IDS: Alarms, Not Walls

Acronyms and coined phrases bedevil us, but during 2002, we probably aren't getting rid of them.

If you are concerned with crackers, viruses and denial-of-service attacks, then read on.

IDS (intrusion detection systems) is one catch-phrase that we will suddenly hear used far more frequently. Standing in the office near the water dispenser and the HR bulletin board, we'll hear it tossed around by people who don't know the basic distinction between signatures and heuristics, nor the historical evolution of network and systems intrusion detection products. Is this good, or bad?

It doesn't matter. The relevant fact is that they now care. Suddenly, IDS is one of the top CIO-level acronyms.

Consensus has always been slow to catch up with the facts about complex technologies. As a result, IDS sales have grown, but the products are probably not as well understood as they should be. Perhaps this is because many people have believed that a prophylactic approach could work by walling off intruders. The modern mind often harbors a decidedly medieval brand of thinking, and one explanation is that even educated people have preferred to think of firewalls as a sizable 'moat' encircling and protecting their fortified keeps.

Medieval defenders fully expected sappers - the people willing to tunnel under the moat, then the walls, and then, game over. In order to counter this, the medieval fortress probably put listening post 'volunteers' in place, at bedrock level. Sappers were trying hard to get past the barriers, and they were determined to get in. I propose we use 'sapper' to denote a harmful intruder, based on the historical use of the term.

What has changed with the Internet is that nobody is forcing the sappers to try, and most of them won't die in the attempt. Walls are less effective, and they are porous.

Denying Intruders

Lessons: Alarms are the first line of defense, not walls. To circle back from the analogy, a coordinated combination of IDS and firewalls is integral to the overall defensive strategy of IT. This is an apt analogy to use in selling the idea of IDS to management: "Security is systemic, not element-based. Security is a process; it is not static."

The moat analogy works pretty well because this is what intrusion detection is all about. Perhaps you can use it to sell the idea to management, replete with blueprints for the moat. If that sounds workable, let me know if you can manage to sneak in the budget for a 'trebuchet' - a medieval siege catapult. If you can sell that idea, I'll buy you lunch anywhere near where you work.

Why is it time for people to accept the need for IDS? Events of 2001 (Sept. 11) changed the consensus that was established but not stated - that we can be rendered invulnerable. Nobody thinks that now.

Conceptually, intrusion detection is nothing new. In an IT context, the basic idea is to collect data about the behavior of networks and/or systems, analyze it for security purposes, and issue basic security reports about patterns that vary from the norm - or patterns that might require a security response. Although the category of products is broad, most IDSs filter out alarms and automated responses, such as those based upon content filters, network management tools or firewall policy rules.
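The two analysis styles the column alludes to, signature matching against known-bad patterns and flagging behavior that varies from a learned norm, can be shown side by side in a few lines. The following is an added example, not code from the article or from any vendor it names; the log lines, the signature rules and the baseline counts are all constructed for illustration, and the simplified "client path status" log format is an assumption.

```python
import re
import statistics
from collections import Counter

# Constructed sample log lines (not from the article): web-server requests
# in a simplified "client path status" format, one request per line.
SAMPLE_LOG = """\
10.0.0.5 /index.html 200
10.0.0.5 /about.html 200
10.0.0.7 /index.html 200
10.0.0.9 /cgi-bin/../../etc/passwd 404
10.0.0.7 /products.html 200
10.0.0.9 /login 200
10.0.0.9 /login 200
10.0.0.9 /login 200
10.0.0.9 /login 200
10.0.0.9 /login 200
10.0.0.9 /login 200
10.0.0.9 /login 200
10.0.0.9 /login 200
10.0.0.9 /login 200
10.0.0.5 /contact.html 200
""".splitlines()

# Signature rules: (name, compiled regex) pairs describing known-bad request
# shapes. These two are illustrative only.
SIGNATURES = [
    ("path-traversal", re.compile(r"(\.\./){2,}")),
    ("sensitive-file", re.compile(r"/etc/passwd")),
]

# Constructed baseline: per-client request counts observed during a period
# the operator regards as normal. The anomaly detector learns from this.
BASELINE_COUNTS = [3, 4, 2, 3, 5, 3]


def parse(line):
    """Split one constructed log line into its three fields."""
    client, path, status = line.split()
    return {"client": client, "path": path, "status": int(status)}


def signature_alerts(lines):
    """Signature detection: every line is tested against each known pattern.
    Returns (rule name, client, path) for each match."""
    alerts = []
    for line in lines:
        rec = parse(line)
        for name, rx in SIGNATURES:
            if rx.search(rec["path"]):
                alerts.append((name, rec["client"], rec["path"]))
    return alerts


def anomaly_alerts(lines, baseline=BASELINE_COUNTS, z=2.0):
    """Anomaly detection: a client is flagged when its request count exceeds
    mean + z * stdev of the baseline, i.e. it varies from the norm rather
    than matching any specific signature. Returns (client, count) pairs."""
    counts = Counter(parse(line)["client"] for line in lines)
    threshold = statistics.mean(baseline) + z * statistics.pstdev(baseline)
    return [(client, n) for client, n in counts.items() if n > threshold]


if __name__ == "__main__":
    for alert in signature_alerts(SAMPLE_LOG):
        print("signature:", alert)
    for alert in anomaly_alerts(SAMPLE_LOG):
        print("anomaly:", alert)
```

Note that the two detectors catch different things: the signature rules fire on the single traversal request regardless of who sent it, while the anomaly rule fires on the client whose volume is out of line with the baseline even though each individual request looks benign. That difference is why the page treats the signature/heuristic distinction as basic vocabulary.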

These systems are 'nothing new' because fraud detection and other pattern-recognition applications have been used for years in commercial applications. When you use your credit cards in an unfamiliar location, a fraud detection system may evaluate the behavior, correlating the type and amount of purchase against your user profile and other aggregated statistics in order to prevent theft. These commercial applications, which have been around for years, help secure services across networks, registries and financial back-ends; they are generically known as 'data mining' products.

IDS is data mining in the specific context of security. In practice, the IDS market is a wide-open opportunity, with only a few companies, such as ISS, having commercialized it on a relatively large scale. Product vendors also include network systems companies and others seeking to offer secure product lines.

Recently, I spoke with an expert about the outlook for 2002, and it was no surprise that the conversation shifted entirely to the coming boom in intrusion detection services. This expert, who works for high-profile security clients in government and international enterprises, sees IDS as fundamental to what he does in security.

Ken Ammon, CEO of NETSEC, runs a managed security services firm with service offerings in managed firewall and intrusion detection. Many of the services NETSEC has developed are custom, including hands-on businesses like incident response, but the core of his security services, he says, are managed services, which he makes every effort to deliver as "cookie-cutter services, designed to provide good systems management."

Here are some points Ken made that may prove useful to you:

  • IDS is the number one issue for 2002: "If you are chief infosecurity officer and don't have an IDS, getting one will be your number one priority, because your industry competitors are taking care of it right now."
  • Reporting is key: "A big international customer has used our service because they had no real-time reporting on compliance. This is a big benefit of IDS: regular reporting on compliance and audits of system changes." Ken notes that in the wake of the Code Red and Nimda attacks, NETSEC has been able to "notify customers what time of day the sweeps would hit them."
  • Customization is inherent: The generic requirement is that managers want to know when the "good guy/bad guy" policy is working. The anecdotal sale for managed service is telling the CEO her kids' credit card numbers (after sapping their laptop). However, "company policies are unique, and managed services players can adapt their reporting only if they have a system that can meet scalability requirements."
  • Filtering alerts is needed: "NETSEC handles over 5 million alerts a day, and without analysis, this data is useless. The value of our managed service is filtering through these alerts and handling response. For one customer where the CEO created the policy, over 40 percent of alerts were from, requiring us to filter alerts defined outside of their access control policy, and leading to a new configuration issue."

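The filtering problem in the last bullet, alerts about traffic that the access control policy never permits in the first place, can be handled mechanically before an analyst sees anything. The following is an added example, not NETSEC's or the article's code; the policy table, the alert tuples and the signature names are constructed for illustration, and the idea that an alert on already-denied traffic is low-priority noise rather than an incident is the design assumption being demonstrated.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed access control policy: (source network, permitted destination
# port). Anything not listed is outside policy and expected to be blocked
# at the firewall, so an IDS alert about it is not an active intrusion.
POLICY = [
    (ip_network("192.168.1.0/24"), 80),
    (ip_network("192.168.1.0/24"), 443),
    (ip_network("10.10.0.0/16"), 22),
]

# Constructed raw alert stream as (signature, source, destination port).
RAW_ALERTS = [
    ("web-scan", "192.168.1.20", 80),
    ("web-scan", "192.168.1.20", 80),
    ("web-scan", "192.168.1.20", 80),
    ("ssh-bruteforce", "10.10.4.8", 22),
    ("ssh-bruteforce", "10.10.4.8", 22),
    ("smb-probe", "172.16.0.3", 445),        # source not in any policy entry
    ("smb-probe", "172.16.0.3", 445),
    ("telnet-probe", "172.16.0.9", 23),      # source not in any policy entry
    ("ssh-bruteforce", "192.168.1.77", 22),  # network allowed for 80/443 only
    ("web-scan", "192.168.1.21", 443),
]


def in_policy(src, dst_port):
    """True if the policy permits traffic from src to dst_port."""
    addr = ip_address(src)
    return any(addr in net and port == dst_port for net, port in POLICY)


def triage(alerts):
    """Split alerts into those on permitted traffic (actionable: the firewall
    let it through, so the IDS is the only thing that saw it) and those on
    traffic already outside policy (noise to count, not to page anyone for)."""
    actionable, outside = [], []
    for sig, src, port in alerts:
        (actionable if in_policy(src, port) else outside).append((sig, src, port))
    return actionable, outside


def summarize(alerts):
    """Collapse repeated alerts into counts keyed by (signature, source, port)
    so a burst of identical events reads as one line with a count."""
    return Counter(alerts)


def noise_ratio(alerts):
    """Fraction of the stream that was outside policy; a high value points at
    a firewall configuration problem rather than at an attacker."""
    _, outside = triage(alerts)
    return len(outside) / len(alerts)


if __name__ == "__main__":
    actionable, outside = triage(RAW_ALERTS)
    print(f"{len(outside)} of {len(RAW_ALERTS)} alerts outside policy "
          f"({noise_ratio(RAW_ALERTS):.0%})")
    for key, n in summarize(actionable).most_common():
        print(n, key)
```

The ratio is the number worth reporting upward: a stream where a large share of alerts concern traffic the policy already denies is evidence that the filtering layer and the detection layer are not coordinated, which is exactly the "walls plus alarms" point the column is making.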
NETSEC has built its managed services, including monitoring and reporting, around an IDS product initially developed by Dragon Systems and later acquired by Enterasys as part of a networking and layer 2 switching product line.

Last week I read my calendar. It said this: "2002 is the year of the IDS." For those of you who feel pressured, I understand that the Chinese New Year, the Year of the Horse, begins on February 12. That means that there's still time to be self-reliant, to take care of IDS for 2002!

Barton Taylor is a partner with Giotto Perspectives, an industry analysis firm researching security and policy management services. He can be reached at [email protected]
