Intrusion detection: caught in its own web?

By David Braue
04 September 2003 04:20 PM
Tags: mssp, na, intruvert, iss, systems, flood, intrusion, detection


Intrusion detection appears to have hit the bottom of its hype cycle with a particularly loud thud. Is there value beyond the hot air, and how can you make it work productively?

There is something uniquely serene, hunters will tell you, about the thrill of the chase. It's about quietly tracking some elusive piece of fauna, piecing together faint clues to figure out which direction it's gone, then lying in wait until it comes within range. The crack of a gunshot through the early morning mist, and one less deer or kangaroo roaming the countryside.

Now imagine the deer stalking you--running in a circle to double back behind you, then ransacking your 4WD, deflating your tyres, and drinking your beer while you chase its tracks in an entirely different direction. It may sound ridiculous--deer, after all, have no opposable thumbs and could never even open the door handles--but it's not entirely unlike the challenge that faces IT managers charged with the thankless job of maintaining the security of corporate networks.

No matter how hard they try, most companies are still far less secure than they want to be, and even less secure than they should be. Playing on fears both real and imagined--and fuelled by histrionic surveys showing the rate of virus attacks and security breaches skyrocketing--vendors have flooded the market with all manner of security products that will, they claim, help keep intruders away from your sensitive bits. Some of them work, but experience is gradually showing that many of them simply do not.

They do not, that is to say, work effectively unless they're being monitored by a security specialist with enough knowledge to use them appropriately. And in today's world of shrinking IT budgets, who's got any of those sitting around? In most companies, security is just another responsibility piled atop already inundated IT managers whose understanding of hacking techniques was fuelled more by movies like Swordfish and Sneakers than actual experience with the tactics of sneaky and persistent hackers.

Where there's smoke, there's a paradigm
For those sadly overworked IT staffers, intrusion detection systems (IDSes) must have seemed like a dream come true when they began emerging on the market in the late 1990s. Here, they were told, was a tool that would monitor individual systems (host-based IDS) and network traffic (network IDS) and flag suspicious activity. Even better, it could automatically disconnect the intruder, or trace the attack back to its source so the culprit's identity could be passed to law enforcement authorities.

It was like hiring a bouncer for the network gateway, an idea that was the dream of IT managers and a great-sounding business case for executives eager to be seen as proactive when it came to network security.

It's a pity it doesn't work. Or, to be more accurate, it's a pity that it works too well. IDSes, when installed on the average company network or server, do indeed capture incoming data.

They can, indeed, pick out anomalies such as the massive numbers of connection requests that typify a denial of service (DoS) attack. They can even, thanks to ever-improving technology, sniff out slow probes and penetration attempts spread out over hours or days that would slip under the radar of most other security systems.

Unfortunately, today's IDSes are still overly sensitive. The endless variety of networked applications used in the real world means that IDSes often raise the alarm when nothing untoward is going on, sending security response forces on wild goose chases that could mask a real attack, waste precious resources, and gradually desensitise security staff to their alarms. Given their extreme sensitivity, IDSes are the car alarm of the security world: often used but treated as background noise by many.

However effective they are, there's one thing that IDSes universally do well: generate data. Lots of it. So much, in fact, that after a few weeks, anecdotal reports from multiple sources suggest that a growing number of customers are doing just one thing with their IDSes: switching them off.

"People believe IDS is a technology that will solve problems, but they quickly realise that it takes a lot of knowledge to be able to operate it in an efficient way," says Pierre Noel, international security strategist with security consulting firm TruSecure.

Noel recounts the experience of one customer: a large government organisation with a very popular Web site that wanted to secure its network. The organisation purchased an IDS as part of a larger information security tender, but quickly found that the system was collecting so much data--600MB per day--that it was quickly filling up the IDS server's hard drive.

Worse still, legal requirements meant the organisation had to keep its data for seven years, which forced it to develop a way of regularly copying the data to CD, then making the CDs available in the enterprise data centre. Needless to say, this sort of policy was hardly conducive to helping the IDS sift through mountains of data to pick out network attacks.

Such anecdotal evidence highlights both the technical challenges that IDSes introduce, and the low level of understanding among customers expecting the applications to work as fire-and-forget solutions. For Noel, the difficult reality of IDS deployment suggests that the technology in its current state has a very limited lifespan.

"I could personally say that after about 15 days, about 50 to 70 percent of customers that purchased an IDS just turn it off," he says. "Most customers will continue to see no obvious value in installing IDSes, and I believe that [standalone] IDSes will disappear."

That sentiment was echoed in a widely circulated research report issued in June by Gartner, which placed IDSes on its Information Security Hype Cycle and predicted that high rates of false alarms, the need for the IT team to monitor an IDS 24x7, a "taxing incident-response process", and IDSes' inability to keep up with network traffic at rates above 600Mbps would render the technology obsolete by 2005.

New acronym, same product
Gartner's appraisal of the IDS market raised hackles with supporters of the technology, and was dismissed as laughable by more than a few of the IDS users who had found ways to turn IDSes to their advantage. Still, it comes as little surprise that many vendors chose simply to distance themselves from the IDS label and instead began touting their products as IPSes (intrusion prevention systems).

Ask the vendors to define what an IPS is, and it may sound very familiar. Conceptually, intrusions can only be prevented outright by having 100 percent effective security, and that, as is often said, is an ideal that is virtually impossible and very expensive to attain. Short of that, you will only ever deal with intruders once they have begun attacking the network; the key, then, is how quickly you can detect the attack and respond to it.

None of this is improved by simply creating new three-letter acronyms. "I passionately believe there's no such thing as intrusion prevention," concedes Dick Bussiere, Asia-Pacific chief technology officer of Enterasys Networks, which offers intrusion detection capabilities through its Dragon Intrusion Defence System.

"It's pure marketing, and people are being led to believe that they can prevent intrusions. I believe in [IDS] technology and believe it's going to provide some value, but it's still a few years off to really be trusted. It's going to be a slow and evolutionary process."

That's not, however, to say that an IDS can't provide some value now; the key is to choose your battles, and avoid jumping headfirst into technology you don't understand. Start small, perhaps first running the system in detection-only mode, alerting but not blocking traffic, so you can see what would have been filtered out and how many of those alerts are false positives. Then introduce selective prevention, blocking only well-understood, known attacks such as SYN flooding. Only then consider going the whole hog, where the IDS uses anomaly-based heuristics to flag behaviour that deviates from a learned baseline; that is also where false alarms climb, and a false alarm in blocking mode is a self-inflicted denial of service, which is why the detection-only figures matter before any blocking is switched on.

Most companies, however, will struggle to make effective use of in-house IDSes. "It's the symptom of an age-old problem," says Michael Warrilow, the META Group's Asia-Pacific research analyst for security and risk strategies. "Technology on its own is never going to solve a problem."

That's why the IDS could well be the killer app that drives the corporate world into the arms of emerging managed security service providers (MSSPs).

Calling on the advice--and manpower--of an MSSP can be invaluable in helping release the technology's value. Just as a conventional security firm would provide an instant response service when monitoring your company's physical alarms, an MSSP employs teams of security-trained staff who will take over the nasty parts of running an IDS: watching for problems, sorting out the large number of false alarms, and taking appropriate action should a real threat be detected.

Unless companies are ready to pay exorbitant sums to hire and keep their own security specialists, the decision to hire an MSSP is a no-brainer for anyone who is serious about tightening information security. "If you want to do IDS right, you need an MSSP," says Bussiere. "I don't think most organisations have the staff to actually analyse what one of these things is trying to tell them. Given the expense of such people, the smaller organisation is always going to have to rely on MSSPs."

Because security is all they do, MSSPs can provide unrivalled depth of knowledge about network attacks and how to prevent them. They may also have access to sophisticated tools providing capabilities such as event correlation, which helps moderate the flood of IDS alarms by grouping related events so they can be dealt with collectively rather than individually.

Even with the help of an MSSP, however, companies need to temper their expectations of the technology: it can take a long time before an anomaly-based system has learned enough about normal network traffic to tell a genuine anomaly from an unusual but legitimate application, and before a signature-based system's rule set has been tuned to the environment. "IDSes can take three to six months to bed down, and it takes an enormous amount of effort to do that," says Arthur Argyropoulos, CEO of Zento, an MSSP that manages IDSes for 10 of its 45 MSSP customers.

Argyropoulos concedes that waiting for an IDS to get up to scratch can be frustrating for customers, but believes the technology will ultimately prove its worth. "The value that you get over those three months is negligible, and probably negative if you did an ROI calculation," he says. "Even when it's bedded down, you're still getting around 80 percent of alerts being false positives. But we've built a correlation engine that brings this down to maybe 50-60 percent of alerts being false positives."

As with everything in IT security, it's important to develop formal, written policies that set out business objectives and rules. Security technologies--IDS or otherwise--then mirror and enforce those policies, which is what turns a generic alarm into one that means something in your environment. For example, it's a pretty safe bet that most of your employees won't be trying to log in between midnight and 6am; a login during those hours, an unusually large volume of traffic, or repeated attempts to log in under one particular user ID would all suggest something strange is going on, and each can be written down as a rule that the IDS and its analysts check against.
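As an added example (not code from the article, from Zento, or from any vendor it mentions), here is how the two policy rules just described, logins during off-hours and repeated failed attempts under one user ID, can be expressed as detection logic and then run through the kind of event correlation described earlier, which groups related alerts into a single incident so an analyst deals with them collectively. It runs over a handful of constructed sshd syslog lines; the host name, user IDs, addresses, thresholds and time windows are assumptions, as is the year 2003 supplied for the year-less syslog timestamps.

```python
"""Policy rules over an authentication log, followed by alert correlation.

Rule 1 (off-hours): any login attempt between 00:00 and 06:00 is flagged.
Rule 2 (brute force): BRUTE_THRESHOLD or more failures for one user ID
                      inside BRUTE_WINDOW.
Correlation: alerts with the same (rule, user, source) that start within
             CORR_WINDOW of an incident's first alert are merged into it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2003                       # assumed: syslog timestamps carry no year
OFF_HOURS_END = 6                     # policy: nobody should log in before 06:00
BRUTE_THRESHOLD = 3                   # failures for one user ID ...
BRUTE_WINDOW = timedelta(minutes=5)   # ... within this window trip rule 2
CORR_WINDOW = timedelta(minutes=10)   # related alerts this close are one incident

# Constructed sample input (hypothetical host, users and addresses), deliberately
# not in time order, as rotated or merged logs often are not.
SAMPLE_LOG = """\
Sep  4 09:12:01 gw sshd[2101]: Accepted password for jsmith from 192.168.1.20 port 50211 ssh2
Sep  4 03:02:11 gw sshd[2188]: Failed password for admin from 10.0.0.5 port 43122 ssh2
Sep  4 03:02:13 gw sshd[2189]: Failed password for admin from 10.0.0.5 port 43123 ssh2
Sep  4 03:02:14 gw sshd[2190]: Failed password for admin from 10.0.0.5 port 43124 ssh2
Sep  4 03:02:16 gw sshd[2191]: Failed password for admin from 10.0.0.5 port 43125 ssh2
Sep  4 03:02:18 gw sshd[2192]: Failed password for admin from 10.0.0.5 port 43126 ssh2
Sep  4 03:40:00 gw sshd[2250]: Accepted password for backup from 192.168.1.9 port 50300 ssh2
Sep  4 14:20:05 gw sshd[2401]: Failed password for jsmith from 192.168.1.20 port 50400 ssh2
Sep  4 14:20:09 gw sshd[2402]: Accepted password for jsmith from 192.168.1.20 port 50401 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port"
)


def parse_line(line):
    """Turn one sshd syslog line into an event dict, or None if it is not a login record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(events):
    """Apply both policy rules to the events in time order; return every raw alert."""
    alerts = []
    failures = defaultdict(deque)            # user ID -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ts"].hour < OFF_HOURS_END:    # rule 1: any attempt, successful or not
            alerts.append({"rule": "off-hours-login", **ev})
        if ev["result"] == "Failed":         # rule 2: sliding window per user ID
            q = failures[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > BRUTE_WINDOW:
                q.popleft()                  # forget failures outside the window
            if len(q) >= BRUTE_THRESHOLD:
                alerts.append({"rule": "repeated-failed-login", **ev, "count": len(q)})
    return alerts


def correlate(alerts):
    """Merge alerts sharing (rule, user, source) within CORR_WINDOW into one incident."""
    open_incidents = {}
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["rule"], a["user"], a["src"])
        inc = open_incidents.get(key)
        if inc is None or a["ts"] - inc["first"] > CORR_WINDOW:
            inc = {"rule": a["rule"], "user": a["user"], "src": a["src"],
                   "first": a["ts"], "last": a["ts"], "alerts": 0}
            open_incidents[key] = inc
            incidents.append(inc)
        inc["last"] = a["ts"]
        inc["alerts"] += 1
    return incidents


def analyse(log_text):
    """Parse, detect and correlate; returns (raw alerts, incidents)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = detect(events)
    return alerts, correlate(alerts)


if __name__ == "__main__":
    raw, incs = analyse(SAMPLE_LOG)
    print(f"{len(raw)} raw alerts collapsed into {len(incs)} incidents")
    for inc in incs:
        print(f"{inc['rule']:22} user={inc['user']:7} src={inc['src']:13} "
              f"{inc['first']:%H:%M:%S}-{inc['last']:%H:%M:%S} alerts={inc['alerts']}")
```

On the sample, the five failed `admin` attempts at 3am trip both rules and produce eight alerts between them, the `backup` login at 03:40 a ninth; correlation collapses the nine to three incidents, one per (rule, user, source), which is the volume an analyst can actually read. The thresholds are the tuning knobs the article says take months to get right: set `BRUTE_THRESHOLD` too low and every fat-fingered password becomes an incident, too high and a slow guess stays below the line.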

Argyropoulos says Zento, as a security company, has learned how to shape its IDS practice around its own experiences as a target for hackers. "The level of activity peaks at around 3am," he says. "We're talking thousands of alerts coming through."

Another important point for companies drowning in software vendors' marketing-speak, he adds, is that IDSes don't have to be expensive: just consider Snort, a free, open-source network IDS currently at version 2.0.1, which can be a real eye-opener for companies keen to get a better grasp of the traffic flowing over their network. Snort may well be enough for many businesses, or it can at the least serve as an introduction to the more complex commercial systems offering more sophisticated features such as integration with firewalls and other network security elements.
