Sales of IDS software licenses are expected to soar as users adopt the technology. Pitfalls remain in installation and management.
By Garry Kranz
Enterprises pondering intrusion detection technologies as part of an overall security strategy may want to take their cue from Forsyth Institute. Twice during 2001, the Boston-based nonprofit research organization suffered system outages caused by hackers. It also was infected, like many other enterprises, with the NIMDA virus. "During a period of four weeks over the summer, I think we experienced network downtime of about 15 to 20 hours," said Doug Hanson, executive director of information systems.
The service interruptions meant employees weren't able to retrieve email and other online services, but also raised concerns that important information might be at risk. After re-evaluating its security posture, Forsyth decided to add intrusion detection tools to provide another buffer of protection. In September, it implemented an intrusion detection technology product provided and remotely managed by SecureWorks Inc. of Atlanta, Ga. Since then, Hanson said, "we have not experienced any network downtime and the virus attacks have stopped."
To install or not to install
Intrusion detection is a security-management system for computers and networks, consisting of special software and sophisticated network sensors. These systems, sometimes called IDS, usually are sold as a package and used to monitor network activity. Information being transmitted across computer networks is gathered and analyzed to detect -- and where possible, prevent -- potential security breaches.
There are two basic types of intrusion detection: network-based and host-based. Network-based systems examine each packet of information, looking for protocol anomalies and known virus signatures. Host-based systems, which are used for individual machines as opposed to networks, read log files, look for inadvisable settings or passwords and other potential policy violations.
Intrusion detection picks up where firewalls leave off. It can be especially critical for enterprises that rely heavily on the Internet to conduct business, said John Pescatore, research director for Gartner Group in Stamford, Conn. "Firewalls do a good job of keeping the 'bad guys' out. Once you start using inbound connections, like e-business or remote access, you poke holes in that firewall. Intrusion detection is a way to make sure that only the 'good guys' remotely access your network."
The chief advantage of network-based systems is that IDS software doesn't have to be installed on every server, as is the case with host-based systems, said Pescatore. "Software installation on individual machines can be horrendously expensive, but keeping the software live, or running constantly, is even more costly."
When alarms have sounded
It's not unheard of for enterprises to cobble together intrusion detection using network- and host-based systems in conjunction. "Generally our advice is to start with network-based IDS at the trust boundaries, like your connections to the Internet or connections to business partners," said Pescatore. "The biggest reason (to start small) is that it takes a lot of work to monitor intrusion detection, especially when you first get started."
Indeed, adding intrusion detection can be like "getting a Christmas puppy," said Pete Lindstrom, director of security strategies for Hurwitz Group of Framingham, Mass. "It sounds like a wonderful idea, until you go and visit your in-laws and you come back to find it's peed in the corner and torn up your couch."
Adding intrusion detection may necessitate hiring new IT professionals and almost certainly will require loads of administrative attention. "Intrusion detection requires care and feeding. You have to watch it," added Lindstrom.
The biggest management headache is separating true threats from false alarms. This is similar to a smoke detector that sounds an alarm even when there is no fire. Eventually, you'll either turn it off or ignore it altogether. "It's the same with IDS. If it's signaling an intrusion and it turns out that's just the way your system works normally, then it's going to cause you a lot of work just finding the false alarms," Pescatore said.
Your IT staff may have to tune intrusion-detection sensors several times to reject false alarms. Also, should you later make changes to your network, such as moving to Windows NT from NetWare, the tuning will change and have to be reset.
Not one size fits all
"The first thing I would be concerned with is where I need intrusion detection: Do I need it at the application level or at the network level? Am I worried about what's happening inside, or simply at the edge of my network?," said Eric Hemmendinger, an information security analyst with Aberdeen Group of Boston.
Despite the administrative costs and management burden, sales of IDS software licenses suggest the technology is gaining steam with users. Gartner Dataquest says U.S. licensing revenue will grow 32% in 2002 to $249 million. By 2004, revenue is forecast to approach $358 million in the U.S.
Costs for these systems can vary wildly, which can make it difficult to get hard-and-fast pricing variables for matching comparable products. A handful of large vendors -- Computer Associates, ISS, Symantec Corp., Network Associates -- provide customized IDS, mostly to larger enterprises. Small to midsize enterprises frequently turn to off-the-shelf applications. "You have some companies like ISS -- all they sell is intrusion detection. They can't really discount very steeply," said Pescatore. "You have (other) companies like Cisco, which sells many things, and they could decide, 'Hey, we're selling this company $10 million of switching equipment, we'll give them a big discount on intrusion detection.' So it's not unusual to see a range of two to one in pricing."
Regardless of your company's size, it's important to first do a security audit to assess your network's vulnerabilities, said Lindstrom. "You need to know what information you want to protect and the network paths people use to access that data. Then you need to deploy your resources to protect the data."
Garry Kranz is a freelance business and technology writer based in Richmond, Va.
MORE INFORMATION ON THIS TOPIC:
>> Go to searchSecurity for additional resources on intrusion detection at http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281928,00.html
>> Visit searchSystemsManagement for more information on securing your network and servers at http://searchsystemsmanagement.techtarget.com/bestWebLinks/0,289521,sid20_tax288450,00.html.
SPONSORED BY: EMC
IS YOUR BUSINESS PROTECTED?
See Industry-Leading Business Continuity Software in Action
Make your business safer and more productive-every day of the year. Watch our online demos and learn how to protect your information through real-time, remote data mirroring. You'll also discover how to work more productively and lower IT costs with software solutions that enable you to:
* reduce backup time
* test applications and speed application development
* load data warehouses and more
>>View the EMC business continuity software demos at http://ad.doubleclick.net/clk;3910850;5058249;k?http://www.emc.com/techtarget/v20/index.html.