Axents Rob Clyde: Why You
Need Intrusion Detection
Anne C. Lear
I
nternet-based e-business
makes networks highly
vulnerable to attack, as
Web giants Yahoo and
eBay learned painfully in
February. Analysts estimate the
distributed denial of
service attacks that
brought down these
Web sites cost those
companies several
million dollars.
The cost of those
attacks and lingering
security concerns
have boosted intru-
sion detection on
the radar screens
of many network
administrators.
Once viewed as
a niche technol-
ogy for military
and other ul-
en
Photo
by Lea
h Hogst Effective intrusion
detection can help
you reap e-business
rewards and avoid the
sting of hack attacks.
trasensitive networks, intrusion
detection is increasingly seen as
essential for commercial net-
works. IDC expects the market
for intrusion detection and vul-
nerability assessment solutions to
grow nearly 40 percent yearly
through 2003.
To find out more about what
intrusion detection systems do
and how they can help you keep
hackers at bay, IT Professional
spoke with Rob Clyde, an expe-
80 IT Pro July August 2000
rienced security professional and 1980s, to be a hacker, you
vice president of security man- needed time, a motive, and a lot
agement at Axent Technologies. of knowledge. Sometimes hack-
ers were out to steal informa-
DETECTING THE THREAT tion, but often they broke into a
IT Pro: Although intrusion Continued on page 76
detection technology has been
around for almost two decades, Security Expert
people are just now beginning
to see it as a necessary compo-
and Optimist, Too
nent of enterprise network
Rob Clyde is vice presi-
security. Whats driving this
dent of security manage-
increased visibility?
ment at Axent Technologies,
which develops security prod-
Clyde: Most organizations had
ucts for e-business environ-
little use for intrusion detection.
ments. He created Axents
Not only did few conduct busi-
Information Security SWAT
ness over the Internet, many
Team, a group of security
actually had a policy of not con-
professionals that tracks
necting.This was a major theme
and develops solutions to
at security conferences in the
enterprise security threats
early 1990s. Most presenta-
such as hacking and denial
tionsmine among them
of service attacks.
advised, Dont connect, the
Clyde has more than 25
Internets too dangerous, its
years of experience in the
filled with problems.
security field and is a fre-
The amazing thing is that in
just a few years we have come
quent speaker on intrusion
detection and other secu-
full circlenow you have to
rity issues. In 1984, he wrote
connect to the Internet if you
want to stay competitive.
and published the Audit
software product, which
many consider to be a pio-
IT Pro: And this introduces
neering commercial intru-
new vulnerabilities into corpo-
sion detection system.
rate networks?
Clydes first commercial
venture, Clyde Digital Sys-
Clyde: Yes, because the original
tems, a security software
reasons we said dont connect
company, grew into a $5
still hold true. When you con-
million business before it
nect, suddenly the innermost
merged with Raxco Soft-
reaches of your network are
ware in 1991. In 1994, Clyde
open to anybody who can find a
cofounded Axent, which
way in through the Internet.
went public in 1996 and re-
Another scary thingalso a
ported sales of more than
direct result of the Internetis
$112 million in 1999.
what I call the democratization
of hacking. In the 1970s and
 PROFILE
Continued from page 80
network just to see if they could do it.
In the 1970s, when I was a systems
administrator, hacking was kind of a
game. People would send me a note
to say, Hey, look what I did, you
probably want to fix this, and I would
reply, Thanks for telling me; Ill get
right on it.
Hacking isnt a game, though, when
critical business assets are at stake.
And in the last few years, an individ-
ual hackers knowledge and ability has
become less important because hack-
ing information is widely available.
Axents SWAT team has found
more than 30,000 hacker-oriented
Web sites that make hacking as easy
as point and clickyou dont need to
know much, you just need time and a
motive. There are some sophisticated
tools out there, many with a nice
graphical interface and pull-down
menus. For instance, with a tool called
l0phtcrack, you just point and click
and out comes a list of passwords for
the NT servers youre trying to crack.
Other hacker sites offer specific
instructions like, here is how you
break into this version of Unix, heres
how you get into that version of
Windows NT. Oh, you hit a main-
frame? Here's what to do. They walk
you through the specific steps to
exploit the systems.
IT Pro: Are IT organizations becom-
ing more aware of these hacker sites
and the possibilities they create for
systematic, wide-scale attacks?
Clyde: Yes, awareness is definitely
growing. Four or five years ago, most
companies told us that until they have
a security problem, they didnt see the
need for intrusion detection or other
extra protection.
Today, no major corporation would
say such a thing, and most are trying
to address vulnerabilities in their net-
works. Most have had firewalls for a
while but now realize thats not
enough.
IT Pro: Why isnt a firewall enough to
protect a companys networks?
76 IT Pro July August 2000
Clyde: Attacks can still occur for the
simple reason that firewalls are per-
meablethey have to permit access.
You cant block absolutely everything
because you wouldnt be able to do
any e-commerce.
Photo by Leah Hogsten
Many in
IT now realize a
firewall isnt enough
to protect their
systems.
Most companies today say, I have
my firewall, but what am I going to do
for intrusion detection? Intrusion
detection is becoming a standard part
of security as opposed to some add-
on extra that maybe you will do if you
have the money. People view it almost
in the same class as a firewall.
KEEPING INTRUDERS AT BAY
IT Pro: How do intrusion detection
systems (IDSs) pick up on suspicious
network activity and decide whether
or not it constitutes an attack?
Clyde: An IDS might use several dif-
ferent approaches to detect attacks,
which may come from outsiders who
have no authorized access to your net-
work. Or problems can arise from
misuse by someone on the inside try-
ing to gain more access than theyre
authorized for.
Systems that use statistical-anom-
aly detection build a profile of valid,
normal use and monitor audit logs
for anomalous behavior, which could
indicate an attack and therefore trig-
gers an alert. In some military envi-
ronments, administrators willingly put
up with the resultsgenerally a lot of
