Intrusion Detection Systems:
Internet Security Systems, Inc.

Internet Security Systems will either sell you IDS products or manage them for you. However you implement the solution, just think of it as a burglar alarm for your network—a really, really big burglar alarm.

by Jeff Goldman
[January 30, 2002]

Christopher Klaus is the 27-year-old founder and CTO of the Atlanta-based Internet Security Systems, Inc. Back in high school in the early '90s, he spent a summer at Lawrence Livermore National Laboratories' SuperKids program—and opportunity knocked.

"They were getting hacked into by some German hackers, and they really didn't know how to stop them," Klaus said. "I'd read a book called Neuromancer, which talks about scanning a network, looking for vulnerabilities. I thought, 'I bet this could be applied to the Internet,' and that was the genesis of the idea."

Internet Security Systems
6303 Barfield Road
Atlanta, Georgia 30328
Voice: (888) 901-7477

ISS

Klaus began working on software to test for vulnerabilities, which he continued to develop as a freshman at Georgia Institute of Technology. In 1993, he released the software for free on the Internet. The solution quickly started getting industry attention—which, he says, didn't mix well with his undergraduate career.

"As I spent more time on it, my grades were going in the opposite direction," Klaus said. "I figured I could either do one or the other well, but not both. So I took a break from school. My grandmother lived here in Atlanta, and I called her up and said, 'I'm going to take a break from school: I'm going to try and set up a company.' And so I set up Internet Security Systems' headquarters in her spare guest room."

From the beginning, Klaus says, the focus of the company has been on understanding the threat. "We have the world's largest vulnerability database in terms of computer threat and network threat," he said. "We built one of the world's first intrusion detection systems, which was based on algorithms that specifically detected someone trying to break in."

Prior intrusion detection systems, he explains, had been based on anomaly detection, which is much less effective. The problem is simple: add a new computer, and you change the behavior of the network, giving a false positive. "What we would find with those technologies was that you had a lot of false positives, whereas if we know what people do when they break into a network, it gives us an advantage," Klaus said.
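The false-positive problem described above, as an added example that is not part of the original article and not ISS code: a toy anomaly detector (a learned baseline of source hosts) and a toy signature detector run over the same constructed traffic. The host addresses, request lines and signature names are assumptions made for illustration.

```python
import re

# Constructed sample traffic (source host, request line); not from the article.
BASELINE = [
    ("10.0.0.5", "GET /index.html"),
    ("10.0.0.6", "GET /products.html"),
    ("10.0.0.5", "POST /login"),
]
LIVE = [
    ("10.0.0.5", "GET /index.html"),        # known host, benign
    ("10.0.0.9", "GET /index.html"),        # newly added computer, benign
    ("10.0.0.6", "GET /../../etc/passwd"),  # known host, traversal attempt
]

# Hypothetical signatures: patterns describing what an intruder's request looks like.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "passwd-file-read": re.compile(r"/etc/passwd"),
}

def learn_baseline(events):
    """Anomaly model: the set of source hosts seen during the learning period."""
    return {host for host, _ in events}

def anomaly_alerts(known_hosts, events):
    """Flag every event whose source deviates from the learned baseline."""
    return [(host, req) for host, req in events if host not in known_hosts]

def signature_alerts(events):
    """Flag events whose request matches a known attack pattern."""
    alerts = []
    for host, req in events:
        hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(req))
        if hits:
            alerts.append((host, req, hits))
    return alerts

def compare(baseline=BASELINE, live=LIVE):
    """Return both detectors' alerts for the same live traffic."""
    return {
        "anomaly": anomaly_alerts(learn_baseline(baseline), live),
        "signature": signature_alerts(live),
    }

if __name__ == "__main__":
    for detector, alerts in compare().items():
        print(detector, alerts)
```

In this constructed run the anomaly model alerts only on the benign new computer, while the signature model alerts only on the traversal request.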

Since then, the technology has continued to move forward. "We're getting into behavior-based analysis for specific attacks," Klaus said. "The more advanced we get, the more proactive we can become." And 2001 was a very proactive year. The company's product line is undergoing a lot of changes, fed largely by ISS' acquisition of competitor Network ICE, whose BlackICE technology has been an excellent addition to ISS' solutions.

"It plugs into a high-speed architecture very nicely, so this technology can go into all of our agents to give us extremely high speeds and low processing requirements," Klaus said. "Even for your desktop, it eats up less than one percent of your CPU cycles, so you don't even know you have all this analysis going on."

In the future, the BlackICE products will be marketed as ISS' consumer desktop technology, while RealSecure will be the brand name for the company's enterprise IDS solutions.

The burglar alarm
Put simply, Klaus says, look at RealSecure as your basic burglar alarm. Over time, it's become more and more advanced, moving beyond a simple network-based intrusion detection system to integrate host-based products as well. Connecting all the pieces are RealSecure Manager, which comes out of the box with all RealSecure IDS products, and RealSecure SiteProtector, which offers more advanced control.

"RealSecure Manager was only designed to manage the RealSecure agents," Klaus said. "SiteProtector is basically an über-version of it. It can manage not only that, but also a lot of scanning technology. It helps you be proactive. You can set policies, push out the policies, even schedule the policies—it's pretty unique in that you can set one policy for, say, daytime, and a stronger policy for nighttime."

SiteProtector also lets you correlate data between agents. "If I get alerts about somebody attacking my firewall and somebody attacking my web server, the alerts look the same, so it's up to the operator to analyze them," Klaus said. "We're helping automate the prioritization of those two. This is unique in the industry: very few intrusion detection companies have a scanning technology as well—or have actually linked them."

Three network IDS solutions work in concert with SiteProtector: RealSecure Guard, RealSecure Network Sensor, and RealSecure Gigabit Sensor. RealSecure Guard is an active IDS which takes a more proactive role in attack prevention. "We're starting to see more companies looking at this as the next step, where they're not only able to detect they're being attacked, but it actually stops the attack," Klaus said.

RealSecure Network Sensor and Gigabit Sensor are passive IDS solutions, the one difference between them being that Gigabit is designed to work at extremely high speeds. "The nice thing about passive IDS is that, because it's just sitting there monitoring the traffic, it has no performance degradation of any type," Klaus said.

Also working at the network level are RealSecure Internet Scanner and Database Scanner, both of which feed back to SiteProtector. What's unique about Database Scanner, Klaus notes, is that it can do a full database audit simply by connecting to the database over the Internet: it doesn't have to be loaded on the database server itself.

At the host level, RealSecure System Scanner actually sits on the system itself: Klaus explains that the best protection is a combination of network-based and host-based solutions. "There's a lot of vulnerabilities that we can find over the network, but there's another whole set of vulnerabilities for which we have to be on the machine itself," he said.

ISS' host-based IDS is called RealSecure Server Sensor, which sits on either Unix or Windows based servers and monitors IP traffic, application logs, event logs, and security logs. "A lot of people are wrapping RealSecure Server protection around applications like a web server, database, even backup," Klaus said.

Basic pricing for the products is as follows:

| PRODUCT | PRICING | 1ST-YEAR MAINTENANCE |
| --- | --- | --- |
| RealSecure | $8,995 for one sensor | $1,799 |
| Network Sensor Server | $900 for one agent | $180 |
| Internet Scanner | $999 for 10 IP addresses | $200 |
| System Scanner | $695 for one device | $139 |
| Database Scanner | $3,995 for one database server | $799 |

Bring in the experts
Despite all the strengths of ISS' products, however, Klaus says it's the company's Managed Security Services that make it really stand out. You can buy any ISS product and manage it yourself, or you can leave it all to ISS.

And it isn't just centralized monitoring. "We offer Emergency Response Services, where we'll go onsite," Klaus said. "We have relationships with law authorities: we work with the FBI, we work with a lot of government agencies; we're actually one of the key providers of information to the Homeland Security Team up in D.C."

One service provider that has benefited greatly from ISS' Emergency Response Services is the Atlanta-based web hosting company NationalNet. According to Tony Morgan, NationalNet's President, the company found itself faced with an intrusion that jeopardized a major client—and they couldn't stop it.

"Every time we closed one back door, the hacker had two more available to him," Morgan said. "He knew what he was doing. He was a pro. NationalNet didn't know that this hacker was even on our servers until we received a ransom letter."

The company brought in ISS' Emergency Response Services, which worked around the clock and quickly eliminated the problem. Morgan says the service wasn't cheap, but it was worth every penny.

"The service that I received from ISS cost me about $30,000, but one of my largest clients was in jeopardy," Morgan said. "If that hacker had actually caused trouble, I would have lost that client. I couldn't afford to lose a $40,000 a month account. Even though it seems like the service was very expensive, it was nothing compared to how much I could have lost."

In addition to protecting the ISPs themselves, ISS' Channel Partner program allows a number of leading ISPs to resell Managed Security Services to their customers. "BellSouth resells the service to their customers," Klaus said. "It provides the ability for ISPs to build a recurring revenue off of these products: it's an ongoing service, so they can charge a monthly or quarterly fee."

Currently, about 30 percent of ISS' overall business is in Managed Security Services—and it's growing fast. In the long term, Klaus says, the two worlds are expected to merge. "Within our GUIs, you're going to be able to flip on our protection services," he said. "Let's say you don't have any operators between midnight and 6am: rather than leave yourself exposed at those hours, you could flip that on and it goes to our security operations center. It's just like home security."

