In Depth

Next Year's Hot Security Tools

Today's pain points are tomorrow's vendor opportunities

By Simson Garfinkel

Page 3

These tools also have their limitations. Unfortunately, with the exception of NetWitness, the current generation is mostly reactive, rather than proactive. Unlike intrusion detection systems, these NFATs don't terminate questionable connections that are in progress. Instead, they simply record everything, under the general assumption that somebody in your organization might want to do something with the data at some later point in time.

The problem here is that you need to know when to go looking for something. For those of us who are naturally nosy, that's no problem. Even so, most organizations will find that having an NFAT creates an ongoing requirement for additional manpower, and that translates into an ongoing expense. The next generation of NFATs will need to be better at learning baseline behavior and automatically reporting abnormalities if they are to be broadly adopted.
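The baseline-then-report behavior described above, as an added illustration that is not code from the article or from any NFAT vendor: a small Python script learns each host's normal hourly traffic volume and set of destinations from a training window of flow records, then reports hosts in a later window that exceed the volume baseline, talk to never-seen destinations, or were never seen at all. All flow records, hosts and thresholds are constructed for the example.

```python
"""Baseline learning and anomaly reporting over constructed flow records.

Added example: not the article's code and not any product's detection logic.
Records are (hour_index, src_host, dst_host, bytes_sent); everything here is
constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 24-hour training window: two hosts with steady, modest traffic.
TRAINING = []
for hour in range(24):
    TRAINING.append((hour, "10.0.0.5", "10.0.0.10", 1000 + 50 * (hour % 3)))
    TRAINING.append((hour, "10.0.0.7", "10.0.0.10", 2000 + 100 * (hour % 2)))

# Constructed records from the window an analyst wants reviewed automatically.
OBSERVED = [
    (24, "10.0.0.5", "10.0.0.10", 1050),       # consistent with baseline
    (25, "10.0.0.5", "203.0.113.9", 900000),   # large transfer to an unseen host
    (24, "10.0.0.7", "10.0.0.10", 2100),       # consistent with baseline
    (24, "10.0.0.9", "10.0.0.10", 10),         # source host absent from training
]


def hourly_totals(flows):
    """Sum bytes sent per (src_host, hour)."""
    totals = defaultdict(int)
    for hour, src, _dst, nbytes in flows:
        totals[(src, hour)] += nbytes
    return totals


def build_baseline(flows):
    """Per source host: mean and population stddev of hourly bytes, plus destinations seen."""
    per_host_hours = defaultdict(list)
    for (src, _hour), total in hourly_totals(flows).items():
        per_host_hours[src].append(total)
    destinations = defaultdict(set)
    for _hour, src, dst, _nbytes in flows:
        destinations[src].add(dst)
    return {
        src: {"mean": mean(values), "stdev": pstdev(values), "dsts": destinations[src]}
        for src, values in per_host_hours.items()
    }


def report_anomalies(baseline, flows, k=3.0):
    """Return (host, hour, reason, detail) tuples for behaviour outside the baseline.

    A host is flagged for 'volume' when an hour's total exceeds mean + k*stdev,
    for 'new_destination' when it contacts a host absent from its training set,
    and for 'unknown_host' when the source itself has no baseline.
    """
    findings = []
    for (src, hour), total in sorted(hourly_totals(flows).items()):
        profile = baseline.get(src)
        if profile is None:
            findings.append((src, hour, "unknown_host", total))
            continue
        threshold = profile["mean"] + k * profile["stdev"]
        if total > threshold:
            findings.append((src, hour, "volume", total))
    for hour, src, dst, _nbytes in flows:
        profile = baseline.get(src)
        if profile is not None and dst not in profile["dsts"]:
            findings.append((src, hour, "new_destination", dst))
    return findings


if __name__ == "__main__":
    for finding in report_anomalies(build_baseline(TRAINING), OBSERVED):
        print(finding)
```

The point of the example is the shift in workflow the paragraph calls for: nobody has to decide to "go looking" for the 900,000-byte transfer, because the tool compares each hour against what it learned and surfaces only the deviations. A real deployment would use a longer training window, per-protocol baselines and a tunable `k` to keep the false-positive rate acceptable.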

This push toward higher-level functionality and task-specific focus is already appearing in the world of security scanners. A few years ago, I ran Internet Security Systems' Internet Scanner on a small network, and I ended up with a report of more than 100 pages about potential security problems on the network. New tools such as FoundScan will combine problem detection with intelligent prioritization, tracking and remediation reports. In other words, more and more scanners will start checking to see if the problems they detect are actually fixed, and that those problems they detect stay fixed.
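The tracking and remediation reporting described above, as an added example that is not the article's code and not FoundScan's or any other scanner's logic: a Python tracker ingests successive scan results, carries each finding through the states new, open, fixed and regressed, and produces a report ordered by severity with regressions first, so a problem that was fixed and then came back is the first line an administrator sees. The hosts, check identifiers and scan results are constructed for the example.

```python
"""Finding tracker with remediation status across repeated scans.

Added example: not the article's code and not any vendor's product logic.
Scan results are sets of (host, check_id, severity); all values are constructed.
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
STATUS_RANK = {"regressed": 0, "new": 1, "open": 2, "fixed": 3}

# Constructed results from three consecutive scans of the same small network.
SCAN_1 = {
    ("web1", "TLS-WEAK-CIPHER", "medium"),
    ("web1", "OLD-HTTPD", "high"),
    ("db1", "OPEN-ADMIN-PORT", "critical"),
}
SCAN_2 = {  # two problems fixed, one new one introduced
    ("web1", "TLS-WEAK-CIPHER", "medium"),
    ("web1", "DIR-LISTING", "low"),
}
SCAN_3 = {  # the critical problem on db1 has come back
    ("web1", "TLS-WEAK-CIPHER", "medium"),
    ("web1", "DIR-LISTING", "low"),
    ("db1", "OPEN-ADMIN-PORT", "critical"),
}


def ingest_scan(tracker, scan_no, results):
    """Update tracker state in place from one scan's results and return it.

    tracker maps (host, check_id) -> dict(severity, status, first_seen, last_seen).
    """
    present = {(host, check): sev for host, check, sev in results}
    for key, sev in present.items():
        item = tracker.get(key)
        if item is None:
            tracker[key] = {"severity": sev, "status": "new",
                            "first_seen": scan_no, "last_seen": scan_no}
        elif item["status"] == "fixed":
            # Seen again after having disappeared: a regression, not a new issue.
            item.update(status="regressed", last_seen=scan_no, severity=sev)
        else:
            item.update(status="open", last_seen=scan_no, severity=sev)
    for key, item in tracker.items():
        if key not in present and item["status"] != "fixed":
            item["status"] = "fixed"
            item["fixed_in"] = scan_no
    return tracker


def remediation_report(tracker):
    """Return (status, severity, host, check_id) rows, worst and most urgent first."""
    rows = [(item["status"], item["severity"], host, check)
            for (host, check), item in tracker.items()]
    return sorted(rows, key=lambda r: (SEVERITY_RANK[r[1]], STATUS_RANK[r[0]], r[2], r[3]))


def run_three_scans():
    """Feed the constructed scans through the tracker and return its final state."""
    tracker = {}
    for scan_no, results in enumerate((SCAN_1, SCAN_2, SCAN_3), start=1):
        ingest_scan(tracker, scan_no, results)
    return tracker


if __name__ == "__main__":
    for row in remediation_report(run_three_scans()):
        print(row)
```

Keeping state between scans is what turns a hundred-page list into something actionable: the report distinguishes a finding that has been open for three scans from one that was closed and reopened, and the `fixed_in` field gives a date to put against each remediation.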

The Kitchen Sink

I expect more and more products to be delivered as "appliances," rather than as software packages that are loaded onto a Windows or Solaris server. The appliance approach lets a single vendor be responsible for the hardware, the software and the embedded operating system. Appliances also reduce the chances that one program might interfere with another, since the only way that appliances should be communicating with each other (or with the outside world) is through well-established TCP/IP protocols.

The troubling thing about this push to appliances is that most appliances turn out to be rack-mounted PCs running Windows, Linux or FreeBSD. The problem here is that all these operating systems have seen significant security vulnerabilities in the past year and all require constant patching and updating to remain secure. My concern is that many companies selling appliances have failed to devise ways for these systems to be updated in the field; instead, they simply equip the appliance with two Ethernet interfaces and recommend that the management interface be installed behind a firewall. Code Red and Nimda both taught us the fallacy of that approach.
