Users and Vendors Speak Out: Intrusion Detection and Prevention



Market Analysis

Abstract: With network security concerns multiplying, intrusion prevention systems are a hot commodity. But don't count out intrusion detection systems just yet. They still offer useful forensic and legal benefits.

By Elroy Jopling and Andy Rolfe

Strategic Market Statements

An intrusion prevention system (IPS) represents a new technology in the early stages of the Hype Cycle, so expect the hype to intensify and disillusionment to follow. It does offer a significant degree of future potential that enterprises should keep abreast of and test on noncritical applications.

Even though enterprises went through a lot with intrusion detection systems (IDSs), in false positives and performance issues, don't throw them out: they remain useful because of the detail they provide on attack signatures, which can be of forensic and legal benefit.

Automated patch management systems are further along than most enterprises are aware and should be reviewed for their primary purpose of ensuring all users stay up to date with the latest patches. Automated patch management can also provide a methodology for ensuring a new user comes onto the system with the correct security posture, so that the last line of defense, the patch, is in place.

Publication Date: 4 August 2003

Introduction

IDS has proved to be of questionable value. At the same time, IPS and automated patch management, although in their infancy, seemingly offer significant potential. Unfortunately, in parallel, hacker attacks have become more efficient, and the velocity with which these attacks propagate has increased greatly. Enterprises must simultaneously follow the evolution of these technologies and of the attacks.

(Note: The body of this Perspective reflects the thoughts of users and vendors, not specifically those of Gartner. The users' and vendors' thoughts are from the Gartner IT Security Summit 2003, as part of the Sector5 telecommunications and information services users and vendors industry panel discussions.)

Intrusion Detection, Response and Prevention

IPS is within the early stage of moving up the Gartner Hype Cycle (see "Hype Cycle for Transportation Technologies, 2003," R-20-1558), with two to five years before reaching the adoption plateau. IDS is considered obsolete before having reached the adoption plateau.

IDS tried to characterize attacks by a "malicious signature" (a profile that might indicate trouble). IPS looks at more specifics, such as known hacks, protocol violations and abnormal traffic conditions. In some ways, IDS tried to catch everything, and failed to do so because of false positives. IPS should be much better at preventing (and not just finding) known hacks and actual protocol violations, but not as good at identifying malicious behavior that does not match a known signature.

IPS is a tool to prevent attacks. If a new attack occurs, a worm may be created to run wild on your systems, and no patch is available for it. Even with a patch, if you have 100 systems and it takes 10 person-hours per machine to patch, it will cost 1,000 person-hours, obviously too much time while a worm is propagating. With an accurate, reliable signature of the attack, the IPS can peel off the malicious traffic as it enters your system.

A multimethod approach to intrusion detection is required, for example, up-front protocol validation combined with checking the uniform resource locator (URL) against a set of absolute values from a signature file.

Where are users placing the IPS relative to the firewall? Forty percent before the firewall, 40 percent after it, and 20 percent on dedicated systems (for example, Web farms and hosting facilities).

An IPS may stop the problem, but it is not a cure. A patch may still be required.

2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. 4 August 2003
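The following is an added example, not code from the Gartner document or from any vendor it discusses. It is a toy inline inspector that combines the two checks the panel describes, up-front protocol validation and matching the request URL against a set of absolute values from a signature file, and it makes the IDS/IPS distinction concrete: the IPS decision is a single bit (forward or drop), while the IDS-style record keeps the full request so an investigator can see exactly what was sent. The signature IDs, URL paths, hosts and request lines are constructed for the demo and are not real signatures.

```python
"""Added example (not part of the Gartner document): a toy inline inspector
that runs protocol validation first and a URL signature lookup second, then
splits each verdict into an IPS action and an IDS-style evidence record.
Signatures, hosts and request lines below are constructed for the demo."""
import re
from dataclasses import dataclass, field

# Constructed "signature file": exact (absolute) URL paths.  Hypothetical
# signature IDs and paths; a real deployment loads these from a vendor feed.
URL_SIGNATURES = {
    "/cgi-bin/demo-backdoor.cgi": "SIG-DEMO-001 known CGI backdoor probe",
    "/admin/demo-exposed-config": "SIG-DEMO-002 exposed configuration file probe",
}

# Protocol validation: METHOD SP request-target SP HTTP/1.x, nothing else.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]{3,7}) (?P<target>\S+) HTTP/1\.[01]$")
ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # policy for this demo Web farm
MAX_TARGET_LEN = 2048                       # longer targets are treated as abnormal


@dataclass
class Verdict:
    action: str      # "forward" or "drop": the IPS decision
    reason: str      # signature ID or the protocol violation that fired
    evidence: dict = field(default_factory=dict)  # full detail retained for the IDS log


def inspect_request(src_ip: str, request_line: str) -> Verdict:
    """Protocol validation first, then the signature lookup on the URL path."""
    m = REQUEST_LINE.match(request_line)
    if m is None:
        return Verdict("drop", "protocol violation: malformed request line",
                       {"src": src_ip, "raw": request_line})
    method, target = m.group("method"), m.group("target")
    if method not in ALLOWED_METHODS:
        return Verdict("drop", f"protocol violation: method {method} not permitted",
                       {"src": src_ip, "raw": request_line})
    if len(target) > MAX_TARGET_LEN:
        # Keep a truncated copy plus the length so the log stays readable.
        return Verdict("drop", "abnormal traffic: oversized request target",
                       {"src": src_ip, "raw": request_line[:120] + "...",
                        "target_len": len(target)})
    path = target.split("?", 1)[0]   # signatures are absolute paths; query string ignored
    if path in URL_SIGNATURES:
        return Verdict("drop", URL_SIGNATURES[path],
                       {"src": src_ip, "raw": request_line, "path": path})
    return Verdict("forward", "clean", {"src": src_ip})


def run_inline(events):
    """Push (src_ip, request_line) pairs through the inspector.

    Returns (forwarded, dropped, ids_log): the first two are what an IPS
    would let through or peel off; the third is the IDS-style record that
    keeps the full "flavor" of each hit for forensics."""
    forwarded, dropped, ids_log = [], [], []
    for src, line in events:
        v = inspect_request(src, line)
        if v.action == "drop":
            dropped.append(line)
            ids_log.append({"reason": v.reason, **v.evidence})
        else:
            forwarded.append(line)
    return forwarded, dropped, ids_log


# Constructed sample traffic: one clean request, two signature hits, three protocol anomalies.
SAMPLE_EVENTS = [
    ("10.0.0.5", "GET /index.html HTTP/1.1"),
    ("10.0.0.9", "GET /cgi-bin/demo-backdoor.cgi?cmd=id HTTP/1.0"),
    ("10.0.0.9", "GET /admin/demo-exposed-config HTTP/1.1"),
    ("10.0.0.12", "get /index.html HTTP/1.1"),          # malformed: lowercase method
    ("10.0.0.13", "TRACE / HTTP/1.1"),                   # method outside policy
    ("10.0.0.14", "GET /" + "A" * 3000 + " HTTP/1.1"),   # oversized target
]

if __name__ == "__main__":
    fwd, drp, log = run_inline(SAMPLE_EVENTS)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for entry in log:
        print(entry["src"], "|", entry["reason"], "|", entry["raw"])
```

The ordering matters: the protocol check runs before the signature lookup, so a request that is not even well-formed HTTP never reaches the signature table, and the query string is stripped before matching so that a signature expressed as an absolute path is not bypassed by appending parameters. Note what the dropped list loses and the log keeps: an operator looking only at IPS counters sees "5 dropped", while the evidence record still carries the source address and the raw request line that a forensic or legal follow-up would need.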

Don't Throw Out Your IDS

IDS may be a technology that has come and gone, or has it? For many users, IDS is considered a waste of money. But then again, the waste may be the result of the people who interpreted the results. In the last few years, we have suffered through a lot with IDS, including a number of false positives and performance issues. However, don't throw out your IDS just yet. IPS may stop an attack, but it does not keep the full "flavor" of the signature. IDS can be useful for forensics and legal reasons. A hacker will use some sort of vulnerability-scanning tool to see what holes you have. Not all hackers are equal; some will leave traces in your IDS logs that can lead to their apprehension.

Security Patches and Patch Management

No software will be perfect: Security patches will always be a requirement as the last line of defense. Software has become more complex, with various versions, numerous patches and resulting interactions with other applications. Software has become a living entity. When vendors release a patch that fixes a major vulnerability, they often also fix five or six unknown or hidden vulnerabilities, effectively complicating the assessment of a new patch. With more enterprises getting on the Web, the speed required to get patches out is becoming a significant issue.

Most enterprises don't realize the technology is available for automated patch management. Ninety-nine percent of the people hit with the Slammer worm didn't have a policy in place to manage the existing patch. Some enterprises want their systems shipped with security on. Tools are available so that when you plug in a new computer it is automatically updated with the patches you have defined. Patch management systems will become more automated and will include software updates for the firmware in network hubs, routers and switches, handheld devices, and wireless equipment.

What's Next?

Slammer's Conspiracy Theory

The speed of replication of new attacks raises frightening possibilities. Slammer just tried to replicate itself. Seventy thousand hosts were infected in 30 minutes.

Gartner Dataquest Perspective

Slammer may be just the warm-up, as it infected hosts but didn't do anything significant beyond that. Its damage could have been much worse: It could have formatted the hard drive. Hackers continue to increase the velocity of their attacks as though they are fine-tuning their exploits, getting the algorithms right, seemingly preparing for the next wave of attacks. Slammer was many times faster than Code Red. The threat of "cyberterrorism" has become much more of a reality.

Other Vulnerabilities and Concerns

Still more vulnerabilities and concerns exist: Many old hubs, routers and switches are out there running vulnerable old firmware. Expect to see hackers begin to attack these older systems. In the last couple of years, "denial of service" attacks have become more common and much more expensive. They will persist because of fundamental problems with Transmission Control Protocol (TCP)/Internet Protocol (IP).

IPS is a new technology in the early stages of the Gartner Hype Cycle. Expect to see IPS garner more press and more enterprise interest, as conceptually it is a sound idea meeting a real enterprise need. With the hype will follow an overestimation of IPS's capabilities and the resulting slide down the Hype Cycle. The question is, with what velocity will IPS drive through the Hype Cycle? Considering enterprise interest, this velocity may be fairly rapid. It will become a replacement for IDS, but its relationship to IDS may also be a retarding factor, as enterprises are "once burned, twice shy." IPS represents a technology that enterprises should track and, where applicable, test on noncritical applications.

IDS has ridden the waves of the Hype Cycle and now languishes in the Hype Cycle's Trough of Disillusionment, its final resting spot. Don't throw out your existing IDS, as it has value as a forensics and legal resource. But equally, don't invest further in the technology.

Security attacks are bad enough, but knowing an attack could have been prevented with an available patch makes it much worse. The former has been accepted as a cost of doing business, while the latter has become a legal liability to the enterprise. Patches are the last defense and the final solution. Automated patch management tools can represent a methodology to ensure patches are applied, but also a methodology to ensure new users are up to date before even entering the enterprise network.

It will get worse before it gets better. Slammer may be a precursor to the speed of attacks to come, and if the attacks become more vicious (an extra few lines of code), the ramifications could be catastrophic.

Moreover, it will become more complex before it becomes simpler. As networks, hardware and applications become faster, the threat is heightened, and the processing speed required to move from detection to prevention must increase with it. The cost of preventing intrusion will rise accordingly.

Key Issue

How are network security concerns impacting enterprise communications networks?

This document has been published to the following Marketplace codes: TELC-WW-DP-0570

For More Information...
In North America and Latin America: +1-203-316-1111
In Europe, the Middle East and Africa: +44-1784-268819
In Asia/Pacific: +61-7-3405-2582
In Japan: +81-3-3481-3670
Worldwide via gartner.com: www.gartner.com

Entire contents 2003 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. 116491