| Provider | IDS/IPS Platform(s) | Traffic Inspection | Intrusion Detection | Analysis & Response | Response Methods | Additional Comments |
|---|---|---|---|---|---|---|
| Altoria Intrusion Detection | CPE-based; Cisco, ISS | Out-of-band, in-line, network sensors, Wi-Fi sensors. Inspects TCP/IP headers, application headers, application content. | Detects anomalies, floods, signatures, unusual behavior. | Provider analyzes & manually responds to alerts. NOC monitors events 24/7, investigates alarms to pinpoint the issue, & contacts customer to recommend actions. | Manual: in-line discard, TCP reset. Automated: IP quarantine, Wi-Fi deauth. | Multiple configurations of network sensors & server sensors reporting to central consoles. Enhanced sensor configuration provides customizable auto-response & intervention. Real-time access to security incident reports, detailed event data, auto-response reports, & incident trend reports. |
| AT&T Internet Protect with Distributed Denial of Service (DDoS) Defense | Network-based; AT&T proprietary platform | Out-of-band, in-line [no further details supplied]. | Detects anomalies, floods, unusual behavior. | Provider analyzes & responds manually or automatically. Customer alerted via page, phone, email; details via portal. Customer can opt to auto-mitigate DDoS or consult first. | Automated mitigation of DDoS attacks. DDoS attacks are identified & addressed in provider's network; no CPE required. | Automated notification of Internet threats & vendor vulnerabilities. Portal provides threat description & suggested protection/mitigation strategies. DDoS attacks are diverted in provider's network; only valid traffic is forwarded to customer. |
| AT&T Intrusion Detection | CPE-based [no platforms enumerated] | Out-of-band [no further details supplied]. | Detects signatures, unusual behavior. | Provider monitors, analyzes, responds manually. Customer chooses passive notification or active threat management. Tuning period used to establish patterns & correlation to eliminate false positives. | Manual & automated IP quarantine. | CPE hosted by customer or MSSP. Main service is notification of actionable items. Can be configured to auto-shun IP addresses outside the security policy. |
| AT&T Intrusion Prevention | CPE-based [no platforms enumerated] | Out-of-band [no further details supplied]. | | Provider responds manually or automatically. Can reset, block, or quarantine intruders. | Manual & automated IP quarantine, TCP reset. | Honeynet used to lure & identify intruders by source IP, then reset, block, or quarantine those addresses. |
| FiberLink Managed Threat Protection | Host-based; Fiberlink Extend360 | In-line. Inspects TCP/IP headers. | Detects signatures, unusual behavior. | Provider monitors & notifies customer. Host intrusion activity reported via portal, including personal firewall attacks. | | Service requires customer to install Extend360 software on each end user's device. Central intrusion monitoring is provided via web portal. Personal firewall is automatically restarted in the event of unwanted shutdown. |
| Getronics Managed NIDPS | CPE-based; Snort, Cisco, McAfee, Enterasys, ISS, AirDefense | Out-of-band, in-line, network sensors, Wi-Fi sensors. Inspects TCP/IP headers, application headers, application content. | Detects anomalies, floods, signatures, unusual behavior. | Provider monitors, analyzes, responds manually or automatically. Certainty & severity determine auto-action. Highly volatile incidents researched & handled per SLA, in many cases to contain/halt the attack. | Manual & automated in-line discard, IP quarantine, TCP reset, Wi-Fi deauth, honeypot. | Works in multi-sourcing environments where a 3rd party is responsible for endpoints. Customer may designate an on-site response agent. Nature of attack & monitoring product determine incident response strategy. Customers are encouraged to conduct a full analysis & design an incident response plan; MSSP consulting services available. |
