Intrusion Detection and Prevention (IDP) Systems can prevent malicious intruders from hacking into your corporate network and stealing your sensitive data. They can also be used on internal segments of the network to block internal users from accessing sensitive data. Implement Intrusion Detection and Prevention to avoid becoming a headline.
Use this Solution Set to:
• Develop an IDP strategy.
• Make the business case for IDP.
• Compare and select IDP vendors.
Ensure that you make the correct IDP decisions for your enterprise needs, from strategy to selection to implementation.
Select an Intrusion Detection and Prevention System
Introduction
Info-Tech Research Group
This research is designed for…
• CIOs and IT managers who have decided to deploy IDPS but are unfamiliar with the space.
• Organizations looking to increase the security profile of their network.
• Organizations looking for resolutions to internal data breach problems.
This research will help you…
• Understand how IDPS works and what kind of deployment your organization requires.
• Shortlist IDPS vendors and put together an RFP.
• Tune your IDPS to achieve maximum block rates, and ensure you see value out of your investment.
Use this research to help you understand and strategize your IDPS deployment, and select the right solution given your budgetary constraints and needs.
Security is a big deal. Regardless of whether or not the business houses sensitive data, malicious intruders on your corporate network disrupt business continuity and that costs money. Deploying an Intrusion Detection and Prevention System (IDPS) is the organization’s internal patrol, working with other security tools, such as Firewalls and Anti-Malware, to keep malicious traffic out of your network.
Executive Summary
• In the past, Info-Tech recommended organizations deploy an Intrusion Detection System to monitor traffic on the corporate network. This has changed: Intrusion Prevention technology has come a long way and is now ready for primetime.
• Network intrusion is costly – sensitive data being stolen is a problem for the enterprise and, more importantly, for you and your job security as the IT person responsible for security.
• Developing an IDPS strategy involves a number of decision points: understand the appliance options available, how to manage them, and how and where to position them on your network to provide the best coverage.
• Every vendor in the IDPS space offers the same basic Table Stakes. If baseline IDPS functionality is all you require, focus on price; if specific features are driving the need, look to the Vendor Landscape tool and scenario slides.
• The Composite Performance Index (CPI) is a measure of value per dollar: it displays what each vendor offers in terms of features, usability, viability, strategy and support per raw point awarded in the affordability category. This is, essentially, a bang-for-your-buck metric.
• Monitoring daily is a critical aspect of implementing an IDPS. Do it to get an idea of what is being logged regularly, and adjust thresholds accordingly to ensure you only log and analyze potential threats.
• Tuning the box is the most significant contributor to lessening the manpower associated with running it – a tuned box captures and blocks 19% more threats than an untuned box, meaning you’re analyzing 19% less of the threats that hit it.
Roadmap (Section I)
Phases: Strategize | Select | Evaluate | Implement & Operate
• Though firewalls are supposed to block illicit inbound traffic, they don’t always succeed; an IDPS catches the threats the firewall misses.
• Intrusion Detection was declared dead in 2004; the proclamation was early, but Intrusion Prevention has progressed to the point that it is now the standard.
• An IDPS strategy involves several components, a core one of which is the decision between dedicated and consolidated solutions.
• Decide between intrusion detection & intrusion prevention.
Network intrusion is costly – if your organization has data-stealing intruders, your job may be at stake
Implement security technology such as an IDPS to protect yourself from what could happen if you’re unprotected – nobody wants to be a headline. TJX, a large American retailer, was hit with a $118 million charge against 2nd quarter earnings in 2007 due to the theft of 45.9 million credit cards via a breach of their wireless network.[1] Implementing an IDPS is an effective way of preventing malicious content from compromising the network and causing this kind of disaster.
86% of organizations are proactively improving security by implementing IPS before an intrusion wreaks havoc. You never expect your house to burn down, but you buy insurance just in case it does – similarly, you may not expect to get hacked, but you want some form of protection in place for when you are.
Sources:
• [1] USA Today, “TJX, Visa reach $40.9M settlement for data breach,” November 2007.
• Info-Tech Research Group, n = 22
Developing an IDP strategy involves answering a number of questions; answer these four questions before proceeding
What does an IDPS do? Understand that everything that passes your firewall, anti-malware tools, and other security is free on your network. A firewall is a bouncer; an IDPS is a guard patrolling the bar for strangers and drunkards.
What are my options? IDPS can be deployed as a dedicated box or a consolidated box. Dedicated boxes offer higher performance and lower entry prices. Consolidated boxes offer a better TCO and streamlined management across multiple tools.
How do I manage it? Attacks can happen any time, any day. If you can’t afford the security staff to manage and watch the appliance 24/7, managed services can be a more attractive option. Have a large security staff already? Monitor the appliance in-house.
How many probes do I need? For most enterprises, a single sensor at the network perimeter will be sufficient. Internal segments of the network with sensitive data, or firms using multiple ISPs, should consider probes at entry points to each network.
An IDPS sits at the network perimeter and tracks what comes and goes; without it, your borders may be open to strangers
Info-Tech Insight: 75% of respondents to a recent Info-Tech survey about IDPS stated that their networks had become significantly more secure as a result of their IDPS deployment.
An IDPS sits behind the firewall and the anti-malware protection system, monitoring traffic that has passed through both solutions. In detection mode, an IDPS will alert the network administrator when questionable traffic that has passed the firewall and anti-malware solutions passes through the box. In prevention mode, the box will actually mitigate the threat as soon as it hits the IDPS system. Organizations without IDPS are not more susceptible to breaches, but will be unaware of what enters and exits their network. Organizations with IDPS are more capable of monitoring what enters and exits their network and can mitigate the impact of any potential threats.
[Figure: Incoming Traffic → Firewall → Anti-Malware → IDPS → Protected Corporate Network]
Organizations with some security tools in place will catch a portion of malicious traffic as it hits the firewall and anti-malware tools. Make no mistake, some malicious traffic will get past these tools and hit the internal network. Without an IDPS in place, IT will have no record of what threats entered the network, leading to a potential wild goose chase in an effort to track them down.
[Figure: Incoming Traffic → Firewall → Anti-Malware → No IDPS → Open Corporate Network]
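To make the detection-versus-prevention distinction above, and the threshold tuning advice from the Executive Summary, concrete, here is a small Python simulation of a sensor sitting behind the firewall. It is an added example, not code from the Info-Tech report or from any vendor it evaluates; the signature patterns, the port-sweep heuristic, the IP addresses and every packet are constructed for illustration. The sensor matches each packet against a signature list (signature scanning) and against a per-source rate rule, distinct destination ports within a time window (behavior scanning). In detect mode it logs and forwards; in prevent mode it logs and drops. With a low sweep threshold a benign monitoring host shows up in the alert log alongside the real sweep; raising the threshold, which is what daily review and tuning is for, leaves only the real threats to analyze.

```python
"""Toy inline sensor: signature + behavior scanning, detect vs. prevent mode.

Constructed example. All IPs, rules and traffic below are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float       # seconds since capture start
    src: str        # source IP (constructed)
    dst_port: int   # destination TCP port
    payload: str    # application-layer bytes, decoded for readability


@dataclass
class Alert:
    ts: float
    src: str
    rules: str      # comma-separated names of the rules that fired
    action: str     # "alert" (detect mode, forwarded) or "drop" (prevent mode)


# Signature scanning: fixed patterns a known-bad request would carry.
# Both patterns are constructed for this example.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./\.\./")),
    ("scanner-user-agent", re.compile(r"User-Agent: ConstructedScanner", re.IGNORECASE)),
]


class Sensor:
    """Sits behind the firewall; sees only traffic the firewall already let through."""

    def __init__(self, mode="detect", scan_threshold=10, window=5.0):
        if mode not in ("detect", "prevent"):
            raise ValueError("mode must be 'detect' or 'prevent'")
        self.mode = mode
        self.scan_threshold = scan_threshold    # distinct ports per source per window
        self.window = window                    # seconds
        self._ports_by_src = defaultdict(list)  # src -> [(ts, dst_port), ...]
        self.alerts = []
        self.forwarded = []

    def _port_sweep(self, pkt):
        """Behavior scanning: one source touching many distinct ports in a short window."""
        hist = self._ports_by_src[pkt.src]
        hist.append((pkt.ts, pkt.dst_port))
        cutoff = pkt.ts - self.window
        hist[:] = [(t, p) for t, p in hist if t >= cutoff]   # expire old entries
        return len({p for _, p in hist}) >= self.scan_threshold

    def inspect(self, pkt):
        """Return an Alert if any rule fired, else None; forward unless dropping."""
        fired = [name for name, rx in SIGNATURES if rx.search(pkt.payload)]
        if self._port_sweep(pkt):
            fired.append("port-sweep")
        if not fired:
            self.forwarded.append(pkt)
            return None
        action = "drop" if self.mode == "prevent" else "alert"
        alert = Alert(pkt.ts, pkt.src, ",".join(fired), action)
        self.alerts.append(alert)
        if action == "alert":       # detection mode only reports; traffic still passes
            self.forwarded.append(pkt)
        return alert


def sample_traffic():
    """Constructed capture: two benign hosts, two signature hits, one port sweep."""
    pkts = []
    for i in range(12):   # ordinary web client, always port 443
        pkts.append(Packet(i * 0.3, "10.0.0.5", 443,
                           f"GET /page{i} HTTP/1.1\r\nUser-Agent: Browser\r\n"))
    for i, port in enumerate([22, 80, 443, 3306, 5432, 8080]):   # monitoring host polling 6 services
        pkts.append(Packet(i * 0.2, "10.0.0.9", port, "PING"))
    pkts.append(Packet(4.0, "198.51.100.7", 80, "GET /../../private/config HTTP/1.1\r\n"))
    pkts.append(Packet(4.5, "198.51.100.8", 80,
                       "GET / HTTP/1.1\r\nUser-Agent: ConstructedScanner/1.0\r\n"))
    for i in range(20):   # sweep: 20 distinct ports in 2 seconds
        pkts.append(Packet(5.0 + i * 0.1, "203.0.113.4", 1000 + i, "SYN"))
    return sorted(pkts, key=lambda p: p.ts)


def run(mode, scan_threshold):
    """Feed the constructed capture through one sensor and return it for inspection."""
    sensor = Sensor(mode=mode, scan_threshold=scan_threshold)
    for pkt in sample_traffic():
        sensor.inspect(pkt)
    return sensor


def alerts_by_source(sensor):
    """What a daily log review sees: alert count per source IP."""
    counts = defaultdict(int)
    for a in sensor.alerts:
        counts[a.src] += 1
    return dict(counts)


if __name__ == "__main__":
    for threshold in (5, 10):
        print(f"detect mode, threshold={threshold}:", alerts_by_source(run("detect", threshold)))
    blocked = run("prevent", 10)
    print(f"prevent mode: {len(blocked.alerts)} dropped, {len(blocked.forwarded)} forwarded")
```

Run the file directly to print alert counts per source at thresholds 5 and 10, then the drop/forward totals in prevent mode. At threshold 5 the monitoring host 10.0.0.9 generates two alerts that an analyst would have to dismiss; at threshold 10 only the signature hits and the sweep remain, and in prevent mode those packets never reach the protected network. Replace sample_traffic() with your own captured records to try the same tuning loop on real data.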
A dedicated IDPS solution is a necessity if you need to monitor internal segments of the network – protect that sensitive data!
Info-Tech Insight: Understand that when deciding between a dedicated box and a consolidated box, you’re really looking at deciding between lower initial investment (dedicated) vs. lower TCO (consolidated).
Consolidated boxes that hold multiple security technologies within a single appliance fit the smaller organization with less of a budget aimed towards IT security. The primary benefit of consolidated boxes is streamlined management tools, but their complexity can make them more expensive than dedicated solutions; if you don’t need all the functionality a UTM offers, they can be cost and protection overkill.
A dedicated IDPS is a better fit for organizations with other security technology already in place – throwing out already purchased tools is expensive. If the network currently has security tools, upgrading via a dedicated IDPS box is simpler and more cost effective. Dedicated boxes also have higher throughput capacity and speed, resulting in less interference with network traffic.
An IDPS acts as a dedicated box at the perimeter of your network that works with a firewall and anti-malware solutions to protect the network. A unified threat management (UTM) system is a consolidated box, housing multiple security tools that protect the network.
[Figure: dedicated deployment – Incoming Traffic → Firewall → Anti-Malware → IDPS → Protected Corporate Network; consolidated deployment – Incoming Traffic → single UTM box (Firewall, Anti-Malware, IDPS) → Protected Corporate Network]
If your security team can be staffed on an IDPS 24/7, do it in-house; otherwise go to managed services
In the “good old days” when intrusion detection was the pre-eminent technology, staffing issues were the 800 lb gorilla. Intrusion detection can generate vast numbers of alerts that must be dealt with, ideally in real time, for its protection capabilities to be realized. Intrusion prevention has mitigated this to a significant degree, to the point that large numbers of dedicated staff may not be required. For optimal protection, 24/7 monitoring of alerts and responses still has value. If you don’t need instant response, you don’t need active monitoring. Let the IDPS do its thing, but make sure to review logs daily, and page for significant threats.
What Info-Tech clients are saying… “The IDPS can only be successful if a process is in place to monitor and maintain the system and reports are reviewed on a regular basis.” – IT Manager, Education
Security Analysts ≥ 5: Organizations that need the highest levels of responsiveness, and that have 5 or more security analysts on staff, can afford to manage an IDPS on a 24/7 basis in-house at a cost advantage vs. managed services.
Security Analysts < 5: Organizations that need high levels of responsiveness, but that do not have 5 or more security analysts on staff, and therefore cannot actively monitor their IDPS 24/7, will benefit from outsourcing to an MSSP.
Calculate the number of probes required for your implementation given your current network topology
Internal Probes: The number of internal networks with confidential, private, or sensitive data on them determines how many internal IDP appliances the organization needs. Here ratio options exist – multi-segment, multi-Gigabit boxes are available for 1:x deployments but have big price tags and may be overkill. Evaluate internal network speed and the number of segments to be protected to decide between large 1:x ratio boxes or smaller “appliance per segment” solutions. Use the number of network segments with sensitive data to drive internal probe deployment.
External Probes: The number of pure internet connections coming into the organization drives the number of dedicated or consolidated boxes required at the network perimeter. The ISP:appliance ratio must remain at 1:1 throughout the organization to ensure protection on all inbound links without introducing a single point of failure. The number of ISPs, in turn, is driven by the organization’s need for network redundancy and resiliency (e.g. failover networks). For consistent protection, the organization must have 1 appliance on each dedicated Internet connection.
[Figure: external probes – ISP 1 → IDPS 1/UTM 1 and ISP 2 → IDPS 2/UTM 2 → Protected Corporate Network; internal probes – IDPS on Segment 1 in front of a Segmented Network (e.g. R&D) within the Protected Corporate Network]
Determine whether or not IDPS is appropriate for your organization before moving into vendor selection
The IDP System Appropriateness Assessment Tool will help you:
1. Conduct an IDPS Necessity Assessment.
2. Determine whether you are better served by an IDPS or UTM.
3. Determine whether you should bring IDP in-house or move to managed services.
4. Calculate the number of probes required for your implementation given current network setup.
This tool will help you determine whether or not you should be deploying an IDPS and how many probes you require. Use the probe figure in the IDP System TCO Calculator later in this solution set to more accurately project the cost of your specific implementation.
You know what you need; now it’s time to figure out what it’s going to cost & how to manage it
The IDP System TCO Calculator will help you:
1. Determine capital costs, such as hardware and licensing.
2. Determine operating costs, such as support and staffing.
3. Provide you with a TCO for managing IDPS across 4 different scenarios.
Use this TCO calculator to get an understanding of the various licensing and management options available to you with an IDPS solution. This tool provides dollar figures for the IDPS setup strategy discussed in Section I. Remember, the probe figure from the Appropriateness Assessment tool you just completed should be entered into the appropriate places in this tool to provide a more accurate recommendation.
Info-Tech Insight: 100% of survey respondents that stated implementing their IDPS system was highly labor intensive also categorized the financial reward as highly significant.
Roadmap (Section II): Look to the Vendor Landscape to determine who can meet your needs
Phases: Strategize | Select | Evaluate | Implement & Operate
• Though all available solutions meet certain Table Stakes capability requirements, differentiating features do exist – match enterprise needs to these enhanced capabilities.
• Feature/functionality is only one measurement of solution/vendor applicability; choosing the best option means understanding all the variables.
• Use Info-Tech’s specific vendor/product evaluations to find the solution that represents the best fit for your enterprise need.
Every vendor in the game has the basic table stakes, but who goes above and beyond in the areas that matter to you?
Info-Tech Insight: If Table Stakes are all you need from your IDPS solution, the only true differentiator for the organization is price. Otherwise, dig deeper to find the best price-to-value for your needs.
The Table Stakes – What does this mean?
• Throughput: Probes are capable of supporting at least 0.2GBPS in throughput capacity.
• Hardware Portfolio: Vendor provides a variety of probes at varying price points for adequate matching with needs.
• Signature Scanning: The solution is capable of signature scanning.
• Behavior Scanning: The solution is capable of behavior scanning.
• 24/7 Support: Support is available 24/7 for client issues.
• Weekly Updates: Signatures and other scan-related data are updated weekly, at a minimum.
• Management and Reporting: The solution comes with a reporting and management dashboard.
The products assessed in this Vendor Landscape™ meet, at the very least, the requirements outlined as Table Stakes. Many of the vendors go above and beyond the outlined Table Stakes; some even do so in multiple categories. This section aims to highlight the products’ capabilities in excess of the criteria listed here.
“Visibility of the organization is also important. I doubt, in the current environment, that many people are interested in hacking into our small hospital system; however, I will not take a chance with other people’s financial and personal health info, so I will do the right thing.” – IT Manager, Healthcare
IDPS Criteria & Weighting Factors
Vendor Evaluation
• Strategy: Vendor is committed to the space and has a future product and portfolio roadmap.
• Viability: Vendor is profitable, knowledgeable, and will be around for the long term.
• Support: Vendor offers implementation and ongoing management support.
Product Evaluation
• Affordability: The five year TCO of the solution is economical.
• Features: The solution provides basic and advanced feature/functionality.
• Usability: The solution’s dashboard and reporting tools are intuitive and easy to use.
The Info-Tech IDPS Vendor Landscape
For a complete description of Info-Tech’s Vendor Landscape methodology, see the Appendix.
• Champions receive high scores for most evaluation criteria and offer excellent value. They have a strong market presence and are usually the trend setters for the industry.
• Competitors strike a strong balance between product and vendor attributes. They have the potential to become future industry leaders if they address the missing links in their offerings.
• Emerging players are newer vendors who are starting to gain a foothold in the marketplace. They balance product and vendor attributes, though score lower relative to market Champions.
• Innovators have demonstrated innovative product strengths that act as their competitive advantage in appealing to niche segments of the market.
• Industry standard vendors are established players with very strong vendor credentials, but with more average product scores.
Every vendor has its strengths & weaknesses; pick the one that works best for you
[Harvey Ball scorecard: McAfee, HP, Cisco, IBM, Juniper, Top Layer, Sourcefire, Radware and Check Point scored on Product criteria (Features, Usability, Affordability) and Vendor criteria (Viability, Strategy, Support); the ball values are not preserved in this text.]
Note: “Harvey Ball” scores are produced by normalizing weighted, raw scores for each category, resulting in relative scores for each category. For example, an empty circle does not indicate a zero score; it indicates the lowest score in that category relative to other products. Likewise, a solid circle does not indicate a perfect score, but rather the highest score in that category relative to the other products.
Cisco provides the most value per dollar of spend across the board due to an impressive feature list & low price point
On a relative basis, Cisco maintained the highest Info-Tech Composite Performance Score™ (CPS) of the vendor group. Vendors were indexed against Cisco’s performance to provide a complete, relative view of their product offerings.
What is a Composite Performance Score? The Composite Performance Score is a measure of performance across both Vendor and Product categories, normalized in relation to cost.[1] This measure does not indicate vendor ranking; instead, it provides an indexed assessment of each vendor’s product and business strength in relation to the cost of their solution. Vendors that score high offer more features, usability, support, SMB focus, and stability relative to their price point than the average vendor, while the inverse is true for those that score lower. Enterprises looking to achieve optimal “bang for the buck” may wish to give the Composite Performance Score more consideration than those who are more focused on specific vendor/product attributes.
Sources:
• [1] To calculate the Composite Performance Score for each vendor, the affordability raw score was backed out, the product scoring reweighted, and the affordability score multiplied by the product of the Vendor and Product scores.
HP TippingPoint’s grip on proprietary signature research is a differentiator in the industry, but cost may be a deterrent
Info-Tech Rating: Champion
Overview
• Acquired by HP in 2010, 3Com’s TippingPoint products add IDPS functionality to HP’s current networking portfolio.
Strengths
• DVLabs functionality and proprietary research teams allow HP to combat malicious signatures faster and more effectively than any other vendor in the space.
• Allows bandwidth allocation for non-critical applications.
• vController and VMC allow for management of virtualized infrastructure.
Challenges
• For organizations that require less than 0.5GBPS of throughput from their IDPS appliance (typical of perimeter deployments), HP is significantly more expensive than the average vendor.
Info-Tech Recommends: If the integrity of data on your corporate network requires extremely high level security, HP’s DVLabs suite is the most up-to-date signature database on the market.
Employees: 310,000 (HP-wide) | Headquarters: Palo Alto, CA | Website: HP.com
HP focuses heavily on the enterprise market, hurting its strategy score; there is better value elsewhere based on price
HP achieved a slightly above average Composite Performance Index score in all categories except for Strategy, where its score was well below the average. HP’s mediocre scores across most categories are a result of the high price of the solution and its low usability score. Its strategy score is below average because HP is more focused on the enterprise space rather than the small to medium enterprise, as evidenced by the progression to more favorable pricing as appliance throughput moves upstream.
[Vendor Listing – feature matrix; the check marks are not preserved in this text. Advanced Features: DoS Protection, Inherent Firewall, Reputation Based Scanning, Virtual Signatures, Virtual Infrastructure Protection, Application Specific Scanning, Encrypted Traffic Scanning, Redundancy, User Based Signatures. Support Delivery and Reach: North America, APAC, EMEA.]
Bonus: DVLabs Research employs 30+ research professionals and provided the first patch to 14 critical and 47 high risk vulnerabilities in 2010, more than 5x that of competing vendors.
Cisco possesses a large deployed sensor network that feeds its impressive reputation engine at a very low price point
Info-Tech Rating: Champion
Overview
• A major player in the enterprise technology space, Cisco’s IPS offering is marketed as the Cisco IPS 4200 series sensors.
Strengths
• On a price per GB of throughput basis, Cisco offers the best value among vendors with boxes under 0.5 GBPS.
• 700,000 sensors deployed globally form the industry’s largest IDPS reputation network.
• Offers the same management & reporting package at all levels of its IDPS portfolio for consistent management.
Challenges
• The primary focus of the organization’s IDP efforts is on consolidated boxes, meaning organizations that require dedicated boxes may be less of a priority.
Info-Tech Recommends: If the organization currently uses a lot of Cisco infrastructure, implementing Cisco’s IDPS provides quick reporting/management wins.
Employees: 70,714 | Headquarters: San Jose, CA | Website: Cisco.com
Cisco offers a huge amount of features at the most affordable price point, making it the best value play in the space
Cisco achieved the highest Composite Performance Index scores in all categories except for Strategy, where its score was still above the average. Cisco’s high across-the-board scores are the result of its solution having the lowest price of all evaluated products while having above average scores in all other categories. Its strategy score is limited, though still above average, due to its primary focus on consolidated rather than dedicated solutions.
[Vendor Listing – feature matrix; the check marks are not preserved in this text. Advanced Features: DoS Protection, Inherent Firewall, Reputation Based Scanning, Virtual Signatures, Virtual Infrastructure Protection, Application Specific Scanning, Encrypted Traffic Scanning, Redundancy, User Based Signatures. Support Delivery and Reach: North America, APAC, EMEA.]
Bonus: Maintains 700,000 sensors globally to feed its Global Correlation program, boosting efficacy and driving reputation scores that are pushed out to all devices on the network.
McAfee offers an extremely robust feature set & a global support system, but does so at a premium to other vendors
Info-Tech Rating: Champion
Overview
• Founded in 1987, McAfee is a leading computer security player globally. McAfee and Intel have entered into an agreement whereby McAfee would be acquired by Intel as a wholly owned entity.
Strengths
• Much like HP’s TippingPoint solution, McAfee’s feature set is among the most robust in the industry, providing DDoS protection, virtual machine scanning, encrypted traffic scanning and more.
• McAfee’s emphasis on usability is highlighted with a robust, easy to use management solution.
Challenges
• With the recent acquisition by Intel, there remains some uncertainty in the industry about the direction of McAfee’s product portfolio.
• The solution is priced at a heavy premium in comparison to other players in the market, regardless of its robust feature set.
Info-Tech Recommends: If a robust feature set and highly detailed dashboard and reporting setup are your prime concern, McAfee is a potential solution; otherwise, there are less costly vendors in the space.
Employees: 6,100 | Headquarters: Santa Clara, CA | Website: McAfee.com
McAfee offers the most impressive feature list, but is priced at a hefty premium to the market, destroying value per dollar
McAfee achieved low Composite Performance Index scores in all categories due to its exceptionally high price point. McAfee’s high price point negatively impacted its composite performance despite the breadth of its features and the strength of the product on the whole. Its viability score was especially low due to the uncertainty surrounding the IntruShield offering following the Intel acquisition.
[Vendor Listing – feature matrix; the check marks are not preserved in this text. Advanced Features: DoS Protection, Inherent Firewall, Reputation Based Scanning, Virtual Signatures, Virtual Infrastructure Protection, Application Specific Scanning, Encrypted Traffic Scanning, Redundancy, User Based Signatures. Support Delivery and Reach: North America, APAC, EMEA.]
Bonus: The McAfee IntruShield appliance lineup offers integrated VoIP protection to specifically protect against threats using this increasingly common communications mechanism.
If you already have IBM infrastructure, or require extremely high throughput, consider IBM
Info-Tech Rating: Industry Standard
Overview
• A global player in networking and security, IBM’s IDPS offering saw double-digit growth in 2010.
• The product portfolio is extensive and is leaning towards further increasing already high throughput capacity.
Strengths
• Appliance portfolio is the largest in the industry, ranging from 200MBPS boxes up to 25GBPS boxes.
• Reporting system is clean and easy to use.
• Protocol Analysis Module is a leader in the industry and is capable of identifying threats based on logical assumptions from previous signatures.
Challenges
• Limited application management functionality, as bandwidth cannot be assigned to specific applications, forcing the organization to allow or disallow applications, as opposed to allowing them up to a certain threshold.
Info-Tech Recommends: If your organization has a suite of IBM products already, or is looking for IDPS boxes with extremely large throughput capacity, consider IBM as a potential solution.
Employees: 399,409 | Headquarters: Armonk, NY | Website: IBM.com
IBM offers average functionality but is backed by a strong corporate brand & large support network
IBM achieved a slightly above average overall Composite Performance Index score with good specific results in support and viability, but poor results in strategy and usability. As the largest and most stable vendor in this survey, IBM’s high viability score is to be expected. The company’s usability score was negatively impacted by a complex management system, while its strategy score was heavily impacted by the firm’s focus on the enterprise market.
[Vendor Listing – feature matrix; the check marks are not preserved in this text. Advanced Features: DoS Protection, Inherent Firewall, Reputation Based Scanning, Virtual Signatures, Virtual Infrastructure Protection, Application Specific Scanning, Encrypted Traffic Scanning, Redundancy, User Based Signatures. Support Delivery and Reach: North America, APAC, EMEA.]
Bonus: As Data Leakage Protection becomes an ever more prevalent technology, it is finding its way into many other security solutions; IBM is the first to integrate DLP capability into its IDPS sensors.
Juniper offers a low cost solution compared to the average vendor, but also offers fewer throughput options on appliances
Info-Tech Rating: Innovator
Overview
• Founded in 1996, Juniper began as a supplier of high-performance routers and now carries IDPS technology and a host of other networking-related products.
Strengths
• Price points for boxes above and below the 0.5GBPS threshold are among the best in the industry, and well below average cost for each category.
• Juniper runs the same IDP engine across its IDP and SRX series, resulting in ease of management across systems.
Challenges
• Less delineation in the product portfolio than other vendors in the space, as Juniper has only a 1GBPS and a 10GBPS box available to consumers that require more than 300MBPS throughput. Those looking at Juniper for internal deployments may be underserved by this strategy.
Info-Tech Recommends: If cost is the major concern for your organization and the appliance throughput is available from Juniper, consider it a strong solution for the money.
Employees: 8,000 | Headquarters: Sunnyvale, CA | Website: Juniper.net
Juniper is the only vendor in the landscape offering ‘honeypot’ capabilities, and is priced well relative to its peers
Juniper achieved a high Composite Performance Index score in all categories except for Strategy, where its score was below average. Juniper’s high across-the-board scores are the result of its solution having one of the lowest price points in the group, while providing more features than other, similarly priced vendors. Its strategy score is below average due to its focus on the enterprise space with its IDPS solution – the firm carries a UTM solution geared much better towards the SME.
[Vendor Listing – feature matrix; the check marks are not preserved in this text. Advanced Features: DoS Protection, Inherent Firewall, Reputation Based Scanning, Virtual Signatures, Virtual Infrastructure Protection, Application Specific Scanning, Encrypted Traffic Scanning, Redundancy, User Based Signatures. Support Delivery and Reach: North America, APAC, EMEA.]
Bonus: Juniper’s IDP series of appliances uniquely offers ‘honeypot’ capabilities to track and confound illicit reconnaissance efforts.
Sourcefire offers a leading IDPS product & maintains a robust appliance portfolio, but lacks full DDoS protection capability
Info-Tech Rating: Competitor
Overview
• Founded in 2001, Sourcefire is the commercialized version of the Open Source IDS, Snort.
• Sourcefire maintains ties to the open source community and is actively involved with developing both products.
Strengths
• Robust portfolio of appliances allows Sourcefire to service organizations that require anywhere from 5MBPS to 20GBPS (through sensor clustering) of throughput.
• Incorporates real-time network, application and user intelligence to provide “contextual awareness” for automated impact assessment, IPS tuning, application monitoring, and user identification.
Challenges
• Sourcefire has somewhat limited protection capabilities in comparison with other vendors, lacking extra features such as firewall and reputation scanning.
Info-Tech Recommends: If your organization anticipates quickly scaling up hardware over a short period of time, Sourcefire’s hardware portfolio extends from the very small to the very large, providing some continuity.
Employees: 393 | Headquarters: Columbia, MD | Website: Sourcefire.com
Sourcefire focuses heavily on IDP & benefits from the large open source community behind Snort

Sourcefire recorded one of the higher Composite Performance Index scores due to the combination of generally positive criteria scores and overall attractive pricing. Sourcefire was regarded as having the highest CPI score for strategy as a result of its IDP-only focus and attractiveness to the SME space. As with the other smaller vendors in the study, viability is impacted when compared with multi-hundred-billion-dollar companies.

Vendor Listing (feature table; ratings not recoverable from the extraction; same columns as the Juniper listing).

As the commercial offering from the developers of Snort, the world’s most commonly deployed IDP solution, Sourcefire can draw on that massive community user base for signature development.
Check Point is an expensive solution with a minimal feature set; other vendors offer more functionality at a lower price point

Overview
• Established in 1993, Check Point’s focus has been entirely on IT security.
• Acquired a division of Nokia’s security appliance business in April of 2009.

Strengths
• From a strategy perspective, Check Point is more focused than larger players on the SMB space, meaning small firms considering an IDPS long-term may see some specific benefits from the vendor.
• Support options are on par with other vendors in the space, with international offerings and 24/7 availability.

Challenges
• Check Point lacks the rich feature sets present in other vendors, including DDoS protection, encrypted traffic scanning, and virtual machine scanning.
• Like McAfee, Check Point is priced at the high end of the scale, but does not currently offer the feature set to support the lofty price point.

Info-Tech Rating: Industry Standard
Info-Tech Recommends: If advanced functionality and security are a minimal concern, then Check Point may be a viable option, but there are better, less expensive solutions on the market.
Employees: 2,200 | Headquarters: Redwood City, CA | Website: Checkpoint.com
Check Point performs poorly on a CPI basis due to a lofty price point & minimal functionality, resulting in poor value

Check Point achieved a low Composite Performance Index as a result of the second highest price in this study, compared against generally modest results in most categories. Check Point achieved its best results in usability (due to a very clean management interface) and strategy (due to its focus). Its advanced feature set was deemed one of the weakest in the comparison, resulting in the low CPI for that criterion.

Vendor Listing (feature table; ratings not recoverable from the extraction; same columns as the Juniper listing).

Though not a metric in this evaluation, Check Point has recently been reviewed favorably on performance and throughput capabilities by NSS Labs, an independent testing house.
Top Layer Security provides the appliance for free with three year maintenance contracts, drastically reducing TCO

Overview
• Acquired in 2011 by Corero, Top Layer forms the foundation of Corero’s network security platform.
• Major verticals include: Healthcare, Higher Education and Small Financials.

Strengths
• The “Free IPS Appliance” program provides hardware for free with the purchase of 3 years of maintenance and threat update service, reducing 3 year TCO by 50%.
• Network Security Analyzer is included with the purchase of any IPS solution.

Challenges
• As a smaller vendor in the IDPS space, Top Layer cannot guarantee the stability and viability that larger vendors enjoy.

Info-Tech Rating: Emerging Player
Info-Tech Recommends: If all you require is intrusion prevention functionality at an extremely low cost, Top Layer Security may be the right solution for your organization.
Employees: 70 | Headquarters: Hudson, MA | Website: Toplayer.com
Top Layer offers an IPS-only, SME focused product with a free appliance option, but its recent takeover hurts viability

Top Layer offers a reasonably competitive product at a slightly above average price, resulting in a lower overall Composite Performance Index result. This may be mitigated, however, by Top Layer’s innovative free appliance approach. Top Layer’s focus on the IDP market, and on the SME client, earns it solid Strategy marks; however, its just-announced acquisition by UK-based Corero as the flagship of that company’s new (and still being defined) security division significantly impacts viability scores.

Vendor Listing (feature table; ratings not recoverable from the extraction; same columns as the Juniper listing).

Top Layer’s TopMSS managed services offering allows enterprises to invest in technology and the management of that technology from a single provider.
Radware’s scalable buying concept will aid high-growth or cash-strapped organizations with IDPS expansion

Overview
• Founded in 1997, Radware focuses solely on application delivery and network security.

Strengths
• Scalable buying allows customers to scale their IDPS hardware as necessary, meaning the organization can buy a 1 Gbps box now and a 2 Gbps license upgrade later, paying only the difference in price.
• The reporting and analytics system shipped with the product is extremely robust and easy to use.

Challenges
• Radware’s reputation engine is not as strong as other players’ in the space, but the product portfolio and strategic roadmap are heading in the right direction.

Info-Tech Rating: Emerging Player
Info-Tech Recommends: If a major investment in IDPS is not a primary initiative for the organization, or you are in a high-growth environment, consider Radware’s scalable buying as a way to ease into IDPS.
Employees: 700+ | Headquarters: Tel Aviv, Israel | Website: Radware.com
Radware carries a high initial investment cost on its appliances & involves using an extremely complex management interface

Radware’s overall Composite Performance Index score was radically impacted by the high initial costs of its appliances compared against mostly mediocre scores in all categories. Radware’s best results came in strategy due to its strict focus on the IDPS space. Its worst results, usability and viability, are attributable first to a complex and confusing interface, and second to being a very small company in the presence of much larger competition.

Vendor Listing (feature table; ratings not recoverable from the extraction; same columns as the Juniper listing).

The ERT provides instantaneous, expert security assistance in order to restore network and service operational status when a client is under DDoS attack or malware outbreak.
Not all vendors are created equal; pick the right one for your case

Effectiveness is highly vendor dependent. The Composite Performance Index is a measure of value for dollar, but certain, specific select criteria may be driving your needs. The table below provides some insight into which vendors Info-Tech recommends, based on specific needs.

I want… / Info-Tech Recommends:
• The best value for my dollar: Cisco, Juniper
• The greatest feature set: HP, McAfee
• The most up-to-date signatures at all times: HP, IBM
• A vendor that is focused on the small enterprise: Radware, Sourcefire, Top Layer, Check Point
• The ability to scale up cheaply as I grow: Radware
• Full redundancy: HP, Top Layer
• Inherent firewall: Radware, McAfee, Top Layer
Roadmap (Strategize, Evaluate, Select, Implement & Operate)

Section III: Select
• Align vendor offerings with your needs.

• Identify the right potential solution providers with a Vendor Shortlist
• Focus requirements with an RFP Template
• Rate vendor responses with an RFP Response Tool
Identify leading solution candidates with a Vendor Shortlist

• The Info-Tech IDP System Vendor Shortlist Tool is designed to generate a customized shortlist of vendors based on key priorities.
• The Info-Tech IDP System Vendor Shortlist Tool offers the ability to modify:
  • Overall Vendor vs. Product weightings
  • Vendor criteria weightings (e.g. vendor viability, support, strategic orientation)
  • Product criteria weightings (e.g. features, usability, affordability)
• Use this tool at an early stage of analysis to identify vendors that will best meet business requirements.
Focus solution requirements with an RFP Template

Info-Tech Insight: An RFP implies stable requirements and an intent to buy – use this tool to help select a supplier, not to develop a shortlist.

• Issuing RFPs is a critical step in your vendor selection process.
• The Info-Tech IDP System RFP Template comes populated with important elements you don’t want to forget, which include:
  • Statement of Work
  • Proposal Preparation Instructions
  • Scope of Work
  • Specification & Requirements
  • Vendor Qualifications & References
  • Budget & Estimated Pricing
  • Vendor Certification
Put hard numbers behind vendor claims & keep evaluations objective by scoring RFP responses

• A standard and transparent process for scoring individual vendor RFP responses will help ensure that internal team biases are minimized.
• Adjust the individual category weightings to customize this tool to business priorities.
• The Info-Tech IDP System Evaluation & RFP Response Tool comes pre-built with important scoring criteria for vendor RFP responses.
• This tool includes modifiable criteria across the following categories:
  • Features (e.g. real-time integration)
  • Operational Requirements (e.g. debugging, exception reporting)
  • Architecture (e.g. hosted deployment, connector volume)
  • Support

Info-Tech Insight: Pricing information distracts reviewers from evaluating business and technology requirements. Consider withholding it until after evaluation of functional criteria.
Roadmap (Strategize, Evaluate, Select, Implement & Operate)

Section IV: Implement & Operate
• You can’t leave your network unprotected. Understand how IDPS can help.

• Understand the difference between nearline and inline, and the impact on network throughput.
• Tune your appliance to get the most value out of it.
• Get a handle on best practices for handling incidents.
Start with nearline monitoring, but move to inline blocking as probe performance is optimized

Info-Tech Insight: Getting the throughput specifications right for the appliance should be a prime focus point. A small box becomes a network bottleneck; a large box requires significantly more capital.

A nearline deployment gives IT a chance to monitor the default rule setup of the appliance and assess throughput capacity without materially impacting the network. Start with a nearline deployment and only move to inline when you are sure the appliance will not become a bottleneck on the network.

In terms of tuning the rules of the box, trial and error is the generally used method. Start by turning on the baseline rules, and tweak both rules and thresholds until the appliance performs at an acceptable rate. Once the appliance is performing satisfactorily, move it inline and implement blocking.

Chart values (labels not recoverable from the extraction): 43%, 98%, 31%, 92%.
Use a pilot group & monitor actively during the initial tuning phase; IPS requires constant attention to be effective

Info-Tech Insight: The initial configuration of an IDPS appliance is extremely important to the optimal functioning of the solution, but the effort must be maintained throughout the system’s lifetime to remain effective.

1. Monitor Daily. Understand that IPS is not an idle technology: monitoring reports and logs is the only way to configure an IPS solution for optimal block rates. The goal of monitoring is to develop an idea of what baseline figures and activities look like, making it easier to spot anomalies in the future.

2. Review Logs. After a few days of running the solution, open up the event logs and begin to understand what is happening. Check that the applications you expect to be running are running, resolve early false positives, and ensure the processes and services are correct.

3. Begin Tuning. Tuning accurately is a major differentiator between an adequate solution and a great one. At this stage, focus on finding the right thresholds: increase the risk threshold for processes being logged that shouldn’t be, and do the inverse for those that should.

4. Create Exceptions. Reducing noise in the management console is the quickest way to reduce the time spent reviewing logs daily. Create exceptions for commonly logged but non-threatening actions, such as running sanctioned scripts, so you can focus on logging and analyzing potential threats.

5. Configure Reporting. The final step in tuning the appliance is to configure dashboards and reporting to display the most pertinent information. Make displaying trends, query results, and issues the priority, and schedule reports to be sent automatically to the individuals responsible for mitigation.
Develop an incident response team and teach them to identify incident precursors & indications to beef up protection

Preparation
• Create an incident response team.
• Have the team put together a jump kit to enable team members to quickly begin diagnosing threats in the field.
• Configure the network perimeter to deny all activity that is not expressly permitted; only permit activity necessary for the organization to function. [1]

Detection & Analysis
• Precursors and indications are both signs of incidents; look for both.
• Have the incident response team quickly analyze and validate each incident, documenting each step.
• Determine the overall severity/effect score of the threat [3] and notify the required parties (e.g. CIO & Head of Information Security).

Who should be on the team? The incident response team should consist of people from across IT: developers and security and networking pros. Threats can hit anywhere; an IT-wide view is critical to an effective defense.

What’s in a jump kit? Key items in a jump kit include: a laptop with packet sniffer and computer forensics software, backup devices, blank media, basic networking cables, and OS and application media and patches. [2]

What’s a precursor? What’s an indication? A precursor is a sign that an incident may occur in the future, such as unusual port scan activity targeted at a group of hosts before a DoS attack against the same hosts. An indication is a sign that an attack is occurring or has just happened, such as an antivirus software alert when a worm is detected.

Sources:
[1] Computer Security Incident Handling Guide, Section 3.1.0
[2] Ibid, Section 3.1.2
[3] Overall Severity/Effect Score = Round((Current Effect Rating × 2.5) + (Projected Effect Rating × 2.5) + (System Criticality Rating × 5)); Computer Security Incident Handling Guide, Section 3.2.6
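The tuning steps from the previous slide (per-signature thresholds, exceptions for sanctioned activity, reporting) and the severity/effect score cited here are easiest to see on a handful of alerts. The Python block below is an added example, not part of the Info-Tech deck or of any vendor's product. It parses constructed alert lines in an assumed key=value console export format, suppresses events that fall below a signature's risk threshold or match a sanctioned-script exception, labels the survivors as precursors or indications, scores them with the NIST formula from source [3], and returns the counts and escalations a dashboard would show. The 0-to-1 rating tables, the SIGNATURE_PROFILE mapping from signature to effect ratings, and the NOTIFY_AT cutoff are assumptions made for the example.

```python
"""Added example (not from the Info-Tech deck or any vendor product): a small
triage pass over constructed IDPS alerts exercising the deck's tuning steps
(per-signature thresholds, exceptions, reporting) and the NIST SP 800-61
severity/effect score the deck cites.  The log format, rating tables,
signature profiles and escalation cutoff are assumptions for the example."""
import re
from collections import Counter

# Constructed sample alerts in an assumed "key=value" console export format.
SAMPLE_ALERTS = """\
ts=2011-06-01T08:00:01 sig=PORTSCAN src=203.0.113.9 dst=10.0.0.5 risk=3
ts=2011-06-01T08:00:02 sig=PORTSCAN src=203.0.113.9 dst=10.0.0.6 risk=3
ts=2011-06-01T08:00:03 sig=PORTSCAN src=203.0.113.9 dst=10.0.0.7 risk=3
ts=2011-06-01T08:05:00 sig=SCRIPT_EXEC src=10.0.0.20 dst=10.0.0.50 risk=4
ts=2011-06-01T08:06:00 sig=SCRIPT_EXEC src=10.0.0.99 dst=10.0.0.50 risk=4
ts=2011-06-01T08:10:00 sig=WORM_SIG src=10.0.0.31 dst=10.0.0.50 risk=5
ts=2011-06-01T08:11:00 sig=ICMP_PING src=10.0.0.40 dst=10.0.0.1 risk=1
"""
ALERT_RE = re.compile(r"ts=(\S+) sig=(\S+) src=(\S+) dst=(\S+) risk=(\d)")

# Step 3 (Begin Tuning): an event is only logged at or above its signature's
# risk threshold; the ICMP threshold is raised because monitoring pings are noise.
DEFAULT_RISK_THRESHOLD = 2
RISK_THRESHOLDS = {"ICMP_PING": 3}
# Step 4 (Create Exceptions): (signature, source) pairs that are sanctioned,
# here the backup server's scheduled scripts (assumed).
SANCTIONED = {("SCRIPT_EXEC", "10.0.0.20")}
# Detection & Analysis: signatures treated as precursors; the rest are indications.
INCIDENT_SIGNS = {"PORTSCAN": "precursor"}

# Assumed 0-to-1 rating tables feeding the NIST formula.
EFFECT_RATING = {"none": 0.0, "minimal": 0.1, "low": 0.25,
                 "medium": 0.5, "high": 0.75, "extreme": 1.0}
CRITICALITY_RATING = {"minimal": 0.1, "low": 0.25, "medium": 0.5,
                      "high": 0.75, "extreme": 1.0}
# Assumed (current effect, projected effect, system criticality) per signature.
SIGNATURE_PROFILE = {
    "PORTSCAN": ("none", "low", "medium"),
    "SCRIPT_EXEC": ("medium", "high", "high"),
    "WORM_SIG": ("high", "extreme", "high"),
}
NOTIFY_AT = 7  # assumed cutoff on the 0-10 scale for notifying CIO / Head of InfoSec


def parse_alerts(text):
    """Parse the assumed key=value export into dicts; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            ts, sig, src, dst, risk = m.groups()
            alerts.append({"ts": ts, "sig": sig, "src": src, "dst": dst, "risk": int(risk)})
    return alerts


def apply_tuning(alerts):
    """Drop events below their signature threshold or covered by an exception.
    Returns (kept, suppressed) so the suppressed set can be audited too."""
    kept, suppressed = [], []
    for a in alerts:
        threshold = RISK_THRESHOLDS.get(a["sig"], DEFAULT_RISK_THRESHOLD)
        if a["risk"] < threshold or (a["sig"], a["src"]) in SANCTIONED:
            suppressed.append(a)
        else:
            kept.append(a)
    return kept, suppressed


def severity_score(current, projected, criticality):
    """Overall Severity/Effect Score from NIST SP 800-61 section 3.2.6, as cited
    on the slide: the weighted sum is rounded to an integer on a 0-10 scale."""
    score = (EFFECT_RATING[current] * 2.5
             + EFFECT_RATING[projected] * 2.5
             + CRITICALITY_RATING[criticality] * 5)
    return round(score)


def triage(text):
    """Parse, tune, classify each surviving alert as precursor/indication,
    score it and flag whether it crosses the notification cutoff."""
    kept, _ = apply_tuning(parse_alerts(text))
    out = []
    for a in kept:
        current, projected, criticality = SIGNATURE_PROFILE.get(a["sig"], ("low", "low", "low"))
        sev = severity_score(current, projected, criticality)
        out.append({**a, "sign": INCIDENT_SIGNS.get(a["sig"], "indication"),
                    "severity": sev, "notify": sev >= NOTIFY_AT})
    return out


def report(triaged):
    """Step 5 (Configure Reporting): per-signature counts for the trend view and
    the (timestamp, signature, severity) tuples that need escalation."""
    return {
        "by_signature": Counter(a["sig"] for a in triaged),
        "escalate": [(a["ts"], a["sig"], a["severity"]) for a in triaged if a["notify"]],
    }


if __name__ == "__main__":
    summary = report(triage(SAMPLE_ALERTS))
    print("events per signature:", dict(summary["by_signature"]))
    print("escalate:", summary["escalate"])
```

With the sample input, the monitoring ping and the backup server's script execution are suppressed, the three port scans survive as precursors at severity 3, and the unsanctioned script execution (7) and the worm signature (8) cross the cutoff and are escalated. Changing RISK_THRESHOLDS or SANCTIONED is the same adjustment the slide describes making in the management console once the daily logs show what the baseline looks like.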
Create a containment framework & hold lessons-learned meetings to make the response team more efficient

Containment/Recovery
• Most incidents require containment; decide early if system shutdown, disconnection, or function disabling is the right course of action.
• Gather identifying information such as location, serial numbers, and IP addresses in case the need for admissible evidence arises.
• Implement recovery via file and system restores from clean backups, password changes, and tightening of perimeter security.

How do I contain a threat? Containment depends heavily on the threat type. Generally, criteria for containment include:
• Potential damage/theft of resources
• Need for evidence preservation
• Service availability
• Time/resources required
• Effectiveness of containment strategy
• Duration of containment
Use sections 4 through 8 of the NIST “Computer Security Incident Handling Guide” to develop a framework around containment.

Post Incident Activity
• The most important part of incident response is learning and improving.
• Hold a ‘lessons learned’ meeting with all involved parties after a major incident.
• Use the meeting as an opportunity to update incident response policies and procedures.
• Aim to accurately quantify the total hours spent on the incident for costing and performance metrics for the team.

What metrics do I use? Coming up with a series of metrics to assess an incident response team is tough, but the following are industry standards that highlight effectiveness:
• Number of Incidents Handled
• Time per Incident
• Total Labor per Incident
The goal with such metrics is to determine the cost of the team and, moving forward, reduce response times, resulting in greater cost-benefits to the organization.
Summary

• Intrusion Prevention tools have come a long way since their introduction into the marketplace and are now ready to supersede their detection-only counterparts as the primary security tool behind the firewall.
• The costs associated with not having some form of IDPS on your corporate network are significant – highly sensitive data on the network can be accessed by the wrong people, and you can easily lose your job.
• Take the time to understand the decision points of deploying an IDPS – they are interconnected pieces of an overarching strategy – skimping here means more time and money poured into an implementation that is already time consuming.
• Table Stakes are offered by every vendor in the space – decide if you need more and act accordingly.
• If you’re interested in where you can get the most “bang for your buck,” refer to the Composite Performance Index scores – they focus solely on affordability.
• If you don’t monitor, you won’t get anywhere. Monitoring and reviewing the daily logs an IDPS produces are critical to understanding where thresholds need to be tweaked.
• Tuning the box should be your highest priority. A tuned box catches 19% more threats than an untuned one – if you’re short on manpower, this is the quickest and most effective way of reducing the burden on your team.
Vendor Landscape Methodology

Info-Tech Research Group Vendor Landscape market evaluations are a part of a larger product selection solution set, referred to as a Select Set.

The Vendor Landscape evaluation process starts with a customer survey. Customers tell us which vendors and products they’ve heard of and which ones they use, plan to use, or are investigating. From the survey results, and the domain experience of our analysts, a vendor/product shortlist is established. Product briefings are requested from each of these vendors, asking for information on the company, products, technology, customers, partners, sales models, and pricing.

Our analysts then score each vendor and product across a variety of categories. These scores are then weighted according to weighting factors that our analysts believe represent the weight that an average client should apply to each criterion. The weighted scores are then averaged for each of two high-level categories: vendor score and product score. A plot of these two resulting scores is generated to place vendors in one of five categories: Champion, Competitor, Emerging Player, Innovator, and Industry Standard.

Analysts take the individual scores for each vendor/product in each evaluation category and normalize them to a scale of zero to four. This produces a relative scoring, where a low score value indicates low performance in that category relative to the performance of the other products in that category, and vice versa for a high score. These normalized scores are represented with Harvey Balls, ranging from an open circle for a score of zero to a filled-in circle for a score of four. Harvey Ball scores do not represent absolute scores, only relative scores.

Individual scorecards are then sent to the vendors for factual review, and to ensure no information is under embargo. We will make corrections where factual errors exist (e.g. pricing, features, technical specifications). We will consider suggestions concerning benefits, functional quality, value, etc.; however, these suggestions must be validated by feedback from our customers. We do not accept changes that are not corroborated by actual client experience or wording changes that are purely part of a vendor’s market messaging or positioning. Any resulting changes to final scores are then made as needed, before publishing the results to Info-Tech clients. Vendor Landscapes are refreshed every 12 to 24 months, depending upon the dynamics of each individual market.