The evolution of IDS
- 09 November, 2004 14:12
Drowning in signature libraries and reactive event information that is of little value in locating attacks in progress, network security managers are fed up with signature-based intrusion-detection systems that have been the backbone of network security. Amid an ever-shrinking time gap between vulnerabilities and exploits, signature-matching IDS already has become obsolete, analysts and users say.
"We've hit the wall with IDS," says Bill Boni, chief information security officer of Motorola. "We get a million IDS alerts a week. It's choking our consoles, and we can't tell the difference between an event and a non-event."
Sales of the burdensome, expensive technology are flattening, according to Infonetics Research. The research firm predicts that this year will close with sales of US$281.1 million, and sales are forecast to edge up to US$341.5 million in 2007.
But don't count on IDS to die in 2005 as Gartner predicted in a controversial report last year. Instead, IDS will become part of a greater framework of security information management (SIM), in which IDS data can be augmented by more reliable monitoring and reporting technologies. In the near term, this relegates IDS to a forensics and analysis role for after-the-fact inspection, users and analysts say. In five years or so, a coalescence of compliance management and endpoint, kernel-level security could cause the demise of signature-based IDS altogether.
"What we're going to see is a hybrid. Monitoring at the edge and core, sensor devices and remediation consoles all over the network that work together," says Joel Snyder, principal at Opus One. "Just like your network isn't one box that you plug everything into, it's the same with your IDS landscape."
Already, frustrated IT leaders like Boni are working around IDS' maddening shortcomings by correlating IDS alerts with other security and vulnerability information - something Boni's team did by writing its own middleware. SIM vendors also have become more modular in their approach to security information analysis by layering proprietary vulnerability management, anomaly detection, network assessment and even honeypot modules with IDS modules to better pinpoint and respond to security events.
"Where we've failed is in that detection has been binary before - yes, this is an attack; no, it's not an attack," says Andrew Yee, CEO and president of intrusion management vendor NFR Security. "There needs to be qualitative assessments of each detection. So the first change you'll see in intrusion management is the inclusion of vulnerability management and other discovery tools falling under a category of what I call enterprise security intelligence."
Leading the charge in better security information are the intrusion-prevention system (IPS) vendors, which use a variety of proprietary network and traffic analysis engines to reduce reliance on signatures and avoid the same false-positive mistakes their IDS forefathers made. IPS sits in-line at the network perimeter, scanning incoming traffic for signs of malicious code. Unlike IDS, it can drop suspect traffic automatically or alert network security staff, who will handle it manually.
IPS vendors project that their tools ultimately will replace IDS altogether. Infonetics projects a jump from US$132.3 million to US$425.5 million in sales for inline IDS between 2004 and 2007. Gartner, too, sees IPS sales surpassing IDS sales by the end of next year, says Craig Young, a Gartner analyst. "Most vendors have already made the switchover from pure IDS to IPS with some sort of mitigation," he says.
"The average intrusion-detection system has about 6,000 signatures. But our clients are only running intrusion prevention's blocking mode on about 25 to 50 signatures. The rest are still run in detection mode," says Paul Proctor, vice president of the security and risk strategies practice at Meta Group.
For example, Boni's team at Motorola is looking into using IPS as a means to dramatically reduce IDS alerts by blocking the most commonly known viruses, worms and attacks at the network edge. "If we can calibrate the IPS sensors and they block 900 of 1,000 attacks, then that leaves only 100 events hitting our IDS," he says.
But all of this extra monitoring capability will be costly. According to Snyder, replacing a traditional $10 LAN switch with IPS-capable LAN equipment costs hundreds to thousands of dollars per port sensor. That doesn't include the cost of human management and maintenance costs of the IPSs on those ports.
Product choices will be complicated, too, because additional monitoring technologies are sold separately as adjunct modules to signature-based IDS/IPS. Those monitoring technologies come in so many flavors: anomaly detection, heuristics, traffic pattern analysis, application analysis, payload analysis, passive vs. active listening, and so on (see graphic, right).
IPS vendor Reflex Security eliminates false positives through seven different detection modules including anti-virus, signatures, three anomalous behavior modules (looking for formation of packets, time and completion of the two-way handshake), and a permission module similar to a firewall. NFR sells an operating system fingerprinting module, a technique that uses a proprietary sniffer to listen to device chatter and determine what applications are running on the network. Still others, including TippingPoint Technologies, SolidCore Systems and Mirage Networks, market their flavors of heuristics to determine if an attack is relevant. Mirage is taking it a step further and dropping malicious traffic into a honeypot device for analysis and forensics.
"The market is very enamored with anything that provides value because people are tired of the care and feeding of traditional, signature-based intrusion-detection technologies," Proctor says. "But it's an arms race out there. And that's creating a lot of confusion."