| IBM ISS Managed Protection | CPE-based; ISS Proventia, ISS RealSecure Network | Out-of-band, in-line. Inspects TCP/IP headers, application headers, application content. | Detects anomalies, floods, signatures, unusual behavior, vulnerabilities. | Alerts analyzed by AI & reviewed by SOC. If warranted, sends customer email with suggested actions. Select & Premium service levels also receive 24/7 human analysis with priority-based escalation. Auto-response when using IPS or firewall. | Manual & automated in-line discard, IP quarantine, TCP reset. Leverages each IPS platform to the maximum, taking reliability into consideration. | CPE hosted by customer or MSSP. Includes monthly vulnerability scan. MSSP uses own IPS platform & guarantees that network segments, critical servers, & desktops are protected from 800+ attacks on the X-Force list. In the event of compromise, MSSP will refund the monthly fee or issue a cash payment. |
| IBM ISS Managed Intrusion Detection and Prevention | CPE-based; ISS Proventia, ISS RealSecure Network, Cisco, Juniper, TippingPoint, McAfee | | | | | CPE hosted by customer or MSSP. Includes monthly vulnerability scan. Uses MSSP & industry-leading platforms to provide features similar to "Managed Protection" but without guarantee or aggressive SLAs. |
| MegaPath SecureConnect Intrusion Prevention | Hosted CPE or network-based; Fortinet | In-line. Inspects TCP/IP headers, application headers, application content. | Detects anomalies, floods, signatures, unusual behavior. | Service responds automatically. Events inspected for criticality, direction, & severity. If threshold met, ticket initiates customer email & MSSP review. Ticket escalated if not resolved after 4 hrs. | Manual: IP quarantine. Automated: in-line discard, TCP reset. | When an attack is detected & a signature exists to block it, access control lists are created to prevent spread until the signature can be put in place on the delivery platform. 72 hr SLA on signature update for new attacks. |
| Perimeter IDS/IPS | CPE-based or network-based; Fortinet, Checkpoint, SonicWALL | Out-of-band, in-line, network sensors. Inspects TCP/IP headers, application headers, application content. | Detects anomalies, floods, signatures, unusual behavior. | Customer or provider monitors, analyzes, responds. All alerts & logs supplied via portal. | Automated in-line discard, IP quarantine. | CPE hosted by customer or MSSP. Customer can choose to monitor portal & take own action, have MSSP proactively perform actions, or have MSSP review suggested actions before they are taken. |
| Secure Designs Firelan Managed IPS | CPE-based; SonicWALL | In-line plus Wi-Fi sensors. Inspects TCP/IP headers, application headers, application content. | Detects anomalies, floods, signatures, unusual behavior. | Service responds automatically. Alerts reviewed by SOC based on category. Depending on level, SOC works to isolate & remedy. | Automated in-line discard, IP quarantine, TCP reset, Wi-Fi deauth. | Must be purchased with firewall. Auto-responses sent as alerts to MSSP support staff for review & further action as needed. If notification is required, support staff work with customer's technical personnel to isolate & resolve. |
| SecureWorks Managed Network Intrusion Prevention | CPE-based; iSensor, Cisco, Snort, Juniper, ISS | Out-of-band, in-line. Inspects TCP/IP headers, application headers, application content. | Detects anomalies, floods, signatures, unusual behavior. | Service responds automatically. For IPS, platform blocks malicious traffic. After correlating alerts, analyst may call customer to discuss or take action. For urgent events, new measures deployed immediately. | Automated in-line discard, IP quarantine, TCP reset. 3 service tiers: fully managed, monitored only, reporting only. | Based on NSS-certified iSensor. Extensive automation ensures that analysts are only used when human intervention is desirable & that clients are notified automatically, but only when the event warrants. In the rare case of compromise, a defined escalation matrix is immediately executed while contact is initiated & potential damage is contained. |
| Solutionary ActiveGuard Monitored and Managed IDS/IPS | CPE-based; Snort, Juniper, Cisco, ISS, TippingPoint, Sourcefire, McAfee, Symantec, AirDefense, AirMagnet | Out-of-band, in-line, network sensors, Wi-Fi sensors. Inspects TCP/IP headers, application headers, application content. | Detects anomalies, floods, signatures, unusual behavior. Analysis uses custom rules, time thresholds, & volume anomalies correlated with other device info. | Provider analyzes & responds manually. Security events & IPS device actions are escalated to SOC staff for review, possible customer notification, & countermeasure implementation. | Manual & automated in-line discard, IP quarantine, TCP reset, Wi-Fi deauth, other. | Actions that can be taken in response to intrusions depend on customer configuration of the customer environment. Strategies include firewall or IPS rule implementation to block suspicious traffic, changes to the customer environment to remove vulnerabilities, or IDS/IPS tuning. |
