
Security Evolution: Towards Multi-Function Appliances

Date post: 12-Sep-2021

Security Evolution: Towards Multi-Function Appliances – Analysing Internet Security Systems’ Proventia™ M Series

By Jose Lopez,

Senior Security Industry Analyst, Frost & Sullivan

November 2003


THE IT SECURITY INDUSTRY

The reality of the IT security industry is that it is complex and highly fragmented. There are multiple products, solutions and services available to organisations and most of them address a different security need. Firewalls, virtual private networks (VPNs), intrusion detection/prevention systems (IDS/IPS), anti-virus software, authentication mechanisms, content filtering solutions and many others add to the confusion of organisations looking to protect their systems and data.

In addition, whilst traditionally enterprise security solutions have been software based, market demand has shifted towards appliance-based solutions due to easier deployment and increased performance. This trend has pushed software vendors to forge strategic partnerships with hardware equipment manufacturers or alternatively come up with their own hardware offering.

While each security vendor has strong claims for the efficacy of their products, the deployment of single technologies is insufficient. They must complement other technologies to guarantee an adequate level of protection against cyber-attacks. At the same time, budgets are usually limited and organisations often lack the internal resources to have dedicated teams to run efficiently all of the required elements for total protection. In practice, this means that many organisations adopt incomplete security strategies.

Figure 1 Multi-vendor management platform environment

Source: Frost & Sullivan

[Figure 1 labels: Vendors A, B, C and D; IDS/IPS Management Platform, Firewall/VPN Management Platform, Anti-virus Management Platform, Content Management Platform; VPN, IDS/IPS, Anti-Virus, Firewall, E-mail Filtering, Web Filtering]


Figure 1 shows the scenario of an organisation with a comprehensive approach to network perimeter security, including solutions from several vendors, each managed by its own management console. As the figure shows, many enterprises and public organisations face increased complexity when dealing with their network perimeter security. A security system based on point solutions and multiple management environments is complex to manage and usually very expensive to acquire and maintain. This is due to the multi-licensing agreements that the organisation has to enter into with the different vendors and the cost of employing dedicated personnel to manage these products. In most cases, these security technologies cannot communicate with each other and therefore operate with reduced efficiency. In addition, different teams, which may not share information with each other, often manage these products. This lack of centralised management of security events can lead to failure in dealing with a number of cyber-attacks.

UNIFIED SECURITY SOLUTIONS

Our experience has shown that many organisations believe that because they have a firewall and an anti-virus product in place they are fully protected from external and internal attacks. While these are core elements of any security strategy they are not enough to guarantee protection. In the wake of the virus attacks seen in August 2003 such as SoBig and Blaster, organisations and vendors are starting to realise that traditional point solutions are ineffective to stop hybrid attacks. Signature based anti-virus products can stop known viruses but behavioural analysis capabilities are needed to be able to stop unknown worms and viruses. While traditional intrusion detection products could detect the anomalies in the network, they can do little to stop them from attacking the affected networks. The solution is the deployment of a single unified security product to achieve the necessary level of protection.

It is clear to both vendors and end users alike that the new breed of security solutions need to deliver simplified deployment, management and maintenance as well as increased functionality. However, there has been little agreement amongst vendors about how to deliver on these requirements. Many vendors appear to be resolute in their determination to remain point solution providers. Other vendors, through either a lack of internal resources, or simply a lack of vision, have teamed up with some of their competitors in order to bring joint solutions to the market. However, some vendors are bringing multi-function solutions of their own to the market. These vendors are often market leaders who understand that integrated security is progressively becoming a norm in the industry.

Frost & Sullivan has long stated that the logical evolution of the IT security market is to integrate an increasing amount of functionality into a single device (for example see our 2003 Global Anti-Virus Market report (B248-74) and 2003 World Intrusion Detection and Prevention Markets (7425-74)). This trend has manifested itself with the combination of VPN and firewall technology in a single appliance. With the movement to inline IDS sensors, the IDS system can provide real-time denial of malicious traffic. The logical progression then, is the integration of this technology with the firewall, since both technologies are providing similar functions. The addition of content security products such as anti-virus and content filtering solutions to these appliances makes for a more complete security solution and provides real defence in depth.


Figure 2 shows a scenario where several elements necessary for network perimeter protection are integrated and managed from a single management platform.

