
The buzz around network intrusion prevention is a lot like that surrounding
airport security after Sept. 11: The need is critical, and everyone wants
a high-tech solution.
"You want to be able to walk from your car, onto the plane, without
having to be frisked or questioned," says Greg Hinkel, technology lead for
computer security at Oak Ridge National Laboratories, a Department of Energy
national laboratory in Oak Ridge, Tenn. "Most people want all the detection
to be automated and done while they're walking in."
But the most secure airlines rely far more on people than automation, he
says. "The Israeli airlines have people who interview passengers and ask them
a lot of questions. By interviewing their customers, they can pick out anomalies
in behavior. Well-trained people will ferret out far more breaches than the
latest X-ray machines or what have you, and that's also true of network intrusion
prevention."
But keeping skilled people in the thankless job of network security is a
tall order, says Steve Crutchley, founder of 4Front Security, an international
security consultancy. "The average tenure for a security staffer in the U.S.
is just 18 months now," he says, pointing to a statistic many attribute to
the lack of awareness and respect for computer security in today's corporate
environments.

Damned if you do . . .

The only way to measure prevention success is by a dearth of incidents, something
that over time can make security investments seem like overkill, says David
Piscitello, president of consultancy Core Competence.
He offers the scenario of a security information officer who works at a large
corporation that spends $25 million per year on security. He has used that
budget well, implementing security technologies that have buttoned up the
enterprise against any attacker. But without incidents to report — look, here's
why we need security — he can't justify his budget to the satisfaction of
business executives.
"The poor security administrator has to talk for 30 minutes justifying the
expense, knowing full well that no one else in the room has a clue about what
he's said," Piscitello says. "And at the end, they say, 'Well that doesn't
sound like it's worth $25 million. We're going to cut your budget 30%.'"
When the company is hacked three months later, it soon becomes clear why,
he says. "Unfortunately, the guy they hired to replace the $250,000-a-year
security information officer that the board fired didn't understand the system
and misconfigured it," he says.
Few organizations truly understand the importance of hiring, training and
keeping competent security personnel. "They put guys in a security department
who really have no skills," Crutchley says. "If you're thrown into a security
environment and just told to get on with it, you're going to play, make mistakes
and potentially put your organization at risk while you learn on the job.
And that's no way to protect a business."
What this means for intrusion prevention, Hinkel says, is backing up the
technology with highly trained people who can do the assessment, patches and
alarm correlation, decipher the logs and actually deter intrusions. "We need
good boxes automating what they can," he says, "but it's only with good people
using the tools that you get the best outcomes."