Prevention shapes tools of choice

Intrusion detection systems (IDS) are so last century with a new set of technologies and new buzzwords intrustion prevention systems (IPS) taking over.

In fact analyst firm Gartner did it's final IDS research note in April 2004 bluntly stating the technology has reached the peak of its usefulness as a stand-alone technology. There is little point in assessing this market, the researcher said, as IDS vendors that do not introduce the technologies featured in IPS products now will not be viable providers by the end of 2005.

Network Associates (NA) ANZ regional director Gavin Struthers willingly admits that IDS is a failed technology describing it as costly and complicated.

Thankfully, the move to IPS products allows for detection and prevention and joins an armoury of tools used to protect the enterprise such as vulnerability management, firewalls and antivirus.

Unlike the IDS technology of old, the new IPS products include signature-based inspection and in-line blocking making them a tool of prevention - today's IT security buzzword.

"IDS is a bit of a wet rag; it is resource intensive providing lots of logs and reports, but it is only reactive and doesn't prevent attacks," Struthers said.

Too bad for all those companies that made significant investments in IDS products.

Struthers said most of the top 200 enterprises in Australia would have some form of IDS, but IPS has really only gained traction in the last six months.

While market education is still at the low end, Struthers says NA has been working closely with companies revamping their IDS strategies in recent months.

"IPS has been on the market for almost two years, but it is only in the past nine months that the market has really been making noise about it; most enterprises now are focusing on prevention to avoid the high cost of cleanup after an attack," he said.

An effective IPS product, Struthers said, can inspect traffic at multiple gigabit speeds and of course boast accuracy and uptime. So basically, PC sensor-based monitoring is out and in-line blocking is in.

Fittingly, security is the hot topic that IT managers face on a daily basis simply because of the amount of viruses and worms that interrupt workflow and their ability to cripple systems and put IT staff well into overtime.

The pace at which wireless LANs are being adopted by companies in Australia has led many to consider the advantages of wireless integration, however increased mobility poses the very real threat of opening the door to an intruder inside their network through either lax or ineffective policies, protocols, unknowing staff or outdated software. Which, in turn, highlights the need for a robust network security.

Gartner research director Steve Bittinger said "everything security-wise is heading towards intrusion prevention as opposed to intrusion detection".

Bittinger added that in some ways intrusion prevention systems cost more, but the technology is far more effective.

"Previously, creating a fortress model for security was the way to go; having three firewalls back-to-back was supposed to have created an impervious external perimeter of security, but people have seen it as just not good enough because you need well-architected internal security," Bittinger said.

"If you look at what the Blaster virus affected (August 2003), while most organizations had adequate external security, the minute someone bought a laptop in it infected a high proportion of machines. This was because the internal architecture could not prevent a lapse in security; it is difficult to prevent staff from connecting PDAs and laptops.

"You are never going to be able to respond to threats fast enough, but what you can do is build systems and networks that are completely tolerant to threat. You do not have to have a specific virus signature to find an actual virus, what you need to do is design systems that limit the spread or impact and take a broader architectural perspective to network security.

"The immaturity level of understanding of security architecture is the challenge in business today."

Bittinger said the best way to ensure that business conducted online was failsafe and bulletproof was to push for ground rules for interaction between organizations that offer a level of trust.

"The culture of the industry now is driving to trust each other enough to interact; to run business throughout the world we need basic platform requirements like processes, policies, architecture, training, robust technology and now mutual certification," Bittinger said.

"Maybe we did not build enough security in the Internet to start with – after all it was created by academics who were not worried about security."

Bittinger said Microsoft's move to include a firewall into the operating system (Windows XP) is better than nothing and over time will push other vendors to follow suit.

IBM ANZ Tivoli security executive Con Yianakos said the biggest move in the IT industry currently is the move towards compliance as the marketplace moves away from network security firewalls back to policy level security.

"Corporate policies that address corporate security also now respond to regulations and are audit compliant in a way that is manageable for senior executives," Yianakos said.

"This will then lead to IT providing the technology to enable the policy shift from network and firewall to a substantial front-end policy in Australia and around the world.

