Intrusion Detection Tools Get More Selective

Hoping to provide a respite to security administrators exhausted from intrusion detection systems (IDSes) that "cry wolf," security vendors are restructuring the way in which their products identify attacks. In another emerging trend, scaling IDS solutions so they can be offered as a managed service is also gaining momentum.

Security and network administrators continue to grapple with earlier IDS products that are too broad in their searches, thereby sounding off numerous alerts to potential attacks that often translate into false positives, according to Eric Hemmindinger, research director for Information Security at Boston-based Aberdeen Group Inc.

"The [IDS] product ceases to have value to [customers] because they're overloaded with information. It's a nightmare," Hemmindinger said. "We see companies trying in a number of different ways to reduce the number of false positives by learning to filter better and get rid of the noise."

A new player in the crowded IDS space, Lancope Inc. launched its company and Stealthwatch plug-in appliance on Tuesday. Stealthwatch analyzes traffic between multiple IP devices to uncover known or never-before-seen attacks, said Jay Chaudry, CEO and founder of Atlanta-based Lancope. Typically, IDS products rely on signature-based packet patterns to recognize a potential assault.

"We're focusing on undocumented attacks," Chaudry said. "Since we're not analyzing tons of packets and comparing them to signatures, we can handle very fast networks."

At the heart of its IDS technology, Lancope employs counters to construct a statistical-based "concern index" for every IP device in the network. This allows companies to set different levels of detection based on their needs. When combined with designated IP device service profiles, traffic can be analyzed to determine if it is legitimate or crafted by an intruder.
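To make the idea of a counter-based concern index concrete, here is an added sketch that is not Lancope's code or algorithm: it keeps a few counters per source IP, checks each flow against a per-host service profile, and applies a configurable alert threshold. The counter names, weights, profiles and flow records are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed service profiles: ports each host is expected to offer.
PROFILES = {"10.0.0.10": {80, 443}, "10.0.0.20": {25}}

# Hypothetical weight per counter; the article gives no real values.
WEIGHTS = {"off_profile": 5, "new_peer": 1, "rejected": 2}

# Constructed flow records: (source, destination, dest port, accepted?).
SAMPLE_FLOWS = [
    ("10.0.0.50", "10.0.0.10", 443, True),
    ("10.0.0.50", "10.0.0.10", 443, True),
    ("10.0.0.50", "10.0.0.20", 25, True),
    ("10.0.0.66", "10.0.0.10", 22, False),
    ("10.0.0.66", "10.0.0.20", 22, False),
    ("10.0.0.66", "10.0.0.10", 23, False),
    ("10.0.0.66", "10.0.0.30", 445, False),
]

def concern_indexes(flows, profiles=PROFILES, weights=WEIGHTS):
    """Return {source_ip: concern index} accumulated over the flows."""
    counters = defaultdict(lambda: defaultdict(int))
    peers = defaultdict(set)
    for src, dst, dport, accepted in flows:
        c = counters[src]
        # Off-profile: the destination is not expected to offer this port.
        # Hosts without a profile are assumed to offer no services.
        if dport not in profiles.get(dst, set()):
            c["off_profile"] += 1
        # Fan-out: first time this source contacts this destination.
        if dst not in peers[src]:
            peers[src].add(dst)
            c["new_peer"] += 1
        # Connection attempts that were refused or reset.
        if not accepted:
            c["rejected"] += 1
    return {ip: sum(weights[k] * n for k, n in c.items())
            for ip, c in counters.items()}

def alerts(indexes, threshold):
    """Hosts whose index meets the operator-chosen detection level."""
    return sorted(ip for ip, v in indexes.items() if v >= threshold)

if __name__ == "__main__":
    idx = concern_indexes(SAMPLE_FLOWS)
    for level in (2, 10):  # a sensitive setting and a quieter one
        print(level, alerts(idx, level))
```

Raising the threshold trades sensitivity for fewer alerts, which is the false-positive tuning the article describes.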

Turning its attention to the xSP market, last week Intrusion.com Inc. introduced SecureNet Provider -- the latest member of its SecureNet IDS product suite -- built to scale intrusion detection across large enterprises and MSP (managed service provider) platforms.

Running on Microsoft Windows 2000 Server, Intrusion.com's SecureNet Provider features IDS sensors deployed in the service provider environment, a central managing console, and a client desktop application. The MSP-focused solution allows end users to create additional IDS tracking signatures for better accuracy, incorporates string matching, and conducts packet reassembly to establish attack patterns, said Ryon Packer, vice president of product management at Richardson, Texas-based Intrusion.com.

According to Hemmindinger, only managed security service providers are capable of providing the same level of wide-range IDS deployment and centralized security device monitoring as Intrusion.com's impending product.

SecureNet Provider software for the manager and client, available next week, starts at US$29,995 and is priced on an annual subscription basis.

Stealthwatch from Lancope is available starting at $20,000 per appliance.
