
Security Think Tank: Many routes to UTM to boost security capabilities

How can organisations best use unified threat management tools to help stem the tide of data breaches?

The General Data Protection Regulation (GDPR), which came into full force in May 2018, is certainly giving many organisations cause to worry about data breaches, as the fines levied for a breach can be eye-watering (up to 4% of global turnover for a major breach).

That raises the question as to whether unified threat management (UTM) systems can help reduce the threats that could lead to a breach.

The simple answer is that UTM can help, but first there needs to be an understanding of whether an infrastructure is to be completely redesigned and rebuilt (or is a greenfield build) or whether it is a case of selectively updating an existing infrastructure.

While the basics are the same in both cases, such as the need for an effective set of IT and information security management processes and controls to be in place, there will be trade-offs and compromises between these approaches.

For a complete network redesign of an existing infrastructure there is greater scope in UTM tool selection, from on-site UTM network appliances to outsourced cloud-based services, or a combination of approaches. Such a redesign should lead to an optimal solution for an organisation, but would typically cause major disruption while being implemented.

Updating an existing infrastructure to bring in UTM could be as simple as replacing existing infrastructure devices with a UTM appliance offering greater capability and a single unified management interface, or implementing a software-based central management system offering UTM capabilities.

For example, replacing a firewall with a UTM appliance offering firewall, intrusion detection (IDS) and intrusion prevention (IPS) can be viewed as a basic UTM approach. A more comprehensive UTM approach would be the implementation of a UTM appliance offering not just firewall, IDS and IPS functions, but also content filtering, email spam and message handling, data loss prevention (DLP), virtual private network (VPN) and end-point control.

However, implementing a UTM appliance with many functions might require a partial redesign of an organisation’s infrastructure. Software-based systems generally offer a unified view of network events based on device logs and/or “agents” installed on devices, with some products additionally offering the ability to manage some devices.

The advantage of implementing a UTM appliance is that there is a single interface both to manage UTM appliance functionality and to monitor network events in a consolidated view.

Other UTM appliance functions can include prioritising events and alerting on significant events via video screens, short messaging service (SMS) and email, plus comprehensive reporting capabilities. Some products also offer artificial intelligence (AI) to aid diagnosis of security-related events, while most offer tools to aid investigations.

The advantage of a software solution comes from potentially avoiding major disruption to an infrastructure (existing devices such as firewalls and proxies are retained). Though these products offer the same consolidated security event view, alerting and reporting capabilities as a UTM appliance solution, they often lack device management capabilities, meaning existing management systems must be kept in place.

UTM appliances are available from a range of suppliers and all offer a single interface for appliance management and event monitoring, alerting and reporting. These companies offer a range of products aimed at differing markets (small and medium-sized enterprises to large corporates) and budgets.

Centralised device management

Software-based centralised device management and monitoring applications with UTM capabilities are available from a number of suppliers, but while all these give a centralised correlated view of what is happening on a network, not all have the capability to manage devices. 

Implementing UTM, however it is done, will help with maintaining good security and so help prevent breaches. It does this by virtue of the UTM supplier undertaking ongoing research into security threats and vulnerabilities that lead to UTM product development.

But UTM is not a fit-and-forget exercise – the appliances and their management systems, or the UTM software, need to be maintained at the latest supported level. UTM is not a silver bullet either – the basics must also be in place, including security patching, IT security health checks and penetration testing, as well as effective, in-use and maintained policies, procedures and practices.
