As more companies rely on the Internet for both their communications and electronic commerce needs, IT and business executives are becoming increasingly afraid of the threat of hackers.
As a result, they want to know if, when and how often their systems may be under threat and what they are vulnerable to. But even if all their systems were totally secure, which they are not, organisations still also face the possibility of authorised users misusing their privileges.
This has led to more and more companies turning to a new type of technology, intrusion detection systems, which are similar to burglar alarms and which vendors claim can detect unauthorised access or misuse of computer systems.
Should an intruder be detected, the systems sound an alarm and sometimes even take corrective action. Although there are many different types on the market, they generally fall into one of two categories - anomaly detection or misuse detection.
Anomaly detectors look for behaviour that varies from standard system usage, while misuse detectors look for behaviour that matches a known attack scenario.
Intrusion detection software analyses network use over time, computes metrics about the network, and determines whether an intrusion is occurring based on what is known about normal conditions.
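The two approaches side by side, as an added Python example that is not part of the original article: a misuse detector matching log lines against known-attack signatures, and an anomaly detector comparing hourly connection counts with a profile of normal use. All function names, signatures and sample data are assumptions constructed for illustration.

```python
import re
import statistics

# Hypothetical signatures, each describing one known attack scenario.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "failed-root-login": re.compile(r"FAILED LOGIN .* user=root"),
}

# Constructed sample data, not taken from any real system.
SAMPLE_LOG = [
    "GET /index.html 200",
    "GET /cgi-bin/view?file=../../etc/passwd 404",
    "FAILED LOGIN tty=console user=root",
    "GET /reports/q3.pdf 200",
]
HISTORY = [40, 42, 38, 41, 39, 43, 40, 37]      # connections per hour, normal use
OBSERVED = [("09:00", 41), ("10:00", 44), ("11:00", 190)]

def misuse_detect(lines):
    """Misuse detection: (line number, signature name) for every known-pattern match."""
    return [(n, name)
            for n, line in enumerate(lines, 1)
            for name, rx in SIGNATURES.items() if rx.search(line)]

def build_profile(history):
    """Summarise normal conditions as the mean and standard deviation of a metric."""
    return statistics.mean(history), statistics.pstdev(history)

def anomaly_detect(profile, observed, threshold=3.0):
    """Anomaly detection: intervals deviating from the profile by more than
    `threshold` standard deviations, whatever the traffic actually contains."""
    mean, stdev = profile
    alerts = []
    for interval, value in observed:
        if stdev == 0:
            score = 0.0 if value == mean else float("inf")
        else:
            score = abs(value - mean) / stdev
        if score > threshold:
            alerts.append((interval, value))
    return alerts

if __name__ == "__main__":
    print("misuse :", misuse_detect(SAMPLE_LOG))
    print("anomaly:", anomaly_detect(build_profile(HISTORY), OBSERVED))
```

A burst of ordinary-looking requests trips only the anomaly detector, while a single matching line at normal volume trips only the misuse detector.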
These systems run on a range of hardware environments and can monitor various applications, while vulnerability detection software can scan firewalls to find weaknesses in the network.
In a new report, the Yankee Group dubbed the market for intrusion detection software Adaptive Network Security Management (ANSM), and says enterprises are so overburdened with identifying and correcting network vulnerabilities that they have no choice but to turn to such products.
As a result, the market research firm predicts the ANSM market will grow to $747 million in 2003 from an estimated $45 million in 1997.
It currently ranks Internet Security Systems (ISS) as the leading vendor in this space, with a market share of more than 30 per cent. Axent Technologies comes in second with 19 per cent, followed by Network Associates and Cisco Systems in joint third place, with 11 per cent each.
But the Yankee Group report also indicates that the real value of ANSM products comes from the adaptive components they consist of, which enable network administrators to update, reconfigure and enforce policy around existing network devices such as servers, firewalls, routers and switches.
As the market grows in size, however, the inevitable industry consortia have already started to form.
ICSA, a security planning and industry policy company, announced last year that it had set up the Intrusion Detection Systems Consortium (IDSC) to undertake such work as educating users about the benefits of the software, creating industry standards, trying to introduce product interoperability and maintaining product integrity.
Pete Cafarchio, ICSA's product development manager, says: "The consortium is a vehicle for vendors to work together to address issues affecting the industry as a whole, while at the same time, advancing their competitive edge. The charter members have the opportunity to set the stage for future initiatives."
The nine charter members of the consortium include Axent Technologies, Centrax, ISS, Network Associates, Memco Software and Security Dynamics.
But Steven Foote, senior vice president at industry research firm, The Hurwitz Group, believes IDSC could have an important role to play in the industry if it can improve corporate security practices through ongoing educational programmes and product certification.
"Unauthorised network intrusions are becoming increasingly common. Intrusion detection gives network managers a chance to see and counter a hacker's invasion of a private network," he says.
Four other network security vendors, Cisco, Lucent, Network Associates and Sun Microsystems also got together earlier this month to form the Security Research Alliance. The aim here is to share and advance security research and collaborate on product development, so they can solve network security problems more quickly.
Terry Benzel, the Alliance's chairwoman and vice president of the advanced security division at Network Associates, says intrusion detection and response now appears to be high on the list of companies' priorities.
"The group will be doing more in-depth research on how to determine if a network has been broken into and how to respond," she explains.
She adds that, while most intrusion detection systems focus on the network or applications, the alliance intends to probe further into how to detect attacks "across an organisation from the lowest IP packet to the highest-level application."
But while the early adopters of intrusion detection systems built their own unique tools, some of the pioneers are now joining forces to create a library of public domain software.
The Sans Institute, a cooperative research and education organisation that includes more than 62,000 systems and network security administrators among its members, has built the Cooperative Intrusion Detection Evaluation and Response or Cider toolset.
This is intended to automate the process of information gathering and traffic analysis based intrusion detection, but the organisation has also designed a "step by step intrusion detection using tcpdump" system specifically for Unix environments.
The step system can be built using freely available software and existing hardware and all Cider components come with their own source code and tutorials explaining what they do, how to set them up and what the results mean.
While there were only a handful of commercial ANSM offerings on the market three years ago, vendors such as Centrax, WebTrends, Axent Technologies, Tripwire Security Systems and ISS have now come out with a wealth of host based monitoring software, which warns users if it detects the misuse of protected files, operating systems (OSs) or Web servers.
Netect, Network Associates, ISS and Security Dynamics Technologies also sell network based scanners, which check for holes in firewalls or servers so that administrators can close them, but users can download shareware such as the Satan scanning tool for free from the Internet.
Network Flight Recorder, Cisco Systems and Network Associates' offerings protect local area networks by inspecting and analysing packet flows across the network and by detecting patterns of connection that indicate an attack.
But ISS's latest real-time offering combines host based intrusion detection with network protection. RealSecure includes about 120 new attack signatures, bringing the number of real-time threats it can detect to about 275, including unauthorised access attempts, suspicious activity, denial of service, information probes and protocol decodes.
The product consists of a network engine, which monitors network transmissions for signs of abuse and attack, a system agent, which runs on a Windows NT box and tests for OS level changes, and a console. This binds the agents and engine together under one graphical user interface for management purposes.
Elsewhere, AbirNet's SessionWall-3 network based intrusion detector focuses more on content analysis and enables administrators to eliminate network communications that do not fit corporate policy.
Security Dynamics Technologies' Kane Security Monitor provides a less expensive alternative for companies that mainly want to protect their Windows NT host, but undertakes little network intrusion detection, while Axent's Intruder Alert/NetProwler package, which has just started shipping, provides combined host and network intrusion detection.
Intruder Alert was integrated with Internet Tools to make it easier to update and customise and to provide strong Unix and NetWare agent support.