
Security Think Tank: UTM attractive to SMEs, but beware potential pitfalls

How can organisations best use unified threat management tools to help stem the tide of data breaches?

For many years, enterprises have purchased myriad point products and appliances to prevent, detect and respond to cyber attacks. A threat appears, a security technology supplier produces a product to address the threat, the enterprise buys the product, and so it goes on.

Unsurprisingly, this has become a difficult situation for most organisations, but most especially for those enterprises without a dedicated security function. Managing a huge range of security appliances and products is – quite simply – unmanageable.

Usually appliance-based, unified threat management (UTM) provides security capabilities across a range of threats, combined in a single view. Centralised management of the threats is delivered through a console. It is not difficult to appreciate the appeal of UTM for smaller organisations with resource-strapped security capabilities. Ovum forecasts that the UTM market is growing at a compound annual growth rate (CAGR) of 13.2% and will be worth around $4.7bn by 2022.

UTM appliances vary in scope, but typically combine a firewall, antivirus and anti-malware scanning, virtual private network (VPN) termination, intrusion detection/prevention (IDS/IPS), content filtering and, in many products, data leakage protection (DLP). Most organisations deploy layered security controls, and UTM supplies several of the technology-focused layers in one box. These must still be supplemented by security controls covering people and process.

One downside of UTM is that the appliance itself is a single point of failure: if it stops, so does the firewall, the VPN and every other control it hosts. Some enterprises mitigate this by deploying a second appliance in a high-availability pair. Another potential issue with UTM is the extent to which it can address cloud security requirements, in particular software as a service (SaaS), which small and medium-sized enterprises (SMEs) use heavily and whose traffic does not necessarily pass through an on-premise appliance.

These organisations may also be making initial forays into platform as a service (PaaS) and infrastructure as a service (IaaS), and this is one area into which UTM providers may consider moving in the future.

The security industry has moved from promising prevention (stages 1, 2 and 3 of the cyber kill chain: reconnaissance, weaponisation and delivery) to offering detection of a breach once it has begun (stages 4 and 5: exploitation and installation), with rapid action to mitigate and ultimately remediate it (stages 6 and 7: command and control, and actions on objectives).

Traditionally, UTM has focused on preventing and detecting cyber attacks. Ideally, security incidents and breaches should be prevented. However, organisations recognise that not everything can be prevented, so it is essential that an intrusion is detected while the attacker is still inside the network, before data is actually exfiltrated or damaged and the incident becomes a reportable breach.

As we have seen with enterprise approaches to security across all sectors and in organisations of all sizes, there is increased focus on the third objective of technology security controls – responding to an attack.

More of these response capabilities will be deployed as part of UTM. Data leakage protection (DLP) is generally included today, but may be joined by data breach detection and reporting capabilities to support compliance with the EU's General Data Protection Regulation (GDPR) and its 72-hour notification requirement, for example.

The many benefits of UTM, led by the reduction of complexity in the security environment for SMEs, mean that UTM will be around for years to come.

Read more from Computer Weekly’s Security Think Tank about unified threat management