To simplify matters, Proctor recommends focusing on what source of data you want to look at and how it fits your architectures.
Rand McNally wanted to monitor just the inbound traffic to its most lucrative e-commerce sites, including custom maps and K-12 educational materials. So the publisher put Lancope Inc.'s StealthWatch on Internet-facing routers to monitor inbound traffic for atypical behavior.
StealthWatch creates a baseline of common traffic patterns, then correlates anomalous traffic reports with pattern recognition and attack signature libraries to give Rand McNally a top 10 threat rating for use in prioritizing response.
"You see you're being scanned every second of every day," says Bob Wood, senior network security analyst at Rand McNally. "We can see what type of packets, the amount of packets and what ports they're going against. If it looks like someone's doing a specific attack on an FTP port, we know it's bad."
Despite more reliable information, Wood has not turned on StealthWatch's in-line IPS capability for fear it would block legitimate customer traffic from, say, a large trucking client logging on to the IntelliRoute site in need of a route map for a driver in a hurry.
"In a dream intrusion-prevention environment, you'd have something monitoring all of your traffic and stopping the bad guys wherever they're at. But that isn't the reality and never will be," Wood says. "IPS will get better, but you still have that chance of blocking the wrong thing."
The signature quagmire
False positives stem from IPS' reliance on signatures, says Daniel Hay, network security engineer at Drexel University in Philadelphia.
"Considering how fast malware is updated and changed just enough to bypass IDS/IPS signatures, you try to create signatures that are less stringent," he says. "Unfortunately this creates false positives and, in an IPS, would cause legitimate traffic to be blocked. That's not acceptable in a production environment like ours."
Drexel uses a SIM/event management console by Tenable Network Security called Lightning Console that correlates Drexel's network flow data and other network traffic information with Tenable's scanners, Nessus and NeVo. Nessus scans devices for open ports and other unpatched vulnerabilities, while NeVo passively sits like a sniffer on the network and runs continuously.
"NeVo will pick up if a port is open and traffic has gone through it at 10 a.m. Say I did a Nessus scan at 9 a.m. and saw that port was not open at the time. It might be something I want to look into," Hay says.
In addition to other forms of security monitoring, Drexel still uses signature analysis, which is built into the NeVo scanner. But some companies, such as QuadraMed, are all too happy to rid themselves of their signature-based systems altogether.
"Every time we got a report off an IDS, it was pulse-raising. There'd be two $100,000-a-year Cisco Certified Network Engineers plowing through event logs trying to figure out what's going on," says Chris Van Waters, senior director of IT for QuadraMed, a healthcare technology company with 1,000 employees. "Meanwhile, we've still got the network degraded, traffic's going through the roof, and we don't know where it's coming from."
In February, QuadraMed replaced its two Cisco Systems IDSs with Securify's SecureVantage security policy monitoring suite, which uses heuristics technology called Network Behavior Engine to monitor for conformance to enterprise security policies.
The problem with IDS and IPS systems, says Van Waters, is that they assume everything is good until proven bad. Policy monitoring defines what is acceptable and anything outside of that is assumed bad.
"As soon as we plugged Securify in, we had visibility to everything and were finally able to define what traffic was normal and what wasn't and tweak our policies accordingly," he says. "This will give us the ability to see and respond to zero-day exploits because we can see what's happening and where."
Policy monitoring technologies like this could lead to the demise of IDS/IPS in five or so years, especially when partnered with endpoint policy enforcement, says Mike Wanklyn, a communications security expert for the U.S. Army. What's still needed is kernel-level enforcement to make sure policies can't be tampered with, which he believes is five or more years away.
"If the kernel on every device is locked down, viruses aren't allowed to execute and can't proliferate. An attack on a device would be stopped because that's not an action that would be recognized as legitimate," Wanklyn says.
Fundamentally, we'll have to get away from signatures and move monitoring lower down the ISO stack to the application layer if we're going to effectively control malicious code events without an unreasonable time gap between discovery and repair, adds Winn Schwartau, president of the Internet Awareness Co.
"Intrusion-detection companies got locked in to the virus mode because it's easiest, and it allows them to make constant updates and have an annuity fee," Schwartau says. "We need to look back to a patent from 1999 from the University of Idaho that shows how to do low-level malicious code detection before it affects the network or the application. The technology exists and (Defense Advanced Research Projects Agency) is using it."
In the near future, IDS will take a back-seat role mainly as a forensics and event analysis tool, Snyder says.
"If I were going to rebut the Gartner report, I'd say I don't see IDS as dead. I see IDS technology being built into other products and ultimately being used for forensics purposes," Snyder says. "What's dead is the sales pitch that IDS will protect the network. It never did that in the first place."