MSSP Survey Part 2: Managed Firewall and Intrusion Detection Services continued
Managed Intrusion Detection/Prevention Services

You will find widely varied opinions regarding the relationship between firewall, IDS, and IPS, and these differences are nicely illustrated by the diversity in Managed IDS and IPS offerings encountered in this year's survey. Nearly half of our MSSPs (43 percent) offer one combined IDS/IPS service, where automated response is essentially a configurable option, based on the customer's defined incident response policy. One third (36 percent) sell separate IDS and IPS services, where IPS is sometimes (but certainly not always) an extension to the IDS offering. The remainder have not yet entered the IPS market, at least not explicitly, based on survey responses and web site service description.

Further, we observe that one provider (SecurePipe) includes IPS in its basic Managed Firewall service (see Firewalls chart). Another provider (VigilantMinds) offers an IPS service (BufferXone) that we might have classified as a network-based firewall with IPS capabilities. Many other providers sell IDS/IPS services either in standalone mode, or as a firewall add-on.

If your company needs firewall and IDS/IPS services, do you really care whether your MSSP bundles these as one, two, or three services? We recommend not getting stuck on this distinction; instead, look at the total price for the suite of security services that your business requires. If you don't want IPS initially, do you have an easy upgrade path? Also consider the network topology proposed by your MSSP and its likely impacts on addressing, reliability, and security.

Which brings us to automated analysis and response. Most IDS services include security event monitoring, analysis, and defined response/escalation procedures. But inspection method, depth, and degree of human review and intervention continue to differ. Some customers prefer a passive IDS that detects and reports intrusions, but may defer remedial action until after SOC and/or customer review.
Others prefer an in-line IDS or IPS that effectively stands between intruders and your network, with the ability to automatically reset TCP connections, block future connections by source/destination IP, and/or stop worms and trojans in real-time by closing the ports they use. IPS is like a very sharp scalpel: use it skillfully and it's incredibly useful; use it wantonly or carelessly and you may cause more harm than good. This is where your MSSP's trained security engineers can add real value.

Here again, a survey can only offer a glimpse at each MSSP's overall approach and methods for incident response. When selecting a Managed IDS or IPS service, talk to each MSSP to fully understand how they'll respond on your behalf, and your options for dictating or influencing that response.

Of course, prevention is ultimately limited by detection: if you can't spot attack signatures or protocol anomalies or atypical behavior, you probably can't stop the underlying attack. This year, providers emphasized multiple detection methods and deep/stateful inspection, in many cases using several platforms with varied capabilities. In general, providers must strike a good balance between completeness and performance, so review available options with your MSSP to select products and set policies that work well for your business.

Finally, it's interesting to note that several participants offer more than network IDS/IPS. As we observed last year, some MSSPs also offer host or server IDS/IPS, using agents that run on monitored systems to detect and stop attacks at their source. For example, see ISS's Managed Protection Service (MPS) and Server Agent (MPA); this service is guaranteed to stop attacks that appear on the provider's X-Force Certified Attack List. Some providers can also monitor other (non-managed) security devices within the customer's network or beyond (e.g., VeriSign, VigilantMinds). And this year's survey includes one wireless LAN IDS service: AirXone.
We expect to see this trend towards comprehensive IDS/IPS coverage continue in next year's survey.

Stay tuned for next week, when we'll dig into Managed Site to Site and Remote Access VPN Services.