Attacks Averted
Intrusion-prevention tools prove themselves by stopping worms like Slammer in their tracks
When the Slammer worm invaded the Internet on Jan. 25, it flooded corporate networks and servers with messages, shut down E-commerce sites, disabled some ATMs, and slowed traffic on parts of the Web to a crawl. But Slammer didn't worry Eric Chamberlain, an Active Directory architect for the University of California, Berkeley, even though the school's computer systems were running software that was vulnerable to the worm.
Last summer, Chamberlain installed intrusion-prevention software from Okena Inc., which he says has stopped several attacks against the university's servers and desktop computers. When Slammer hit, the Okena security software prevented the worm from infecting unpatched systems in the university's network. "It worked again," he says.
Chamberlain is one of a growing number of business-technology professionals impressed with intrusion-prevention tools that watch for "bad behavior" (buffer overflows or unusual port scans, for example) and then address it. Unlike intrusion-detection tools and antivirus products, which scan for known virus and worm code to identify potential attacks, server- and PC-based intrusion-prevention tools learn how applications and operating systems are supposed to act, then incorporate behavioral policies based on that knowledge, which lets them stop new attacks. Administrators can write the rules of behavior for some applications themselves or let the software log application activity to build its own understanding of appropriate behavior. The market for these products, which are sold mostly by startup vendors such as Entercept, Harris, Okena, and Sana Security, has been small. But it's expected to grow quickly, from $62 million last year to $520 million by 2007, according to the Yankee Group, an analyst firm.
Okena software helped UC Berkeley avoid damage from the recent Slammer worm, Chamberlain says.
Cisco Systems' well-timed entry into the intrusion-prevention market should help fuel that growth. The day before Slammer hit, the leader in networking, firewall, and intrusion-detection hardware systems said it would pay $154 million in stock to buy Okena, which analysts estimate had less than $10 million in revenue last year. Cisco officials won't discuss plans for integrating the technology into the company's products or whether they'll sell it as a standalone product. But the acquisition is already raising the technology's profile. "I probably wouldn't have known about intrusion prevention except that Cisco has the power to bring it in front of me," says Larry Peterson, VP of corporate technology services at Gelco Information Network, a provider of outsourced E-business services to the consumer-goods industry.
Other major security vendors see opportunity, too. Check Point, NetScreen, Network Associates, Symantec, and Trend Micro are expected to bolster their security apps with intrusion-prevention capabilities, either through acquisitions or in-house development. Internet Security Systems Inc. last month enhanced its software's ability to correlate a company's software vulnerabilities with real-time information to better stop attacks.
Having realized that antivirus software and firewalls don't stop all attacks, companies are eager for several lines of defense in the battle against threats. Attacks more sophisticated than Slammer "could be devastating," President Bush's cybersecurity adviser, Richard Clarke, told colleagues last week in an E-mail confirming his resignation plans, according to published reports.
Radianz, a network-services provider for the financial-services industry, had security systems in place that prevented Slammer from infecting its computers, but chief information security officer Lloyd Hession says he's glad he'd installed ISS's software for added protection. "It's a belt-and-suspenders approach," he says.
Another factor that makes intrusion-prevention technology appealing is that it promises to help security pros get better control of the costly and time-consuming process of installing software patches to plug vulnerabilities in operating systems and applications and to fend off known viruses and worms. A patch was issued last summer to fix the vulnerability in Microsoft's SQL Server software that Slammer used to infect systems. But the success of Slammer shows that many systems and networks weren't patched.
It's easy to see how slipups can occur. Security experts keep finding new software vulnerabilities (nearly 50 a week), and vendors keep trying to fix the problems with software patches. IT managers spend two hours per server to test and deploy a patch, which leads research firm Gartner to estimate that it can cost a company with 1,000 servers about $300,000 for each patch. Though other tools that manage and automate the deployment of server and desktop patches can cut the time and cost involved, Hession says that patching is "a problem that's reached ridiculous proportions." Microsoft, whose nearly ubiquitous software is the target of the majority of attacks, says its forthcoming Windows 2003 Server operating system will make patching easier with an automatic update feature. But some business-technology managers are leery. "You're always going to have to test these patches before rolling them out," and that's still time consuming, says James Pu, director of technology services with the Los Angeles County Employees Retirement Association.
Intrusion-prevention systems can reduce the urgency to patch. "Before, when a patch came out, we had to rush around and get all of these patches in place," UC Berkeley's Chamberlain says. "Now, I can read a Microsoft alert and nine times out of 10, Okena already is blocking it." The university will extend Okena's software to about 100 servers and 100 desktops this year.
Entercept's software has helped make patching more manageable for Bill Stevenson, New Century Mortgage Corp.'s information security officer. He installed Entercept 2.0 about a year ago. "If a new buffer overflow attack comes out, we know we're going to stop it even before we apply patches," Stevenson says.
Intrusion-prevention systems aren't perfected. Getting them to recognize proper and improper behavior can be difficult. Some security experts complain that the software goes into action during completely legitimate operations, such as when applications are changed on production servers, and that limits the software's use on networks. Chad Harrington, Entercept's security-products director, promises the tools will become simpler to manage over the next two years, and eventually "intrusion-prevention applications will require no user interaction."
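The "learn normal behavior, then block deviations" model described earlier, together with the false-positive problem raised in the paragraph above, can be shown in a few dozen lines. The following is an added illustration written for this article, not code from Okena, Entercept, or any other vendor named here: the `Event`, `BehaviorPolicy`, and `run_scenario` names are this example's own, and every event in it (process names, ports, file paths) is constructed sample data rather than real telemetry.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One action a process attempted. All events below are constructed samples."""
    process: str   # image name, e.g. "sqlservr.exe"
    action: str    # what it tried to do: listen, connect, read, write, exec
    target: str    # port, file or program the action applies to


@dataclass
class BehaviorPolicy:
    """Per-process allowlist of (action, target) pairs.

    In learning mode every observed pair is recorded as normal; once
    enforcement starts, anything outside the recorded set is blocked.
    Names and API are this example's own, not any vendor's.
    """
    learning: bool = True
    allowed: Dict[str, Set[Tuple[str, str]]] = field(
        default_factory=lambda: defaultdict(set))
    decisions: List[Tuple[str, Event]] = field(default_factory=list)

    def add_rule(self, process: str, action: str, target: str) -> None:
        """Administrator-written rule, the hand-authored alternative to learning."""
        self.allowed[process].add((action, target))

    def observe(self, ev: Event) -> str:
        """Return 'learned', 'allow' or 'block' for one event and record it."""
        key = (ev.action, ev.target)
        if self.learning:
            self.allowed[ev.process].add(key)
            verdict = "learned"
        elif key in self.allowed[ev.process]:
            verdict = "allow"
        else:
            verdict = "block"
        self.decisions.append((verdict, ev))
        return verdict

    def blocked(self) -> List[Event]:
        """Every event the policy refused, for the operator's review queue."""
        return [ev for verdict, ev in self.decisions if verdict == "block"]


# Constructed baseline: what a database server normally does on this host.
BASELINE = [
    Event("sqlservr.exe", "listen", "tcp/1433"),
    Event("sqlservr.exe", "listen", "udp/1434"),
    Event("sqlservr.exe", "read", "D:/data/master.mdf"),
    Event("sqlservr.exe", "write", "D:/data/master.mdf"),
]


def run_scenario() -> Dict[str, str]:
    """Learn a baseline, then enforce it against constructed events."""
    policy = BehaviorPolicy()
    for ev in BASELINE:
        policy.observe(ev)
    policy.learning = False

    results: Dict[str, str] = {}
    # Routine activity seen during learning passes.
    results["routine_read"] = policy.observe(
        Event("sqlservr.exe", "read", "D:/data/master.mdf"))
    # A database process that suddenly sends outbound UDP or launches a
    # shell is behaving like a hijacked process; neither was in the baseline.
    results["outbound_udp"] = policy.observe(
        Event("sqlservr.exe", "connect", "udp/1434"))
    results["spawn_shell"] = policy.observe(
        Event("sqlservr.exe", "exec", "cmd.exe"))
    # The false-positive case the article warns about: a legitimate upgrade
    # adds a new data file that the old baseline has never seen.
    results["upgrade_before_rule"] = policy.observe(
        Event("sqlservr.exe", "read", "D:/data/reports.ndf"))
    # The operator resolves it with an explicit rule instead of a full relearn.
    policy.add_rule("sqlservr.exe", "read", "D:/data/reports.ndf")
    results["upgrade_after_rule"] = policy.observe(
        Event("sqlservr.exe", "read", "D:/data/reports.ndf"))
    results["blocked_total"] = str(len(policy.blocked()))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22} {verdict}")
```

The two enforcement outcomes side by side are the point: the same allowlist that stops a process doing something it never did before (outbound UDP, a spawned shell) also stops a perfectly legitimate change that was simply never learned, which is why such tools need an operator workflow (a hand-written rule or a relearning window) whenever production applications change.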
If intrusion-prevention systems reach that level of sophistication, they'll put information-security pros more at ease when the next big worm attacks, like Stevenson was with Slammer. While many security managers worked around the clock to rid systems of Slammer, he spent the weekend at home with friends. Says Stevenson, "I didn't lose any sleep." -with Martin J. Garvey