The leading network security vendors try to provide all of the UTM features described in my last article, but the unified threat management appliances of tomorrow might advance to include those in tandem with the UTM features described below.
Likely, or possible, future directions for unified threat management appliances
Here’s the list of items that pop up in many analyst reports, speculative stories and conversations with forward-looking UTM appliance vendor spokespeople:
- Web 2.0 and up: With Web-based and Web-centric applications everywhere, hitting desktop and smart devices of all kinds, look for security appliances, particularly unified threat management appliances, to up their ante on Web security. Recent conversations with companies like M86 Security, Trusteer and the Xacti Group suggest that lots of interesting technologies lie ahead. These include more and better real-time behavior and content analysis for Web pages and subsidiary content (especially downloads and active content, all of which can potentially introduce malware), and more powerful client-side sandboxing and isolation technologies. It’s not inconceivable to me that future Web communications will take place in rapidly spawned and easily disposed-of virtual machines that can disappear at the first sign of danger or attack.
- Increased application awareness: Security vendors who build heuristic or behavioral detection and prevention technologies will tell you that understanding how applications should (and shouldn’t) behave is increasingly becoming the key to protecting users, systems and information assets against attack. I expect a whole slew of new technologies in this arena, possibly led by a whole cohort of innovative Israeli security companies, to take up residence in security appliances someday soon. Look for the market’s understanding and appreciation of proxying to increase by several orders of magnitude in the process as well.
- Applying appropriate data protection: Mickey Boodaei, the CEO of Trusteer, explained its data protection technology to me as data-centric. Instead of watching the registry or access to protected dynamic link libraries (DLLs) and application programming interfaces (APIs), Trusteer stakes out financial account information, and it reacts strongly whenever unexpected or unwanted attempts to access (or even request) such information occur. Look for more such data-centric protection mechanisms to find their way into security appliances sometime soon as well.
- Crowdsourcing security wisdom: More and more, security vendors talk to me about the benefits and importance of observing and interacting with large user populations. This gives them the ability to see threats as they start to emerge and to begin applying countermeasures as those threats start to proliferate. Although the benefits of observing and capturing information from enormous user populations are already positive and well-known, we haven’t seen anything yet. The release of the W3C’s global Web standard for Efficient XML Interchange (EXI) promises to be a total game-changer in this space!
- Boosting intrusion prevention technologies: Look for vendors to start building comprehensive and virtual intrusion prevention systems using individual security appliances as building blocks to establish a holistic view of intrusion and attack activity. What’s driving this bus? The continued emergence of multivector threats, which often attack multiple systems simultaneously and in concert. Technologies that inspect encrypted traffic, filter and screen “safe traffic” (to perform deep packet inspection on traffic that firewalls might ordinarily pass through without checking), control and manage more applications, and track and report vulnerabilities more quickly all seem to be right on the horizon.
Though it’s impossible to tell when (or if) these functions will be in next year’s security appliances, it seems pretty clear that they will be in the mix before the end of this decade. One shudders to consider the threats that will be devised to test these technologies and to attack those enterprise networks that fail to keep up.
This was first published in March 2011