Integrated threat management (ITM) is the evolution of stand-alone security products into a single, unified solution that is generally cheaper and easier to implement and maintain. Combine a single console for management, updates, reports, and metrics, and you will wonder why you do not have one at home too. This chapter will introduce what an ITM solution is, the benefits and drawbacks of the solution, what to look for, and how to select a solution. Finally, the chapter will wrap up with some lessons learned to help avoid some of the common pitfalls and gaps in a typical ITM solution.
Introduction
One cannot read an information security magazine or attend a trade show without hearing about ITM. Within the same magazine or across the aisle, the next vendor may be advertising "unified threat management" or even perhaps "universal threat management." What these are, what the benefits to an organization are, what to look for when evaluating solutions, and lessons learned are discussed in this chapter. Even if you have no intention today of deploying an integrated or unified solution, this chapter provides you with a solid background to understand thoroughly and leverage this emerging technology in the future.
Integrated, unified, and universal threat management all have much the same implementations and goals; their names are different only because they were chosen by different vendors. For the sake of consistency within this chapter, we will choose to use the phrase "integrated threat management."
To start, let us examine the definition of ITM and what it brings to the enterprise. First, ITM is focused on threats that may affect an organization. A threat is defined as some entity that may be capable of attacking or affecting the organization's infrastructure. When used in a quantitative manner, the threat component also includes likelihood and impact considerations. Perhaps it is a malicious payload carried via Hypertext Transfer Protocol or via e-mail, or perhaps it is a "0-day" virus not yet seen by an antivirus software manufacturer. It may be a phishing site and the accompanying e-mails inviting users to visit the site to verify their account information, or it may be a polymorphic worm whose purpose is to evade firewalls while continuously morphing its signature as it attacks the next target.
An ITM platform should, by definition, protect an enterprise against all of these threats and provide a single platform from which to monitor and manage those protections. To address these threats, the platform may include the following functions:
- An intrusion detection system (IDS) or an intrusion prevention system (IPS)
- Antivirus solution
- Antispyware solution
- Unsolicited commercial e-mail filtering
- Content filtering that includes e-mail and instant messenger content management
- Uniform resource locator (URL) filtering, which may include serving as a Web cache proxy
- Firewalls
- Virtual private network (VPN) connectivity
It is important to note that in the absence of a defined standard for ITM, almost any product with an integrated (unified) combination of functions listed here can and likely has been called an ITM solution. Fortunately, if you follow the steps identified under "Evaluating an ITM Solution," you will learn how to identify and include the components that are important and relevant to your ITM requirements.