August 13, 2012, 11:52 AM — It's budget time again, which is a good chance to assess our information security defenses and decide which areas we can best afford to beef up. Here's a look at what I think we'll be able to add this year.
It's time to make the case for funding in the 2013 budget. Action plan: Prioritize the company's security needs, and have justifications at the ready.
First, I want to increase our investment in security incident and event management. SIEM has been a great investment thus far, helping us thwart attacks and identify other malicious activity that could have resulted in the loss of sensitive data, unauthorized access or a denial-of-service attack on our network. I can point to a lot of things that justify further investment. My plan is to expand our license and add more network sensors to remote offices. The return on those investments will be that more data will be correlated with additional log and netflow feeds from network and server resources.
Next, I want to upgrade the security assessment tools that automatically scan our DMZ infrastructure on a weekly basis, as well as satisfy our regular audit and assessment schedule of internal apps and infrastructure. Our current tools, though fairly effective, lack some of the rich functionality that Qualys, nCircle and Rapid 7 offer. Any of those would give us a more robust, centralized management console, integration with other tools and better reporting options. The productivity gains that these products would make possible are a selling point; the tool we end up choosing should pay for itself in short order just in the area of collecting security compliance data each quarter.
Then there's data leak prevention (DLP). When we implemented DLP earlier this year, our budget didn't allow for any decryption infrastructure. A main feature of DLP is that it can detect documents being sent via Web-based apps such as webmail and personal storage sites, but we need to decrypt the SSL traffic before our DLP tool can inspect the data. In addition, we recently migrated our Exchange deployment to Microsoft's Office 365 cloud offering, so now even our corporate email is encrypted. All of that means we need to buy proxy appliances and then send all our Web traffic to them for decrypting ahead of going to the DLP engine for inspection. We'll be looking at either Cisco or Bluecoat to satisfy this need.