Figure 2 Multi-function integrated security approach

Source: Frost & Sullivan

There are clear advantages to multiple services running on single devices, such as lower cost, centralised management, a more intelligent system, and ease of use. However, there have historically been two major barriers to the development of these platforms. The first is that whilst vendors have offered bundled services on fewer devices they have seldom integrated them. This means the value to the customer, in terms of lower cost and increased ease of use, has not been realised. The second barrier has been the lack of technological development of each individual technology and the lack of product performance.

As such, large enterprise customers have been more concerned with high-performance, best of breed technologies, and demanded the development capabilities of separate vendors for each technology. However, with improved processing power and more efficient software, the performance problem of multiple services on a single platform has been negated to an extent. However, initial customer acceptance has been slower due to the historical mentality of customers demanding best of breed technologies. Frost & Sullivan believes that the market will become increasingly aware of the benefits of implementing integrated multi-function security solutions and concerns will diminish considerably in the coming months. Cost to manage point solutions will attract large organisations to look for alternatives. Easy to deploy, easy to manage environments offered at less cost also have to demonstrate superior protection from known and unknown threats.

[Figure 2 labels: Vendor A; Centralised Management Platform; Firewall, VPN, IDS/IPS, Vulnerability Assessment, Anti-Virus, URL Filtering, E-mail Filtering, Anti-Spam; Gateway, Servers, Desktops]


INTERNET SECURITY SYSTEMS’ ANSWER TO CUSTOMER DEMANDS: PROVENTIA M SERIES

Frost & Sullivan believes that Internet Security Systems is a visionary in the security market. While maintaining its core focus on intrusion prevention, the company is currently undergoing an ambitious transformation from a point solution vendor to becoming a multi-function security player with the launch of its Proventia™ M Series. This transition has been a carefully planned move and is fruit of Internet Security Systems’ anticipation of the changes in customer demand. To support its vision, Internet Security Systems has progressively built and acquired additional security capabilities over the past years. This has led to the introduction of several security appliances of the Proventia family with additional functionality until its culmination in the M Series. This launch marks a milestone for the company and further validates the direction that the security market is taking towards integrated solutions.

Internet Security Systems’ Proventia M Series appliances unify multiple security technologies on a single device. As a multi-function device, Proventia M Series combines firewall and VPN, access control, intrusion detection and prevention, anti-virus protection, content and "spam" filtering to provide defence in depth. The advantages include easier installation, deployment, updating, correlation and maintenance. Figure 3 shows Internet Security Systems’ new Proventia M Series appliance architecture.

Figure 3 Unified Protection Architecture

Source: Internet Security Systems

One of the key benefits of the Proventia M Series solution is that it is modular. This means that investing in the solution is not a gamble with future technology. As new modules appear they can easily be integrated into the Proventia engine.

Although it is not the only security vendor in the integrated security appliances market, there are four key differentiating factors that position Internet Security Systems ahead of its competitors.


1. Centralised Management Platform

Internet Security Systems has designed Proventia M Series’ management console, SiteProtector™, as a centralised management platform that unifies the command and control, event management and analysis and incident response of network, server and desktop protection systems. Most competing vendors do not achieve the same level of granularity and cohesiveness with their products. In some cases, competing vendors have acquired complementary technologies, which they are finding difficult to integrate under a single management platform. Others have forged strategic relationships with complementary technology vendors in order to cover the holes in their product portfolio. These solutions are inherently weak because vendors lack control over the partner solution.

Internet Security Systems also offers the SiteProtector™ Security Fusion™ Module, which uses advanced correlation to automatically detect patterns of attacks of misuse. Security Fusion addresses event correlation issues prevalent in solutions that are not managed as one product. The Security Fusion Module uses advanced correlation to detect automatically patterns of misuse. The management console visually indicates security events with a high probability of success and provides automatic escalation criteria for critical security incidents.

The benefits to organisations include:

• Virtual elimination of false alarms and increased product efficiency

• Less need for in-house security expertise

In other words, Internet Security Systems’ centralised management approach can save organisations time and resources while reducing their total cost of ownership.

2. Built-in leading security intelligence

Frost & Sullivan believes that one of the most important factors that differentiates Internet Security Systems from its competition is its security intelligence practice, known as the X-Force™ team. X-Force is a group of security experts dedicated to analysing vulnerabilities and potential threats proactively. The team then publicises these threats.

The X-Force Team begins this process through Internet Security Systems’ Global Threat Operations Center (GTOC), which collects security threat information from five different Security Operations Centers placed in different locations worldwide. The aim is to analyse the nature and severity of any threat in real time. This information is transmitted via alerts, advisories, product updates and professional services.

