What is Unified Threat Management (UTM)?

| By: Geoffrey Willison

In recent years, single security strategies have become incapable of keeping companies completely protected against threats, causing them to require a multi-layered defense that integrates various technologies into one IT security strategy. Unified threat management (UTM) has emerged in response to this need and has developed into the default solution for many information technology integrators and managed services providers (MSPs).

Unified threat management is a simplified approach to security management that allows an administrator to monitor and manage a wide variety of security-related applications and infrastructure components on one, integrated platform. UTM consolidates a range of security features into a single appliance that is designed to protect users from a blend of sophisticated cyber threats. Typically, a UTM is an appliance that includes several security technologies – such as next-gen firewall, intrusion prevention system (IPS), antivirus, virtual private networking (VPN) and content filtering.

Integrate our BDR into your existing tech stack.  See How >>

UTM and Managed IT Services

Today’s organizations can’t be too careful when it comes to IT and network security, especially when client data and regulatory compliance are at risk. Multiple layers of security are now required to keep attackers out and to secure sensitive data. At the same time, organizations continue to be challenged by managing security in-house, due to the heavy burden of day-to-day management requirements and rising costs. However, this is where partnering with a managed services provider is most beneficial. When MSPs include unified threat management in their technology stack, it provides clients with a comprehensive IT security solution. Also, UTM is highly compatible with most solutions and services MSPs already have in their portfolio.

Unified threat management is considered an all-in-one solution for network security, but when integrated with other managed services it allows MSPs to become a one-stop-shop for all their clients’ IT needs. Specifically, UTM can become most valuable when combined with remote monitoring and management (RMM), endpoint protection and backup and disaster recovery (BDR).

Since UTM solutions include features such as application control, intrusion detection and content filtering, pairing them with an RMM solution can provide more effective and higher-level network monitoring. RMM technology specializes in proactively staying ahead of issues, resolving them remotely and giving in depth insight into client servers and desktops. Unified threat management can further support an RMM solution by providing more sophisticated alerts for security incidents and 24x7x365 monitoring of an entire network, which allows for an unprecedented level of efficiency, communication and attention. Similarly, including endpoint protection with UTM and RMM adds an additional layer of security, further protecting your devices and networks from intrusion.

A BDR solution is another ideal counterpart to UTM because it acts as a safety net – ensuring you can roll back to a previous version should your files become encrypted or stolen. Pairing a BDR solution with a UTM device can fill in any gaps in the data protection and recovery process, while providing additional human resources to offer end-to-end monitoring and troubleshooting for backup failures.

Key Terms & Definitions

Anti-Malware – Software that prevents, detects and eliminates malicious programs on computing devices and IT systems.

Antivirus – Software that prevents, scans for, detects and eliminates computer viruses and other malicious software.

Application Control – A security practice that blocks or restricts unauthorized applications from executing in ways that put data at risk. The control functions vary based on the business purpose of the specific application, but the main objective is to help ensure the privacy and security of data used by and transmitted between applications.

Bandwidth Management – The process of measuring and optimizing the communication and data being transferred over a network in order to control traffic and ensure that business-critical applications have the necessary resources.

Content Filtering – Also known as information filtering, it’s the use of a program to screen and exclude access or availability to Web pages or e-mail that is deemed objectionable.

Data Loss Prevention (DLP) – A strategy for ensuring that end-users or malicious applications do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end-users can transfer.

Endpoint Protection – A solution or process that secures and protects various endpoints from getting infected and prevents infections from spreading throughout a network; also known as endpoint security.

Firewall – A barrier that controls and protects information from spreading between networks. Intrusion

Detection System (IDS) – A device or software application that monitors a network or systems for malicious activity or policy violations and reports any detected activity to an administrator.

Intrusion Prevention System (IPS) – A network security appliance that monitors network and/or system activities for malicious activity.

Load Balancing – The even distribution of processing and communications activity across a computer network so that no single device is overwhelmed. Load balancing can be implemented with hardware, software or a combination of both.

Next-Generation Firewall (NGFW) – A hardware- or software-based network security system that can detect and block sophisticated attacks by enforcing security policies at the application level, as well as at the port and protocol level.

Security Information and Event Management (SIEM) – An approach to security management that seeks to provide a holistic view of an organization’s IT security through the identification, analysis and recovery of security events.

