Eric Smithson, systems engineer of Birmingham, Ala.-based Colonial Properties Trust, knows first hand the price for lacking intrusion detection. "We got nailed with a very bad virus [Netsky] and it really woke some people up -- the CEO, chief information officer -- [about] how critical our data is and that we need to start being proactive instead of reactive. And so they gave us a little leniency to go out and find a product that was...
what we thought we needed."
An intrusion detection system (IDS) keeps tabs on inbound and outbound network activity, looking for patterns that might indicate an attack. It doesn't come cheap. Still, when your business is on the line due to the current deluge of threats and vulnerabilities, even a small or midsized business IT professional can convince management that an IDS is time and money well spent.
After Smithson got the green light to purchase a commercial IDS, he decided on Lancope's StealthWatch IDS. As a part-time security practitioner, Smithson wanted a reliable, mature product with strong customer service even if it meant spending extra money. Also, Lancope's location -- Alpharetta, Ga. -- eased Smithson's worries about possible problems of working with a long-distance vendor.
Smithson emphasized, "We have local partners that are excellent, too, that we deal with exclusively. We may pay a dollar more, but if we can call them and they'll help us … trust me in the long run it works itself out, because they'll do a lot more for you."
Others saw the need immediately and rather than wait for that first attack to take down their networks, they took the proactive approach.
Tarun Reddy, a network engineer at Boulder, Colo.-based Rally Software Development Corp., which provides lifecycle development application services, understood the business reason for an intrusion detection system. "We're fairly secure in terms [of] constantly doing updates, but it often gives our customers extra secure peace of mind."
Offered Bob Wood, a senior network analyst at Skokie, Ill.-based Rand McNally & Co.: "Management understands the need to protect our data assets and is willing to invest in staying ahead of growing security risks." For him, it was simply a matter of doing the research, testing products and presenting management with its options before he went ahead with his purchase of StealthWatch IDS for Rand McNally's network.
However, an engineer's job is really just getting started after securing the funding to purchase an IDS. For the small shop that has one or two people focused on security, it's a challenge to find enough time to give IDS the care it requires. After all, an IDS requires time to investigate alerts and tune sensors; it's not a technology that can be put on a network and left alone for months at a time.
Because of this time requirement, Snort, a popular open source IDS software, is not an ideal technology to meet the demands of an SMB.
Marty Roesch, creator of Snort and chief technology officer of Columbia, Md.-based Sourcefire, added, "Snort's a really good intrusion detection engine but that's all it is. So, there's an issue with getting started up with it -- as far as how to configure it, scalable data analysis and reporting capabilities -- just basic system administration stuff."
Roesch also acknowledged that some engineers and admins find Snort's method of editing text files by hand daunting, especially if they're used to using a graphical user interface.
Both Wood and Smithson had installed Snort on their networks at one point, but conceded the manual demands of the software were either beyond their skill level or required too much of their time to manually tune and maintain.
"Automation doesn't come cheap, but that's why you go to open source. And Snort is a good product -- it just takes time," admitted Smithson.
Snort seems to be the perfect component within the small or medium-sized security posture since it provides reliable security at a low cost.
Paul Proctor, a vice president of Stamford, Conn.-based Meta Group Inc., supported this opinion. "SMBs usually have one, two or three people who are directed toward doing security as part-time. If they use an IDS, a lot of times they're using things like freeware Snort."
But despite this view, Reddy, Smithson and Wood all ended up choosing a proprietary IDS, mainly because of they saved time analyzing alerts for anomalies that may indicate a threat. Their experience, however, varied when it came to managing them.
Each has since learned how to better manage an intrusion detection system.
"If you're not going to work with it [IDS], I'd save the money and spend it somewhere else. It's really an alerting system, and if you're not going to follow up on the alerts, then there's no value. I would budget in -- when you purchase a product like this -- the time to work with it and to learn it," cautioned Wood.
Smithson stressed the importance of automation and good working partners as the key to his success in managing the IDS on Colonial Properties Trusts' network.
"Automation is key to any small and medium-sized company if you want to get anything done. It's important to partner with people you can communicate with," he said. "Don't waste your time on someone who won't call you back, who won't deal with you."