Reprinted from Software Magazine
A Sampling of Intrusion Detection Players
A Sampling of Security Consoles and Suites
You've seen the figures by now: e-commerce will generate some astronomical number of dollars per year in revenue by 2004. It's a figure most of us can't fathom. The point is, even if such estimates are inflated by 100%, we're still talking a lot of dough.
Which is exactly what makes e-commerce so enticing to the criminal element, never mind misguided adventurers and disgruntled employees. To fend them all off will take continued vigilance in the ever-growing area of e-commerce security.
"Security challenges will continue to exacerbate and increase in tenacity and complexity," says Dr. Martin Goslar, principal analyst and managing partner of E-PHD.COM, an e-security research and analysis firm in Phoenix. "The bad guys will shift from being interested in thrills to being interested in profitability." On top of that, Goslar expects the payoff from electronic crime will be far greater than from traditional crime, while the probability of perpetrators being prosecuted will be far less.
If that sounds like a dire warning for any IT professional involved with e-commerce security, it is.
But keeping abreast of e-security trends and being alert to the challenges ahead can help you keep out of harm's way.
Integration and interoperability are the current trends. In many respects, the security market is evolving in the same way that the network and systems management market did in the 1990s. Vendors are focused on getting their various security tools to work with one another, typically feeding security data to a central console. Just as Hewlett-Packard's OpenView and SunSoft's SunNet Manager offered a single platform from which to view myriad network element management systems, emerging platforms from players large and small are doing the same for e-security. Key to it all is being able to correlate alarm data coming from your myriad security devices, an area experiencing significant progress.
Similarly, security vendors are trying to bring enterprise-level capabilities to their wares. That means, for example, being able to electronically deliver policy data to firewalls distributed throughout your enterprise, or update signatures on dozens of intrusion detection systems (IDS) at once.
The IDS, one of the more basic building blocks of any security architecture, is itself evolving to keep up with switched networks, ever-increasing network speeds, and the fact that lots of data is now encrypted, making it harder to tell the legitimate packets from the surreptitious.
Finally, the security services market is seeing a huge upswing, bearing witness to the fact that many companies can'tor choose not tofend for themselves when it comes to e-security.
A technology that straddles the line between a current trend and a future challenge is public key infrastructure (PKI), an umbrella term for the various pieces involved in creating a trust network built around digital certificates. Probably not enough companies have implemented PKI to call it a trend, but many have tried. What they're finding is that integration with existing applications is a chore, and interoperability is far from given. Longer term, if the technology is to catch on as many predict it will, some sticky management problems will have to be solved, and companies will have to find a way to convince users that the added security is worth the hassle.
Also looming large in the challenge department is the realm of wireless and mobile computing. The number and variety of end devices create standards issues, while their relatively small footprint and limited processing power make it harder to implement traditional security algorithms.
The Coming of the Console
Of the recent security trends, the one promising the most immediate impact is the security console.
Start-up e-Security, Inc., Naples, Fla., last year claimed to be the first company to deliver a console that integrates alarms and alerts from other vendors' security products. Its Open e-Security Platform (OeSP) uses a series of rules-based agents that monitor components including firewalls, IDS and applications such as databases and e-mail services for security alerts. Alerts are shipped via SNMP to the OeSP console, where they are correlated and displayed in real time.
"I fully expect some traditional net management vendors to get in there along with start-ups like e-Security," says Patrick McBride, executive vice president of METASeS, a security consultancy in Atlanta. He says the same scenario played out in the network management arena, with vendors such as Austin, Texas-based Tivoli Systems Inc. (now part of IBM) and HP being joined by network-specific companies such as Cabletron Systems, Inc., Rochester, N.H., in delivering central management consoles.
Tivoli delivered its own console in June, following the consolidation of various IBM security efforts under Tivoli earlier this year.
"We're finding the integration people want is not a single suite of products that all work together," says Bob Kalka, product line manager for Tivoli's SecureWay family. "Whether security vendors like it or not, customers still buy best of breed, individual products. You can put together the greatest suite in the universe, but between organizational inertia, politics, and simple work ethics, the all-in-one suite has just not been popular, and we expect that to continue."
Tivoli's answer is the SecureWay Risk Manager, a console that uses the same framework and correlation engine as Tivoli's network and systems management tools. To the operator, the security console has the same look and feel as that for network and systems management.
The Risk Manager works with alert- or event-driven security products, such as IDS tools, virus scanners and any vulnerability assessment tool. "The problem with alert- or event-based tools is they generate too many events. The state of the art isn't precise enough to figure out when something is a hack vs. someone working late and sending a ton of data over the network," Kalka says. This creates a problem with false-positive alerts. "People wind up dumbing down the policies that they're checking againstrelaxing the rules in their intrusion detection system, for example."
Correlation can correct that problem. If various vulnerability tools all send alerts to the same central console, the alerts can be correlated against one another to find the root of the problemif a problem exists.
That's the way the theory goes, at least. As McBride notes, network and systems management vendors went through the same correlation woes and it took a good, long time to sort out.
While it stands to reason that, as Kalka says, security vendors will be able to exploit the work that went into previous management tools rather than reinvent the correlation wheel, other issues remain.
