Potential attacks, software and platform vulnerabilities, malware, and misconfiguration issues can pose serious threats to organizations seeking to protect private, confidential or proprietary data. Fortunately, various technologies – collectively known as unified threat management (UTM) – make it easy to use virtualized and/or appliance-based tools to provide thorough and comprehensive security coverage.
When combined with regular updates, monitoring and management services, and key security research and intelligence data, organizations can erect defenses using UTM and sound security policy to cope with this array of threats.
What goes into unified threat management?
The history of information security and palliative technologies goes back to the 1980s, when the elements of perimeter security (through firewalls and screening routers) and malware protection (primarily in the form of early antivirus technologies) became available. Over time, as threats evolved in sophistication and capability, other elements designed to secure business or organizational networks and systems became available to counter them. These include email checks, file screening, phishing protection, and whitelists and blacklists for IP addresses and URLs.
From the mid-1990s to the first decade of the 21st century, there was an incredible proliferation of point solutions to counter specific types of threats, such as malware, IP-based attacks, distributed denial-of-service (DDoS) attacks and rogue websites with drive-by downloads. This led to an onslaught of software solutions and hardware appliances designed to counter individual classes of threats. Unfortunately, a collection of single-focus security systems can't help but lack consistent and coherent coordination.
Alas, this confers no ability to detect and mitigate hybrid attacks that might start with a rogue URL embedded in a tweet or an email message, continue with a drive-by download when that URL is accessed, and really get underway when a surreptitiously installed keylogger teams up with timed transmissions of captured data from a backdoor uploader. Worse yet, many of these applications are web-based and use standard HTTP port addresses, so higher-level content and activity screening becomes necessary to detect and then counter unwanted influences at work.
Simply put, the basic premise of UTM is to create powerful, customized processing computer architectures that can handle, inspect, and (when necessary) block large amounts of network traffic at or near wire speeds. The same data that must be searched for blacklisted IP addresses or URLs must be inspected for malware signatures, proofed against data leakage, and checked to make sure that protocols, applications, and data involved are both allowed and benign. That's why typical UTM solutions normally bundle a great many functions, including these:
- Proxy services block revealing details of internal IP addresses on networks, and examine communications and data transfers at the application level.
- Stateful packet inspection distinguishes legitimate network communications from suspect or known malicious forms of communication.
- Deep packet inspection (DPI) enables the data portion or payload of network packets to be checked. This facility not only protects against malware, but also permits data checks to block leakage of classified, proprietary, private or confidential data across network boundaries. This kind of technology is called data loss prevention (DLP). DPI technology also supports all kinds of content filtering.
- Real-time packet decryption exploits special hardware (which essentially reproduces software programs in the form of high-speed circuitry to perform complex data analysis) to permit deep inspection at or near network wire speeds. This lets organizations apply content-level controls even to encrypted data, and to screen such data for policy compliance, malware filtering and more.
- Email handling includes malware detection and removal, spam filtering, and content checks for phishing, malicious websites, and blacklisted IP addresses and URLs.
- Intrusion detection and blockage observes incoming traffic patterns to detect and respond to DDoS attacks, as well as more nuanced and malicious attempts to breach network and system security or obtain unauthorized access to systems and data.
- Application control (or filtering) observes applications in use – especially web-based applications and services – and applies security policy to block or starve unwanted or unauthorized applications from consuming network resources, or accomplishing unauthorized access to (or transfer of) data.
- Virtual private network (VPN) or remote access devices enable remote users to establish secure private connections over public network links (including the internet). Most organizations use such technologies to protect network traffic from snooping while it's en route from sender to receiver.
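To make the division of labour between these functions concrete, here is a small, added model of a UTM inspection pipeline. It is not code from any vendor or from the original article: packets, blacklists, the "malware signature" and the DLP patterns are all constructed samples, the addresses come from the RFC 5737 documentation ranges, and the stateful inspector uses a deliberately simplified flow key (internal host, external host, server port). Each packet passes stateful inspection, then the IP/URL blacklist, then deep packet inspection for malware and data leakage; the first stage that objects decides the verdict.

```python
"""Toy model of a UTM inspection pipeline (added example, not vendor code).

Stages run in the order the article lists them: stateful inspection,
IP/URL blacklist, deep packet inspection (malware signatures and DLP).
All traffic, blacklists and signatures below are constructed samples.
"""
import re
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."  # constructed: prefix of the internal address space

# Constructed blacklists (hypothetical values, not real indicators).
BLACKLISTED_IPS = {"203.0.113.7"}
BLACKLISTED_URL_FRAGMENTS = ("/drive-by-download", "malicious.invalid")

# Constructed "malware signature": a byte string the pipeline treats as known-bad.
MALWARE_SIGNATURES = (b"EVIL_STAGER_MARKER",)

# Constructed DLP rules: a classification marker and a card-number-like sequence.
DLP_PATTERNS = (
    re.compile(rb"\bCONFIDENTIAL\b"),
    re.compile(rb"\b(?:\d{4}[- ]?){3}\d{4}\b"),
)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int            # server-side port of the flow (simplified flow key)
    payload: bytes = b""
    url: str = ""        # filled in by the proxy stage for HTTP traffic
    syn: bool = False    # True for a connection-opening packet


@dataclass
class Verdict:
    action: str          # "allow" or "block"
    stage: str           # stage that decided
    reason: str


class StatefulInspector:
    """Remembers flows opened from inside; unsolicited inbound packets are blocked."""

    def __init__(self):
        self.flows = set()  # (internal_ip, external_ip, port)

    def check(self, pkt):
        if pkt.src.startswith(INTERNAL_NET):          # outbound
            if pkt.syn:
                self.flows.add((pkt.src, pkt.dst, pkt.port))
            return None
        if (pkt.dst, pkt.src, pkt.port) in self.flows:  # reply to a known flow
            return None
        return Verdict("block", "stateful", "inbound packet matches no established flow")


def blacklist_check(pkt):
    for ip in (pkt.src, pkt.dst):
        if ip in BLACKLISTED_IPS:
            return Verdict("block", "blacklist", f"address {ip} is blacklisted")
    for fragment in BLACKLISTED_URL_FRAGMENTS:
        if fragment in pkt.url:
            return Verdict("block", "blacklist", f"URL matches {fragment!r}")
    return None


def deep_packet_inspection(pkt):
    for sig in MALWARE_SIGNATURES:
        if sig in pkt.payload:
            return Verdict("block", "dpi-malware", "payload matches a known signature")
    if pkt.src.startswith(INTERNAL_NET):  # DLP only concerns data leaving the network
        for pattern in DLP_PATTERNS:
            if pattern.search(pkt.payload):
                return Verdict("block", "dpi-dlp", f"outbound payload matches {pattern.pattern!r}")
    return None


class UtmPipeline:
    def __init__(self):
        self.state = StatefulInspector()
        self.log = []  # (packet, verdict) pairs for later review

    def inspect(self, pkt):
        for stage in (self.state.check, blacklist_check, deep_packet_inspection):
            verdict = stage(pkt)
            if verdict is not None:
                break
        else:
            verdict = Verdict("allow", "all-stages", "no policy objection")
        self.log.append((pkt, verdict))
        return verdict


# Constructed sample traffic, in arrival order.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "198.51.100.10", 443, syn=True),                     # benign outbound
    Packet("198.51.100.10", "10.0.0.5", 443, payload=b"HTTP/1.1 200 OK"),   # reply to it
    Packet("192.0.2.44", "10.0.0.9", 22, syn=True),                         # unsolicited inbound
    Packet("10.0.0.5", "198.51.100.20", 80, syn=True,
           url="http://malicious.invalid/drive-by-download"),               # blacklisted URL
    Packet("198.51.100.10", "10.0.0.5", 443, payload=b"..EVIL_STAGER_MARKER.."),  # signature
    Packet("10.0.0.7", "198.51.100.30", 443, syn=True,
           payload=b"Q3 plan CONFIDENTIAL draft"),                          # DLP violation
]


def run_sample():
    utm = UtmPipeline()
    return [utm.inspect(p) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, run_sample()):
        print(f"{pkt.src:>14} -> {pkt.dst:<14} {verdict.action:5} [{verdict.stage}] {verdict.reason}")
```

Running the sample yields two allows and four blocks, each attributed to a different stage, which is the point of the design: stage order determines which control gets credit, and the unsolicited inbound packet never reaches the blacklist or DPI stages at all. A real appliance does the same work in hardware at wire speed, but the per-stage attribution in the log is exactly what an analyst wants to see when tuning policy.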
Modern UTM devices incorporate all these functions and more by combining fast, powerful special-purpose network circuitry with general-purpose computing facilities. The custom circuitry that exposes network traffic to detailed and painstaking analysis and intelligent handling does not slow down benign packets in transit. It can, however, remove suspicious or questionable packets from ongoing traffic flows, turning them over to programs and filters. In turn, these components can perform complex or sophisticated analysis to recognize and foil attacks, filter out unwanted or malicious content, prevent data leakage, and make sure that security policies apply to all network traffic.
Unified threat management providers
UTM devices usually take the form of special-purpose network appliances that sit at the network boundary, straddling the high-speed links that connect internal networks to external networks via service providers or communication companies.
By design, UTM devices coordinate all aspects of security policy, so they apply a consistent and coherent set of checks and balances to incoming and outgoing network traffic. Most UTM device manufacturers build their appliances to work with centralized, web-based management consoles. This lets network management companies install, configure and maintain UTM devices for their clients. Alternatively, centralized IT departments can take over this function for themselves. Such an approach ensures that the same checks, filters, controls and policy enforcement applies to all UTM devices equally, avoiding the gaps that integrating multiple disparate point solutions (discrete firewalls, email appliances, content filters, virus checkers and so forth) can expose.
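Centralized management only closes those gaps if every appliance really carries the same policy, so a practitioner will want a way to detect drift. The following is an added example, not part of the article or any vendor's console: it compares each device's exported rule list against a reference policy and reports missing, extra and reordered rules, and also flags rules that sit after a catch-all and can therefore never match. The rule shape (action, protocol, port) and all device data are constructed.

```python
"""Policy drift check across a fleet of UTM devices (added example).

Rules are simplified to (action, protocol, destination_port) tuples and are
evaluated in order, as firewall-style rule sets are. All data is constructed.
"""

REFERENCE_POLICY = [
    ("allow", "tcp", 443),
    ("allow", "tcp", 25),
    ("deny", "tcp", 23),
    ("deny", "any", "any"),   # catch-all: nothing after it is ever reached
]

# Constructed exports from four hypothetical appliances.
DEVICE_POLICIES = {
    "utm-hq-01": list(REFERENCE_POLICY),
    "utm-branch-02": [("allow", "tcp", 443), ("deny", "any", "any")],          # rules missing
    "utm-branch-03": [("allow", "tcp", 443), ("allow", "tcp", 25),
                      ("deny", "any", "any"), ("deny", "tcp", 23)],           # telnet deny shadowed
    "utm-lab-04": REFERENCE_POLICY + [("allow", "tcp", 3389)],                # extra rule, shadowed
}


def shadowed_rules(rules):
    """Rules placed after the first catch-all (any/any) rule can never match."""
    for i, (_, proto, port) in enumerate(rules):
        if proto == "any" and port == "any":
            return rules[i + 1:]
    return []


def check_device(reference, rules):
    ref_set, dev_set = set(reference), set(rules)
    missing = [r for r in reference if r not in dev_set]
    extra = [r for r in rules if r not in ref_set]
    # Compare the relative order of the rules both sides share.
    reordered = [r for r in rules if r in ref_set] != [r for r in reference if r in dev_set]
    shadowed = shadowed_rules(rules)
    return {
        "missing": missing,
        "extra": extra,
        "reordered": reordered,
        "shadowed": shadowed,
        "compliant": not (missing or extra or reordered or shadowed),
    }


def fleet_report(reference, devices):
    """Map each device name to its drift findings against the reference policy."""
    return {name: check_device(reference, rules) for name, rules in devices.items()}


if __name__ == "__main__":
    for name, findings in fleet_report(REFERENCE_POLICY, DEVICE_POLICIES).items():
        status = "OK " if findings["compliant"] else "DRIFT"
        print(f"{status} {name}: {findings}")
```

Only the headquarters device comes back compliant; the other three each show a different failure mode (missing rules, a rule reordered behind the catch-all, an extra rule), which is why a consistency check should look at order and reachability, not just at set membership.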
Choosing the best UTM providers
Gartner reported $2.18 billion in sales for the UTM market in 2017. It expects this market to continue growing in tandem with overall IT investment for the foreseeable future (rates in the 2-5% range apply for most economies, but are higher for leading economies like the BRIC countries).
Savvy buyers look for features like those described in the previous section (sophisticated firewalls with deep packet inspection, intrusion detection and prevention, application control, VPN, content filtering, data loss/leakage protection, malware protection, and so forth). These days, buyers also look for these features:
- Support for sophisticated virtualization technologies (for virtual clients and servers, as well as virtualized implementations for UTM appliances themselves)
- Endpoint controls that enforce corporate security policies on remote devices and their users
- Integrated wireless controllers to consolidate wired and wireless traffic on the same device, simplifying security policy implementation and enforcement, and reducing network complexity
Finally, advanced UTM devices must also support flexible architectures whose firmware can be easily upgraded to incorporate new means of filtering and detection and to respond to the ever-changing threat landscape. UTM makers generally operate large, ongoing security teams that monitor, catalog, and respond to emerging threats as quickly as possible, providing warning and guidance to client organizations to avoid unnecessary exposure to risks and threats.
Some of the best-known names in the computing industry offer UTM solutions to their customers, but not all offerings are alike. Look for solutions from companies like Cisco, Netgear, SonicWall and Juniper. You're sure to find offerings that provide the proper mix of features and controls, along with size, speed, and cost characteristics designed to meet your security needs without breaking your budget.
IT infosec certifications that address UTM
As a visit to the periodic survey of information security certifications at SearchSecurity confirms, more than 100 active and ongoing credentials are currently available in this broad field. Not all of them address UTM directly or explicitly, however. While there is no credential that focuses exclusively on this aspect of information security, the following well-known certifications include coverage of this subject matter in their exam objectives or the associated common body of knowledge that candidates must master:
- ISACA Certified Information Systems Auditor (CISA)
- Cisco Security certifications: CCNA Security, CCNP Security, CCIE Security
- Juniper Security certifications: JNCIS-SEC, JNCIP-SEC, JNCIE-SEC, JNCIA-SEC
- (ISC)2 Certified Information Systems Security Professional (CISSP)
- SANS GIAC Certified Incident Handler (GCIH)
- SANS GIAC Windows Security Administrator (GCWN)
- Global Center for Public Safety Certifications (CHPP and CHPA Levels I-IV)
Of these credentials, the generalist items such as CISA, CISSP, CHPP/CHPA and the two SANS GIAC certifications (GCIH and GCWN) provide varying levels of coverage on the basic principles that govern DLP and the best practices for its application and use within the context of a well-defined security policy. Of these, the CISSP and CISA are the most advanced and demanding certs. On the other hand, the Cisco and Juniper credentials concentrate more on the details of specific platforms and systems from those vendors designed to deliver working UTM solutions.
With the ever-increasing emphasis on and demand for cybersecurity, any of these certifications can be a springboard to launch you into your next information security opportunity.