Tackling security threats from within

Bolstering your company's security system provides protection against the enemy within

"We typically find that about 40 percent of the valid users in the enterprise are people who no longer work there," says Jeff Drake, director of security strategy at IBM Tivoli in Austin, Texas. "Companies are very good at getting you out of the payroll system when you leave, but they’re very poor at removing accesses to apps that you were granted."

Identity management systems -- from companies such as IBM Tivoli, Netegrity, Oblix, Novell, and Sun -- aim to solve this problem by providing a single mechanism for managing and provisioning account access and for linking that access to HR and payroll. These systems typically provide audit, logging, and policy enforcement to help prevent contractors from getting root access to sensitive systems. (For more on the challenges of automating identity management, see "Who, what, where.")

Intrusion detection and security-event management

To identify insiders who may be exploring internal systems as a prelude to an attack, IDS (intrusion detection system) software provides passive scanning of network activity. These host- or network-based systems listen on the wire for suspect traffic and then use pattern recognition and various algorithms to find what looks like illegitimate activity. When such activity is detected, IDS software alerts security personnel or automatically shuts off access to the resource being probed.

Many vendors, including ISS, Symantec, Cisco, and a host of smaller companies, offer IDS systems. Some, such as Symantec, also offer so-called "honey pot" or decoy systems, designed to catch malicious attackers by luring them into a painstakingly prepared replica of the system they may be trying to penetrate (for example, finance or payroll) but with false data -- essentially catching them in the act.

In the past, IDS systems triggered too many false alarms, which often caused IT personnel to simply shut them off. To address this problem, many vendors are developing so called security-event management platforms -- software that takes data inputs from a multitude of security devices on the network and correlates them in real time or after the fact to identify potential threats. According to Deepak Taneja, CTO of Waltham, Mass.-based Netegrity, the systems work similar to the credit-card companies’ antifraud algorithms by looking for atypical behavior.

"Say Jennifer gets a hold of my password and tries to access that application [by dialing] in from home on a VPN,” Taneja says. “But that’s not how I always do it — from my desktop during business hours." This information might then be passed to the provisioning system to shut down the account Jennifer has hijacked. “Just knowing that those systems are in place is a good deterrent," Taneja adds.