false alarmsbecause the informa-
tion on their networks is so sensitive
that they are willing to sift through the
alerts to trace what happened.
Commercial users have much less
interest in a purely heuristic kind of
intrusion detectionnot only are the
false alarms annoying, management
often wants to know why there was an
alert or a user was blocked. In other
words, they need a deterministic sys-
tem that lets them trace the alert back
to a distinct cause. A rules-based sys-
tem encodes this kind of cause and
effect by searching for event
sequences that match known attack
or misuse profiles.
Most of todays systems use a com-
bination approach. For example, most
IT people would agree that if someone
tries to log in and fumbles their pass-
word more than three times, its prob-
ably not the user making mistakes, it is
somebody trying to guess the pass-
word. So an intrusion detection prod-
uct could have a rule based on
thresholds that alerts IT when some-
one has more than three failed log-ins.
IT Pro: Does a typical IDS incorpo-
rate a basic set of rules for defining
and detecting misuse or attacks?
Clyde: The military wanted to write
their own rules, so we the vendors sup-
plied them with good software to do
that. But the commercial sector essen-
tially wants shrink-wrap rules, and
most IDSs today have rule sets to
describe what constitutes a possible
intrusion. These should be general
enough that you dont miss new vari-
ants on old attacks, but fine-grained
enough not to cause a lot of false
alarms.
Also, users often want to add a few
of their own rules.This means vendors
need to offer comprehensive rule sets
but also build in extensibility.
IT Pro: Why is extensibility impor-
tant?
Clyde: Certainly you want an IDS
that, out of the box, can detect all
known security vulnerabilities. But
security is a very dynamic problem,
which means you need a system that
will allow you to update it quickly.
Also, there are typical methods that
hackers use to break into networks.
So you can add rules to your IDS to
scan for those electronic calling cards
or fingerprints typical of an attack. For
example, scanning or probing a net-
work almost always precedes an
attack. Once hackers find and identify
a system, they try to guess passwords
or grab password files. They might
delete their audit trailsin fact, one
of the most valuable rules you can
have is to detect when the audit trails
are modified or deleted.
For example, when hackers planted
the zombies that ultimately carried
out recent distributed denial of service
attacks, one step would generally be
to cover their tracks after installing the
zombie code, which requires altering
the audit trail. If you have intrusion
detection software that is monitoring
the audit trails status, youll know
when somebody has broken into your
system.
IT Pro: How do users acquire and
deploy new rules to cover these new
types of attacks?
Clyde: Our SWAT team writes and
distributes new rules for our IDS
products via the Web when they find
new attack patterns, and users can
write their own rules as well. The key
is to be able to quickly deploy them. If
the IDSand some work like this
requires you to install a new version
to update the rules, you have a big
problem on your hands, particularly
if you have a host-based system run-
ning on thousands of machines.
An extensible IDS lets you deploy
these new rules without having to
reinstall the softwarea lot like
adding new signatures to virus detec-
tion software. It means we can
respond faster and you have better
protection for your networks.
Photo by Leah Hogsten
Security is
a dynamic problem,
which requires
systems we can
update easily.
IT Pro: Do todays intrusion detection
systems also provide more detailed
information, such as what specific kind
of attack might be happening or what
steps to take to stop it?
Clyde: In some cases, the system can
describe what kind of attack is prob-
ably happening, the network vulner-
ability that allowed it in, how to fix it,
and what next steps to take.With cen-
tralized reporting, its easier to see the
larger picture so you dont have to
send each of your administrators off
chasing one little piece.
Current systems, however, tend to
report information focused on specific
types of attack. If you are not careful,
an administrator might say,Oh, I had
some log-in failures so Im going to
take these steps, and while he is
working on that, the hackers are busy
attacking from another angle.
What you really need is someone
savvy enough to spot a concerted
attack and who knows when to notify
management, local law enforcement,
the FBI, or the National Infrastructure
Protection Center.
IT Pro: Does this mean IT depart-
ments need trained security experts
who know how to interpret and act on
the information the tools give them?
Clyde: Definitely. The nice thing
about better tools, though, is that not
every single administrator has to be
fully trained in security. It is so hard
to hire security professionals these
days. An IDS that provides central-
ized console management and some
level of interpretation can be critical.
We are working to improve our sys-
tems ability to aggregate and act on
information.Today, we can do a pretty
decent job of aggregating information
from all parts of the network to give
network administrators a good view
of what is happening.We can take spe-
cific actions against specific types of
attacks, but we are not at the point
where the program can automatically
interpret all available information and
initiate a complete response. We still
need human interventionsomeone
to make decisions like, who do we call?
Do we get law enforcement involved?
Did we track down the right things?
IT Pro: Intrusion detection systems
once had a reputation for being diffi-
cult to manage. Do some of the newer
systems address this concern?
Clyde: Todays IDSs can consolidate
the alerts to a central console. This
simplifies management and has other
benefits as well. For instance, if youre
under attack, you might not detect
that just from a long list of problems
in various places.You need a consoli-
dated view of the whole network to
see that youre getting log-in failures
all over the place, outsiders are scan-
ning your network, or youre getting
spoof packetswhatever.
A broader, centralized view lets you
see whether youre under concerted
attack better than one systems admin-
istrator saying he had a log-in failure
in his part of the system.
You need this for two reasons. One,
you want to know what is happening
on an enterprise level. And twothis
July August 2000 IT Pro 77
 PROFILE

