Project No 5: Intrusion Detection and Prevention

Project Summary
Technology: Systems that watch for and block unusual network or server activity that could indicate a security threat
Goals: Protect critical information systems proactively; reduce risk that a single event could halt the network
Average planned spending in 2005: $6.3 million

Sometimes, security projects get the go-ahead a little too late. For some companies, nothing makes the case for an intrusion detection and prevention system as forcefully as a direct hit from a debilitating, Internet-borne worm.

In August 2003, Rockford Health System’s e-mail systems and Web site were knocked out for about an hour by the Blaster worm, a self-propagating program that attacked Microsoft’s Internet servers with a flood of bogus traffic from thousands of infected computers around the world.

“It shut us down,” says Joe Granneman, manager of networking and data security at the company, which operates two hospitals in Rockford, Ill., and has 3,400 employees.

The worm had wriggled onto the computer of a single Rockford employee working from home, who was connected to the corporate network via a secure connection. From there, the Blaster worm quickly spread to several dozen other machines before Granneman and his team could shut it down.

In the month leading up to the Blaster outbreak, Granneman had been thinking about deploying an intrusion prevention system, which is designed to identify and block any unusual and potentially harmful activity on a data network. (Intrusion detection systems, by contrast, monitor networks and can sound alarms, but will not stop an attack.)
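The distinction drawn above (detection alarms, prevention blocks) comes down to what the device does after a rule fires. The following is an added example, not code from the article or from any product it mentions: a small inline monitor that applies one rule, a host contacting many distinct destinations on the same port within a short window (the fan-out pattern a self-propagating worm leaves), and runs it in either mode. The flow-record format, the threshold and window values, and the traffic sample are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Connection:
    """One outbound connection attempt, as a flow collector would record it."""
    ts: float   # seconds since the start of the capture
    src: str    # source host
    dst: str    # destination host
    dport: int  # destination port


class InlineMonitor:
    """Watches connection attempts for worm-style fan-out.

    mode="ids": raises alerts and lets every connection through.
    mode="ips": raises the same alerts and additionally drops all further
    traffic from the offending host for the rest of the session.
    """

    def __init__(self, mode="ids", threshold=10, window=60.0):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.threshold = threshold  # distinct destinations on one port ...
        self.window = window        # ... within this many seconds
        self.fanout = defaultdict(dict)  # (src, dport) -> {dst: last seen ts}
        self.alerts = []
        self.alerted = set()
        self.blocked = set()  # only ever populated in ips mode

    def process(self, conn):
        """Return True if the connection is forwarded, False if it is dropped."""
        if conn.src in self.blocked:
            return False
        seen = self.fanout[(conn.src, conn.dport)]
        seen[conn.dst] = conn.ts
        # forget destinations last contacted outside the sliding window
        for dst, last in list(seen.items()):
            if conn.ts - last > self.window:
                del seen[dst]
        if len(seen) >= self.threshold and conn.src not in self.alerted:
            self.alerted.add(conn.src)
            self.alerts.append(
                f"t={conn.ts:.0f}s {conn.src} reached {len(seen)} hosts "
                f"on tcp/{conn.dport} within {self.window:.0f}s"
            )
            if self.mode == "ips":
                self.blocked.add(conn.src)
                return False
        return True


def run(mode, conns):
    """Feed the connection list through a monitor; return it and what got through."""
    monitor = InlineMonitor(mode)
    forwarded = [c for c in conns if monitor.process(c)]
    return monitor, forwarded


# Constructed sample: one workstation browsing normally, plus one infected host
# (10.0.0.77) trying thirty neighbours on tcp/135 over thirty seconds.
NORMAL = [Connection(float(i), "10.0.0.5", f"10.0.2.{i + 1}", 443) for i in range(5)]
INFECTED = [Connection(10.0 + i, "10.0.0.77", f"10.0.1.{i + 1}", 135) for i in range(30)]
SAMPLE = NORMAL + INFECTED + [Connection(50.0, "10.0.0.5", "10.0.2.9", 443)]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        monitor, forwarded = run(mode, SAMPLE)
        print(f"{mode}: {len(forwarded)}/{len(SAMPLE)} connections forwarded, "
              f"blocked hosts={sorted(monitor.blocked)}")
        for alert in monitor.alerts:
            print("  ALERT", alert)
```

In IDS mode every connection is forwarded and the operator is left with one alert to act on; in IPS mode the same alert fires on the tenth distinct destination, that attempt is dropped, and the remaining twenty from the infected host never reach the network. The trade-off is visible in the threshold: set it too low and a legitimate host that fans out by design (a backup server, a monitoring poller) gets cut off automatically, which is why an inline blocking device needs tuning that a monitor-only sensor does not.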

He finally got the OK for the project from senior management, including his CEO, after the Blaster worm hit. “They don’t believe you until it really happens,” he says.

Early last year, the company bought two intrusion prevention switches from Top Layer Networks for less than $50,000. “It wasn’t budgeted,” Granneman says. “But the incident showed everyone just how devastating attacks can be.”

Organizations clearly intend to invest more money in proactive intrusion detection and prevention systems to intercept rapidly spreading threats before they can do any damage. Unlike a network firewall, which targets widely known vulnerabilities, intrusion detection and prevention products defend against undocumented types of attacks by identifying suspicious network activity. IDC expects worldwide spending on these technologies to double in five years, from $588 million in 2003 to $1.26 billion in 2008.