InternetWeek
Does Your Intrusion-Detection System Really Work?

By Richard Karpinski


Security administrators are in a tough spot. They are facing more and more attacks -- in both numbers and variety. And in many cases their current generation of intrusion-detection systems (IDSs) just isn't up to the task of keeping networks and applications safe.

The problems are manifold. Signature-based systems are difficult to keep updated and still let some canny attacks slip through. False positives keep security administrators chasing events that aren't really attacks at all. And increasingly distributed networks -- made all the more complicated by telecommuters and VPNs -- along with more distributed application architectures, make the holes harder to plug than ever before.

In short, enterprises need better defenses -- and vendors are scrambling to help them out.

"Your exposure on public networks is getting worse, and it's getting worse much faster than you're able to respond," said Eric Hemmendinger, an analyst with the Aberdeen Group. "There's more of an effort to close the window of vulnerability, the time span that begins when you're aware of a vulnerability, and ends when you've done something to remediate your exposure."

This week saw a slew of new IDS product launches, many targeted at moving beyond the limits of traditional intrusion detection systems.

Securify, for example, this week released SecurVantage 3.0, which it dubs an "automated network security management system." The system gets around the problems associated with signature-based systems by taking a snapshot of a network environment and letting in traffic that adheres to "correct" security behaviors and policies.

"When you're thinking about finding attackers, everybody has a base technology where you sniff packets coming across the line," Mark Hangen, president and CEO of Securify, told InternetWeek.com recently. "The question is, what do you do with them?"

Traditionally, vendors rely on signature-based detection, where they compare sequences of packets to sequences they know to be bad, called signatures. Securify does the opposite.

"We compare events to a database of good events and policies about what is acceptable. It's guilty until proven innocent," Hangen said. "The problem with the other approach, innocent until proven guilty, is that there are so many different ways to be guilty, it's impossible to imagine a scenario where you can uncover all the different permutations of bad."
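The contrast between the two approaches, as an added example that is not from the article or from any vendor's product: a signature matcher ("innocent until proven guilty") and a default-deny policy check ("guilty until proven innocent") run over the same events. The signatures, policy entries, addresses and events are all constructed for illustration.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

class Event(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: str

# Constructed signatures: patterns "known to be bad".
SIGNATURES = {
    "passwd-read": re.compile(r"/etc/passwd"),
    "cmd-exe": re.compile(r"cmd\.exe", re.IGNORECASE),
}

# Constructed policy: the only flows considered acceptable.
POLICY = [
    ("10.0.1.0/24", "10.0.2.10", 443),  # office LAN -> intranet web server
    ("10.0.1.0/24", "10.0.2.20", 25),   # office LAN -> mail relay
]

def signature_hit(ev: Event) -> Optional[str]:
    """Innocent until proven guilty: alert only on a known-bad pattern."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(ev.payload):
            return name
    return None

def policy_allows(ev: Event) -> bool:
    """Guilty until proven innocent: allow only flows listed in POLICY."""
    src = ipaddress.ip_address(ev.src)
    return any(src in ipaddress.ip_network(net) and (ev.dst, ev.dport) == (dst, port)
               for net, dst, port in POLICY)

def compare(events):
    """Return (signature alert name or None, policy alert raised?) per event."""
    return [(signature_hit(ev), not policy_allows(ev)) for ev in events]

# Constructed sample traffic.
EVENTS = [
    Event("10.0.1.5", "10.0.2.10", 443, "GET /index.html"),
    Event("203.0.113.9", "10.0.2.10", 443, "GET /cgi-bin/view?f=/etc/passwd"),
    Event("10.0.1.7", "10.0.2.30", 4444, "\x00\x01 unrecognized protocol"),
    Event("10.0.1.8", "10.0.2.40", 443, "GET /new-hr-portal/"),
]

if __name__ == "__main__":
    print(*zip(EVENTS, compare(EVENTS)), sep="\n")
```

The third event matches no signature and is caught only by the policy check. The fourth, a new internal service nobody has added to the policy yet, is flagged the same way, which is the upkeep cost a default-deny model carries.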

E-Security, meanwhile, launched e-Security Advisor, which is based on Symantec's SecurityFocus Vulnerability Database. The product aims to close the loop between incident detection and response by combining a real-time view of events with knowledge about how to deal with attacks, said Joseph Payne, e-Security president and CEO.

Using e-Security Advisor, enterprises can associate multiple events collected by e-Security's core product, e-Sentinel, with known vulnerabilities. Security teams then generate reports that rate the impact of the attack and describe the attack category, the vulnerabilities the attack exploits, and how the attack affects their systems. Finally, the system offers expert remediation advice.

Another new product introduced this week, Finjan Software SurfinGate 7.0 for Web and Email, blends antivirus scanning, URL filtering, and behavior analysis to identify threats to the system. Rather than waiting for someone to identify a virus and generate a signature for detecting it, the Finjan software looks for typical virus behavior and blocks it.

--Mitch Wagner contributed to this story.

Copyright © 2010 CMP Media LLC