"What these enterprise security consoles don't do a good job of is letting you drive the car," McBride says. "They've got the dashboard, but they don't have a gas pedal or a stick shift yet. They don't control the products on the other end."
A Matter of Policy
In addition to event-driven security products, Kalka says you also have to grapple with user-based products, such as firewalls, access control engines, and PKI systems. These all entail defining users, groups, and roles, and enforcing policies regarding those definitions. The vast majority of user-based security data, however, resides in individual applications, each of which may have a flat-file directory containing security policy information.
"Forrester found last fall that the average large company has 181 directories deployed because of these application-specific directories," Kalka says, referring to Forrester Research, a market research firm in Cambridge, Mass. "If someone gets promoted, where do you have to make changes? In all these little flat files. That's where the security problem is and that's where a lot of money is being blown."
To address the issue, Tivoli sells the SecureWay PolicyDirector, which combines an authorization tool IBM acquired when it bought DASCOM, Inc. (Santa Cruz, Calif.) with internally developed administration capabilities. The product amounts to a central directory from which you can manage security policy and have any updates sent out to the servers, applications and other devices that need to enforce that policy.
That is an example of a trend toward what McBride calls "enterprise capabilities" in security products. Whereas security tools used to focus on small workgroups, vendors now build in capabilities that suit these products for large enterprises.
Firewall vendors were among the first to offer enterprise capabilities, such as the ability to monitor multiple remote firewalls and to distribute policy data from a central site. Other, less mature technologies will follow suit.
"I've seen this play three times, basically, with network management tools, client/server systems management, and now, security management," McBride says. "If it's a four-act play, we're in Act Two."
Intrusion detection is still a relatively young technology and, thus, is continuing to evolve. Whereas once IDS devices essentially watched packets as they crossed the network, looking for patterns of suspicious activity, they are becoming far more sophisticated.
Chris Rouland is director of Internet Security Systems' (ISS) X-Force, an internal research and development unit of the Atlanta-based security firm. He says the elements that differentiate IDS products are becoming management, performance, and content, with content as the driver.
In IDS terms, content amounts to the number of signatures a system supports, with each signature identifying a pattern that denotes a specific type of attack. Signatures are written in response to vulnerabilities discovered in computer operating systems, applications, and any other potential intruder entry point. The number of distinct vulnerabilities discovered has been rising rapidly over the last few years.
For example, according to Rouland, in June 1998 ISS found seven new vulnerabilities, while in June 1999 it found 15. But this past June the company found 77 new vulnerabilities.
"We see the number of new computer vulnerabilities approaching or exceeding the number of computer viruses pretty quickly, to the tune of about 100 a month by the end of this year," he says. "That's 100 new attack patterns we have to look for every month."
Why the dramatic increase in potential vulnerabilities? Much of it has to do with the way software is developed, no matter if it is open or closed source.
While peer review is encouraged with open source software, it's nobody's specific job to do quality assurance and find potential security vulnerabilities. "In security software development, you find a one-to-one relationship of security developer to QA," Rouland says. "That relationship doesn't exist in open source."
On the other hand, independent software developers are under pressure to get products out the door quickly. "With IPOs and Wall Street driving a lot of the goals of these software companies, specifically Internet-enabled client/server software, security is frequently looked at as a tax upon their company budget," he says. "When they don't pay the tax, they don't put enough resources into securing a new product before they release it."
To combat the problem, IDS vendors have to not only find the vulnerabilities and write signatures to protect against them, they also have to quickly get the signatures out to customers. ISS, for example, now has an express update capability whereby customers can click to download the latest signature files and update their IDS, a process analogous to antivirus updates.
ISS is also getting into the console business. Its Safesuite Decisions system takes data from IDS engines and correlates it with data from firewalls and vulnerability assessments to help detect high-risk attacks. Such correlation is critical to detect low-impact attacks, which Rouland says have become more common in the last few years.
In a low-impact attack, the intruder probes multiple entry points simultaneously. Individually, the attacks would not likely appear overly suspicious, but taken together, the attacks can be recognized as the major security threat they are.
"I previously worked at a big brokerage firm, with 10 Internet connections," Rouland says. "If I saw someone probe all of them globally, that's a much bigger concern, a systematic attack."
Safesuite Decisions is also based on a secure framework that encrypts all data flowing between the console and attached security devices. Using SNMP to support security-related message flows is in itself dangerous, Rouland contends, because the protocol is too easily spoofed. "SNMP we refer to as, Security Not My Problem," he says.
Research currently under way may lead to a new form of real-time anomaly detection. The idea is to profile a system to identify its common pattern of behavior, then detect events outside the norm. For example, an IDS could look at log-in profiles for individual users over the course of a year, then flag a user that starts to log in at odd times.
Much work has to be done to avoid the great potential for false positives. "The science and algorithms for this have to be built and tuned," Rouland says, noting it will likely be years before the technology is put to commercial use.