is more subtle but extremely impor-
tantyou have to assume that when a
particular device or system is success-
fully attacked,everything on it could be
destroyed, including the record of all
the events your IDS so carefully col-
lected. Its critical to get that data off
those systems onto more tightly con-
trolled manager systems that arent
easy to get to,have no applications run-
ning on them, and can be accessed by
just one or two high-level IT people.
The hackers think they destroyed
your system and all the audit trails, so
they think they are getting off scot-
free because there is no record left.
Recording security events on your
manager systems gives you a lot more
resilience in tracking down what hap-
pened and doing something about it.
IT Pro: What actions might an IT
manager take when an intruder is
detected?
Clyde: Responses can be passive, such
as logging activity or alerting a man-
ager or even law enforcement.That is
by far the most common action and,
in most cases, it is initially the only
action taken.
Active responses might include ter-
minating the network session or
adjusting the firewall to block the IP
address from which the suspicious
traffic originates. If the suspicious user
is logged in to the system, you might
knock him off the system and disable
the account he used to get in.
The danger, of course, is that you
could accidentally take action against
someone who wasnt doing anything
wrong.
NEW TOOLS FOR NEW NEEDS
IT Pro: Will intrusion detection sys-
tems continue to be sold as separate
products, or will these features even-
tually be folded into broader security
systems?
Clyde: We are seeing a lot of integra-
tion, and as intrusion detection
technology becomes mainstream, cus-
tomers ask us to integrate it into fire-
walls and other security products. Our
Raptor firewall, for instance, detects
when outsiders try to send a Ping of
Death. This goes beyond classic fire-
wall stuff. In fact, we have a pretty
good list of well-known attacks and
defenses built into our firewall.
This doesnt mean you dont need
an IDSmost customers want to
know what exactly is banging up
against their firewall.This goes beyond
the scope of the firewall because intru-
sion detection means not just detect-
ing the attacks but also consolidating
the event and audit trail information
from around the network.
I think well see separate intrusion
detection products for some time, and
well start seeing some areas of spe-
cialization. Most of todays intrusion
detection products are geared to
infrastructure protectionprotecting
the network and servers. However,
the really critical assets are data and
applications, and application-level
instrusion detection will become
importantfor example, for database
or Web applications.
IT Pro: Ive recently read that some
companies are outsourcing intrusion
detection. Do you see this as a signif-
icant trend?
Clyde: Definitely. Companies are
starting to outsource parts or all of
their security programs, including
intrusion detection. Setting up the sys-
tem, developing the rules and policies,
monitoring the console, deciding how
to respond to alertsmany compa-
nies are looking into outsourcing
because it requires expertise, and get-
ting even a handful of security experts
can be difficult.
Outsourcing security is not for
everybodyit is a choice each com-
pany has to make based on resources,
priorities, and so on. Many companies
want that core competency in-house.
For example, most banks have done a
decent job building up their IT secu-
rity expertise and see it as core to their
business. Others just cant get momen-
tum in that area, and thats where out-
sourcing makes a lot of sense.

IT Pro: Do you see outsourcing as a

Circulation: IT Professional (ISSN 1520-9202) is published bimonthly by the IEEE Computer threat or an opportunity?
Society. IEEE Headquarters, Three Park Avenue, 17th Floor, New York, NY 10016-5997; IEEE
Computer Society Publications Office, 10662 Los Vaqueros Circle, PO Box 3014, Los Alamitos, Clyde: We view it as an opportunity
CA 90720-1314; voice +714 821 8380; fax +714 821 4010; IEEE Computer Society Headquarters,
1730 Massachusetts Ave. NW, Washington, DC 20036-1903. Annual subscription: $35 in addition and work with several managed-ser-
to any IEEE Computer Society dues. Nonmember rates are available on request. Back issues: vice vendors, providing our expertise,
$10 for members, $20 for nonmembers. This magazine is also available on microfiche.
products, and methodologies. Xerox
Postmaster: Send address changes and undelivered copies to IT Professional, IEEE Service Europe recently contracted with
Center, 445 Hoes Lane, Piscataway, NJ 08855. Periodicals Postage Paid at New York, N.Y., and at
additional mailing offices. Canadian GST #125634188. Canada Post Publications Mail (Canadian Axent to provide security products
Distribution) Agreement Number 1445669. Printed in USA. and services for its mobile workforce
Editorial: Unless otherwise stated, bylined articles, as well as product and service descriptions, and new e-business projects. Many
reflect the authors or firms opinion. Inclusion in IT Professional does not necessarily constitute providers and customers are inter-
endorsement by the IEEE or the Computer Society. All submissions are subject to editing for
style, clarity, and space. ested in not just product but method-
ologyhow to set up and fine-tune an
IDS or other security product, for
example.
Also, a growing number of man-

78 IT Pro July August 2000

aged-service providers provide intru-
sion detection along with other ser-

Join the
vices.This is important for companies
that, for instance, outsource their Web
functions and want to know if their
Web applications are under attack.
Intrusion detection becomes very
important for all kinds of hosting ser-
vices, and those service providers will
look to the IDS vendors for products
and technical support.
IEEE
WHATS NEXT?
IT Pro: How will intrusion detection
technology evolve in the near future?
Computer Society
Clyde: Well definitely see improved
performancewe need to get to giga-
bit speeds, and also need to come
closer to the antivirus software model
online at
regarding ease of use and stream-

computer.org/join/
lined, regular updates.
We must also deal with new twists on
old attacks by collecting data from all
over the network via collectors embed-
ded in hubs, routers, and applications.
Deploying good rules will help deter-
mine when and from where an attack
Complete the online application
is happeningtracebacks will be really
important, but we have years to go
and
before thats consistently possible.
Hackers dont often realize that an Get immediate online access
IDS doesnt have to detect everything
they are doing to catch them.A system to Computer
just has to find one thing out of the
ordinary, latch onto it, and start track-
ing. If a hacker makes one mistake, Sign up for a FREE e-mail alias
does one thing that triggers the alarm,
youve got him.Youre essentially turn- you@computer.org
ing the tables on the attackers,and with
all the hackers and hacking resources
out there, thats very powerful.
Access the CS Digital Library
for only $50*
And thats just part of . . .
The Worlds Computer Society
*Regular price $99. Offer expires 15 August 2000
Anne C. Lear is a freelance technol-
ogy writer based in southern Califor-
nia. Contact her at stannabelle@yahoo.
com.

July August 2000 IT Pro 79