Advisories are new vulnerabilities discovered by the X-Force team and most are of high risk. While advisories prepared by most other intelligence security teams provide information on low risk vulnerabilities or are academic in nature, the X-Force compiles a list of all major advisory vendors in the IT industry. It then makes decisions as to the specific risk posed by the vulnerability.


The team’s main criteria concerning preparing advisories include:

- Widespread nature of the vulnerability

- Seriousness of the vulnerability such as denial of service (DoS)

- Popularity of software and hardware platform such as Apache, Cisco, Sun Microsystems and Microsoft amongst others.

Figure 4 highlights the dominant position of Internet Security Systems’ X-Force team. This group has been responsible for over half of the total high-risk advisories in the last five years.

Figure 4 High Risk Advisories Worldwide, 1998-2003

Source: Frost & Sullivan, Internet Security Systems, Public Web Sites

As shown in the figure, Internet Security Systems’ security intelligence leadership puts the company considerably ahead of its competition. The key difference that affords X-Force this strong position is that in most cases other vendors have to wait until a worm is released to detect and prevent it. Internet Security Systems has the in-house capabilities to report these vulnerabilities to its customers with first-hand information, allowing them to react quickly.

Frost & Sullivan believes that Internet Security Systems’ X-Force team adds considerable value to the company’s offering. The ability to build security intelligence into its product portfolio, coupled with the company’s continual content updates and support services, provides invaluable support for the most demanding organisations. They can rely on the company’s expertise to deal with unknown threats and receive expert advice on how to deal with each of them.

Main benefit implications:

• Internet Security Systems’ industry expertise

• Higher level of security at no additional cost

[Figure 4 data: ISS 56%, Core SDI 16%, Eeye 10%, @Stake 9%, Foundstone 5%, Bindview 3%, Entercept/NAI 1%]


3. Single multi-function protection engine

The third key differentiator for ISS is that Proventia M Series uses a common engine for all of the security elements it contains known as the Unified Protection Engine (also referred to as the Protocol Analysis Module (PAM)).

The Unified Protection Engine is the common technology through which Internet Security Systems’ X-Force knowledge is transferred and processed, to provide high level protection at the network, server and desktop levels. This engine makes use of different techniques such as deep stateful protocol analysis, application state analysis and behavioural analysis.

Frost & Sullivan believes that this is a unique approach in the security industry. Other vendors have achieved considerable synergies between their products but we are not aware of another vendor who achieves such a seamless integration between their product offering. When inspecting a packet the process is done only once as opposed to opening the same packet several times to perform similar routines. With this, Internet Security Systems is one step ahead of its competitors concerning the integration of its security technologies.

Benefits to customers include:

• Faster security checks

• Improved overall performance of networks

• Maintenance of the desired level of security

4. Automated Virtual Patching

Patching systems is an expensive and lengthy process that is usually highly ineffective due to the work involved on the client side in applying patches and the number of patches issued within a given year. However, with Virtual Patch™, Internet Security Systems has replaced the need for this arduous process. Internet Security Systems has leveraged its investment in related technologies such as SiteProtector and the X-Force team to offer Virtual Patch to its Proventia customers. Virtual Patch protects vulnerable systems even before the affected vendor issues a patch itself.

Figure 5 shows the benefits of Internet Security Systems’ Virtual Patch approach compared to the traditional process of patching a system.


Figure 5 Patch free protection process versus traditional patching process

Source: Internet Security Systems

The benefits to customers include:

• Considerable cost savings

• Ability to free internal resources from intensive patch application processes

• Focus on core competencies

Perhaps just as importantly though, the Virtual Patch affords IT managers additional control over the patching process because they, rather than the software supplier, can dictate when the patch is applied.

Figure 6 summarises the features and benefits of Internet Security Systems’ Proventia M Series solution.