| Symantec Intrusion Protection Solutions | CPE-based; Juniper, Cisco, ISS, McAfee, TippingPoint, Sourcefire, Enterasys, Snort | Out-of-band, in-line, network sensors. Inspects TCP/IP headers, application headers, application content. | Detects anomalies, floods, signatures, unusual behavior. | Customer or provider monitors, analyzes, responds. MSSP takes action or notifies customer based on customer's procedures, in accordance with incident identification & escalation SLAs. | Manual and/or automated in-line discard, IP quarantine, TCP reset. | Managed IPS service is an add-on to Security Monitoring services, which provide real-time monitoring, analysis & incident escalation based on security log data from a wide variety of sources. IPS devices can be configured in a variety of protection modes, including customized in-line blocking with SLA guarantees. |
| Unisys Managed IDP | CPE-based; Cisco, Fortinet, ISS, McAfee, Sourcefire | Out-of-band. Inspects TCP/IP headers, application headers, application content. | Detects anomalies, floods, signatures, unusual behavior. | Provider analyzes & manually responds. Central management platform events are integrated via ArcSight ESM & correlated against other system events. High-risk threats are reviewed by an analyst. If needed, customer is notified & given recommendations. | Manual: Wi-Fi deauth. Automated: in-line discard, IP quarantine, TCP reset. IPS blocks well-defined attacks; for ambiguous attacks, ESM continues analysis. | CPE hosted by customer or MSSP. Significant analysis is conducted by ESM to correlate events & reduce false positives. If warranted, analyst instructs customer on remediation actions or changes managed device controls. MSSP highly recommends customer also purchase managed vulnerability scanning service to reduce spurious events & augment IDS/IPS correlation effectiveness. |
| Verizon Business Managed Intrusion Detection | CPE-based; Cisco, Enterasys, ISS, NAI, Juniper, TippingPoint | Out-of-band, in-line. Inspects TCP/IP headers, application headers. | Detects anomalies, floods, signatures, unusual behavior. | Provider analyzes & manually responds. SOC analyzes & prioritizes events based on customer's traffic, other devices, & the general population. Customers notified via portal. | Automated in-line discard, IP quarantine, TCP reset. | Response strategy is customer specific, based on customer's security policy, corporate policy, & capability of the IDS/IPS platform. For critical/emergency events, action is reviewed by phone & performed by customer or SOC. |
| Verizon Business Managed Intrusion Protection | Same as above. | | | | | Offers proactive protection by utilizing an intrusion prevention device configured specifically to a customer's business needs. |
| Virtela Managed IPS | CPE-based, network-based; TippingPoint, Juniper, Cisco | Out-of-band, in-line. Inspects TCP/IP headers, application headers, application content, depending on selected platform. | Detects anomalies, floods, signatures, unusual behavior, using most features available within supported platforms. | Customer or provider monitors, analyzes, responds. SIM reviews IPS & other device alerts, reflecting customer policies, IPS configuration, & best practices. High-severity alerts follow an escalation procedure to deliver summary & recommended action via the selected contact method. | Manual & automated in-line discard, IP quarantine, TCP reset. Customer may choose to apply recommended action or work with MSSP to determine an alternate solution. | CPE hosted by customer or MSSP. Significant tuning required for appropriate IPS rule application. By default, well-qualified events are blocked; manual response used for more subtle events. MSSP recommends all events that can comfortably use auto-response be deployed in that mode. Customers may choose monitoring only or fully managed service; this choice determines who configures & administers IPS rules. |