"You have to ensure your network security not only keeps the bad guys out but also chooses who of the good guys are let in and how do we control it?

"Companies need to address security, not just for audit reports, but to build the processes and data management requirements that go way beyond protecting a hacker coming in."

Honeypots, heuristics and intrusion prevention are now the buzzwords for IT executives. Current intrusion prevention software has become a purpose-built arsenal for network security, allowing for the predictive modelling of potential infections and of course counteracting the dreaded spam.

Behavioural Anomaly Detection (BAD) technology is sweeping the industry at the moment, with one example being Tier-3's Huntsman software. The BAD software collects statistics of how a network is being used and detects abnormal behaviour in real time, building profiles of all enterprise events.

Heuristics take into account the total effect of suspicious activity over time making it possible to track suspicious behaviour which does not warrant an alert but when viewed in the context of past activity, may indicate a likely security threat.

Geoff Sweeney, chief technology officer for Tier-3 said heuristics are the way of the future, given the fact there is no way to predict what someone will be doing next so basing the software methodology on the basis of past attacks will just not cut the mustard.

"Most customers don't have an adequate and responsive method for detecting any type of intrusion because it comes in, incubates and then the network is down; it is very difficult to work out where it came in from because the switch is under so much load," Sweeney said.

"If you are first hit on a network you notice you are down when it stops working, but Huntsman can determine who is affected on a network on any scale and deal with the situation before it is too late.

"Huntsman works by collecting audit messages from the network telling you which machines are talking to each other and when. Then, using a series of agents which, depending on data source, it retrieves information from sources and firewalls and brings data back to the Huntsman central server which then begins the predictive modelling that you can see in real time."

The software then allows an IT manger to take back control of a network – or choose to trust the software currently in place.

"In autonomous mode, the software will make all decisions for you and respond automatically. When operating in manual mode it still gives set responses to potential worms, hacker and virus attacks; however, the system will not do anything without the decision being made by an IT staffer as to what is abnormal.

Sweeney said there is a baseline period where Huntsman learns about the network, how applications behave and which machines talk to others at particular times of the day in order to, for want of a better term, learn.

"Initially, the software makes no behavioural assumptions because everyone on a system behaves differently even though they have all the same gear, but Huntsman learns the network as people, applications and procedures change."

Education an effective weapon of choice

End user education is a favoured and effective weapon against attack.

Sure, using the best technology available can virtually guarantee a robust network and cut down on the time it takes to recognize potential security problems so that counter measures can be deployed. But a well-educated user base adds an integral and necessary defence layer to any network.

While no one expects users within an organization to possess the IT skills that would make them an effective unit to battle 'behind the lines', a little education into what viruses do, how they spread and how they can be recognized could dramatically cut down on the number of end-point incidents.

Brad Engstrom, security expert at Cisco, has details of just that experience, and considers a little user education an invaluable resource in keeping a network running.

For educational purposes only Engstrom went into detail regarding just one incident of when the Bagle virus first hit a network.

The initial Bagle virus infected systems when a user opened an e-mail attachment that contained the infection and in the example case, Engstrom said, an entire network could have been compromised through the simple process of opening an e-mail due to an end user's lack of education. "In a network of 37,000 desktops everyone received the attachment and 640 end users 'double clicked', opening the virus," Engstrom said.

"From those 640 users that opened the virus, 52 installed the virus, and they are a smart user base. But IT got the patches in place minutes too late. From this the organization learnt that 640 staff members needed e-mail training!"

In breaking news, heavyweights Cisco Systems and Trend Micro announced a partnership earlier this month which will see Cisco integrate Trend Micro's network worm and virus signatures with the Cisco Intrusion Detection System (IDS) software deployed in the IOS Software-based routers, Catalyst switches and network security appliances.

The initial integration is scheduled for the second half of 2004.

Engstrom said the development of the new system allows IT managers to deal with a virus issue and develop policies to stop viruses and people from installing the dangerous software.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about ANZ Banking GroupCiscoGartnerGartner ResearchGatewayGood GuysIBM AustraliaIPSMacquarie UniversityMacquarie UniversityMicrosoftNASARAGTivoliTrend Micro Australia

Show Comments