Users and Vendors Speak Out: Intrusion Detection and Prevention

Transcription

1 Market Analysis Users and Vendors Speak Out: Intrusion Detection and Prevention Abstract: With network security concerns multiplying, intrusion protection systems are a hot commodity. But don't count out intrusion detection systems just yet. They still offer useful forensic and legal benefits. By Elroy Jopling and Andy Rolfe Strategic Market Statements An intrusion protection system (IPS) represents a new technology in the early stages of the Hype Cycle, so expect the hype to intensify and disillusionment to follow; it does offer a significant degree of future potential that enterprises should keep abreast of and test on noncritical applications. Even though we went through a lot with the intrusion detection system (IDS) in false positives and performance issues, don't throw them out as they can be useful because of the detail they provide for attack signatures, which can be of forensic and legal benefit. Automated patch management systems are further along than most enterprises are aware and should be reviewed for their primary purpose of ensuring all users stay up to date with the latest patches; automated patch management can provide a methodology for ensuring a new user comes on to the system with the correct security posture to ensure the last defense the patch is there. Publication Date:4 August 2003

2 2 Users and Vendors Speak Out: Intrusion Detection and Prevention Introduction IDS has proved to be of questionable value. At the same time, IPS and automated patch management, although in their infancy, seemingly offer significant potential. Unfortunately, in a parallel, hacker attacks have become more efficient, and the velocity of the propagation of these attacks has increased greatly. Enterprises must simultaneously follow the evolution of these technologies and attacks. (Note: The body of this Perspective reflects the thoughts of users and vendors, not specifically those of Gartner. The users' and vendors' thoughts are from the Gartner IT Security Summit 2003 as part of Sector5 telecommunications and information services users and vendors industry panel discussions.) Intrusion Detection, Response and Prevention IPS is within the early stage of moving up the Gartner Hype Cycle (see "Hype Cycle for Transportation Technologies, 2003," R ), with two to five years before reaching the adoption plateau. IDS is considered obsolete before having reached the adoption plateau. IDS tried to characterize attacks by "malicious signature" (a profile that might indicate trouble). IPS looks at more specifics such as known hacks, protocol violations and abnormal traffic conditions. In some ways, IDS tried to catch everything, failing to do so because of false positives. IPS should be much better at preventing (and not just finding) known hacks and actual violations, but not so good at identifying malicious behavior. IPS is a tool to prevent attacks. If a new attack occurs, a worm may be created to run wild on your system. No patch is available for this. Even with a patch, if you have 100 systems and take 10 person hours per machine to patch, it will cost 1,000 person hours obviously taking too much time. With an accurate reliable signature of the attack, the IPS can peel off trafficasitentersyoursystem. A multimethod approach of doing intrusion detection is required, for example, upfront protocol validation and checking the uniform resource locator (URL) against a set of absolute values from a signature file. Where are users placing the IPS in position to the firewall? Forty percent before, 40 percent after and 20 percent are for dedicated systems (for example, Web farms and hosting facilities). An IPS may stop the problem, but it is not a cure. A patch may be required Gartner, Inc. and/or its Affiliates. All Rights Reserved. 4 August 2003

3 3 Don't Throw Out Your IDS IDS may be a technology that has come and gone or has it? For many users, IDS is considered a waste of money. But then again, the waste may be the result of the people who interpreted the results. In the last few years, we have suffered through a lot with IDS, including a number of false positives and performance issues. However, don't throw out your IDS just yet. IPS may stop an attack, but it does not keep the full "flavor" of the signature. IDS can be useful for forensics and legal reasons. A hacker will use some sort of vulnerability-scanning tool to see what holes you have. Not all hackers are equal; some will leave traces in your IDS logs that can lead to their apprehension. Security Patches and Patch Management No software will be perfect: Security patches will always be a requirement as the last defense. Software has become more complex, with various versions, numerous patches and resulting impacts with other applications. Software has become a living entity. When vendors make new patches and fix a major vulnerability, they also fix five or six unknown or hidden vulnerabilities, effectively complicating the assessment of a new patch. With more enterprises getting on the Web, the speed required to get patches out is becoming a significant issue. Most enterprises don't realize the technology is available for automated patch management. Ninety-nine percent of the people hit with the Slammer virus didn't have a policy in place to manage the existing patch. Some enterprises want their system shipped with security on. Tools are available so that when you plug in a new computer it is automatically updated with the patches you have defined. Patch management systems will become more automated and will include software updates for the firmware in the network hub, routers and switches, handheld devices, and wireless. What's Next? Slammer's Conspiracy Theory The speed of replication of new attacks raises frightening possibilities. Slammer just tried to replicate itself. Seventy thousand hosts were infected in 30 minutes Gartner, Inc. and/or its Affiliates. All Rights Reserved. 4 August 2003

4 4 Users and Vendors Speak Out: Intrusion Detection and Prevention Gartner Dataquest Perspective Slammer may be just the warm-up, as it infected but didn't do anything significant. Its damage could have been much worse: It could have formatted the hard drive. Hackers continue to increase the velocity of the attacks as though they are fine-tuning their exploits, getting the algorithms right, seemingly preparing for the next wave of attacks. Slammer was many times faster than Code Red. The threat of "cyberterrorism" has become much more of a reality. Other Vulnerabilities and Concerns Still more vulnerabilities and concerns exist: Many old hubs, routers and switches are out there running on vulnerable old firmware. Expect to see hackers begin to attack these older systems. In the last couple of years, "denial of service" attacks have become more common and much more expensive. They will persist because of fundamental problems with Transmission Control Protocol (TCP)/Internet Protocol (IP). IPS is a new technology in the early stages of the Gartner Hype Cycle. Expect to see IPS garner more press and more enterprise interest, as conceptually it is a sound idea meeting a real enterprise need. With the hype will follow an overestimation of IPS's capabilities and the resulting slide down the Hype Cycle. The question is, with what velocity will IPS drive through the Hype Cycle? Considering enterprise interest, this velocity may be fairly rapid. It will become a replacement for IDS, but its relationship to IDS may also be a retarding factor, as enterprises are "once burned, twice shy." IPS represents a technology that enterprises should track and, where applicable, a methodology to test on noncritical applications. IDS has ridden the waves of the Hype Cycle and now languishes in the Hype Cycle's Trough of Disillusionment a final resting spot. Don't throw out your existing IDS as it has value from a forensics and legal resource perspective. But equally, don't invest further in the technology. Security attacks are bad enough, but knowing an attack could have been preventedwithanavailablepatchmakesitmuchworse.theformerhas been accepted as a cost of doing business, while the latter has become a legal liability to the enterprise. Patches are the last defense and the final solution. Automated patch management tools can represent a methodology to ensure patches are applied, but also a methodology to ensure new users are up to date before even entering the enterprise network. It will get worse before it gets better. Slammer may be a precursor to the speed of attacks to come, and if the attacks become more vicious (an extra few lines of code), the ramifications could be catastrophic Gartner, Inc. and/or its Affiliates. All Rights Reserved. 4 August 2003

5 Moreover, it will become more complex before it becomes simpler. As networks, hardware and applications become faster, the threat is heightened, and the processing speed required to change from detection to prevention must be faster. The costs of preventing intrusion will become more expensive. 5 Key Issue How are network security concerns impacting enterprise communications networks? 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. 4 August 2003

6 6 Users and Vendors Speak Out: Intrusion Detection and Prevention This document has been published to the following Marketplace codes: TELC-WW-DP-0570 For More Information... In North America and Latin America: In Europe, the Middle East and Africa: In Asia/Pacific: In Japan: Worldwide via gartner.com: Entire contents 2003 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice