Gene Hodges, president of Network Associates Inc. in Santa Clara, Calif., talked about new intrusion-prevention technologies with Computerworld's Matt Hamblen and Rob Mitchell.
Q: What is your current security technology emphasis at Network Associates?
In the last year or so, a new set of technologies has emerged which will have a fairly heavy positive impact on enterprise security. Loosely, the technologies are known as intrusion prevention. We think that these technologies, which allow us to stop attacks in real time, are going to be necessary because the speed of the propagation of the mass attacks has gotten very, very rapid. Slammer is a good example. It propagated around the Internet in about three minutes on a global scale. This is beyond any realistic human organization's ability to react.
By the time you've woken up and put on your shoes to go into the office, the network's already down.
So Network Associates invested in two acquisitions in April and May. One is focused on intrusion-prevention technology on host computer systems, and this was through the company Entercept. The second is focused on intrusion prevention on network systems, and this company was called IntruVert. We're integrating these technologies with our existing product lines and extending them so that, hopefully, over time, we can provide a very reliable platform that's automated, that can stop attacks even if they are unknown and do this cheaper. Because customers are getting to a point where the size of the security budget is becoming an issue.
Security spending has been increasing quite nicely for the past couple of years, but clearly that can't keep up indefinitely. Most security spends are getting into 3 percent to 5 percent of the IT budget, up from perhaps 1 percent. So it moves out of the "other" category and starts to get scrutinized.
Q: Do businesses really buy the validity of security products?
The business managers in electronic customer-facing industries like financial services have very definitely had to form opinions about what works and what doesn't work. It's too important to their business to just delegate it to IT people. On the other end of the spectrum, some industries like consumer goods aren't quite at that state yet. ... It's still the province of specialists, as opposed to being something that the line-of-business manager would have an opinion about, answering how much security is enough and what's the best way to get optimal security. Towards the leading edge is the federal government on this.
Q: What makes Network Associates different from other vendors?
These new technologies are still fairly rare, and we've made some smart acquisitions in technologies that work in production environments in a couple of handfuls of large companies, including a couple of financial institutions and high-tech companies. It's still leading edge, but we're doing real-time blocking of attacks successfully. We have it on the network side, and there's one major competitor on the host intrusion-detection side, and that's Cisco, with their Okena product line. Last week, it worked with the Cisco IOS (Internetworking Operating System) vulnerability and another Microsoft Web server vulnerability.
On the Microsoft vulnerability, if you had installed the host intrusion prevention, it would automatically stop, and you didn't have to update or do anything to prevent attacks going after that vulnerability because it was looking at a class of bad things that might happen on a Web server. That's Entercept on the host site and IntruShield on the network side.
On the network side, the IntruShield product was able to block attacks that would go after that exploit. We didn't see any, by the way. The Microsoft RPC (remote procedure call) exploit did have people who started using it within about 72 hours after it was reported. On the Cisco IOS, we didn't see any.
If the bad guys had moved fairly quickly with that exploit, it would have been automatically blocked. What does that mean for somebody who bought the stuff? It means that instead of scrambling to take down the router structure to have to patch it, they can do this in a controlled environment and have some quality around the change-control process.
Q: What about the false positives problem, with the risks being so high for companies if these tools clamp down on inappropriate traffic?
Yes, the consequences could be pretty bad. It's a key focus of the technology. Just as in antivirus, you have to get the false positives and false negatives low enough, almost to zero. The way people deploy it, they crank back on the sensitivity of the detection to the point where there are effectively zero false positives and then you see what you can still detect, if you still have any detection capability left. You don't just put out strong detection capability and see how many false positives you can tolerate. There's still quite a significant detection capability left, and what most customers do is they become more aggressive in a few key areas of their network that are very sensitive.
In parts of your network, if you see somebody suspiciously going after core data, you might shoot first and ask questions later. And there, if you generate a couple of false positive help desk calls, you are willing to live with it. In the broad reach of your network, though, you can't afford that kind of difficulty, so you crank the sensitivity down, and we still catch 60 percent to 80 percent of the attacks and block them automatically. So, it's not a 100 percent solution yet, but if you can eliminate two-thirds of the attacks, it's fundamentally more fulfilling for a security manager (to say), "We were attacked probably 30,000 times last month," (than) to be able to say, "We stopped 20,000 attacks, and there were 10,000 that probably got through, and we're doing deep forensic analysis on 100 of those that got through that look pretty serious."
We think that customers aren't going to be spending huge increasing amounts on security over time. The name of the game is to allow them to stop enough of the attacks so that they can shift the investment to the more sophisticated attacks, the attacks by inside users which are going to require very careful forensics to be able to prosecute. So, our objective is to crank the percentage of attacks we can stop up to 90 or 95 or 99 (percent).
Q: When will that happen?
We don't know yet. I think it is going to take a couple of years to get it into the 90s (percent). Multiple layers of defense in the 70s give you pretty much the same.
Q: Is there a race with Cisco and others?
Yes, it's a very avid technology race with Cisco, Symantec, ISS (Internet Security Systems Inc.) and others.
Q: How many developers moved over from IntruVert and Entercept?
About 60 in each.
Q: So how many are actually developing and doing research and development for Network Associates?
About 900 people out of 3,700 in the entire company.
Q: Is that the right amount of R&D to meet your needs?
It's probably a little high. It's at 20 percent of revenue in our last quarter, and it spikes up with acquisitions.
Q: What does it cost a customer to buy these new products?
For a medium-sized company, the network protection would be a quarter-million dollars, and the host protection would probably be about the same.
Q: How much of the critical intrusion activity are you actually able to catch with these tools?
Our percentages of critical activity caught are higher than 60 to 80 (percent), but there's not good statistical evidence yet. It will take us some time to collect that. Using the well-publicized vulnerabilities and attacks over the last six months, the two vulnerabilities last week were covered by the technologies. Slammer was stopped, time zero, no signature, by Entercept, and it did fine. So, here's the most publicized attack that probably caused the most damage.
The attacks that are beyond the current state of the art are quiet, stealthy inside attacks.