The document provides guidance on selecting an intrusion detection and prevention system (IDPS). It discusses understanding how IDPS works and deployment options, shortlisting vendors and creating a request for proposal. It also covers tuning the IDPS to maximize effectiveness and ensuring value from the investment. The document is intended to help CIOs, IT managers and organizations looking to improve security and address data breach issues strategically select an IDPS solution that fits their needs and budget.

1. Select an Intrusion Detection and Prevention System

6. Developing an IDP strategy involves answering a number of questions; answer these four questions before proceeding Info-Tech Research Group Understand that everything that passes your firewall, anti-malware tools, and other security is free on your network. A firewall is a bouncer, an IDPS is a guard patrolling the bar for strangers and drunkards. IDPS can be deployed as a dedicated box or a consolidated box. Dedicated boxes offer higher performance and lower entry prices. Consolidated boxes offer a better TCO and streamlined management across multiple tools. Attacks can happen any time, any day. If you can’t afford the security staff to manage and watch the appliance 24/7, managed services can be a more attractive option. Have a large security staff already? Monitor the appliance in-house. For most enterprises, a single sensor at the network perimeter will be sufficient. Internal segments of the network with sensitive data, or firms using multiple ISPs should consider probes at entry points to each network. What does an IDPS do? What are my options? How do I manage it? How many probes do I need?

9. If your security team can be staffed on an IDPS 24/7, do it in-house, otherwise go to managed services Info-Tech Research Group In the “good old days” when intrusion prevention was the pre-eminent technology, staffing issues were the 800lb Gorilla. Intrusion detection can generate vast numbers of alerts that must be dealt with, ideally in real time, for its protection capabilities to be realized. Intrusion prevention has mitigated this to a significant degree, to the point that large numbers of dedicated staff may not be required. For optimal protection, 24/7 monitoring of alerts and responses still has value. If you don’t need instant response, you don’t need active monitoring. Let the IDPS do its thing, but make sure to review logs daily, and page for significant threats. The IDPS can only be successful if a process is in place to monitor and maintain the system and reports are reviewed on a regular basis. “ “ - IT Manager, Education What Info-Tech clients are saying… Organizations that need the highest levels of responsiveness, and that have 5 or more security analysts on staff can afford to manage an IDPS on a 24/7 basis in-house at a cost-advantage vs. managed services. Security Analysts 5 Organizations that need high levels of responsiveness, but that do not have 5 or more security analysts on staff, and therefore cannot actively monitor their IDPS 24/7, will benefit from outsourcing to an MSSP. Security Analysts 5

10. Calculate the number of probes required for your implementation given your current network topology Info-Tech Research Group The number of internal networks with confidential, private, or sensitive data on them determine how many internal IDP appliances the organization needs. Here ratio options exist – multi-segment, multi-Gigabit boxes are available for 1:x deployments but have big price tags and may be overkill. Evaluate internal network speed, and the number of segments to be protected to decide between large 1:x ratio boxes, or smaller “appliance per segment” solutions. The number of pure internet connections coming into the organization drives the number of dedicated or consolidated boxes required at the network perimeter. The ISP:appliance ratio must remain at 1:1 throughout the organization to ensure protection on all inbound links without introducing a single point of failure. The number of ISPs, in turn, is driven by the organization’s need for network redundancy and resiliency (e.g. failover networks). External Probes Internal Probes For consistent protection, the organization must have 1 appliance on each dedicated Internet connection. Use the number of network segments with sensitive data to drive internal probe deployment. Protected Corporate Network IDPS 1/UTM1 IDPS on Segment 1 ISP 1 ISP 2 IDPS 1/UTM1 IDPS 2/UTM2 Protected Corporate Network Segmented Network (e.g. R&D)

11. Determine whether or not IDPS is appropriate for your organization before moving into vendor selection Info-Tech Research Group The IDP System Appropriateness Assessment Tool will help you: 1 Conduct an IDPS Necessity Assessment. 2 Determine whether you are better served by an IDPS or UTM. 3 Determine whether you should bring IDP in-house or move to managed services. 4 Calculate the number of probes required for your implementation given current network setup. This tool will help you determine whether or not you should be deploying an IDPS and how many probes you require. Use the probe figure in the IDP System TCO Calculator later in this solution set to more accurately project the cost of your specific implementation.

