Security professionals are increasingly acknowledging an uncomfortable truth: No network is secure from a sufficiently skilled and determined attacker. So while every effort should be made to prevent intruders getting on to the corporate network, it’s important that you can quickly spot an intrusion and minimize the damage that can result.
Anton Chuvakin, a security expert at Gartner, points out that if hackers are made to work hard to find what they are after, intrusion detection systems (IDS) have a far greater chance of spotting them before they can do too much damage.
“What companies need to be doing is switching away from trying to prevent hackers from getting in to their networks,” Dr Chuvakin said. “Thinking about how they can slow hackers down so they can catch them is much more sensible. If hackers steal your encrypted data but then have to spend three days searching for your encryption keys, then you have a much better chance of detecting them.”
Breach prevention involves measures such as firewalls, intrusion prevention and detection systems (IPDS) and anti-virus software. Intrusion prevention and detection systems may include anomaly detection, log monitoring and even non-traditional approaches, such monitoring dummy documents which legitimate network users would never need to access. They can attempt to block the intrusion by taking automatic action such as blocking IP addresses or closing network ports.
In addition to such tools, you should also consider Wi-Fi monitoring systems to prevent attackers taking advantage of wireless connectivity (perhaps from unauthorized “rogue” access points) to jump on to your network and security distributions which contain a variety of tools to help you monitor activity and detect intrusion attempts.
A Proprietary Advantage
Supplying security products is big business, and the intrusion prevention and detection market is dominated by well-known names including Symantec, McAfee, Juniper, Fortinet and Check Point.
Proprietary vendors enjoy an advantage for two key reasons:
- They are more likely to have the resources and expertise to develop and sell sophisticated hardware to go with their software.
- Many enterprises choose to take an integrated approach to security which involves running different systems (such as authentication systems, VPNs, firewalls and so on) from a single vendor, accessed via a central management console.
This makes it harder for open source security products to compete in intrusion detection. Only a subset of open source security software projects have sponsors that can make and sell hardware, or are broad enough to offer a range of integrated security applications.
Open Source Software Inside
However, open source security software has been shown to be highly effective.
Skilled software developers who contribute to open source projects often contribute to ones that aim to solve a problem that affects them. Since security is an issue that affects everyone, it follows that many open source developers contribute to open source security projects.
Whatever the cause, there is lots of high quality open source security software available. Available as standalone point solutions, open source security products are also often incorporated into commercial breach prevention and detection offerings from security vendors including appliance vendors.
Open Source IDS
A good example is the Snort open source IDS software, which was originally developed in 1998. Author Martin Roesch founded a company called Sourcefire which sold a commercial version of Snort and a network security appliance based on Snort. Networking giant Cisco purchased Sourcefire in 2013, and as a result some Cisco products such as the Cisco 4000 Series Integrated Services Router use Snort technology.
Despite its use in commercial products, Snort is still available today as an open source IDS engine. Rules, which enable the IDS to recognize intrusion attempts, are available both free and via subscription for commercial use.
Read about 10 useful open source breach prevention and detection tools.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.