Figure 6 Features and benefits of Proventia M Series

Feature: SiteProtector; Security Fusion; X-Force; Protocol Analysis Module (PAM); Virtual Patch

Function:

Centralised Management Platform
• Central command, control and event correlation for network, desktop, server and assessment agents
• Distributed scanning for internal, external and dispersed networks

Built-in Leading Security Intelligence
• Original research and development on security threats
• Heavy involvement with industry security standards
• Offers first hand information and support to customers

Single Multi-Function Protection Engine
• Advanced detection, prevention and response technology
• Advanced scanning technology

Patch Free Protection
• Proactive protection of systems without the need of applying patches issued by affected vendors

Implications:
• Elimination of false alarms
• Increase effectiveness and efficiency of other security components
• Improved management and decreased complexity
• Comprehensive, current security content
• Expert Services and Support
• Direct support for the M Series
• Reduce redundancies
• Efficient product and signature updates
• Improved product synergies
• Enables application of virtual patch
• Prioritisation of vulnerability remediation
• No dedicated personnel to patching systems
• Zero day protection

Benefits:
• Reduction in total cost of ownership
• Reduction in operating expense
• Increased manageability
• Stronger all round protection

Internet Security Systems™ Proventia™ M Series

Source: Frost & Sullivan

[Figure 5 labels: New Vulnerability Found; Day 0; Day 14; Manual Protection; Completed Dynamic Protection; Apply Network Virtual Patch (< 1 day); Vendor Patch Availability (2 wks-6 mo); Apply Patch (500 man days); XPU; Apply Host Virtual Patch]


The key benefit we believe deserves additional commentary is that of reduced total cost of ownership. Frost & Sullivan research has shown that the key cost drivers for security products are the management of the solution, updates and patch applications, the needless redundancies caused by overlapping functionality of competing security solutions and the increasing incidents of false alarms.

Proventia addresses all of these cost drivers by eliminating much of the manual management of the solution through virtual patching, reducing the redundancies caused by overlapping solutions through the Unified Protection Engine and eliminating false alarms through its centralised management platform.

ADDITIONAL COMPETITIVE FACTORS

As well as these four differentiating factors there are a number of other reasons why Internet Security Systems is a leader in the security market:

• Internet Security Systems has successfully operated its managed security business since 1999. The company’s managed security offering includes its core IDS competencies but also encompasses managed firewall and VPN services and vulnerability management services as well as its X-Force Threat Analysis Service.

• The company is financially very stable. With no debt and over $200 million in the bank the company is a safe bet for the future.

• Finally, as figure 7 shows, Internet Security Systems is the undisputed leader of the intrusion detection/prevention market with 34 percent of the market. Indeed, Internet Security Systems has continued to lead the market since the company pioneered it in the late 1990’s.

Figure 7 Internet Security Systems Global IDS/IPS Market share 2002

Source: Frost & Sullivan

[Figure 7 data: Internet Security Systems 34%, Cisco 24%, Others 19%, Entercept 7%, Enterasys 6%, Symantec 5%, Tripwire 5%]


The company has been developing its capabilities in the RealSecure® product line for several years, lending an enviable level of maturity to these products.

• The acquisition of NetworkICE allowed ISS to strengthen its host sensor offering, as well as adding a desktop protection product to the portfolio. The availability of desktop security agents as well as server host agents has proven to be a powerful competitive advantage, as the company is able to leverage this breadth of product offering to win deals against competitors.

• Finally, Internet Security Systems’ track record as a leader in the security industry is a key differentiator. An example of which is the protection afforded to customers with blocking capabilities. These customers were able to defend themselves from the hybrid attacks that have caused problems for thousands of companies' networks worldwide.

CONCLUSION

Despite its fragmented nature, the IT security industry is moving towards convergence in response to market demands. Point solutions are generally difficult to manage, especially when they are deployed in multi-vendor, multi-platform environments.

However, the convergence of security technologies is broached in different ways by vendors. While some vendors are doing a good job integrating their technologies together, others are just bundling their products into a single offering but lacking real integration. The merging of these technologies should increase efficiencies and decrease redundancies.

Internet Security Systems is a visionary who understands this message. Leveraging its position as a market leader in intrusion prevention the company is now offering a multi-function appliance from the Proventia family, called Proventia M Series. This solution is a truly integrated multi-function solution. The Proventia M Series appliance is unique in the industry due to a combination of factors. These include centralised management platform, built-in security intelligence, single multi-function engine and elimination of traditional patching. As a result, Proventia M Series offers considerable benefits to organisations including simplified management and maintenance, better protection and best use of internal resources while reducing the total cost of ownership of the solution.

Finally, Frost & Sullivan believes that Proventia M Series proves that the company is one step ahead of its competitors when it comes to offering truly multi-function integrated security. The Proventia M Series is a highly compelling solution for any organisation that is looking to simplify its security processes whilst ensuring the best possible protection for their systems and data.


Frost & Sullivan
Sullivan House
4 Grosvenor Gardens
London SW1W 0DH
United Kingdom

