Select an Intrusion Detection and Prevention System


DESCRIPTION

Intrusion Detection and Prevention (IDP) Systems can prevent malicious intruders from hacking into your corporate network and stealing your sensitive data. They can also be used on internal segments of the network to block internal users from accessing sensitive data. Implement Intrusion Detection and Prevention to avoid becoming a headline. Use this Solution Set to:

• Develop an IDP strategy.

• Make the business case for IDP.

• Compare and select IDP vendors.

Ensure that you make the correct IDP decisions for your enterprise needs, from strategy to selection to implementation.


This research is designed for…

• CIOs and IT managers who have decided to deploy IDPS but are unfamiliar with the space.

• Organizations looking to increase the security profile of their network.

• Organizations looking for resolutions to internal data breach problems.

This research will help you…

• Understand how IDPS works and what kind of deployment your organization requires.

• Shortlist IDPS vendors and put together an RFP.

• Tune your IDPS to achieve maximum block rates, and ensure you see value out of your investment.

Use this research to help you understand and strategize your IDPS deployment, and select the right solution given your budgetary constraints and needs.

Info-Tech Research Group

Introduction

Security is a big deal. Regardless of whether or not the business houses sensitive data, malicious intruders on your corporate network disrupt business continuity, and that costs money. A deployed Intrusion Detection and Prevention System (IDPS) is the organization’s internal patrol, working with other security tools, such as firewalls and anti-malware, to keep malicious traffic out of your network.

Executive Summary


• In the past, Info-Tech recommended that organizations deploy an Intrusion Detection System to monitor traffic on the corporate network. This has changed: Intrusion Prevention technology has come a long way and is now ready for prime time.

• Network intrusion is costly. Stolen sensitive data is a problem for the enterprise and, more importantly, for you and your job security as the IT person responsible for security.

• Developing an IDPS strategy involves a number of decision points: understand the appliance options available, how to manage them, and how and where to position them on your network to provide the best coverage.

• Every vendor in the IDPS space offers the same basic Table Stakes. If baseline IDPS functionality is all you require, focus on price; if specific features are driving the need, look to the Vendor Landscape tool and scenario slides.

• The Composite Performance Index (CPI) is a measure of value per dollar, displaying what each vendor offers in terms of features, usability, viability, strategy and support per raw point awarded in the affordability category. This is, essentially, a bang-for-your-buck metric.

• Daily monitoring is a critical aspect of implementing an IDPS. Do it to get an idea of what is being logged regularly, and adjust thresholds accordingly to ensure you only log and analyze potential threats.

• Tuning the box is the most significant contributor to lessening the manpower associated with running it: a tuned box captures and blocks 19% more threats than an untuned box, meaning you’re analyzing 19% fewer of the threats that hit it.

Roadmap

Strategize > Select > Evaluate > Implement & Operate

I. Decide between intrusion detection & intrusion prevention

• Though firewalls are supposed to block illicit inbound traffic, they don’t always succeed; an IDPS catches the threats the firewall misses.

• Intrusion Detection was declared dead in 2004; the proclamation was early, but Intrusion Prevention has progressed to the point that it is now the standard.

• An IDPS strategy involves several components, a core one of which is the decision between dedicated and consolidated solutions.

Network intrusion is costly: if your organization has data-stealing intruders, your job may be at stake

Implement security technology such as an IDPS to protect yourself from what could happen if you’re unprotected – nobody wants to be a headline.

TJX, a large American retailer, was hit with a $118 million charge against 2nd quarter earnings in 2007 due to the theft of 45.9 million credit cards via a breach of their wireless network.1 Implementing an IDPS is an effective way of preventing malicious content from compromising the network and causing this kind of disaster.

86% of organizations are proactively improving security by implementing IPS before an intrusion wreaks havoc.2

You never expect your house to burn down, but you buy insurance just in case it does. Similarly, you may not expect to get hacked, but you want some form of protection in place for when you are.

Sources:

1. USA Today, “TJX, Visa reach $40.9M settlement for data breach,” November 2007.

2. Info-Tech Research Group, n = 22

Developing an IDP strategy involves answering a number of questions; answer these four questions before proceeding

What does an IDPS do?

Understand that everything that gets past your firewall, anti-malware tools, and other security controls is free to roam on your network. A firewall is a bouncer; an IDPS is a guard patrolling the bar for strangers and drunkards.

What are my options?

IDPS can be deployed as a dedicated box or a consolidated box. Dedicated boxes offer higher performance and lower entry prices. Consolidated boxes offer a better TCO and streamlined management across multiple tools.

How do I manage it?

Attacks can happen any time, any day. If you can’t afford the security staff to manage and watch the appliance 24/7, managed services can be a more attractive option. Have a large security staff already? Monitor the appliance in-house.

How many probes do I need?

For most enterprises, a single sensor at the network perimeter will be sufficient. Internal segments of the network with sensitive data, or firms using multiple ISPs, should consider probes at the entry points to each network.

An IDPS sits at the network perimeter and tracks what comes and goes; without it, your borders may be open to strangers

An IDPS sits behind the firewall and the anti-malware protection system, monitoring traffic that has passed through both solutions. In detection mode, an IDPS will alert the network administrator when questionable traffic that has passed the firewall and anti-malware solutions passes through the box. In prevention mode, the box will actually mitigate the threat as soon as it hits the IDPS system.

Organizations without IDPS are not more susceptible to breaches, but will be unaware of what enters and exits their network.

Organizations with IDPS are more capable of monitoring what enters and exits their network and can mitigate the impact of any potential threats.

[Diagram, with IDPS: Incoming Traffic → Firewall → Anti-Malware → IDPS → Protected Corporate Network]

Organizations with some security tools in place will catch a portion of malicious traffic as it hits the firewall and anti-malware tools. Make no mistake, some malicious traffic will get past these tools and hit the internal network. Without an IDPS in place, IT will have no record of what threats entered the network, leading to a potential wild goose chase in an effort to track them down.

[Diagram, without IDPS: Incoming Traffic → Firewall → Anti-Malware → No IDPS → Open Corporate Network]

Info-Tech Insight: 75% of respondents to a recent Info-Tech survey about IDPS stated that their networks had become significantly more secure as a result of their IDPS deployment.

A dedicated IDPS solution is a necessity if you need to monitor internal segments of the network: protect that sensitive data!

Consolidated boxes that hold multiple security technologies within a single appliance fit the smaller organization with less of a budget aimed towards IT security. The primary benefit with consolidated boxes is streamlined management tools, but their complexity can make them more expensive than dedicated solutions; if you don’t need all the functionality a UTM offers, they can be cost-and-protection overkill.

A dedicated IDPS is a better fit for organizations with other security technology already in place, since throwing out already purchased tools is expensive. If the network currently has security tools, upgrading via a dedicated IDPS box is simpler and more cost effective. Dedicated boxes also offer higher throughput capacity and speed, resulting in less interference with network traffic.

An IDPS acts as a dedicated box at the perimeter of your network that works with a firewall and anti-malware solutions to protect the network.

A unified threat management (UTM) system is a consolidated box, housing multiple security tools that protect the network.

[Diagram, dedicated IDPS: Incoming Traffic → Firewall → Anti-Malware → IDPS → Protected Corporate Network]

[Diagram, UTM: Incoming Traffic → UTM (Firewall, Anti-Malware, IDPS in one box) → Protected Corporate Network]

Info-Tech Insight: Understand that when deciding between a dedicated box and a consolidated box, you’re really deciding between lower initial investment (dedicated) and lower TCO (consolidated).

If your security team can be staffed on an IDPS 24/7, do it in-house; otherwise go to managed services

What Info-Tech clients are saying…

“The IDPS can only be successful if a process is in place to monitor and maintain the system and reports are reviewed on a regular basis.”

- IT Manager, Education

In the “good old days” when intrusion detection was the pre-eminent technology, staffing issues were the 800 lb gorilla. Intrusion detection can generate vast numbers of alerts that must be dealt with, ideally in real time, for its protection capabilities to be realized. Intrusion prevention has mitigated this to a significant degree, to the point that large numbers of dedicated staff may not be required. For optimal protection, 24/7 monitoring of alerts and responses still has value.

If you don’t need instant response, you don’t need active monitoring. Let the IDPS do its thing, but make sure to review logs daily, and page for significant threats.

5 or more security analysts: Organizations that need the highest levels of responsiveness, and that have 5 or more security analysts on staff, can afford to manage an IDPS on a 24/7 basis in-house at a cost advantage vs. managed services.

Fewer than 5 security analysts: Organizations that need high levels of responsiveness, but that do not have 5 or more security analysts on staff, and therefore cannot actively monitor their IDPS 24/7, will benefit from outsourcing to an MSSP.

Calculate the number of probes required for your implementation given your current network topology

The number of internal networks with confidential, private, or sensitive data on them determines how many internal IDP appliances the organization needs. Here, ratio options exist: multi-segment, multi-Gigabit boxes are available for 1:x deployments, but they have big price tags and may be overkill. Evaluate internal network speed, and the number of segments to be protected, to decide between large 1:x ratio boxes and smaller “appliance per segment” solutions.

The number of pure internet connections coming into the organization drives the number of dedicated or consolidated boxes required at the network perimeter. The ISP:appliance ratio must remain at 1:1 throughout the organization to ensure protection on all inbound links without introducing a single point of failure. The number of ISPs, in turn, is driven by the organization’s need for network redundancy and resiliency (e.g. failover networks).

External Probes: For consistent protection, the organization must have 1 appliance on each dedicated Internet connection.

Internal Probes: Use the number of network segments with sensitive data to drive internal probe deployment.

[Diagram: ISP 1 → IDPS 1/UTM 1 and ISP 2 → IDPS 2/UTM 2, both feeding the Protected Corporate Network; IDPS on Segment 1 in front of the Segmented Network (e.g. R&D)]

Determine whether or not IDPS is appropriate for your organization before moving into vendor selection

The IDP System Appropriateness Assessment Tool will help you:

1. Conduct an IDPS Necessity Assessment.

2. Determine whether you are better served by an IDPS or UTM.

3. Determine whether you should bring IDP in-house or move to managed services.

4. Calculate the number of probes required for your implementation given current network setup.

This tool will help you determine whether or not you should be deploying an IDPS and how many probes you require. Use the probe figure in the IDP System TCO Calculator later in this solution set to more accurately project the cost of your specific implementation.

You know what you need; now it’s time to figure out what it’s going to cost & how to manage it

The IDP System TCO Calculator will help you:

1. Determine capital costs, such as hardware and licensing.

2. Determine operating costs, such as support and staffing.

3. Provide you with a TCO for managing IDPS across 4 different scenarios.

Use this TCO calculator to get an understanding of the various licensing and management options available to you with an IDPS solution. This tool puts dollar figures to the IDPS setup strategy discussed in section 1. Remember, the probe figure from the Appropriateness Assessment Tool you just completed should be entered in the appropriate places in this tool to produce a more accurate recommendation.

Info-Tech Insight: 100% of survey respondents that stated implementing their IDPS system was highly labor intensive also categorized the financial reward as highly significant.

Roadmap

Strategize > Select > Evaluate > Implement & Operate

II. Look to the Vendor Landscape to determine who can meet your needs

• Though all available solutions meet certain Table Stakes capability requirements, differentiating features do exist; match enterprise needs to these enhanced capabilities.

• Feature/functionality is only one measurement of solution/vendor applicability; choosing the best option means understanding all the variables.

• Use Info-Tech’s specific vendor/product evaluations to find the solution that represents the best fit for your enterprise need.

Every vendor in the game has the basic table stakes, but who goes above and beyond in the areas that matter to you?

Info-Tech Insight: If Table Stakes are all you need from your IDPS solution, the only true differentiator for the organization is price. Otherwise, dig deeper to find the best price to value for your needs.

The Table Stakes: What does this mean?

• Throughput: Probes are capable of supporting at least 0.2 Gbps in throughput capacity.

• Hardware Portfolio: Vendor provides a variety of probes at varying price points for adequate matching with needs.

• Signature Scanning: The solution is capable of signature scanning.

• Behavior Scanning: The solution is capable of behavior scanning.

• 24/7 Support: Support is available 24/7 for client issues.

• Weekly Updates: Signatures and other scan-related data are updated weekly, at a minimum.

• Management and Reporting: The solution comes with a reporting and management dashboard.

The products assessed in this Vendor Landscape™ meet, at the very least, the requirements outlined as Table Stakes. Many of the vendors go above and beyond the outlined Table Stakes, and some even do so in multiple categories. This section aims to highlight the products’ capabilities in excess of the criteria listed here.

“Visibility of the organization is also important. I doubt, in the current environment, that many people are interested in hacking into our small hospital system; however, I will not take a chance with other people’s financial and personal health info, so I will do the right thing.”

- IT Manager, Healthcare

IDPS Criteria & Weighting Factors

Vendor Evaluation

• Strategy: Vendor is committed to the space and has a future product and portfolio roadmap.

• Viability: Vendor is profitable, knowledgeable, and will be around for the long term.

• Support: Vendor offers implementation and ongoing management support.

Product Evaluation

• Affordability: The five year TCO of the solution is economical.

• Features: The solution provides basic and advanced feature/functionality.

• Usability: The solution’s dashboard and reporting tools are intuitive and easy to use.


The Info-Tech IDPS Vendor Landscape

For a complete description of Info-Tech’s Vendor Landscape methodology, see the Appendix.

Champions receive high scores for most evaluation criteria and offer excellent value. They have a strong market presence and are usually the trend setters for the industry.

Competitors strike a strong balance between product and vendor attributes. They have the potential to become future industry leaders if they address the missing links in their offerings.

Emerging players are newer vendors who are starting to gain a foothold in the marketplace. They balance product and vendor attributes, though score lower relative to market Champions.

Innovators have demonstrated innovative product strengths that act as their competitive advantage in appealing to niche segments of the market.

Industry standard vendors are established players with very strong vendor credentials, but with more average product scores.

Every vendor has its strengths & weaknesses; pick the one that works best for you

[Harvey Ball score table: Product scores (Features, Usability, Affordability) and Vendor scores (Viability, Strategy, Support) for McAfee, HP, Cisco, IBM, Juniper, Top Layer, Sourcefire, Radware and Check Point; the ball graphics are not reproduced here]

Note: “Harvey Ball” scores are produced by normalizing weighted, raw scores for each category, resulting in relative scores for each category. For example, an empty circle does not indicate a zero score; it indicates the lowest score in that category relative to other products. Likewise, a solid circle does not indicate a perfect score, but rather the highest score in that category relative to the other products.

Cisco provides the most value per dollar of spend across the board due to an impressive feature list & low price point

On a relative basis, Cisco maintained the highest Info-Tech Composite Performance Score™ (CPS) of the vendor group. Vendors were indexed against Cisco’s performance to provide a complete, relative view of their product offerings.

What is a Composite Performance Score?

The Composite Performance Score is a measure of performance across both Vendor and Product categories, normalized in relation to cost.1

This measure does not indicate vendor ranking; instead it provides an indexed assessment of each vendor’s product and business strength in relation to the cost of their solution. Vendors that score high offer more features, usability, support, SMB focus, and stability relative to their price point than the average vendor, while the inverse is true for those that score lower. Enterprises looking to achieve optimal “bang for the buck” may wish to give the Composite Performance Score more consideration than those who are more focused on specific vendor/product attributes.

Sources:

1. To calculate the Composite Performance Score for each vendor, the affordability raw score was backed out, the product scoring reweighted, and the affordability score multiplied by the product of the Vendor and Product scores.
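To make the two score views concrete, here is an added Python sketch (not Info-Tech’s tool or data) that turns raw category scores into relative Harvey Ball levels as the note on the scoring table describes, then computes a Composite Performance Score per the footnote above and indexes every vendor against the leader. The vendor names, raw scores and the equal category weights are constructed assumptions.

```python
"""Relative Harvey Ball levels and a Composite Performance Score (CPS)
index, following the scoring description on this page. Vendor names,
raw scores and equal category weights are constructed assumptions."""

PRODUCT = ("features", "usability", "affordability")
VENDOR = ("viability", "strategy", "support")
CATEGORIES = PRODUCT + VENDOR

# Assumed weights: the page says scores are weighted but gives no weights,
# so every category counts equally here.
WEIGHTS = {cat: 1.0 for cat in CATEGORIES}

# Constructed raw scores on a 0-10 scale (not the real vendor results).
SAMPLE_SCORES = {
    "Vendor A": {"features": 9, "usability": 8, "affordability": 5,
                 "viability": 9, "strategy": 6, "support": 9},
    "Vendor B": {"features": 7, "usability": 7, "affordability": 9,
                 "viability": 7, "strategy": 8, "support": 7},
    "Vendor C": {"features": 5, "usability": 6, "affordability": 7,
                 "viability": 4, "strategy": 9, "support": 5},
}


def weighted_average(scores, cats, weights):
    """Weighted mean over the given categories, reweighted to that subset."""
    total = sum(weights[c] for c in cats)
    return sum(weights[c] * scores[c] for c in cats) / total


def harvey_balls(all_scores, weights=WEIGHTS):
    """Relative Harvey Ball level per category: 0 = empty circle (lowest
    weighted score among the vendors), 4 = solid circle (highest), with the
    rest spread across quarter balls. An empty ball is not a zero score."""
    levels = {vendor: {} for vendor in all_scores}
    for cat in CATEGORIES:
        weighted = {v: weights[cat] * s[cat] for v, s in all_scores.items()}
        lo, hi = min(weighted.values()), max(weighted.values())
        for vendor, value in weighted.items():
            # All vendors tied: nobody is "lowest", so show solid balls.
            levels[vendor][cat] = 4 if hi == lo else round(4 * (value - lo) / (hi - lo))
    return levels


def composite_performance(all_scores, weights=WEIGHTS):
    """CPS as the footnote describes it: back affordability out of the
    product score, reweight the remaining product categories, then multiply
    the affordability raw score by (vendor composite * product composite)."""
    product_cats = tuple(c for c in PRODUCT if c != "affordability")
    cps = {}
    for vendor, s in all_scores.items():
        product = weighted_average(s, product_cats, weights)
        vendor_score = weighted_average(s, VENDOR, weights)
        cps[vendor] = s["affordability"] * product * vendor_score
    return cps


def index_to_leader(cps):
    """Express each CPS relative to the best one (leader = 100), the way the
    page indexes every vendor against the top scorer."""
    top = max(cps.values())
    return {vendor: round(100 * value / top, 1) for vendor, value in cps.items()}


if __name__ == "__main__":
    balls = harvey_balls(SAMPLE_SCORES)
    index = index_to_leader(composite_performance(SAMPLE_SCORES))
    for vendor in SAMPLE_SCORES:
        row = " ".join(f"{c[:5]}={balls[vendor][c]}" for c in CATEGORIES)
        print(f"{vendor}: {row}  CPS index={index[vendor]}")
```

With the constructed scores, the vendor with the middling feature set but the best affordability comes out as the CPS leader, which is exactly the bang-for-the-buck effect the page describes.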

HP TippingPoint’s grip on proprietary signatures research is a differentiator in the industry; cost may be a deterrent

Info-Tech Rating: Champion

Overview

• Acquired by HP in 2010, 3Com’s TippingPoint products add IDPS functionality to HP’s current networking portfolio.

Strengths

• DVLabs functionality and proprietary research teams allow HP to combat malicious signatures faster and more effectively than any other vendor in the space.

• Allows bandwidth allocation for non-critical applications.

• vController and VMC allow for management of virtualized infrastructure.

Challenges

• For organizations that require less than 0.5 Gbps of throughput from their IDPS appliance (typical of perimeter deployments), HP is significantly more expensive than the average vendor.

Employees: 310,000 (HP wide)

Headquarters: Palo Alto, CA

Website: HP.com

Info-Tech Recommends: If the integrity of data on your corporate network requires extremely high level security, HP’s DVLabs suite is the most up-to-date signature database on the market.

HP focuses heavily on the enterprise market, hurting its strategy score; there is better value elsewhere based on price

[Vendor Listing matrix: Advanced Features (DoS Protection, Inherent Firewall, Reputation Based Scanning, Virtual Signatures, Virtual Infrastructure Protection, Application Specific Scanning, Encrypted Traffic Scanning, Redundancy, User Based Signatures), Support Delivery and Reach (North America, APAC, EMEA) and Bonus; the per-vendor marks are not reproduced here]

Bonus: DVLabs Research employs 30+ research professionals and provided the first patch to 14 critical and 47 high risk vulnerabilities in 2010, more than 5x that of competing vendors.

HP achieved a slightly above average Composite Performance Index score in all categories except for Strategy, where its score was well below the average. HP’s mediocre scores across most categories are a result of the high price of the solution and its low usability score. Its strategy score is below average because HP is more focused on the enterprise space than on the small to medium enterprise, as evidenced by the progression to more favorable pricing as appliance throughput moves upstream.

Cisco possesses a large deployed sensor network that feeds its impressive reputation engine at a very low price point

Info-Tech Rating: Champion

Overview

• A major player in the enterprise technology space, Cisco’s IPS offering is marketed as the Cisco IPS 4200 series sensors.

Strengths

• On a price per Gbps of throughput basis, Cisco offers the best value among vendors with boxes under 0.5 Gbps.

• 700,000 sensors deployed globally form the industry’s largest IDPS reputation network.

• Offers the same management & reporting package at all levels of its IDPS portfolio for consistent management.

Challenges

• The primary focus of the organization’s IDP efforts is on consolidated boxes, meaning organizations that require dedicated boxes may be less of a priority.

Employees: 70,714

Headquarters: San Jose, CA

Website: Cisco.com

Info-Tech Recommends: If the organization currently uses a lot of Cisco infrastructure, implementing Cisco’s IDPS provides quick reporting/management wins.

Cisco offers a huge amount of features at the most affordable price point, making it the best value play in the space

[Vendor Listing matrix, same columns as the HP listing above; the per-vendor marks are not reproduced here]

Bonus: Maintains 700,000 sensors globally to feed its Global Correlation program, boosting efficacy and driving reputation scores that are pushed out to all devices on the network.

Cisco achieved the highest Composite Performance Index scores in all categories except for Strategy, where its score was still above the average. Cisco’s high across-the-board scores are the result of its solution having the lowest price of all evaluated products while having above average scores in all other categories. Its strategy score is limited, though still above average, due to its primary focus on consolidated rather than dedicated solutions.

McAfee offers an extremely robust feature set & a global support system, but does so at a premium to other vendors

Info-Tech Rating: Champion

Overview

• Founded in 1987, McAfee is a leading computer security player globally. McAfee and Intel have entered into an agreement whereby McAfee would be acquired by Intel as a wholly owned entity.

Strengths

• Much like HP’s TippingPoint solution, McAfee’s feature set is among the most robust in the industry, providing DDoS protection, virtual machine scanning, encrypted traffic scanning and more.

• McAfee’s emphasis on usability is highlighted with a robust, easy to use management solution.

Challenges

• With the recent acquisition by Intel, there remains some uncertainty in the industry about the direction of McAfee’s product portfolio.

• The solution is priced at a heavy premium in comparison to other players in the market, regardless of its robust feature set.

Employees: 6,100

Headquarters: Santa Clara, CA

Website: McAfee.com

Info-Tech Recommends: If a robust feature set and a highly detailed dashboard and reporting setup are your prime concern, McAfee is a potential solution; otherwise, there are less costly vendors in the space.

McAfee offers the most impressive feature list, but is priced at a hefty premium to the market, destroying value per dollar

[Vendor Listing matrix, same columns as the HP listing above; the per-vendor marks are not reproduced here]

Bonus: The McAfee IntruShield appliance lineup offers integrated VoIP protection to specifically protect against threats using this increasingly common communications mechanism.

McAfee achieved low Composite Performance Index scores in all categories due to its exceptionally high price point. McAfee’s high price point negatively impacted its composite performance despite the breadth of its features and the strength of the product on the whole. Its viability score was especially low due to the uncertainty surrounding the IntruShield offering post Intel acquisition.

If you already have IBM infrastructure, or require extremely high throughput, consider IBM

Info-Tech Rating: Industry Standard

Overview

• A global player in networking and security, IBM’s IDPS offering saw double-digit growth in 2010.

• The product portfolio is extensive and is leaning towards further increasing already high throughput capacity.

Strengths

• Appliance portfolio is the largest in the industry, ranging from 200 Mbps boxes up to 25 Gbps boxes.

• Reporting system is clean and easy to use.

• Protocol Analysis Module is a leader in the industry and is capable of identifying threats based on logical assumptions from previous signatures.

Challenges

• Limited application management functionality, as bandwidth cannot be assigned to specific applications, forcing the organization to allow or disallow applications outright, as opposed to allowing them up to a certain threshold.

Employees: 399,409

Headquarters: Armonk, NY

Website: IBM.com

Info-Tech Recommends: If your organization has a suite of IBM products already, or is looking for IDPS boxes with extremely large throughput capacity, consider IBM as a potential solution.

IBM offers average functionality but is backed by a strong corporate brand & large support network

[Vendor Listing matrix, same columns as the HP listing above; the per-vendor marks are not reproduced here]

Bonus: As Data Leakage Protection becomes an ever more prevalent technology, it is finding its way into many other security solutions; IBM is the first to integrate DLP capability into its IDPS sensors.

IBM achieved a slightly above average overall Composite Performance Index score, with good specific results in support and viability but poor results in strategy and usability. As the largest and most stable vendor in this survey, IBM’s high viability score is to be expected. The company’s usability score was negatively impacted by a complex management system, while its strategy score was impacted heavily by the firm’s focus on the enterprise market.

Juniper offers a low cost solution compared to the average vendor, but also offers fewer throughput options on appliances

Info-Tech Rating: Innovator

Overview

• Founded in 1996, Juniper began as a supplier of high-performance routers and now carries IDPS technology and a host of other networking-related products.

Strengths

• Price points for boxes above and below the 0.5 Gbps threshold are among the best in the industry, and well below the average cost for each category.

• Juniper runs the same IDP engine across its IDP and SRX series, resulting in ease of management across systems.

Challenges

• Less delineation in the product portfolio than other vendors in the space, as Juniper has only a 1 Gbps and a 10 Gbps box available to customers that require more than 300 Mbps of throughput. Those looking at Juniper for internal deployments may be underserved by this strategy.

Employees: 8,000

Headquarters: Sunnyvale, CA

Website: Juniper.net

Info-Tech Recommends: If cost is the major concern for your organization and the appliance throughput you need is available from Juniper, consider it a strong solution for the money.

Juniper is the only vendor in the landscape offering ‘honeypot’ capabilities, and is priced well relative to its peers

[Vendor Listing matrix, same columns as the HP listing above; the per-vendor marks are not reproduced here]

Bonus: Juniper’s IDP series of appliances uniquely offers ‘honeypot’ capabilities to track and confound illicit reconnaissance efforts.

Juniper achieved a high Composite Performance Index score in all categories except for Strategy, where its score was below average. Juniper’s high across-the-board scores are the result of its solution having one of the lowest price points in the group, while providing more features than other, similarly priced vendors. Its strategy score is below average due to its focus on the enterprise space with its IDPS solution; the firm carries a UTM solution geared much better towards the SME.

Sourcefire offers a leading IDPS product & maintains a robust appliance portfolio, but lacks full DDoS protection capability

Info-Tech Rating: Competitor

Overview

• Founded in 2001, Sourcefire is the commercialized version of the open source IDS, Snort.

• Sourcefire maintains ties to the open source community and is actively involved with developing both products.

Strengths

• Robust portfolio of appliances allows Sourcefire to service organizations that require anywhere from 5 Mbps to 20 Gbps (through sensor clustering) of throughput.

• Incorporates real-time network, application and user intelligence to provide “contextual awareness” for automated impact assessment, IPS tuning, application monitoring, and user identification.

Challenges

• Sourcefire has somewhat limited protection capabilities in comparison with other vendors, lacking extra features such as firewall and reputation scanning.

Employees: 393

Headquarters: Columbia, MD

Website: Sourcefire.com

Info-Tech Recommends: If your organization anticipates quickly scaling up hardware over a short period of time, Sourcefire’s hardware portfolio extends from the very small to the very large, providing some continuity.

Page 30: Select idps

Sourcefire recorded one of the higher Composite Performance Index scores due to the combination of generally positive criteria scores and overall attractive pricing. Sourcefire was regarded as having the highest CPI score for strategy as a result of its IDP-only focus and attractiveness to the SME space. As with the other smaller vendors in the study, viability is impacted when compared with multi-hundred-billion-dollar companies.

Sourcefire focuses heavily on IDP & benefits from the large open-source community behind Snort

30


As the commercial offering from the developers of Snort, the world’s most commonly deployed IDP solution, Sourcefire can draw on that massive community user base for signature development.

Page 31: Select idps

Check Point is an expensive solution with a minimal feature set; other vendors offer more functionality at a lower price point

Overview

• Established in 1993, Check Point’s focus has been entirely on IT security.

• Acquired a division of Nokia’s security appliance business in April of 2009.

Strengths

• From a strategy perspective, Check Point is more focused than larger players on the SMB space, meaning small firms considering an IDPS long-term may see some specific benefits from the vendor.

• Support options are on par with other vendors in the space, with international offerings and 24/7 availability.

Challenges

• Check Point lacks the rich feature sets present in other vendors, including DDoS protection, encrypted traffic scanning, and virtual machine scanning.

• Like McAfee, Check Point is priced at the high end of the scale, but does not currently offer the feature set to support the lofty price point.

Info-Tech Rating: [scores not recoverable]

Info-Tech Recommends: If advanced functionality and security are a minimal concern, then Check Point may be a viable option, but there are better, less expensive solutions on the market.

Employees: 2,200
Headquarters: Redwood City, CA
Website: Checkpoint.com
Vendor Landscape category: Industry Standard

Page 32: Select idps

Check Point achieved a low Composite Performance Index as a result of the second highest price in this study, compared against generally modest results in most categories. Check Point achieved its best results in usability (due to a very clean management interface) and strategy (due to its focus). Its advanced feature set was deemed one of the weakest in the comparison, resulting in the low CPI for that criterion.

Check Point performs poorly on a CPI basis due to a lofty price point & minimal functionality, resulting in poor value

32


Though not a metric in this evaluation, Check Point has recently been reviewed favorably on performance and throughput capabilities by NSS Labs, an independent testing house.

Page 33: Select idps

Top Layer Security provides the appliance for free with three year maintenance contracts, drastically reducing TCO

Overview

• Acquired in 2011 by Corero, Top Layer forms the foundation of Corero’s network security platform.

• Major verticals include: Healthcare, Higher Education and Small Financials.

Strengths

• “Free IPS Appliance” program provides hardware for free with purchase of 3 years of maintenance and threat update service, reducing 3 year TCO by 50%.

• Network Security Analyzer is included with the purchase of any IPS solution.

Challenges

• As a smaller vendor in the IDPS space, Top Layer cannot guarantee the stability and viability that larger vendors enjoy.

Info-Tech Rating: [scores not recoverable]

Info-Tech Recommends: If all you require is intrusion prevention functionality at an extremely low cost, Top Layer Security may be the right solution for your organization.

Employees: 70
Headquarters: Hudson, MA
Website: Toplayer.com
Vendor Landscape category: Emerging Player

Page 34: Select idps

Top Layer offers a reasonably competitive product, at a slightly above average price, resulting in a lower overall Composite Performance Index result. This may be mitigated, however, with Top Layer’s innovative free appliance approach. Top Layer’s focus on the IDP market, and the SME client, earns it solid Strategy marks; however, its just-announced acquisition by UK-based Corero as the flagship of that company’s new (and still being defined) security division significantly impacts viability scores.

Top Layer offers an IPS-only, SME-focused product with a free appliance option, but its recent takeover hurts viability

34


Top Layer’s TopMSS managed services offering allows enterprises to invest in technology and the management of that technology from a single provider.

Page 35: Select idps

Radware’s scalable buying concept will aid high-growth or cash-strapped organizations with IDPS expansion

Overview

• Founded in 1997, Radware focuses solely on application delivery and network security.

Strengths

• Scalable buying allows consumers to scale their IDPS hardware as necessary, meaning the organization can buy a 1GBPS box now, and a 2GBPS license upgrade later, paying only the difference in price.

• Reporting and analytics system with the product is extremely robust and easy to use.

Challenges

• Radware’s reputation engine is not as strong as other players in the space, but the product portfolio and strategic roadmap are heading in the right direction.

Info-Tech Rating: [scores not recoverable]

Info-Tech Recommends: If a major investment in IDPS is not a primary initiative for the organization, or you are in a high-growth environment, consider Radware’s scalable buying as a way to ease into IDPS.

Employees: 700+
Headquarters: Tel Aviv, Israel
Website: Radware.com
Vendor Landscape category: Emerging Player

Page 36: Select idps

Radware’s overall Composite Performance Index score was radically impacted by the high initial costs of its appliances compared against mostly mediocre scores in all categories. Radware’s best results came in strategy due to its strict focus on the IDPS space. Its worst results, usability and viability, are attributable first to a complex and confusing interface, and second to being a very small company in the presence of much larger competition.

Radware carries a high initial investment cost on its appliances & involves using an extremely complex management interface

36


The ERT provides instantaneous, expert security assistance in order to restore network and service operational status when a client is under DDoS attack or malware outbreak.

Page 37: Select idps

Not all vendors are created equal; pick the right one for your case

37

Effectiveness is highly vendor dependent.

The Composite Performance Index is a measure of value for dollar, but certain, specific select criteria may be driving your needs.

The table below provides some insight into what vendors Info-Tech recommends, based on specific needs.

I want…                                             Info-Tech Recommends
The best value for my dollar.                       Cisco, Juniper
The greatest feature set.                           HP, McAfee
The most up-to-date signatures at all times.        HP, IBM
A vendor that is focused on the small enterprise.   Radware, Sourcefire, Top Layer, Check Point
The ability to scale up cheaply as I grow.          Radware
Full redundancy.                                    HP, Top Layer
Inherent firewall.                                  Radware, McAfee, Top Layer

Page 38: Select idps

Roadmap: Strategize → Select → Evaluate → Implement & Operate

III. Align vendor offerings with your needs.

• Identify the right potential solution providers with a Vendor Shortlist

• Focus requirements with an RFP Template

• Rate vendor responses with an RFP Response Tool

Page 39: Select idps

Identify leading solution candidates with a Vendor Shortlist

Info-Tech Research Group 39

The Info-Tech IDP System Vendor Shortlist Tool is designed to generate a customized shortlist of vendors based on key priorities.

The Info-Tech IDP System Vendor Shortlist Tool offers the ability to modify:

• Overall Vendor vs. Product weightings

• Vendor criteria weightings (e.g. vendor viability, support, strategic orientation)

• Product criteria weightings (e.g. features, usability, affordability)

Use this tool at an early stage of analysis to identify vendors that will best meet business requirements.

Page 40: Select idps

Focus solution requirements with an RFP Template

Info-Tech Research Group 40

Info-Tech Insight: An RFP implies stable requirements and an intent to buy – use this tool to help select a supplier, not to develop a shortlist.

Issuing RFPs is a critical step in your vendor selection process.

The Info-Tech IDP System RFP Template comes populated with important elements you don’t want to forget, which include:

• Statement of Work

• Proposal Preparation Instructions

• Scope of Work

• Specification & Requirements

• Vendor Qualifications & References

• Budget & Estimated Pricing

• Vendor Certification

Page 41: Select idps

Put hard numbers behind vendor claims & keep evaluations objective by scoring RFP responses

Info-Tech Research Group 41

A standard and transparent process for scoring individual vendor RFP responses will help ensure that internal team biases are minimized.

Info-Tech Insight: Pricing information distracts reviewers from evaluating business and technology requirements. Consider withholding it until after evaluation of functional criteria.

Adjust the individual category weightings to customize this tool to business priorities.

The Info-Tech IDP System Evaluation & RFP Response Tool comes pre-built with important scoring criteria for vendor RFP responses.

This tool includes modifiable criteria across the following categories:

• Features (e.g. real-time integration)

• Operational Requirements (e.g. debugging, exception reporting)

• Architecture (e.g. hosted deployment, connector volume)

• Support

Page 42: Select idps

Roadmap: Strategize → Select → Evaluate → Implement & Operate

IV. You can’t leave your network unprotected. Understand how IDPS can help.

• Understand the difference between nearline and inline, and the impact on network throughput.

• Tune your appliance to get the most value out of it.

• Get a handle on best practices for handling incidents.

Page 43: Select idps

Start with nearline monitoring, but move to inline blocking as probe performance is optimized

43

Info-Tech Insight: Getting the throughput specifications right for the appliance should be a prime focus point. A small box becomes a network bottleneck; a large box requires significantly more capital.

A nearline deployment provides IT with a chance to monitor the default rules setup of the appliance and assess throughput capacity without materially impacting the network. Start with a nearline deployment and only move to inline when you are sure the appliance will not become a bottleneck on the network.

In terms of tuning the rules of the box, trial and error is the generally used method. Start by turning on the baseline rules, and tweak both rules and thresholds until the appliance performs at an acceptable rate.

Once the appliance is performing satisfactorily, move it inline and implement blocking.


Page 44: Select idps

Use a pilot group & monitor actively during the initial tuning phase; IPS requires constant attention to be effective

Understand that IPS is not an idle technology – monitoring reports and logs is the only way to configure an IPS solution to optimal block rates. The goal with monitoring is to develop an idea for what baseline figures and activities look like, making it easier to spot anomalies in the future.

After a few days of running the solution, open up the event logs and begin to understand what is happening. Check that the applications you expect to be running are running, resolve early false positives, and ensure the processes and services are correct.

Tuning accurately is a major differentiator between an adequate solution and a great one. At this stage in the game, focus on finding the right thresholds. Increase the risk threshold for processes being logged that shouldn’t be, and do the inverse for those that should.

Reducing noise in the management console is the quickest way to reduce the time spent reviewing logs daily. Create exceptions for commonly logged but non-threatening actions, such as running sanctioned scripts so you can focus on logging and analyzing potential threats.

The final step in tuning the appliance is to configure dashboards and reporting to display the most pertinent information. Make displaying trends, query results, and issues the priority, and schedule reports to be sent automatically to the responsible individuals for mitigation.

1 Monitor Daily → 2 Review Logs → 3 Begin Tuning → 4 Create Exceptions → 5 Configure Reporting

Info-Tech Insight: The initial configuration of an IDPS appliance is extremely important to the optimal functioning of the solution, but the effort must be maintained throughout the system’s lifetime to remain effective.
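The Review Logs, Begin Tuning, Create Exceptions and Configure Reporting steps above, as an added example in Python that is not part of the Info-Tech deck or any vendor's product. It runs a tuning policy over a handful of constructed IPS alert lines: a scoped exception for a sanctioned admin script, per-signature risk thresholds raised for a noisy signature and lowered for one worth seeing, and the summary a dashboard would be fed. The alert format, signature ids (sid), hosts and messages are all constructed for illustration.

```python
"""Added example (not from the Info-Tech deck or any vendor's product):
a small tuning pass over constructed IPS alert lines, walking the
Review Logs -> Begin Tuning -> Create Exceptions -> Configure Reporting
steps.  Alert format, signature ids, hosts and messages are constructed."""
from collections import Counter
from dataclasses import dataclass, field
import re

# Constructed sample: one syslog-style alert per line, as an IPS in nearline
# (monitor-only) mode might emit during the first days of a pilot.
SAMPLE_ALERTS = """\
2011-06-01T08:00:01 sid=1001 sev=3 src=10.0.5.12 dst=10.0.1.20 msg="SMB admin share access"
2011-06-01T08:00:04 sid=1001 sev=3 src=10.0.5.12 dst=10.0.1.21 msg="SMB admin share access"
2011-06-01T08:00:09 sid=1001 sev=3 src=10.0.5.12 dst=10.0.1.22 msg="SMB admin share access"
2011-06-01T08:01:10 sid=2200 sev=2 src=10.0.9.8 dst=10.0.1.50 msg="HTTP long URI"
2011-06-01T08:02:33 sid=3300 sev=5 src=198.51.100.7 dst=10.0.1.50 msg="SQL injection attempt"
2011-06-01T08:02:35 sid=4400 sev=1 src=10.0.7.3 dst=10.0.1.60 msg="ICMP echo sweep"
2011-06-01T08:05:00 sid=1001 sev=3 src=10.0.5.12 dst=10.0.1.23 msg="SMB admin share access"
2011-06-01T08:06:45 sid=1001 sev=3 src=10.0.8.44 dst=10.0.1.20 msg="SMB admin share access"
2011-06-01T08:07:12 sid=3300 sev=5 src=198.51.100.7 dst=10.0.1.50 msg="SQL injection attempt"
2011-06-01T08:09:40 sid=4400 sev=1 src=10.0.7.3 dst=10.0.1.61 msg="ICMP echo sweep"
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\d+) sev=(?P<sev>\d+) '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) msg="(?P<msg>[^"]*)"$'
)


def parse_alert(line):
    """Parse one constructed alert line into a dict, or None if malformed."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["sev"] = int(alert["sev"])
    return alert


@dataclass
class TuningPolicy:
    """Console tuning decisions made after reviewing the logs."""
    default_min_severity: int = 3                              # global risk threshold
    per_sid_min_severity: dict = field(default_factory=dict)   # raised/lowered per signature
    exceptions: set = field(default_factory=set)               # sanctioned (sid, src) pairs

    def min_severity(self, sid):
        return self.per_sid_min_severity.get(sid, self.default_min_severity)


def apply_tuning(lines, policy):
    """Classify each alert as excepted, below threshold, or kept for review."""
    report = {"total": 0, "unparsed": 0, "excepted": 0,
              "below_threshold": 0, "kept": 0, "top_signatures": Counter()}
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            report["unparsed"] += 1      # never silently drop lines you cannot read
            continue
        report["total"] += 1
        # Exceptions are scoped to (signature, source): the sanctioned host is
        # excused, the same signature from anywhere else still surfaces.
        if (alert["sid"], alert["src"]) in policy.exceptions:
            report["excepted"] += 1
            continue
        if alert["sev"] < policy.min_severity(alert["sid"]):
            report["below_threshold"] += 1
            continue
        report["kept"] += 1
        report["top_signatures"][(alert["sid"], alert["msg"])] += 1
    return report


# Constructed policy: 10.0.5.12 runs the sanctioned nightly admin script that
# trips sid 1001; sid 2200 is noisy and benign here, so its bar is raised;
# sid 4400 (sweeps) is worth seeing even at low severity, so its bar is lowered.
POLICY = TuningPolicy(
    default_min_severity=3,
    per_sid_min_severity={2200: 4, 4400: 1},
    exceptions={(1001, "10.0.5.12")},
)


def tuned_report():
    return apply_tuning(SAMPLE_ALERTS.splitlines(), POLICY)


if __name__ == "__main__":
    r = tuned_report()
    print(f"{r['total']} alerts: {r['excepted']} excepted, "
          f"{r['below_threshold']} below threshold, {r['kept']} kept for review")
    for (sid, msg), n in r["top_signatures"].most_common():
        print(f"  sid {sid} {msg!r}: {n}")
```

The point of keying the exception on both signature and source is that the fifth `sid=1001` alert, from a host that does not run the sanctioned script, still reaches the console; a blanket exception on the signature would have hidden it. The counters for excepted, below-threshold and kept alerts are the trend figures a scheduled report would carry.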

Page 45: Select idps

Develop an incident response team and teach them to identify incident precursors & indications to beef up

protection

45

Preparation

• Create an incident response team.

• Have the team put together a jump kit to enable team members to quickly begin diagnosing threats in the field.

• Configure the network perimeter to deny all activity that is not expressly permitted; only permit activity necessary for the organization to function. [1]

Detection & Analysis

• Precursors and indications are both signs of incidents; look for both.

• Have the incident response team quickly analyze and validate each incident, documenting each step.

• Determine the overall severity/effect score of the threat [3] and notify the required parties (e.g. CIO & Head of Information Security).

Who should be on the team?

The incident response team should consist of people from across IT -- developers and security and networking pros. Threats can hit anywhere, so an IT-wide view is critical to an effective defense.

What’s in a jump kit?

Key items in a jump kit include: laptop with packet sniffers & computer forensics, backup devices, blank media, basic networking cables and OS and application media and patches. [2]

What’s a precursor?

A precursor is a sign that an incident may occur in the future, such as unusual port scan activity targeted at a group of hosts before a DoS attack against the same hosts.

What’s an indication?

An indication is a sign that an attack is occurring or has just happened, such as an antivirus software alert when a worm is detected.

Sources:
1. Computer Security Incident Handling Guide, Section 3.1.0
2. Ibid, Section 3.1.2
3. Overall Severity/Effect Score = Round (Current Effect Rating * 2.5) + (Projected Effect Rating * 2.5) + (System Criticality Rating * 5), Computer Security Incident Handling Guide, Section 3.2.6

Page 46: Select idps

Create a containment framework & hold lessons-learned meetings to make the response team more efficient

Info-Tech Research Group 46

Containment/Recovery

• Most incidents require containment; decide early if system shutdown, disconnection, or function disabling is the right course of action.

• Gather identifying information such as location, serial numbers, and IP addresses in case the need for admissible evidence arises.

• Implement recovery via file and system restores from clean backups, password changes and tightening of perimeter security.

Post Incident Activity

• The most important part of incident response is learning and improving.

• Hold a ‘lessons learned’ meeting with all involved parties after a major incident.

• Use the meeting as an opportunity to update incident response policies and procedures.

• Aim to accurately quantify total hours of involvement spent on the incident for costing and performance metrics for the team.

How do I contain a threat?

Containment is highly related to threat type. Generally, criteria for containment include:

• Potential damage/theft of resources

• Need for evidence preservation

• Service availability

• Time/resources required

• Effectiveness of containment strategy

• Duration of containment

Use sections 4 through 8 of the NIST “Computer Security Incident Handling Guide” to develop a framework around containment.

What metrics do I use?

Coming up with a series of metrics to assess an incident response team is tough, but the following are industry standards that highlight effectiveness:

• Number of Incidents Handled

• Time Per Incident

• Total Labor per Incident

The goal with such metrics is to determine the cost of the team and, moving forward, reduce response times, resulting in greater cost-benefits to the organization.
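The severity/effect score cited on the previous page and the three team metrics listed above, as an added Python example that is not part of the Info-Tech deck or of the NIST guide it cites. Two assumptions are made: the three ratings are taken as fractions in [0, 1], so the score lands on a 0-10 scale, and Round is applied to the whole sum with halves rounding up. The incident ids, timestamps and labor hours are constructed.

```python
"""Added example (not from the Info-Tech deck or NIST): the overall
severity/effect score formula the deck cites, plus the three incident
response team metrics, computed over constructed incident records.
Assumptions: ratings are fractions in [0, 1]; Round covers the whole sum."""
from dataclasses import dataclass
from datetime import datetime
import math


def severity_score(current_effect, projected_effect, system_criticality):
    """Round(current*2.5 + projected*2.5 + criticality*5) on a 0-10 scale."""
    for name, rating in (("current_effect", current_effect),
                         ("projected_effect", projected_effect),
                         ("system_criticality", system_criticality)):
        if not 0.0 <= rating <= 1.0:   # assumption: ratings are fractions in [0, 1]
            raise ValueError(f"{name} must be in [0, 1], got {rating}")
    raw = current_effect * 2.5 + projected_effect * 2.5 + system_criticality * 5
    return int(math.floor(raw + 0.5))   # half-up, unlike Python's banker's round()


@dataclass
class Incident:
    ident: str
    opened: datetime
    closed: datetime
    labor_hours: float       # total analyst hours booked to the incident
    score: int               # severity_score() at detection time

    def hours_open(self):
        """Elapsed time per incident, detection to closure."""
        return (self.closed - self.opened).total_seconds() / 3600.0


# Constructed incident log for one month (ids, times and hours are invented).
SAMPLE_INCIDENTS = [
    Incident("INC-0001", datetime(2011, 6, 1, 9, 0), datetime(2011, 6, 1, 13, 0),
             labor_hours=6.0, score=severity_score(0.5, 0.75, 1.0)),
    Incident("INC-0002", datetime(2011, 6, 3, 22, 0), datetime(2011, 6, 4, 4, 0),
             labor_hours=10.0, score=severity_score(0.25, 0.25, 0.5)),
    Incident("INC-0003", datetime(2011, 6, 10, 10, 0), datetime(2011, 6, 10, 12, 0),
             labor_hours=1.5, score=severity_score(0.0, 0.0, 0.25)),
]


def team_metrics(incidents):
    """Number of incidents handled, time per incident, labor per incident."""
    n = len(incidents)
    if n == 0:
        return {"incidents_handled": 0, "mean_hours_per_incident": 0.0,
                "mean_labor_hours_per_incident": 0.0, "total_labor_hours": 0.0}
    total_labor = sum(i.labor_hours for i in incidents)
    return {
        "incidents_handled": n,
        "mean_hours_per_incident": sum(i.hours_open() for i in incidents) / n,
        "mean_labor_hours_per_incident": total_labor / n,
        "total_labor_hours": total_labor,
    }


def monthly_metrics():
    return team_metrics(SAMPLE_INCIDENTS)


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(f"{inc.ident}: score {inc.score}, open {inc.hours_open():.1f} h, "
              f"labor {inc.labor_hours} h")
    print(monthly_metrics())
```

Labor hours are recorded separately from elapsed time because the two diverge in practice: an overnight incident can be open for six hours while several people book ten, and it is the labor figure that drives the costing the lessons-learned meeting is asked to quantify.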

Page 47: Select idps

Summary

Info-Tech Research Group 47

• Intrusion Prevention tools have come a long way since their introduction into the market place and are now ready to supersede their detection-only counterparts as the primary security tool behind the firewall.

• The costs associated with not having some form of IDPS on your corporate network are significant – highly sensitive data on the network can be accessed by the wrong people, and you can easily lose your job.

• Take the time to understand the decision points of deploying an IDPS – they are interconnected pieces of an overarching strategy – skimping here means more time and money poured into an implementation that is already time consuming.

• Table Stakes are offered by every vendor in the space – decide if you need more and act accordingly.

• If you’re interested in where you can get the most “bang for your buck,” refer to the Composite Performance Index scores – they focus solely on affordability.

• If you don’t monitor, you won’t get anywhere. Monitoring and reviewing the daily logs an IDPS produces are critical to understanding where thresholds need to be tweaked.

• Tuning the box should be your highest priority. A tuned box catches 19% more threats than an untuned one – if you’re short on manpower, this is the quickest and most effective way of reducing the burden on your team.

Page 48: Select idps

Appendix

Info-Tech Research Group 48

Page 49: Select idps

Vendor Landscape Methodology

Info-Tech Research Group 49

Info-Tech Research Group Vendor Landscape market evaluations are a part of a larger product selection solution set, referred to as a Select Set.

The Vendor Landscape evaluation process starts with a customer survey. Customers tell us which vendors and products they’ve heard of and which ones they use, plan to use, or are investigating.

From the survey results, and the domain experience of our analysts, a vendor/product shortlist is established. Product briefings are requested from each of these vendors, asking for information on the company, products, technology, customers, partners, sales models, and pricing.

Our analysts then score each vendor and product across a variety of categories. These scores are then weighted according to weighting factors that our analysts believe represent the weight that an average client should apply to each criterion. The weighted scores are then averaged for each of two high level categories: vendor score and product score. A plot of these two resulting scores is generated to place vendors in one of five categories: Champion, Competitor, Emerging Player, Innovator, and Industry Standard.

Analysts take the individual scores for each vendor/product in each evaluation category and normalize them to a scale of zero to four. This produces a relative scoring, where a low score value indicates low performance in that category relative to the performance of the other products in that category and vice versa for a high score. These normalized scores are represented with Harvey Balls, ranging from an open circle for a score of zero to a filled-in circle for a score of four. Harvey Ball scores do not represent absolute scores, only relative scores.

Individual scorecards are then sent to the vendors for factual review, and to ensure no information is under embargo. We will make corrections where factual errors exist (e.g. pricing, features, technical specifications). We will consider suggestions concerning benefits, functional quality, value, etc.; however, these suggestions must be validated by feedback from our customers. We do not accept changes that are not corroborated by actual client experience or wording changes that are purely part of a vendor’s market messaging or positioning. Any resulting changes to final scores are then made as needed, before publishing the results to Info-Tech clients.
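The normalization and weighting steps described above, as an added Python example that is not Info-Tech's own tooling. Raw 0-100 analyst scores for three invented vendors are normalized per criterion to the relative 0-4 scale, rendered as Harvey Balls, and combined with invented weights into the vendor score and product score the landscape plots. The criteria names, weights and scores are assumptions; the plot's category boundaries are not given on the page and are not modelled.

```python
"""Added example (not Info-Tech's own tooling): the Vendor Landscape
scoring steps over constructed data.  Criteria, weights and raw scores are
assumptions; category placement on the plot is not modelled."""
import math

HARVEY_BALLS = "○◔◑◕●"   # open circle for 0 up to a filled circle for 4

# Constructed criteria, split into the two high-level groups, with weights an
# analyst might assign.  Weights within a group need not sum to 1.
VENDOR_WEIGHTS = {"viability": 0.4, "strategy": 0.3, "reach": 0.3}
PRODUCT_WEIGHTS = {"features": 0.5, "usability": 0.25, "affordability": 0.25}

RAW_SCORES = {   # constructed 0-100 analyst scores for three invented vendors
    "Vendor A": {"viability": 90, "strategy": 40, "reach": 70,
                 "features": 85, "usability": 60, "affordability": 30},
    "Vendor B": {"viability": 30, "strategy": 80, "reach": 40,
                 "features": 55, "usability": 90, "affordability": 90},
    "Vendor C": {"viability": 60, "strategy": 60, "reach": 100,
                 "features": 40, "usability": 40, "affordability": 60},
}


def normalize(raw_scores, criterion):
    """Relative 0-4 score per vendor: worst in the field -> 0, best -> 4."""
    values = [s[criterion] for s in raw_scores.values()]
    lo, hi = min(values), max(values)
    out = {}
    for vendor, scores in raw_scores.items():
        if hi == lo:
            out[vendor] = 0      # no spread, nothing to rank (assumption)
        else:
            scaled = 4.0 * (scores[criterion] - lo) / (hi - lo)
            out[vendor] = int(math.floor(scaled + 0.5))   # halves round up
    return out


def harvey_ball(score):
    """Glyph for a normalized 0-4 score; relative, not absolute."""
    return HARVEY_BALLS[score]


def weighted_average(normalized_by_criterion, weights, vendor):
    total_weight = sum(weights.values())
    return sum(weights[c] * normalized_by_criterion[c][vendor]
               for c in weights) / total_weight


def landscape_scores(raw_scores=RAW_SCORES):
    """Return {vendor: {"vendor": x, "product": y, "balls": {criterion: glyph}}}."""
    all_weights = {**VENDOR_WEIGHTS, **PRODUCT_WEIGHTS}
    normalized = {c: normalize(raw_scores, c) for c in all_weights}
    result = {}
    for vendor in raw_scores:
        result[vendor] = {
            "vendor": weighted_average(normalized, VENDOR_WEIGHTS, vendor),
            "product": weighted_average(normalized, PRODUCT_WEIGHTS, vendor),
            "balls": {c: harvey_ball(normalized[c][vendor]) for c in all_weights},
        }
    return result


if __name__ == "__main__":
    for vendor, r in landscape_scores().items():
        balls = " ".join(f"{c}={g}" for c, g in r["balls"].items())
        print(f"{vendor}: vendor score {r['vendor']:.2f}, "
              f"product score {r['product']:.2f}  {balls}")
```

Because each criterion is scaled against the field's own minimum and maximum, a vendor's Harvey Ball changes when the set of vendors in the study changes, which is exactly why the page warns that the balls are relative rather than absolute scores.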

Vendor Landscapes are refreshed every 12 to 24 months, depending upon the dynamics of each individual market.