4. Security products don't work well together
Point products can be a pain -- your firewall, IPS, vulnerability assessment, antivirus, antispyware, and host-based security tools for the most part all do their own thing and don't talk to one another. Some enterprises complain that the danger of these tools not sharing is they may not have a true picture of their security landscape until it's too late and they've been hacked.
But does sharing data among all of these tools really make sense? The promise of security information management (SIM) has yet to be fulfilled, says Ptacek. And the all-in-one security tool approach so far is mostly a small- to medium-sized business phenomenon.
"People don't need a lot of correlation between tools. When they do, it's specific, and they build their own interfaces," Ptacek says.
And integrating security data may not be useful anyway. "Security vendors haven't demonstrated that you can take these pieces of a broken mirror and get a clear picture," Ptacek adds. "These products are built separately and aren't related to one another."
Michael Rothman, president of Security Incite, says it's up to customers to press vendors for the integration if they need it -- not the other way around. "If you need shared data, you should push vendors for it," Rothman says. "The vendor that's going to prevail is the one that provides the most actionable information to make sure you can block those attacks. If that means you pull it out of a syslog, or there's a product-integration relationship, that's what they're going to have to do."
But it's not a matter of security tools interoperating, says Nate Lawson, engineering director for Cryptography Research. The missing link is a standard way for security tools to report their vulnerability data in a common format, he says. "There's room for standardization here -- if an IDS and AV scanner throw their report data into a database, that would be useful," he says.
Meanwhile, AV, anti-spyware, and host-based IPS products are gradually becoming integrated. Antivirus vendors such as Symantec and McAfee are adding more host-based IPS and anti-spyware features, for instance, and anti-spyware and host-based IPS vendors are adding more AV features.
Still, not all security tools will, nor should, work together, says Tom Maufer, director of technical marketing for Mu Security. "AV scanners, penetration testers, and Web app scanners are designed to do a very specific job," Maufer says. "That's where that vendor's expertise lies."