
Recently I was talking with a fellow security professional, and I was surprised when he said, “It has been my experience that intrusion detection and prevention system (IDS/IPS) use is declining.” Now I know back in 2003, Gartner analyst Richard Stiennon stated, “IDSs have failed to provide value relative to its costs and will be obsolete by 2005.” Stiennon went on to say, “Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled.” It is three years after Gartner predicted IDSs would be obsolete. Are they?

Samuel Langhorne Clemens, better known as Mark Twain, once wrote, “Rumors of my death have been greatly exaggerated!” It seems worldwide IDS/IPS revenue grew 19% in 2006. In 2007, the IDS/IPS market was a $932 million industry. Frost & Sullivan expects the market to grow to $2.1 billion in the next five years, citing “complex attacks, ongoing vulnerability discoveries, and the need for companies to comply with new legislation” as major contributing drivers. Of course these numbers cover only the commercial side of IDS/IPS.

“Computers are like Old Testament gods; lots of rules and no mercy,” wrote Joseph Campbell, the American mythology professor, writer, and lecturer. I often think of this quote when it comes to signature-based solutions in security. As I previously posted, IDS/IPS technology is moving away from being solely signature based to a blend of signature-based, anomaly-detection, and activity-based methodologies. The Race to Zero contest is being held right now (August 8-10th) during Defcon 16. It is a hacking competition in which known viruses are tweaked in an attempt to foil the signature-based blacklists of several major antivirus engines. The point is to demonstrate how easy it is to get around signature-based solutions.

Liam Tung, over on ZDnet has written a very good article titled, “Signature-based antivirus is dead: Get over it“. In the article, Simon Clausen, founder & CEO at PC Tools, reports that the security industry has been looking beyond blacklists. “I would very much disagree that AV is dead. Really, traditional signature-based AV is going to be dead in a few years, but what every antivirus company is evolving towards, like us, is behavioural AV technology, so AV will be alive.”

Martin Roesch, CTO and founder of Sourcefire, has posted about the upcoming Snort 3 architecture, whose key component is a contextually aware engine: Snort will understand what it is defending. The architecture is built around the concept of network context, essentially data about the hosts on the network (what they are and what they run) and about the layout of the local network itself. The software framework is called SnortSP (the Snort Security Platform), and the initial beta has been released. By leveraging network context, Roesch hopes to reduce, simplify, or eliminate tuning as much as possible, to generate event priorities, and to address network- and transport-layer evasion.
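To make the two preceding points concrete, here is an added illustration, written for this post and not code from Snort, Sourcefire, or any antivirus vendor: a literal content signature is defeated by trivially re-encoded input (the Race to Zero lesson), a normalizing preprocessor recovers the match, and a host inventory supplies the network context that lets the engine demote an alert aimed at a platform the target does not run. The rules, host inventory, and request lines are all constructed for the example; the Snort-like rule shape and the http_inspect-style normalization are assumptions about how such an engine would be organized, not a description of Snort 3's actual implementation.

```python
"""Toy Snort-style detection pipeline: content signatures, a normalizing
preprocessor, and network context used for event priority.  Added example;
every rule, host entry and request line below is constructed."""
import re
from urllib.parse import unquote

# Constructed host inventory standing in for "network context": what each
# protected host runs.  Assumed data, not taken from any real network.
HOST_CONTEXT = {
    "10.0.0.5": {"os": "linux", "services": {80: "apache"}},
    "10.0.0.9": {"os": "windows", "services": {80: "iis"}},
}

# Constructed signatures in a Snort-like shape: the content to match, the
# platform the attack targets, and a base priority (1 = highest).
RULES = [
    {"sid": 1, "msg": "unix passwd file access", "content": "/etc/passwd",
     "target": "linux", "priority": 2},
    {"sid": 2, "msg": "cmd.exe remote execution", "content": "cmd.exe",
     "target": "windows", "priority": 1},
]


def normalize_uri(uri):
    """Undo common URI evasions before matching: percent-decode twice (to
    catch double encoding), fold case, and strip '/./' and '//' path noise.
    This stands in for an http_inspect-style preprocessor."""
    decoded = unquote(unquote(uri)).lower()
    decoded = re.sub(r"/\./", "/", decoded)
    decoded = re.sub(r"/{2,}", "/", decoded)
    return decoded


def match_rules(uri, normalize):
    """Return the sids of every rule whose content appears in the URI,
    either as sent on the wire (normalize=False) or after normalization."""
    haystack = normalize_uri(uri) if normalize else uri
    return [r["sid"] for r in RULES if r["content"] in haystack]


def prioritize(sid, dst_ip, dst_port):
    """Adjust a rule's base priority with host context: an attack aimed at a
    platform the target does not run, or at a port it does not serve, is
    demoted to the lowest priority (5).  Unknown hosts keep the base value."""
    rule = next(r for r in RULES if r["sid"] == sid)
    host = HOST_CONTEXT.get(dst_ip)
    if host is None:
        return rule["priority"]
    if host["os"] != rule["target"] or dst_port not in host["services"]:
        return 5
    return rule["priority"]


def inspect(request, normalize=True):
    """Run one request through matching and prioritisation; returns a list
    of (sid, priority) pairs."""
    hits = match_rules(request["uri"], normalize)
    return [(sid, prioritize(sid, request["dst_ip"], request["dst_port"]))
            for sid in hits]


# Constructed sample requests: a plain attack string, two re-encodings of
# the same string, and a Windows-targeted attack sent to a Linux host.
SAMPLE_REQUESTS = [
    {"dst_ip": "10.0.0.5", "dst_port": 80, "uri": "/cgi-bin/x?f=/etc/passwd"},
    {"dst_ip": "10.0.0.5", "dst_port": 80, "uri": "/cgi-bin/x?f=%2Fetc%2Fpasswd"},
    {"dst_ip": "10.0.0.5", "dst_port": 80, "uri": "/cgi-bin/x?f=/./etc/./PASSWD"},
    {"dst_ip": "10.0.0.5", "dst_port": 80,
     "uri": "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        raw_hits = match_rules(req["uri"], normalize=False)
        print(f"{req['uri']:55} raw={raw_hits} normalized={inspect(req)}")
```

Run as a script, the second and third requests show the evasion: the raw signature misses `%2Fetc%2Fpasswd` and `/./etc/./PASSWD`, while the normalized match fires for both. The fourth request matches the cmd.exe signature either way but is demoted to priority 5 because the destination host is inventoried as Linux; the same request aimed at 10.0.0.9 would keep priority 1. That demotion is exactly the tuning an analyst would otherwise do by hand.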

Peter Judge, in his ZDnet article “Sourcefire: Don’t Snort at open-source security,” quotes Roesch talking on the future of the security market:

Threat management has three phases. Before the threat, the firewall and patch management should prevent threats; during the attack, the IPS should block them; and, afterwards, network-behaviour analysis [NBA] should reveal damage and remedy it. These tend to be stove-piped technologies, where nobody talks to anyone. There are not enough people. You have got to get people out of the equation. You have to automate.

The US government, through the Department of Homeland Security, has issued a Request for Information (RFI) that highlights the analytical skills DHS is seeking from a staffing perspective. From this RFI one can infer the technological focus DHS has for the administration’s requested $294 million fiscal 2009 cybersecurity budget, a significant increase over the 2008 enacted budget of $210 million. Ben Bain, in his article “DHS seeks cybersecurity capability info,” quotes Alan Paller, research director at the SANS Institute, as saying that most DHS employees don’t know how to do complex intrusion detection, log analysis, or reverse engineering of malware. DHS is looking for people with experience in EINSTEIN data analysis, tools, techniques, and network flow analysis; the Trusted Internet Connections (TIC) deployment environment; and compliance metrics. Bain also reports, on the highly classified Comprehensive National Cybersecurity Initiative (CNCI), that DHS is “planning on implementing a new version of the intrusion detection and alert system — EINSTEIN 2 — designed [to] monitor agencies’ Internet access points for malicious activity and capture intrusion data along with data transmitted in proximity to an alert.” It sounds like the government believes there is still life in some form of intrusion detection technology.

While I have mentioned Snort, it is not the only IDS/IPS. Keeping to the world of open source, most of my IDS/IPS time is split between Snort and Bro. I am very interested in Roesch’s work on the contextually aware engine; it will make Snort a more powerful tool. Bro, for its part, has advanced features that let it discern network anomalies caused by hostile activity, and it can detect violations of expected traffic policy, which helps defend against previously unknown attack techniques. For additional information on Bro, three blogs are particularly helpful. Seth Hall of The Ohio State University has started “A Bro Blog.” The ICSI Networking Group has a blog with contributions from the big names in Bro: Mark Allman, Sally Floyd, Christian Kreibich, Vern Paxson, Robin Sommer, and Nicholas Weaver. C.S. Lee (geek00L), on his site “When {Puffy} Meets ^RedDevil^,” frequently posts about Bro.

I started this post asking whether Gartner was correct that IDS/IPS is a dying technology. Looking at both the IDS/IPS market and the government’s cyber security focus, we see the technology is very much alive. That is not because Gartner was wrong about the problems: IDS/IPS produce false positives and false negatives, monitoring puts a burden on the organization, incident response can be a taxing process, and monitoring ever higher bandwidth is challenging. Those problems still exist, and because of them much work is being done to help IDS/IPS handle data more flexibly, efficiently, and accurately. Where Gartner was wrong was in assuming that the technology would remain stagnant, and that if something is difficult it will not be implemented. IDS/IPS exist because organizations need the detection and prevention capabilities. Companies rely ever more heavily on information technology for competitive advantage while dealing with increasingly complex attacks, ongoing vulnerability discoveries, and the need to comply with new legislation. IDS/IPS solutions remain part of organizations’ security programs because the technology continues to evolve and to integrate new approaches. In the world of evolution, adaptability trumps better design when the better design is incomplete and inflexible in an ever-changing environment.

Trackbacks/Pingbacks

  1. [...] and followed that post with “Law Makers Concerned Over Einstein Program” and “IDS/IPS: The Mark Twain of the Security World.” I wanted to provide an update concerning the plan and report on questions being raised [...]

  2. [...] As readers of this blog know, I have been looking at the Bro IDS. I hope to shortly release a post on setting up Bro 1.4, which was released this Friday. It will be interesting to watch these two IDS/IPS systems develop. With two such development efforts, it was somewhat surprising to read the news release from the Open Information Security Foundation (OISF) that “OISF Receives Grant Funding for Open Source Next Generation IDS/IPS.” Good to see that innovation is occurring in an area of security previously given up for dead (see post, “IDS/IPS: The Mark Twain of the Security World“). [...]
