
May 29, 2000


Human Element Is Key To Stopping Hackers

Intrusion-detection services proliferate as attacks become more frequent and damaging

By Kelly Jackson Higgins

illo by Richard Borge
    It was 2 a.m. when the intrusion-detection alarm sounded at DefendNet Solutions Inc. Security technicians at the managed-security services firm scrambled to find the source of the suspicious traffic, which was hitting one of its clients' networks. Once they traced it to the source, DefendNet's techs phoned the IT department of the company running the culprit machine. Turns out the unauthorized traffic wasn't a hack attack, but the result of an innocent mistake: a misconfigured Simple Network Management Protocol machine.

    False alarms such as this unfortunately are all too common for intrusion-detection technology. Companies can't rely on the software alone to determine whether, for instance, Internet Control Message Protocol traffic hitting a router is carrying legitimate messages to the device or instead is being used as a vehicle for a denial-of-service attack. So the choice is either to have your own security technicians on duty around the clock or to go with an outsourcing company.

    "You really need human interaction to sort and analyze whether an alarm event is significant," says Vincent Giordano, president and CEO of DefendNet.

    Intrusion-detection services come with around-the-clock outside experts who collate and sift through all the information, superfluous or not, generated by intrusion-detection sensors sitting on a network. These services manage all the hardware and software tools, too. Companies typically pay a monthly fee for such services.

    Most security providers package intrusion detection as part of a suite of managed-security offerings that also include firewalls, vulnerability assessment, and, in some cases, secure virtual private networks (VPN). Companies such as DefendNet, IBM Global Services, Internet Security Systems (ISS), Pilot Network Services, and RIPTech already offer intrusion-detection services. Other security companies, including Axent Technologies Inc., plan to roll them out soon. The market for managed-security services is expected to reach more than $2 billion worldwide by 2003, up from $512 million in 1998, according to research firm International Data Corp.

    Still, intrusion detection is in its infancy. It wasn't long ago that intrusion detection meant paying so-called "white hat" hackers to simulate break-ins to a company's network and search for clues of any real attempts. Companies now are under pressure to place full-time monitoring tools at the hot spots in their networks to continuously sniff out and deter intruders.

    An intrusion-detection tool works much like an antivirus package. Sensors look for known "signatures," or potential hacker tools and footprints, and notify the main intrusion-detection server if they find any. The server then sends out an alarm. Depending on the security tool or service, the sensor records all these events locally in a log, which can be pulled by the server into a relational database to track trends and generate reports. ISS's ePatrol Managed Intrusion Detection service, for instance, stores information on events in a Microsoft Access and SQL relational database. A tool or service can also be customized to automatically shut down a particularly sensitive port if it receives unauthorized traffic.
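
The sensor-to-server pipeline described above, as an added illustration (not code from ISS, DefendNet, or any other vendor named in the article). The signature names, patterns, and traffic records are constructed for the example; the database is an in-memory SQLite table standing in for the relational store.

```python
import re
import sqlite3

# Hypothetical signatures, constructed for this example (not from any product).
SIGNATURES = {
    "snmp-default-community": re.compile(r"dport=161 .*community=public"),
    "icmp-oversized-echo": re.compile(r"proto=ICMP type=8 size=\d{4,}"),
}

# Constructed traffic records; addresses are private/documentation ranges.
SAMPLE_TRAFFIC = [
    "02:00:01 src=10.1.4.7 dst=192.0.2.10 proto=UDP dport=161 community=public",
    "02:00:02 src=10.1.4.7 dst=192.0.2.10 proto=UDP dport=161 community=public",
    "02:00:05 src=198.51.100.23 dst=192.0.2.1 proto=ICMP type=8 size=65500",
    "02:00:09 src=203.0.113.5 dst=192.0.2.20 proto=TCP dport=80 flags=SA",
    "02:00:11 src=10.1.4.7 dst=192.0.2.10 proto=UDP dport=161 community=public",
]

def sensor_scan(records):
    """Sensor: match records against known signatures, return the local event log."""
    log = []
    for record in records:
        ts = record.split()[0]
        src = re.search(r"src=(\S+)", record).group(1)
        for name, pattern in SIGNATURES.items():
            if pattern.search(record):
                log.append((ts, src, name))
    return log

def server_ingest(db, log):
    """Server: pull a sensor log into a relational table, one alarm per event."""
    db.execute("CREATE TABLE IF NOT EXISTS events (ts TEXT, src TEXT, signature TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?)", log)
    db.commit()
    return [f"ALARM {sig} from {src} at {ts}" for ts, src, sig in log]

def trend_report(db):
    """Per-source event counts: the view an analyst uses to judge significance."""
    return db.execute(
        "SELECT src, signature, COUNT(*) FROM events "
        "GROUP BY src, signature ORDER BY COUNT(*) DESC, src"
    ).fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    alarms = server_ingest(db, sensor_scan(SAMPLE_TRAFFIC))
    return alarms, trend_report(db)

if __name__ == "__main__":
    alarms, report = demo()
    print("\n".join(alarms))
    print(report)
```

The SNMP signature fires the same way for a misconfigured management host as it would for a probe, so the repeated internal source in the report still has to be interpreted by a person.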

    With more hackers, crackers, and script kiddies attempting to punch holes in firewalls and plant nefarious codes in the pores of operating systems, it's no longer enough to plop down a firewall at the edge of a network. There are four times as many hacker attacks a day in North America as there were just one year ago, according to ICSA, a security consulting firm.

    And the attacks are getting more high-profile and widespread: The distributed denial-of-service attacks on sites such as Amazon.com, CNN, and Yahoo in February boosted awareness of, and business for, intrusion-detection technology, which basically acts as a burglar alarm on the network.

    Security experts predict that the next round of hacker attacks will be more deadly, potentially taking down significant chunks of the Internet by exploiting domain name system servers and Hypertext Markup Language and JavaScript codes to do their dirty deeds.
