2006 MSSP Survey, Part 3

ISP-Planet's biennial survey of MSSPs finds that intrusion prevention and detection services are augmented by new devices to deliver unified threat management in several different forms.
As network security improves, attackers have sharpened their focus. Today's internet threats have grown increasingly targeted, using malicious code and crafted application messages to compromise specific server and client vulnerabilities. During the first six months of 2006, Symantec estimates that 80 percent of 2,249 new-found vulnerabilities were easily exploitable, with an average enterprise exposure of 28 days before patches were available and applied. Aggressive, rigorous patch management can help, but one of the most effective and efficient steps you can take to defend those vulnerable hosts is to prevent intrusions from reaching them in the first place.

Network Intrusion Detection Systems (IDS) are designed to observe and analyze traffic, spot potential attacks, and notify network operators by sending intrusion alerts. Network Intrusion Prevention Systems (IPS) go a step further, taking steps in real time to impede the flow of suspicious traffic and therefore limit potential asset damage or data theft. IDS is generally deployed as a passive countermeasure, an insurance policy against intruders that might otherwise sneak past firewalls. IPS is (at least to some degree) proactive and automated, jumping in whenever perceived risk exceeds a pre-defined tolerance level.
The exception is Globix, which declined to include IDS in its survey response but describes a managed IDS service on its website. In fact, we believe that IDS / IPS has become a core managed security service offering. As shown in the following chart (below), IDS / IPS offerings have grown from fewer than half the MSSPs surveyed in 1999 to effectively all of the MSSPs surveyed this year.
This trend tracks the evolution of network security threats, technologies, and best practices. Many firewalls and unified threat management appliances now incorporate some IDS / IPS capabilities. Today's network firewalls are simply expected to detect basic TCP/IP attacks, like TCP SYN floods and Ping of Death attacks. Deeper, broader application-layer intrusion detection and prevention often involves additional software modules, licensed feature activation, and in some cases, additional hardware sensors.

The line between managed firewall and managed IDS / IPS services reflects this layering. Two of our surveyed managed firewall services included IDS / IPS features, while ten offered these capabilities as options. Furthermore, all 15 providers described separately branded managed IDS / IPS services. Three MSSPs (AT&T, IBM ISS, and Verizon) even offer more than one IDS / IPS service. For example, AT&T offers three separate services: a network-based IDS, a CPE-based IDS, and a CPE-based IPS.

As illustrated in this pie chart (below), this year's field was evenly split between IDS and IPS offerings. Seven services provide intrusion detection, monitoring, and customer notification; incident response, if any, is manual. Another seven provide automated intrusion analysis and policy-based response for well-defined threats; customers are notified of intrusions and of stop-loss actions taken on their behalf. The remainder encompass both models within a single named service, letting service parameters determine the desired response model. In fact, we continue to find it difficult to compare intrusion monitoring and response in a tabular survey. This year, we tried asking providers to check one of four alternatives:
Most checked several answers, noting that this depends on customer preference, incident severity, and identification reliability. If an event is clearly identified and poses significant risk, automated analysis and real-time countermeasures may be warranted. Potential intrusions that are less clear-cut may deserve human review by SOC experts and consultation with the customer regarding steps to block the offender or eliminate vulnerabilities. Fortunately, even an IPS can usually start in detect-only mode, refining prevention rules as you become more comfortable with the service's accuracy. In short, don't expect easy answers or simple comparison when it comes to intrusion response. Make sure your MSSP has the experience, infrastructure, and resources to accurately recognize and keep pace with new threats, a well-defined process for communicating them to you, and a response strategy that fits with your own corporate policy.

To identify intrusions, every IDS / IPS service must capture traffic. This year, 13 of 18 surveyed services use passive/out-of-band platforms, which are typically situated at key points throughout your network. Of those, 5 support distributed sensors and 4 support Wi-Fi sensors. These options are used to create additional observation points that can report back to a central server. Alternatively, 14 services use active/in-line platforms that observe the traffic flowing through them. Not surprisingly, many providers support both passive and active deployment models, reflecting this year's mix of detection/prevention services. IDS/IPS platforms have grown more diverse since our last survey, dominated by IBM ISS and Cisco, followed by a noteworthy mix of Juniper, TippingPoint, McAfee, Snort, and Sourcefire. The capabilities of these platforms have a direct impact on traffic inspection, detection, and response methods.
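The response models described above (automated countermeasures for clearly identified, high-risk events; SOC review for less clear-cut ones; a detect-only mode while prevention rules are tuned) can be written down as a small policy. The following is an added example, not code from the article or from any surveyed MSSP; the severity/confidence scoring, the tolerance thresholds, the field names and the sample alerts are all constructed for illustration.

```python
# Toy intrusion-response policy engine (added example, not from the article).
# Each alert carries a severity (impact if real) and a confidence (how reliable
# the identification is). risk = severity * confidence is compared against a
# pre-defined tolerance level, mirroring "jumping in whenever perceived risk
# exceeds a pre-defined tolerance level". Thresholds and data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    signature: str
    src_ip: str
    severity: float    # 0.0 (informational) .. 1.0 (confirmed compromise)
    confidence: float  # 0.0 (noisy heuristic) .. 1.0 (exact signature match)


@dataclass
class ResponsePolicy:
    auto_tolerance: float = 0.6    # risk at/above this: automated countermeasure
    review_tolerance: float = 0.2  # risk at/above this: human SOC review
    detect_only: bool = False      # IPS still running in monitor mode
    suppressed: frozenset = frozenset()  # signatures tuned out as inconsequential

    def risk(self, alert: Alert) -> float:
        return alert.severity * alert.confidence

    def decide(self, alert: Alert) -> str:
        if alert.signature in self.suppressed:
            return "log"                       # tuned out, never escalated
        r = self.risk(alert)
        if r >= self.auto_tolerance:
            # Well-defined, high-risk threat: block unless still in detect-only mode
            return "notify" if self.detect_only else "block+notify"
        if r >= self.review_tolerance:
            return "soc_review"                # less clear-cut: analyst + customer
        return "log"


def triage(policy: ResponsePolicy, alerts) -> dict:
    """Group a batch of alerts by the action the policy selects for each."""
    grouped: dict = {}
    for alert in alerts:
        grouped.setdefault(policy.decide(alert), []).append(alert.src_ip)
    return grouped


# Constructed sample alerts (RFC 5737 documentation addresses).
SAMPLE_ALERTS = [
    Alert("TCP SYN flood", "198.51.100.7", severity=0.9, confidence=0.95),
    Alert("Possible SQL injection", "203.0.113.5", severity=0.8, confidence=0.4),
    Alert("ICMP echo sweep", "192.0.2.33", severity=0.2, confidence=0.9),
    Alert("Noisy P2P heuristic", "192.0.2.44", severity=0.3, confidence=0.8),
]
```

Running `triage(ResponsePolicy(), SAMPLE_ALERTS)` sends only the SYN flood to automated blocking; flipping `detect_only=True` downgrades that to a notification, and adding a signature to `suppressed` shows how tuning keeps a noisy rule from reaching the SOC queue.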
For intrusion detection, most surveyed services still employ some combination of behavior analysis, signature detection, and traffic anomaly detection. But application-layer header and content inspection are now supported by just over half of the surveyed services. As for response methods, in-line packet discard, IP quarantine, and TCP reset are still very common, whether initiated manually or automatically. But this year, five services also had Wi-Fi Deauthenticate capability, supported by Wireless IPS platforms from Cisco, AirDefense, and AirMagnet.

In the end, a managed IDS / IPS service comes down to effective risk management. Many businesses that deploy their own IDS sensors or IPS-capable UTM appliances do not use those technologies to their full potential. Without proper tuning, an IDS can overwhelm you with inconsequential alerts, or overlook serious intrusions because an annoyed administrator disabled those alerts. Outsourcing this burden to well-trained MSSP staff should reduce false positives and focus your attention on alerts that matter. Because they monitor intrusion alerts occurring in many customer networks, your MSSP's SOC should have the broad perspective needed to quickly recognize fast-breaking "zero day" attacks. When intrusions do occur, your MSSP should have the sophisticated event management and correlation tools required to assess impact and recommend effective countermeasures. For each of these tasks, experience and competence really count, so look beyond feature checklists to choose the best managed IDS / IPS service for your business.