. Reproduction without written permission is completely forbidden.