A security signature may be written to detect a vulnerability. However, if a single exploit, or any of its variants, can beat the signature, it is clear that either the signature is weak or a configuration change needs to be made. It should be noted, though, that some offerings ship hundreds of variants of the same exploit when all you need is a select few that will test the security rule for that vulnerability. Recent tests by renowned labs have shown that threats went unspotted, or evasion went undetected, simply because the 'out of the box' configuration had certain functions switched off for performance reasons.
A risk analysis will show what the dangers are in balancing detection rates with performance. In most cases, unless there is a bandwidth problem, existing devices can be enhanced and performance maintained or even improved.
The test/fix/test cycle has many functions. Nevertheless, whichever way you look at it, you can see without a doubt whether your devices are performing the way they should. It is through audit, vulnerability detection, deployment of high-quality signatures/rules and performance tuning of the device that its effectiveness can be increased. This raises the bar on effectiveness without massive investment in new equipment, which often offers the same level of effectiveness, only faster.
Ray Bryant is CEO of Idappcom, a private UK registered company, which provides excellence in the field of IT security and application security and management. Their main product, Traffic IQ, is a vulnerability assessment tool and has wide acceptance with security professionals throughout the world.