Other IDS vendors claim they are already essentially operating in real-time. ClickNet Software Corp., San Jose, Calif., for example, focuses on protecting computer operating systems and applications. Its IDS resides on a server and intercepts calls made to the operating system, says Robin Matlock, the firm's senior vice president of marketing. Before the server executes the call, ClickNet's software refers to its collection of signatures to determine whether the call is malicious. If a call is identified as an attack, the IDS refers to a policy database to determine how to handle it: terminate the call, terminate the process that launched the call, or let the call pass through, but log it and send an alert.
"The key thing is, we're protecting the operating system from being compromised, and we're doing it before any damage is done to the server," Matlock says.
For Web servers, ClickNet has an additional shielding technology that defines a set of operations as normal. The server can't execute anything outside this set of normal operations.
"Because Web servers are dedicated to a certain function, they behave in patterns - accessing certain files, changing certain registry settings, and so on," Matlock says. "We define all that first."
Romain Agoftini, ClickNet's director of security research, says his company's focus on protecting servers and operating systems enables it to avoid some limitations of traditional network-based IDS products that monitor packets on a particular network segment. The problem with those systems is threefold, he says.
For one, switched networks make it more difficult to track packets because network segments are not so easily definable. Ever-increasing network speeds present another problem. "With any network-based IDS, you'll see problems creeping up at 40M, 50M, and 60M bit/sec," Agoftini says. "They'll start dropping packets. Finally, more and more traffic is encrypted, which he says makes it impossible for a network-based IDS to read packets.
Security Services on the Rise
If you think handling all these security is too much to deal with, any number of security service firms are willing to do the job for you.
David Tapper, senior analyst at research firm International Data Corp., Framingham, Mass., says in 1999 the worldwide market for security service stood at $703 million. He expects that figure to grow at about 34% per year to reach more than $2.2 billion by 2003.
Managed firewall, router, and intrusion detection services are already big, and Tapper says he is seeing more bundled services, such as PKI bundled with antivirus services.
Vulnerability detection services also seem to be in vogue. Ernst & Young, for example, in June announced a spin-off, eSecurityOnline.com, based in Kansas City, Mo. The company's Online Vulnerability Service finds vulnerabilities in customer networks, ranks them according to level of urgency, and sends patches to fix them.
Dorothy Denning, Georgetown University professor of computer science and director of Georgetown University's Institute for Information Assurance, says she sees a trend toward such remote security services.
Another example of this trend is Qualys Inc., Sunnyvale, Calif. Since July 1999 it has been offering its QualysGuard network auditing service. Users log on to the service from a standard Web browser and can scan their networks to get instant risk assessments and diagnoses of vulnerabilities, along with suggested corrections.
Companies such as ISS also offer around-the clock monitoring of corporate networks for security events. "Small to midsize businesses that don't have the technical talent to maintain things like intrusion detection systems will be best served by managed security services," Rouland says.
ISS expects big things from its services business. A corporate goal is to have its managed and professional security services total more than 50% of company revenue within the next three years.
A New Target: Databases
One final trend that some experts point to is the emergence of databases as both a target for intruders and a potential liability.
"Hackers are targeting databases now because that's really where the data they want is," ISS' Rouland says. "Databases are kind of a new area for hackers, and they are finding bugs in those systems." ISS' Database Scanner product assesses databases, pointing to vulnerabilities and providing tips on how to fix them.
Another issue is that the sheer size of these data stores makes it harder to find the telltale signs an intruder may leave behind. For example, hackers often install packet sniffers on a network in an effort to steal passwords. They may install the sniffer and leave it running for a period of hours or days, with the sniffer continually logging volumes of data.
Such an activity would be relatively easy to detect if you've got a small disk infrastructure, because the logging would take up a fair amount of disk space. "Nowadays, there's so much disk out there, it's pretty easy for hackers to leave their tools and data laying around without it being detected," Rouland says. "On a 10G-byte file system, it'll be found, but on a 500G RAID array, nobody's going to notice it."
Georgetown's Denning notes that larger storage space also makes it tougher to check for corrupt files and viruses, and to perform computer forensics, in order to assess damage after an attack. "When they do forensics now, they make a perfect copy of a database and do forensics off of that," she says. "Given the size of these data stores, that's not going to be practical."
A related problem is data in files users believe they have deleted. On Windows-based PCs and servers, files are not actually deleted until they are overwritten by other data. When users click on "delete" or even empty the Recycle Bin, they are merely removing a pointer to the file, so that it no longer appears in the file system.
That creates a possible security vulnerability, especially when companies get rid of old PCsperhaps, by donating them while they are still, in reality, full of corporate data.
However good the e-security utilities and policies are, security teams are going to need tools to disseminate security information, perhaps some sort of portal, McBride says. "It's one thing to have security policy, but if it's sitting up on someone's shelf, it's not doing any good." The key is to have policies in a form that allows people to read just what they need to read, rather than reams of instructions nobody will look at.
The good news is that, whereas security used to be on the back burner, an issue many companies didn't adequately fund, it has become front and center in the e-commerce world. "It's not an additional expense; it's a survival expense," E-PHD.COM's Goslar says.
Desmond is editor of the ecomSecurity.com Web site and vice president of King Content, a strategic publishing company in Framingham, Mass. E-mail him at firstname.lastname@example.org.