This disclosure relates to security provisioning.
The prevalence and accessibility of computer networks requires security measures to protect valuable information. An enterprise, for example, can implement such security measures by use of a layered security system. Such a layered security system can be implemented at the network edge of the enterprise, e.g., firewalls, gateway security agents, etc. Additionally, a layered security system can also include security processes and agents that are implemented throughout the enterprise, e.g., virus scanning software on each computer device within the enterprise, content filtering software, content monitoring software, etc.
Such layered security systems are prone to processing inefficiencies and can require many resources within the enterprise to maintain. For example, a company may have a multi-layered security system deployed within its network. A file received by company computers may be processed by a content filtering system and an intrusion detection system, and may pass through the company's firewall on its way to each computer that receives the file. Furthermore, each computer may include virus scanning software that scans the file when it is received. Thus, regardless of the file's integrity, each file may potentially be inspected multiple times by multiple processes, causing processing delays. While the objective of protecting the enterprise is met, it is nevertheless met in a relatively inefficient manner.
Additionally, many of these layered defenses operate independently and do not provide feedback to the other security layers. For example, the virus scanning software a company uses may not be able to communicate with the company's firewall. Thus, the firewall may continue to pass an infected file, each computer that receives the infected file will expend resources performing security operations, and each user of those computers will likewise spend time performing manual remedial actions in response to the security threat.
Many layered security systems do not implement a distribution infrastructure to communicate and share content intelligence. This results in repeated processing of both good and bad content. For example, information related to a virus outbreak detected at one enterprise location cannot be readily propagated to a central office or to other branches of the enterprise; likewise, uniform resource locators (URLs) found to include malicious software (“malware”) or objectionable content cannot be readily propagated to a central office or to other branches of the enterprise.
Many layered security systems also cannot readily maintain a central data store of threat data that classifies content items, such as files, URLs, and e-mails, according to security classifications (e.g., virus, malware, spam mail, etc.).
Bandwidth is also a practical limitation in layered security systems implemented in enterprises. Often, threat detection happens at the enterprise perimeter or inside the network edge of the enterprise, i.e., only after the content has already consumed link bandwidth. For example, an enterprise can stop downloads of music content or news feeds by examining the content at an enterprise gateway; however, such monitoring necessarily sacrifices at least the amount of bandwidth required to recognize the content as being of a particular type.
Additionally, many computing devices, such as cellular phones, internet-enabled appliances, and the like, may not have enough resources to run malware or virus detection software. Thus, these devices may be vulnerable to attack.
Finally, generating a consolidated security view of the enterprise is a difficult process, as it requires collecting data from different locations and user groups and arranging the data in a common time order before abstracting it and generating reports. Because security products differ across locations, it is difficult to capture the information in a common format. In addition, the cost of communicating these records in real time is substantial. For example, an enterprise with 10 small branches and a head office can have a mean transaction rate of 100 requests per second. Each transaction yields a log record of 512 bytes. This results in the usage of 50 Kbytes/sec (400 kilobits per second) of uplink bandwidth. Small locations served through DSL links have an uplink bandwidth of 300 to 500 kilobits per second, so the transfer of the log records alone would significantly impact system response time. The bandwidth constraint only grows for larger enterprises with thousands of users.