Last Christmas, five technical support staffers at Boston-based American Tower Corp., a company that builds and manages cellular communications towers in the U.S., Mexico and Brazil, spent the festive season scanning all of the company's 2000 Windows workstations for a variant of the Sobig virus.
"It does not matter how good our perimeter security is. Somebody is always going to introduce a new virus by using Hotmail or bringing their laptop home," said Rob Sherman, American Tower's manager of IT security and network operations.
The company had to scan and fix each workstation manually, a tedious, labor-intensive and expensive task, so it bought anomaly network protection software from Mazu Networks. Mazu is one of a new breed of network security programs that detects attackers by their behavior rather than by their signature. The software works by building a picture of the network traffic and comparing it to behavior that's unusual or suspicious.
In March, when the company was hit with the Welchia-B virus, the software not only notified network security staff of infected machines, it also provided a list of computers they were communicating with.
"The software realized that this was out of the ordinary because until then that machine had only ever connected to a mail server and a file server, so it knew that the machine was probably infected with a virus," said Sherman.
This approach to security is creating a new market, which the Yankee Group estimates will be worth in excess of $300 million for 2004, and is expected to grow to at least $400 million per year by the end of 2008.
"We are seeing a trend where the traditional perimeter is moving back toward the application," said Eric Ogren, a senior analyst, security solutions and services, at the Yankee Group. "It's no longer practical to build a firewall that keeps all people out because the business environment often demands we open our systems."
Mazu Networks is not the only company providing anomaly-based security software. Other vendors include Arbor Networks Inc., Top Layer Networks Inc., Lancope and Network Associates Inc. Riverhead Networks and Okena Inc. were both recently acquired by Cisco Systems. Most are similar in that they use anomaly detection to spot unauthorized behavior, but all have different techniques for achieving this end.
Okena, for example, translates network behavior into a mathematical equation and compares that against previous equations. Mazu's Profiler software records a baseline of all network traffic over time and uses it as an example of "normal" behavior.
"You need this approach because you need to able to distinguish between a busy day, say the end of a quarter and a denial-of-service attack," said Tom Corn, vice president of marketing at Mazu Networks. "For many of our customers, perimeter protection is good but not enough because they have partners, offshore contractors and suppliers who need access to their networks."
Is this the latest and greatest gadget, or something that is here to stay? "We believe that it's the next wave in network security," said Jeff Platon, senior director of product and technology marketing for Cisco Systems. "We've tripled our install base since introducing it into products."