Telecom and Logistics Associates
Security NEWs Service: TLAnews
publication: Christian ALT
TLAalert Security Service
English version
It was 2 a.m. when the intrusion-detection alarm sounded at DefendNet Solutions
Inc. Security technicians at the managed-security services firm scrambled to
find the source of the suspicious traffic, which was hitting one of its client's
networks. Once they traced it to the source, DefendNet's techs phoned the IT
department of the company running the culprit machine. Turns out the
unauthorized traffic wasn't a hack attack, but the result of an innocent
mistake: a misconfigured Simple Network Management Protocol machine.
False alarms such as this unfortunately are all too common for intrusion-
detection technology. Companies can't rely on the software alone to determine
whether, for instance, Internet Control Message Protocol traffic hitting a
router is carrying legitimate messages to the device or instead is being used as
a vehicle for a denial-of-service attack. So the choice is either to have your
own security technicians on duty around the clock or go with an outsourcing
company.
"You really need human interaction to sort and analyze whether an alarm
event is significant," says Vincent Giordano, president and CEO of
DefendNet.
Summary (translated from the French)
Intrusion-detection systems trigger very easily, and it is difficult to
determine whether an alarm is the result of a handling error, of network
control traffic, or of a genuine attack.
Analyzing an alarm takes human beings.
Intrusion-detection services consist of analyzing the information from
attack-detection systems, operating firewalls, and assessing the security of
sites. The market for managed-security services is very promising.
The main differences between running your own intrusion-detection system and
outsourcing it are staffing and expertise.
Many companies rely on a combination of the security provided by their IT
departments and outside experts from external firms, which often proves to be
an effective model.
Intrusion-detection services come with around-the-clock outside experts who
collate and sift through all the information, superfluous or not, generated by
intrusion-detection sensors sitting on a network. These services manage all the
hardware and software tools, too. Companies typically pay a monthly fee for such
services.
Most security providers package intrusion detection as part of a suite of
managed-security offerings that also include firewalls, vulnerability
assessment, and, in some cases, secure virtual private networks (VPN). The
market for managed-security services is expected to reach more than $2 billion
worldwide by 2003, up from $512 million in 1998, according to research firm
International Data Corp.
Still, intrusion detection is in its infancy. It wasn't long ago that intrusion
detection meant paying so-called "white hat" hackers to simulate
break-ins to a company's network and search for clues of any real attempts.
Companies now are under pressure to place full-time monitoring tools at the hot
spots in their networks to continuously sniff out and deter intruders.
An intrusion-detection tool works much like an antivirus package. Sensors look
for known "signatures," or potential hacker tools and footprints, and
notify the main intrusion-detection server if they find any. The server then
sends out an alarm. Depending on the security tool or service, the sensor
records all these events locally in a log, which the server can pull into a
relational database to track trends and generate reports. A tool or service
can also be customized to automatically shut down a particularly sensitive
port if it receives unauthorized traffic.
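As an added illustration (not the article's or any vendor's code), here is a toy signature- and threshold-based sensor in Python run over constructed sample records; the signature patterns, addresses and the ICMP flood cut-off are all assumed placeholders. It shows why some hits, such as the SNMP misconfiguration from the opening story, are flagged for human review rather than as confirmed attacks, while the same ICMP traffic is silent at a normal rate and an alarm at flood rate.

```python
from collections import Counter

# Constructed signature table (placeholder patterns, not real tool footprints):
# payload fragment -> (alarm name, severity). "review" mirrors the article's point
# that some hits, like a misconfigured SNMP agent, need a human to sort out.
SIGNATURES = {
    "EXAMPLE-SCANNER-BANNER": ("known-tool-footprint", "high"),
    "community=public": ("snmp-default-community", "review"),
}
ICMP_FLOOD_THRESHOLD = 5  # echo requests per source in one window (assumed cut-off)


def parse_line(line):
    """Parse one constructed sensor record: '<proto> <src> <dst> <payload...>'."""
    proto, src, dst, *rest = line.split(" ", 3)
    return {"proto": proto, "src": src, "dst": dst, "payload": rest[0] if rest else ""}


def analyze(lines):
    """Return alarms as (name, source, severity); ICMP below the threshold raises none."""
    alarms = []
    icmp_per_src = Counter()
    for rec in map(parse_line, lines):
        if rec["proto"] == "icmp":
            # ICMP is judged by volume per source, not by payload signature.
            icmp_per_src[rec["src"]] += 1
            continue
        for pattern, (name, severity) in SIGNATURES.items():
            if pattern in rec["payload"]:
                alarms.append((name, rec["src"], severity))
    for src, count in icmp_per_src.items():
        if count >= ICMP_FLOOD_THRESHOLD:
            alarms.append(("icmp-flood", src, "high"))
    return alarms


# Constructed sample window: one legitimate ping, one flood, one scanner hit,
# and one SNMP agent still using the default community string.
SAMPLE_LINES = (
    ["icmp 10.0.0.7 10.0.0.1 echo-request"]
    + ["icmp 10.0.0.9 10.0.0.1 echo-request"] * 6
    + ["tcp 10.0.0.5 10.0.0.2 EXAMPLE-SCANNER-BANNER",
       "udp 10.0.0.3 10.0.0.2 snmp community=public get sysDescr"]
)

if __name__ == "__main__":
    for name, src, severity in analyze(SAMPLE_LINES):
        print(f"[{severity}] {name} from {src}")
```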
With more hackers, crackers, and script kiddies attempting to punch holes in
firewalls and plant nefarious codes in the pores of operating systems, it's no
longer enough to plop down a firewall at the edge of a network. There are four
times as many hacker attacks a day in North America as there were just one year
ago, according to ICSA, a security consulting firm.
And the attacks are getting more high-profile and widespread: The distributed
denial-of-service attacks on sites such as Amazon.com, CNN, and Yahoo in
February boosted awareness, and business, for intrusion-detection technology,
which basically acts as a burglar alarm on the network.
Security experts predict that the next round of hacker attacks will be more
deadly, potentially taking down significant chunks of the Internet by exploiting
domain name system servers and Hypertext Markup Language and JavaScript codes to
do their dirty deeds.
Some tools and services focus only on intrusions at the network level,
rather than inside the operating system. But the trend is toward a hybrid
network- and host-based solution. That way, potential problems such as known
holes in operating systems as well as the internal corporate security threats
are covered by the intrusion tools. "A combination of network- and
host-based intrusion detection is critical. If you just do one
or the other, you're missing half of the events."
The main differences between managing your own intrusion detection and hiring an
outsourcing company are manpower and expertise. When intrusion detection is
handled in-house, the alarms can be overwhelming. "When an alarm sounds, no
one knows what to do with it," an intrusion-detection company that
operates similarly to the home-security system model.
The advantage of a service provider acting as a security guard is that it can
analyze all the traffic that gets logged on the intrusion-detection
devices, something many enterprise IT departments just don't have the time or
resources to do. "The servers, routers, and firewalls log millions of lines
of audit logs a day; among all of this are the footprints of an attack," he
says. "We're the ones who look through those audit logs and figure out if
an event is real."
Costs
For startups such as iApex Inc., an application service provider in Alamo,
Calif., that handles transactions for online buyers and sellers, the answer is
outsourcing everything, including the network, Web servers, and security
technology. The ASP uses Pilot Network Services' VPN service, which comes with
intrusion detection built in. "We don't have an infrastructure; Pilot hosts
it," says Arun Shrestha, CEO and founder of iApex. "We didn't want to
do security on our own. Our strength isn't in keeping up with hacker
techniques," he adds.
The company pays Pilot about $2,000 per month for the VPN service, in addition
to a per-server charge. Building a secured network would have cost the company
more than $1 million, says Shrestha.
Still, many businesses that run intrusion-detection tools typically do a
combination of in-house and outsourced security.
"The risk is high enough, so why not have a second pair of eyes?" says
Stash Jarocki, chief information security officer at Depository Trust.
Jarocki says he may bring more of the intrusion work in-house, although he
hasn't ruled out outsourcing. Another outsourcing arrangement may depend on
whether the potential provider lets him pick his own intrusion-detection tool,
rather than being forced to go with a vendor solution. "I still want to be
able to pick my own intrusion-detection product," Jarocki says. "I
don't want to just use the one they provide."
But staffing can be a problem for businesses that want to keep intrusion
detection in-house. The IT labor shortage has been especially painful in the
security market. "There's a shortage of experts in intrusion detection, and
they don't want to work 24-by-7."
Whatever the approach, there's no such thing as bulletproof security. Even if a
company goes with an intrusion-detection service provider, there are no
guarantees its security tools and experts will catch every unauthorized ping or
Trojan horse. Intrusion-detection tools can't actually stop a denial-of-service
attack, but they can at least give a heads up if one is infiltrating a network.
And as with antivirus software, network managers have to keep intrusion tools
up-to-date with the latest threats. They can't just install the software and let
it go. That's the advantage of going with a security provider, which would be
responsible for keeping the software updated.
Even with an intrusion-detection service, there's the risk of hackers shutting
down the sensors so they can sneak into a network. That's why risk management
and regular audits by white-hat hackers are crucial.
Intrusion-detection software has a long way to go before it's truly automated
and intelligent, experts say. An intrusion-detection service must be customized
to protect a company's internal applications, such as human-resource tools, so
its security software can defend against any attacks on that app.
An ironic twist is that encryption can block a sensor. Intrusion tools can't
read traffic encrypted in a Secure Sockets Layer session. But an intrusion tool
or service that includes host-based monitoring would have a chance of detecting
an attack once the server on the receiving end decrypts the traffic.
The next generation of intrusion-detection products and services will be more
intelligent and able to make more informed decisions on whether to shut down a
port under siege. "Down the road it will be more self-learning, with the
system being able to pick up trends from signatures of attack," says
DefendNet's Giordano.
Even with all the potential automation for these tools, intrusion detection
still will require human interaction from a security group, which could include
the help desk, the telecommunications staff, and, if it's a big event, the
management and legal staffs.
Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: May 31, 2000
All information provided is of a general nature and is not
intended to address the circumstances of any particular individual or entity.
Although we endeavor to provide accurate and timely information, there can be no
guarantee that such information is accurate as of the date it is received or
that it will continue to be accurate in the future. No one should act upon such
information without appropriate professional advice after a thorough examination
of the facts of the particular situation.