ITM is focused on threats that may affect an organization. A threat is defined as some entity that may be capable of attacking or affecting the organization's infrastructure. Perhaps it is a malicious payload carried via HTTP or via E-mail, or perhaps it is a virus not yet seen by an antivirus software manufacturer. It may be a phishing site and the accompanying e-mails inviting users to visit the site to verify their account information or it may be a polymorphic worm whose purpose is to evade firewalls while continuously morphing its signature as it attacks the next target. An ITM platform should, by definition, protect an enterprise against all of these threats and provide a platform to monitor and manage the ITM. To address these threats, the platform may include the following functions:
An Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS)
Antivirus solution
Antispyware solution
Unsolicited commercial e-mail filtering
Content filtering that includes e-mail and instant messenger content management
Uniform resource locator (URL) filtering, which may include serving as a Web cache proxy
Firewalls
Virtual private network (VPN) connectivity
It is important to note that in the absence of a defined standard for ITM, almost any product with an integrated (unified) combination of functions listed here can and likely has been called an ITM solution.
Metrics
One of the most important functions of an ITM platform from a senior management perspective will be the development of metrics and reports that highlight the overall effectiveness (or ineffectiveness) of the ITM platform. Typical metrics include the following:
New threats identified
Total threats encountered
Effectiveness of managing new threats
Trouble tickets generated
Trouble tickets closed
Metrics and reports should be generated to identify areas of the ITM program that need improvement or additional support, to measure progress, and, very importantly, to measure compliance with existing corporate policies and regulations.
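As an added illustration (not part of the original text, and not tied to any particular ITM product), the following Python script computes the five metrics listed above from a small set of constructed threat events. The event records, the signature names, the ticket identifiers and the set of signatures "known before the reporting period" are all invented for the example; "effectiveness of managing new threats" is interpreted here, as an assumption, as the fraction of newly seen signatures that have at least one closed trouble ticket.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class ThreatEvent:
    """One alert raised by an ITM component (IDS, antivirus, URL filter, ...)."""
    signature: str            # threat name as reported by the component
    source: str               # which ITM function raised the alert
    ticket_id: Optional[str]  # trouble ticket opened for the alert, if any
    ticket_closed: bool       # whether that ticket has been resolved


# Constructed sample data for one reporting period (hypothetical values).
EVENTS = [
    ThreatEvent("Trojan.Generic.A", "antivirus", "T-1", True),
    ThreatEvent("Trojan.Generic.A", "antivirus", "T-1", True),
    ThreatEvent("Phish.BankLogin", "url_filter", "T-2", False),
    ThreatEvent("Worm.Poly.X", "ids", "T-3", True),
    ThreatEvent("Spam.Bulk", "email_filter", None, False),
    ThreatEvent("Phish.BankLogin", "email_filter", "T-2", False),
]

# Signatures already known to the program before this period (constructed).
KNOWN_BEFORE_PERIOD: Set[str] = {"Trojan.Generic.A", "Spam.Bulk"}


def itm_metrics(events: Iterable[ThreatEvent], known_before: Set[str]) -> Dict[str, object]:
    """Return the management metrics for a reporting period.

    new_threats_identified   - signatures seen this period but not before
    total_threats_encountered - every alert raised, including repeats
    new_threat_effectiveness - share of new signatures with a closed ticket
    tickets_generated / tickets_closed - distinct trouble tickets
    threats_by_source        - alert count per ITM function (for the report)
    """
    events = list(events)
    seen = {e.signature for e in events}
    new_signatures = seen - known_before

    # A new signature counts as "managed" once any ticket for it is closed.
    managed_new = {
        e.signature for e in events
        if e.signature in new_signatures and e.ticket_id and e.ticket_closed
    }
    effectiveness = (
        len(managed_new) / len(new_signatures) if new_signatures else 1.0
    )

    tickets = {e.ticket_id for e in events if e.ticket_id}
    closed = {e.ticket_id for e in events if e.ticket_id and e.ticket_closed}

    return {
        "new_threats_identified": len(new_signatures),
        "total_threats_encountered": len(events),
        "new_threat_effectiveness": effectiveness,
        "tickets_generated": len(tickets),
        "tickets_closed": len(closed),
        "threats_by_source": dict(Counter(e.source for e in events)),
    }


def format_report(metrics: Dict[str, object]) -> str:
    """Render the metrics as the plain-text summary a manager would receive."""
    lines = [
        f"New threats identified:        {metrics['new_threats_identified']}",
        f"Total threats encountered:     {metrics['total_threats_encountered']}",
        f"New-threat management rate:    {metrics['new_threat_effectiveness']:.0%}",
        f"Trouble tickets generated:     {metrics['tickets_generated']}",
        f"Trouble tickets closed:        {metrics['tickets_closed']}",
    ]
    for source, count in sorted(metrics["threats_by_source"].items()):
        lines.append(f"  alerts from {source}: {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(itm_metrics(EVENTS, KNOWN_BEFORE_PERIOD)))
```

Running the script prints the period summary; the "known before" set would in practice be carried over from the previous report so that the new-threat count is measured against what the program had already catalogued.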
The development of an effective program including the ITM solution is imperative to ensure that it is properly used, monitored, and reacted to. Too many companies focus on the IT aspects of a deployment and fail to include any of the requisite training, awareness, documentation, and integration into the existing infrastructure. Without a program that addresses those areas, an organization will, at best, not fully utilize the solution. At worst, the security posture of the organization will be significantly reduced below an acceptable level if alerts are missed, personnel are not trained, parameters are not properly configured, etc.