In the past year, Gene Hodges, president of Network
Associates, has seen the emphasis for IT security firms change with
the emergence of a set of technologies which have, as he puts it,
"a fairly heavy positive impact on enterprise
security".
The computer security company, whose most famous product is the
McAfee virus protection system, has focused on intrusion prevention
technologies.
"We think that these technologies, which allow us to stop
attacks in real time, are going to be necessary because the speed
of the propagation of the mass attacks has become very, very
rapid," said Hodges.
"Slammer is a good example. It propagated around the internet in
about three minutes on a global scale. This is beyond any realistic
human organisation's ability to react," he said.
"By the time you've woken up and put on your shoes to go into
the office, the network is already down."
Network Associates made two acquisitions in April and May of
this year to support this move. One was the company Entercept,
which is focused on intrusion-prevention technology on host
computer systems, and the other was a company called IntruVert,
which produces intrusion prevention on network systems.
"We are integrating these technologies with our existing product
lines and extending them," said Hodges. "Hopefully, over time, we
can provide a very reliable platform that is automated and can stop
attacks even if they are unknown.
"And we need to do this cheaper, because customers are getting
to a point where the size of the security budget is becoming an
issue."
Hodges explained that security spending has been increasing from
1% of the IT budget for most organisations to between 3% and 5%
over the past couple of years.
"Clearly that can't keep up indefinitely," he said. "So it moves
out of the ‘other’ category and starts to get scrutinised."
Security products are gaining in validity in the eyes of some
business managers, Hodges believed.
"Those in electronic customer-facing industries, such as
financial services, have very definitely had to form opinions about
what works and what doesn't work. It's too important to their
business to just delegate it to IT people," he said.
"At the other end of the spectrum, some industries like consumer
goods are not quite at that state yet.
"It is still the province of specialists - as opposed to being
something that the line-of-business manager would have an opinion
about - answering how much security is enough and what is the best
way to get optimal security," Hodges said.
And then there is the problem of false positives, especially when
these tools block traffic they should not. "The consequences
could be pretty bad," said Hodges. "It's a key focus of the
technology."
He admitted that, just as in anti-virus, the false positives and
false negatives have to be low enough, almost to zero.
"The way people deploy it, they crank back on the sensitivity of
the detection to the point where there are effectively zero false
positives," he said. "Then you see what you can still detect, if
you have any detection capability left.
"You don't just put out strong detection capability and see how
many false positives you can tolerate."
As Hodges explained, most customers become more aggressive in a
few key areas of their network that are very sensitive. "If you see
somebody suspiciously going after core data, you might shoot first
and ask questions later. If you generate a couple of false positive
helpdesk calls, you are willing to live with it."
But for the whole of the network, users cannot afford that kind
of difficulty, Hodges said. "So you crank the sensitivity down and
we still catch 60%-80% of the attacks and block them
automatically.
"It’s not a 100% solution yet, but if you can eliminate
two-thirds of the attacks, it is more fulfilling for a security
manager to say, ‘We were attacked probably 30,000 times last month’
than to have to say, ‘We stopped 20,000 attacks, and there were
10,000 that probably got through, and we're doing deep forensic
analysis on 100 of those that got through that look pretty
serious’."
With customers unlikely to continue to spend increasing amounts
on security over time, the name of the game for Network Associates
is to allow users to stop enough of the attacks so that they can
shift investment to the more sophisticated attacks.
Hodges said, "The attacks by inside users are going to require
very careful forensics to be able to prosecute. So, our objective
is to crank the percentage of attacks we can stop up to 90% or 95%
or 99%.
"It is going to take a couple of years to get it into that
level," he said. "Multiple layers of defence in the 70s gives you
pretty much the same effect."
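The layered-defence arithmetic behind those figures, as an added illustration that is not from the article or from Network Associates: it assumes the layers miss attacks independently of one another (a labelled assumption; layers that miss the same attacks compound far less), and it shows that false positives compound in exactly the same way, which is why the zero-false-positive tuning described above matters more as layers are stacked.

```python
# Added example (not from the article): how independent detection layers compound.
# Assumption: each layer's detection and false-positive rates are independent of
# the others. Correlated layers (same signatures, same blind spots) compound less.

def combined_detection(rates):
    """Fraction of attacks caught by at least one layer: 1 - product of miss rates."""
    miss = 1.0
    for r in rates:
        miss *= (1.0 - r)
    return 1.0 - miss


def combined_false_positive(fp_rates):
    """Fraction of benign events flagged (and, in prevention mode, blocked)
    by at least one layer. The same compounding that helps detection
    hurts false positives, so per-layer FP rates must be near zero."""
    return combined_detection(fp_rates)


def layers_needed(per_layer, target):
    """Smallest number of independent layers, each at per_layer detection,
    whose combined detection reaches target."""
    n = 0
    caught = 0.0
    while caught < target:
        n += 1
        caught = combined_detection([per_layer] * n)
    return n


if __name__ == "__main__":
    # Layers "in the 70s" stacked: 70% -> 91% -> 97.3% -> 99.2%
    for n in (1, 2, 3, 4):
        print(f"{n} layer(s) at 70%: {combined_detection([0.7] * n):.3f}")
    # Constructed false-positive rates of 1% per layer also stack up.
    print(f"3 layers at 1% FP each: {combined_false_positive([0.01] * 3):.4f}")
```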
And, of course, there is intense pressure from rival companies.
"It's a very avid technology race with Cisco, Symantec, Internet
Security Systems and others."
The network intrusion protection system for a medium-sized
company would cost about $250,000 (£155,540), and it would cost
about the same for host protection.
Network Associates claims that these tools will catch between
60% and 80% of critical intrusion activity. "There is not good
statistical evidence yet," Hodges admitted. "It will take us some
time to collect that."
However, he pointed out that, judged against the well-publicised
vulnerabilities and attacks of the last six months, the two
vulnerabilities last week were covered by the technologies.
"Slammer was stopped, time zero, no signature, by Entercept, and it
did fine."
The attacks that are as yet beyond the current state of the art
are quiet, stealthy inside attacks.
Matt Hamblen and Rob Mitchell write for ComputerWorld