Aug 20 2008

Detect and Protect

Faster response time, more efficient reporting and tighter integration with existing security apps have made intrusion technologies a valuable part of small-business security strategy.

Photo: Douglas Levere
M&T Bank's John Walp says intrusion products have come a long way in the past five years.

Even a fast glance at network-security statistics can cause heart palpitations. Thefts of electronic personal records more than doubled in the first three months of this year compared with the same timespan in 2007, according to data from the nonprofit Identity Theft Resource Center.

Across the board, costs associated with security breaches are up, with industry estimates pegging expenses associated with each compromised file as high as $300 and rising. So if there’s any good news in the recent findings, it’s that with the right security controls most IT security breaches are preventable.

Prevention can be an extreme challenge even for companies with deep pockets. Small businesses face many of the same risks as larger companies, but without much of the security expertise their bigger counterparts possess.

Many SMBs now compensate for this disadvantage with security technologies such as intrusion-detection and intrusion-prevention systems. Gartner in Stamford, Conn., estimates 50 percent of all SMBs have already deployed an IDS or IPS. Another 20 percent are currently testing some form of the technology, which senses, reports and, in the case of intrusion prevention, actually blocks malicious or otherwise unwelcome traffic from the network.

Yet with so many variants of the technology and numerous manufacturers competing, choosing the right system for a particular SMB environment can be a challenge in its own right. At the highest level, intrusion-detection systems can be an affordable option for small businesses. But IDS products lack the automated-response capabilities that more sophisticated (and more expensive) IPS technology promises. And with IPS technology, there is always a risk that valid business traffic will be blocked.

Intrusion Evolution

John Walp, vice president and corporate information security officer for M&T Bank, says intrusion detection and prevention systems have evolved from the technology that existed five or six years ago, which was widely denigrated for its negative impact on network performance and large number of false positives.

Intrusion products today are more sophisticated. Manufacturers have advanced detection and prevention capabilities by adding features such as deep content inspection, which looks beyond the packet header to spot problem traffic, including spam and phishing schemes. Manufacturers also have ramped up other features, improving reporting capabilities and simplifying integration with other security applications.

“The systems have gotten faster, and the reporting and integration are much improved,” confirms Walp. “Intrusion detection and intrusion prevention [technologies] have become a valuable part of our defense strategy.”

Positive though he is about the latest intrusion products, Walp cautions that the path to success is not easy. M&T Bank, a regional bank with more than 700 branches in seven states and Washington, D.C., invested a lot in software, hardware and personnel to make the technology work for the organization. Walp cautions SMBs not to underestimate the staff needed for the care and feeding of these systems. It’s also crucial, he says, to understand what “normal” is on the network so that real anomalies can be spotted.

Clark Sykes, vice president of information technology at Buffalo-based Merchants Insurance Group, says the Cisco IDS the company deployed about 18 months ago has helped network managers move from a labor-intensive, hands-on process of managing firewalls to one in which threat monitoring is automated. Now all incidents are sent directly to the network managers for analysis and action.

59% of all system breaches are related to an intrusion or hacking attack. Intrusions take aim more frequently at the application layer rather than the operating system.
Source: Verizon Business

While the technology is a very big help, Sykes says companies need to look beyond technology to make sure they have the right policies and processes to handle a security breach.

Sykes says Merchants relies on a security steering committee with members from each of the company’s three businesses to set specific policies and procedures for each kind of breach or breach attempt. This helps the insurer manage legal issues and provides the group with a plan to manage other challenges, such as statutory compliance reporting, employee privacy concerns and when to notify corporate communications.

“Companies really need to think about who needs to be involved and the processes that are set in motion in the event of a breach,” he adds. “It’s one thing for the incident report to go to the IT manager, but what happens after that?” he asks.

Mix It Up

The IDS/IPS decision doesn’t have to be an either/or proposition. M&T Bank uses a mix of both technologies. Intrusion detection recognizes the signatures or patterns of malicious or otherwise unwanted traffic, logs the data and passes it on to a security console. Intrusion prevention takes traffic inspection a step further and actually blocks nefarious traffic in real time.

Which of the following best characterizes your company's use of an intrusion detection system?

48% We have already deployed an intrusion detection system.
4% We are in the process of implementing an intrusion detection system.
15% We are currently evaluating an intrusion detection system.
27% We have no plans to deploy.
6% Don't know

Source: 547 BizTech readers

IDS/IPS technology can also use sources other than heuristic data to determine whether traffic is potentially dangerous, including network-layer data that indicates port of entry and source reputation information. M&T Bank uses IPS technology at each point where data leaves or enters the network to stop threats outside the network perimeter, relying on the IDS within its network to get a better picture of activity for forensic analysis.

“We’ve used our IDS/IPS not just to identify and block an attack, but also to determine if someone on our own network is breaking policy,” says Walp. The bank was able to use IDS technology to identify a peer-to-peer application running on the network and tie that traffic to a specific IP address. 
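The three behaviours the article describes (signature matching on packet content, header-level checks such as port and source reputation, and the IDS-versus-IPS split between logging a hit and blocking it in real time) can be shown in a few dozen lines. The following is an added example written for this article; it is not the code of Cisco, Gladiator or any other product mentioned, and every address, port, rule name and traffic record in it is constructed. It also shows the forensic use Walp describes, tying a class of hits back to the source address that produced them.

```python
"""Added example: a toy signature/reputation inspector run in IDS (alert) or
IPS (block) mode over constructed traffic records. Not the code of any
product named in the article; every address, port and rule below is made up."""
from collections import Counter
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Verdict:
    action: str              # "allow", "alert" (IDS) or "block" (IPS)
    rules: tuple[str, ...]   # every check that fired; empty when allowed


# Header-level checks: decided from addresses and ports, no payload needed.
BAD_SOURCES = {"203.0.113.7"}      # constructed source-reputation blocklist
BASELINE_PORTS = {25, 80, 443}     # constructed picture of "normal" for this network

# Content-level checks: deep inspection of the payload itself.
# The first pattern is the BitTorrent peer-wire handshake prefix (length byte
# 0x13 followed by the protocol string); the second is a constructed phishing-lure phrase.
SIGNATURES = (
    ("p2p-bittorrent-handshake", re.compile(rb"\A\x13BitTorrent protocol")),
    ("phish-credential-lure", re.compile(rb"verify your account", re.IGNORECASE)),
)


def inspect(flow: Flow, mode: str) -> Verdict:
    """Run every check; IDS only reports a hit, IPS turns the hit into a block."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    fired = []
    if flow.src_ip in BAD_SOURCES:
        fired.append("reputation-blocklisted-source")
    if flow.dst_port not in BASELINE_PORTS:
        fired.append(f"non-baseline-port-{flow.dst_port}")
    for name, pattern in SIGNATURES:
        if pattern.search(flow.payload):
            fired.append(name)
    if not fired:
        return Verdict("allow", ())
    return Verdict("block" if mode == "ips" else "alert", tuple(fired))


def run(flows, mode: str) -> list[dict]:
    """Produce the event records a security console would receive (hits only)."""
    events = []
    for flow in flows:
        verdict = inspect(flow, mode)
        if verdict.action != "allow":
            events.append({"src_ip": flow.src_ip, "dst_ip": flow.dst_ip,
                           "dst_port": flow.dst_port,
                           "action": verdict.action, "rules": verdict.rules})
    return events


def sources_for_rule(events, rule_prefix: str) -> dict:
    """Tie a class of hits (e.g. every 'p2p-' rule) back to the source addresses
    that produced them: the forensic use described for the in-network IDS."""
    hits = Counter(e["src_ip"] for e in events
                   if any(r.startswith(rule_prefix) for r in e["rules"]))
    return dict(hits)


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_FLOWS = (
    Flow("198.51.100.10", "192.0.2.5", 443, b"\x16\x03\x01..."),                         # ordinary TLS
    Flow("203.0.113.7", "192.0.2.5", 80, b"GET /index.html HTTP/1.1\r\n"),               # blocklisted source
    Flow("192.0.2.23", "198.51.100.9", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),  # internal P2P client
    Flow("198.51.100.44", "192.0.2.5", 25, b"Subject: Please verify your account\r\n"),  # phishing lure
)

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        for event in run(SAMPLE_FLOWS, mode):
            print(mode, event)
    print("p2p sources:", sources_for_rule(run(SAMPLE_FLOWS, "ids"), "p2p-"))
```

Running it in `ids` mode produces three alert events and no change to the traffic; the same flows in `ips` mode produce three blocks, which is exactly the trade-off the article raises: a wrong baseline port list or an over-broad signature in IPS mode drops legitimate business traffic, while in IDS mode the same mistake only costs an analyst's time.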

Greg Young, research vice president for network security at Gartner, says a multifunction device that includes IPS functionality along with other security capabilities, such as a firewall, can be an affordable option for many companies. Businesses might also consider a subscription to an intrusion prevention or unified threat management service, in which a third-party managed-security services provider monitors network threats.

Corey Brock, vice president of operations and IT at Haven Trust Bank, a regional bank with four branches and 78 employees based in Duluth, Ga., says the bank tried to manage its own intrusion technologies, but as the company grew, it became clear that it needed to hire a third party: Gladiator Technology.

“We just realized that monitoring the intrusion technology after hours wasn’t going to work, that it would be more effective to have a third party do it during the work day,” Brock explains.

The bottom line is that intrusion technologies have become mainstream.

“The pillars of any good information security strategy cover data confidentiality, integrity and availability,” M&T Bank’s Walp says, adding that intrusion technologies address the integrity issue.

Walp is careful to caution companies that while intrusion prevention technologies are an important component of a successful security strategy, they are not a silver bullet.

CEO Takeaway
Gartner has described three distinct types of companies. Rate your company's intrusion technology needs based on your category:
• Type A: So-called hyper-adopters of technology that have minimal tolerance for outages, such as online casinos or banks, should use an IPS.
• Type B: Brokerage houses and organizations in other heavily regulated industries should deploy multifunction security appliances that include IPS functionality.
• Type C: Manufacturers, retail concerns and other businesses for which the network is less integral to operations should at the very least deploy an IDS.