December 19, 2008, 10:29 AM — My team has spent the past couple of weeks on 2009 budget planning, and it's been a real adventure, given the economic climate. We basically have no money to spend on any new technologies or head count, and I'm sure plenty of you are in the same boat. So, how do we move forward without funding? It's going to be tricky.
One option is open-source software. My company has always been reluctant to use free software -- even banning it in a semi-official way until just recently. Objections have been based on the perception that open source is unreliable, would require dependence on a few key people with the expertise to support whichever tools we might use, and would generate high support costs. But now the company's stance has gone from "No open source" to "Demonstrate that open source will save us money." In this economy, money talks.
I think I can demonstrate the cost savings for some open-source security tools, especially since maintenance costs for commercial software are skyrocketing. Some vendors have increased their maintenance charges by as much as 35%! And a lot of the time, that's for some really poor support.
On my wish list for 2009 is better intrusion detection and reporting. We currently use a commercial intrusion-detection system that, while not well tuned, seems to be working fairly well. But the maintenance renewal cost is excessive. I could save the company hundreds of thousands of dollars by replacing the IDS with an open-source product that is almost exactly the same, except that it wouldn't provide automatic updates and update releases would be less frequent. I can live with that trade-off, even though it means building replacements for all of our existing IDS sensors.
I'm more concerned about how we're going to manage a new IDS, especially since we don't have a SIEM (security information and event management) system. There is no way I'm going to get funds for a commercial SIEM system, so I'll have to find a way to build our own or come up with an open-source alternative.
Another priority is data leak prevention (DLP). We've known for a long time that the company is losing huge amounts of client information, some of it confidential. It's not generally getting out into the wild, but it is getting into employees' Web mail accounts and onto USB devices. So, my department has been agitating for a DLP system for the past few years. However, the systems are expensive and cumbersome, and they take years to deploy and tune, so we haven't been able to garner a lot of support for the idea. This will be a hard problem to solve. It would be tough even if funding were unlimited.
I'd also like to have something that could find every device on our network and report on its security compliance. You can't secure what you don't know about, right? I'll try to sell this idea -- and not for the first time. I expect to hit a brick wall again, but what else can I do but keep pushing?
Finally, I'm hoping to get funding for a third-party security audit. I'm a big believer in such reviews, for three reasons: They provide a second set of eyes to help ensure that we don't overlook anything important; third parties generally use frameworks to help provide a foundation for their recommendations, which helps us justify the remediation; and third-party reviews help when it comes to prioritizing security efforts.
Certainly we need more than I can hope to get this year, but any part of my wish list would help make us more secure than we are today. Wish me luck.
To join in the discussions about security, go to computerworld.com/blogs/security .