Threat Monitoring – A type of solution or process dedicated to continuously monitoring across networks and/or endpoints for signs of security threats such as attempts at intrusions or data exfiltration.

Virtual Private Network (VPN) – A technology that creates an encrypted connection over a less secure network, providing safe online access and information protection.

Web Filter - A program that can screen an incoming Web page to determine whether some or all of it should not be displayed to the user by blocking objectionable content or material believed to decrease employee productivity.

Features and Functions of UTM Appliances

Many organizations have turned to UTM solutions to avoid the expensive, labor-intensive approach of traditional firewalls supplemented with multiple standalone security technologies. As cyber threats evolve and new threats emerge, network security must change and adapt to protect against such threats. This adaptability can make UTM difficult to define because the technologies included can vary from vendor to vendor, however, nearly every unified threat management appliance includes these same core features:

  • Antivirus/anti-malware
  • Firewall Intrusion prevention
  • Virtual private networking
  • Web/content filtering

Some more advanced features that are incorporated into specific UTM models include application control, bandwidth management, data loss prevention, identity-based access control, load balancing and more.

The primary function of UTM is to provide increased security, protection, visibility and control over network security while also reducing complexity. UTM solutions typically do so by employing different inspection methods to address various types of threats. These two methods include:

Flow-based inspection, also called stream-based inspection, which samples the data entering a UTM device and uses pattern matching to determine whether there is malicious content.

Proxy-based inspection, which reconstructs content entering a UTM device and performs a full inspection of the content, looking for possible security threats. If the content appears clean, then the device sends the content to the end-user. If a virus or other security problem is detected, the device removes the problematic content before sending the file, or web page, to the user.

UTM functions similarly to SIEM, which is another approach to security management that is able to gather, analyze and present information from network and security devices. The difference between these two approaches, however, is that SIEM tends to focus less on threat prevention and instead is used to log security data and generate reports for compliance purposes. Still, it is an IT security strategy that offers similar capabilities and functionalities as UTM.

Ultimately, UTM has become the modern approach to IT security because it allows for a consolidated management of security technologies that are essential to keeping today’s organizations secure and protected.

The Advantages and Disadvantages of UTM

Unified threat management delivers a flexible, future-ready solution to meet the challenges of today’s networking environments. The promise of UTM lies in its simplicity and its ability to reduce costs by rolling the capabilities of several technologies into one. The most common alternative to UTM is to have multiple separate devices, each designed to perform one or more security functions. However, utilizing specialized appliances for specialized services adds complexity and cost, as each new technology means a new device to deploy, a new set of policies to configure, and a new management console to monitor. Therefore, today’s businesses are beginning to adopt solutions that include everything in one box. Below are a few pros and cons of unified threat management as compared with a traditional, multi-box solution.


  • Consolidated security management – UTM solutions provide a more convenient way of achieving a layered defense strategy because there's only a single product to deploy, manage and monitor.
  • More accurate detection and prevention – One of the most important benefits of UTM is that it integrates several detection and prevention capabilities to provide improved overall efficiency and effectiveness with less effort.
  • Lower up-front cost – Generally speaking, a single all-in-one appliance costs less than buying multiple dedicated systems.
  • Less space – If an organization has limited space for networking equipment, UTM’s ability to fit all the services into a small, self-contained package can be a large benefit.
  • Lower power consumption – One power supply means less power used and less lost while reducing line voltage to the levels network devices use.
  • Easier to install and configure – With one appliance, there are less wires to connect and one interface to use when setting up the device.
  • Fully integrated – A UTM device’s features are designed to work together without leaving holes in protection or creating interoperability challenges.


  • Single point-of-failure – The one main argument against UTM is that if the appliance fails, everything fails. However, this could be considered an opportunity for managed services providers to pair a pre-existing BDR solution with UTM to provide full backup and additional data protection. A BDR solution can frequently and automatically back up a business’ critical data. Should any files become stolen or encrypted due to an appliance failure, the most recent version of that data can be recovered immediately to minimize downtime and damages. Additionally, most BDR solutions will provide backup management and verification, and troubleshooting for backup failures – so should the UTM device or other defenses fail, the business’ essential data will remain protected and easily recoverable.