Intrusion Detection Playing Bigger Role In Networks


'Ounce of prevention' adage finds new meaning in security market


The old adage that an ounce of prevention is worth a pound of cure is finding new meaning in the security market.

Solution providers said sales of intrusion-detection systems (IDSes) are on the rise as customers increasingly look to emerging technology to secure networks.

"That seems to be the one piece that's been a significant upturn for us," said Bob Joyce, president of Perfect Order, a Harrisburg, Pa.-based systems integrator.

"Intrusion detection has to be something that's now coming up on the radar for everybody," said Ed McPherson, director of the technology security practice at PricewaterhouseCoopers. "It's the next level of defense."

According to research firm IDC, the worldwide market for intrusion-detection and vulnerability assessment software will exceed $1 billion in 2003.

The IDS market is crowded with companies competing for customers against established players such as Internet Security Systems (ISS), Enterasys Networks and Cisco Systems.

Atlanta-based ISS last month expanded its product line with RealSecure Network Sensor 7.0, which combines anomaly detection with signature-based detection and can integrate rules from Snort, an open-source IDS. Pricing for RealSecure starts at $8,995.

Anomaly-based technology looks for irregular behavior in network traffic to detect attacks, giving an administrator time to take preventive action instead of having to wait for a new signature, McPherson said. "You don't have to wait for a vendor to come back to you with a fix," he said.

ISS also rolled out RealSecure Guard, which uses protocol-analysis techniques to detect and block network attacks and is priced starting at $11,000. Also, the RealSecure Site Protector, which is used for centrally managing security devices, now can be used for monitoring third-party products, including those from Check Point Software Technologies, ISS said.

For the SOHO space, ISS this month launched BlackIce PC Protection, which combines intrusion-detection and firewall functions with "application protection," a feature that integrates outbound blocking, file locking and application control, according to ISS. The suggested retail price is $40.

But ISS faces competition from an increasing number of companies, including Entercept Security Technologies, San Jose, Calif., and Okena, Waltham, Mass. Another new firm, San Jose-based IntruVert Networks, formally joined the market last month.

IntruVert's architecture, IntruShield, combines a variety of techniques to protect networks from known, unknown and denial-of-service attacks at multigigabit speeds, said Parveen Jain, IntruVert's president and CEO.

Customers are frustrated with current IDS solutions because they rely on known threat signatures, can generate false alarms and are hard to manage, Jain said. IntruShield overcomes those problems by combining signature, anomaly and denial-of-service detection techniques on a single, hardware-based platform, he said.

The company plans to send products based on IntruShield to beta customers this month. The products are slated for general availability at the end of June.

The competitiveness of the IDS market is spurring the rise of buzzwords such as prevention and real-time detection, said PWC's McPherson, adding that he expects IDS technology will shift from signature-based software to anomaly-based appliances.

In addition, companies will need a combination of host-based and network-based IDSes and will need to either work with an MSP or use a console that collects data from a variety of security devices to manage the systems, McPherson said.

"The trend I see is companies buying some type of intrusion detection as a pilot but never truly implementing it because they don't have the staff to manage it," McPherson said.

Ken Ammon, president and CEO of Netsec, Herndon, Va., said corporate adoption of IDS technology already is spurring engagements that use his company's managed security services. That's because IDS solutions need to be monitored regularly to be effective.

"[IDS] doesn't provide value unless someone is looking at it," he said.