Security /

Managed security monitoring

By M. E. Kabay
Network World Security Newsletter, 07/04/01

Readers will know that I admire and respect Bruce Schneier, founder and chief technical officer of Counterpane Internet Security. The man is brilliant, his take on security makes sense and he writes clearly and simply. His free monthly e-mail newsletter, " Cryptogram, " [www.counterpane.com/crypto-gram.html] is always worth reading and includes lucid opinion pieces and brief summaries of recent information security developments with pointers to the full articles. His book " Secrets and Lies " (see www.counterpane.com/sandl.html) is a stimulating exploration of the fundamental issues in security today and is suitable not only for network managers and security experts but also for general management who have even the slightest interest in security.

I recently received a booklet entitled, " Managed Security Monitoring: Network Security for the 21st Century " by Bruce Schneier and found it up to Schneier's usual standard of excellence. The document is available on the Web in HTML [www.counterpane.com/msm.html] and in PDF [www.counterpane.com/msm.html ].

Schneier's introduction reiterates his emphasis on the human side of security as he believes that sole dependence on technology products is futile. In the section on " The Importance of Security, " he summarizes risks for organizations using the Internet. He describes direct losses as, " theft of trade secrets, customer information, money [and] productivity losses, " and indirect losses as, " loss of customers, damage to brand [and] loss of goodwill. "

He points to increased legal liability for officers of organizations that fail to protect the privacy of customers or data subjects in the financial and health care industries. In " The Failure of Traditional Security, " Schneier condemns " traditional " security, by which he means the fruitless search for " magic preventive technology, " and insists that only a commitment to process will allow us to manage risks in the face of changing threats and vulnerabilities.

In subsequent sections, Schneier builds a compelling case for the well-established view that risk management must depend on protection, detection and response. He then discusses intrusion-detection technologies and asserts that software alone is insufficient. He believes that we need people to improve the power of the test, i.e., to distinguish between real incidents and false alarms. Next, network personnel must be ready with well-thought-out plans for responding effectively to particular intrusions or other attacks.

Finally, Schneier discusses his view of how to outsource network security monitoring and goes on to discuss how his company's services meet the criteria he has established. One of his most important messages is that monitoring should be the first step in establishing network security, not the last. Monitoring can provide a baseline that supports effective risk management even before security policies are established and technology is implemented.

As I have written in other articles, it is always a pleasure to see a white paper that is worthy of the name. Schneier's booklet is a truly well-designed, thoughtful definition and analysis of a problem that includes valuable suggestions for evaluating alternatives with company- or product-specific details. I hope more techies can convince their marketing colleagues to emulate this model.