Network Associates sets up intrusion prevention framework


In the past year, Gene Hodges, president of Network Associates, has seen the emphasis for IT security firms change with the emergence of a set of technologies which have, as he puts it, "a fairly heavy positive impact on enterprise security".

The computer security company, best known for its McAfee anti-virus software, has focused on intrusion prevention technologies.

"We think that these technologies, which allow us to stop attacks in real time, are going to be necessary because the speed of the propagation of the mass attacks has become very, very rapid," said Hodges.

"Slammer is a good example. It propagated around the internet in about three minutes on a global scale. This is beyond any realistic human organisation's ability to react," he said.

"By the time you've woken up and put on your shoes to go into the office, the network is already down."

Network Associates made two acquisitions in April and May of this year to support this move. One was the company Entercept, which is focused on intrusion-prevention technology on host computer systems, and the other was a company called IntruVert, which produces intrusion prevention on network systems.

"We are integrating these technologies with our existing product lines and extending them," said Hodges. "Hopefully, over time, we can provide a very reliable platform that is automated and can stop attacks even if they are unknown.

"And we need to do this cheaper, because customers are getting to a point where the size of the security budget is becoming an issue."

Hodges explained that security spending has been increasing from 1% of the IT budget for most organisations to between 3% and 5% over the past couple of years.

"Clearly that can't keep up indefinitely," he said. "So it moves out of the ‘other’ category and starts to get scrutinised."

Security products are gaining credibility in the eyes of some business managers, Hodges believed.

"Those in electronic customer-facing industries, such as financial services, have very definitely had to form opinions about what works and what doesn't work. It's too important to their business to just delegate it to IT people," he said.

"At the other end of the spectrum, some industries like consumer goods are not quite at that state yet.

"It is still the province of specialists - as opposed to being something that the line-of-business manager would have an opinion about - answering how much security is enough and what is the best way to get optimal security," Hodges said.

And then there is the problem of false positives, especially when these tools block traffic that should have been allowed. "The consequences could be pretty bad," said Hodges. "It's a key focus of the technology."

He admitted that, just as with anti-virus, the false positive and false negative rates have to be low, close to zero.

"The way people deploy it, they crank back on the sensitivity of the detection to the point where there are effectively zero false positives," he said. "Then you see what you can still detect, if you have any detection capability left.

"You don't just put out strong detection capability and see how many false positives you can tolerate."

As Hodges explained, most customers become more aggressive in a few key areas of their network that are very sensitive. "If you see somebody suspiciously going after core data, you might shoot first and ask questions later. If you generate a couple of false positive helpdesk calls, you are willing to live with it."

But for the whole of the network, users cannot afford that kind of difficulty, Hodges said. "So you crank the sensitivity down and we still catch 60%-80% of the attacks and block them automatically.

"It’s not a 100% solution yet, but if you can eliminate two-thirds of the attacks, it is more fulfilling for a security manager to say, ‘We were attacked probably 30,000 times last month’ than to have to say, ‘We stopped 20,000 attacks, and there were 10,000 that probably got through, and we're doing deep forensic analysis on 100 of those that got through that look pretty serious’."
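The tuning order Hodges describes (first dial sensitivity back until the false positive count meets a budget, then measure how much detection is left, with a looser budget only in sensitive zones) can be expressed as a small procedure. The following is an added illustration written for this page, not Network Associates' or anyone's product code; the detector scores and labels are constructed for the example, and the zone names and false-positive budgets are assumptions.

```python
"""Threshold tuning in the order the article describes: meet a per-zone
false-positive budget first, then measure the detection rate that remains."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    zone: str        # network zone the sensor covers (assumed names below)
    score: float     # detector's suspicion score, 0.0 (benign) .. 1.0 (hostile)
    malicious: bool  # ground truth from a labelled evaluation set


# Constructed evaluation set for illustration only, not real sensor data.
EVENTS = [
    # general zone: lots of benign traffic, some attacks that score like it
    Event("general", 0.10, False), Event("general", 0.25, False),
    Event("general", 0.40, False), Event("general", 0.55, False),
    Event("general", 0.62, False), Event("general", 0.70, False),
    Event("general", 0.58, True),  Event("general", 0.75, True),
    Event("general", 0.85, True),  Event("general", 0.92, True),
    Event("general", 0.97, True),
    # core zone: little benign traffic, so a blocked helpdesk call is tolerable
    Event("core", 0.20, False), Event("core", 0.60, False),
    Event("core", 0.72, False), Event("core", 0.66, True),
    Event("core", 0.78, True),  Event("core", 0.90, True),
]


def evaluate(events, threshold):
    """Block everything scoring at or above threshold; report the outcome."""
    blocked = [e for e in events if e.score >= threshold]
    fp = sum(1 for e in blocked if not e.malicious)
    tp = sum(1 for e in blocked if e.malicious)
    attacks = sum(1 for e in events if e.malicious)
    return {
        "threshold": threshold,
        "false_positives": fp,
        "blocked_attacks": tp,
        "missed_attacks": attacks - tp,
        "detection_rate": tp / attacks if attacks else 0.0,
    }


def choose_threshold(events, fp_budget=0):
    """Most sensitive (lowest) threshold whose false positives fit the budget.

    Candidates are the distinct observed scores plus +inf, so a budget of zero
    is always satisfiable (at worst by blocking nothing).
    """
    if fp_budget < 0:
        raise ValueError("fp_budget must be >= 0")
    candidates = sorted({e.score for e in events}) + [float("inf")]
    for t in candidates:
        if evaluate(events, t)["false_positives"] <= fp_budget:
            return t
    raise AssertionError("unreachable: +inf always meets a non-negative budget")


def tune(events, budgets):
    """budgets maps zone -> tolerated false positives; returns zone -> outcome."""
    result = {}
    for zone, budget in budgets.items():
        zone_events = [e for e in events if e.zone == zone]
        threshold = choose_threshold(zone_events, budget)
        result[zone] = evaluate(zone_events, threshold)
    return result


if __name__ == "__main__":
    # Zero tolerance on the general network, one tolerated call in the core zone.
    for zone, outcome in tune(EVENTS, {"general": 0, "core": 1}).items():
        print(zone, outcome)
```

On this data the general zone ends up at threshold 0.75 with no false positives and four of five attacks blocked; the core zone, allowed one false positive, drops to 0.66 and catches all three of its attacks, whereas a zero budget there would leave one attack through. The point the numbers make is the one in the text: the budget is fixed first and the detection rate is whatever that budget leaves, not the other way round.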

With customers unlikely to continue to spend increasing amounts on security over time, the name of the game for Network Associates is to allow users to stop enough of the attacks so that they can shift investment to the more sophisticated attacks.

Hodges said, "The attacks by inside users are going to require very careful forensics to be able to prosecute. So, our objective is to crank the percentage of attacks we can stop up to 90% or 95% or 99%.

"It is going to take a couple of years to get it to that level," he said. "Multiple layers of defence in the 70s give you pretty much the same effect."

And, of course, there is intense pressure from rival companies. "It's a very avid technology race with Cisco, Symantec, Internet Security Systems and others."

A network intrusion prevention system for a medium-sized company would cost about $250,000 (£155,540), and host protection would cost about the same.

Network Associates claims that these tools will catch between 60% and 80% of critical intrusion activity. "There is not good statistical evidence yet," Hodges admitted. "It will take us some time to collect that."

However, he pointed out that, measured against the well-publicised vulnerabilities and attacks of the last six months, the two vulnerabilities disclosed last week were covered by the technologies. "Slammer was stopped, time zero, no signature, by Entercept, and it did fine."

The attacks that are as yet beyond the current state of the art are quiet, stealthy inside attacks.


Matt Hamblen and Rob Mitchell write for ComputerWorld