15. IDPS Criteria & Weighting Factors g Info-Tech Research Group Vendor Evaluation Vendor is committed to the space and has a future product and portfolio roadmap. Strategy Vendor is profitable, knowledgeable, and will be around for the long-term. Viability Vendor offers implementation and ongoing management support. Support Product Evaluation The five year TCO of the solution is economical. Affordability The solution provides basic and advanced feature/functionality. Features The solution’s dashboard and reporting tools are intuitive and easy to use. Usability

16. The Info-Tech IDPS Vendor Landscape For a complete description of Info-Tech ’s Vendor Landscape methodology, see the Appendix. Champions receive high scores for most evaluation criteria and offer excellent value. They have a strong market presence and are usually the trend setters for the industry. Competitors strike a strong balance between product and vendor attributes. They have the potential to become future industry leaders if they address the missing links in their offerings. Emerging players are newer vendors who are starting to gain a foothold in the marketplace. They balance product and vendor attributes, though score lower relative to market Champions. Innovators have demonstrated innovative product strengths that act as their competitive advantage in appealing to niche segments of the market. Industry standard vendors are established players with very strong vendor credentials, but with more average product scores.

17. Every vendor has its strengths & weaknesses; pick the one that works best for you Product Vendor Features Usability Affordability Viability Strategy Support Note: “Harvey Ball” scores are produced by normalizing weighted, raw scores for each category, resulting in relative scores for each category. For example, an empty circle does not indicate a zero score; it indicates the lowest score in that category relative to other products. Likewise, a solid circle does not indicate a perfect score, but rather the highest score in that category relative to the other products. McAfee HP Cisco IBM Juniper Top Layer Sourcefire Radware Check Point

20. HP focuses heavily on the enterprise market, hurting its strategy score; there is better value elsewhere based on price HP achieved a slightly above average Composite Performance Index score in all categories except for Strategy, where its score was well below the average. HP’s mediocre scores across most categories are a result of the high price of the solution and its low usability score. Its strategy score is below average because HP is more focused on the enterprise space rather than the small to medium enterprise, as evidenced by the progression in more favorable pricing as appliance throughput moves up stream. Vendor Listing Advanced Features Bonus Support Delivery and Reach DoS Protection Inherent Firewall Reputation Based Scanning Virtual Signatures Virtual Infrastructure Protection Application Specific Scanning Encrypted Traffic Scanning Redundancy User Based Signatures North America APAC EMEA DVLabs Research employs 30+ research professionals and provided the first patch to 14 critical and 47 high risk vulnerabilities in 2010, more than 5x that of competing vendors.

22. Cisco offers a huge amount of features at the most affordable price point, making it the best value play in the space Cisco achieved the highest Composite Performance Index scores in all categories except for Strategy, where its score was still above the average. Cisco's high across the board scores are the result of its solution having the lowest price of all evaluated products while having above average scores in all other categories. Its strategy score is limited, though still above average, due to its primary focus of consolidated rather than dedicated solutions. Vendor Listing Advanced Features Bonus Support Delivery and Reach DoS Protection Inherent Firewall Reputation Based Scanning Virtual Signatures Virtual Infrastructure Protection Application Specific Scanning Encrypted Traffic Scanning Redundancy User Based Signatures North America APAC EMEA Maintains 700,000 sensors globally to feed Global Correlation program, boosting efficacy and driving reputation scores that are pushed out to all devices on the network.

24. McAfee offers the most impressive feature list, but is priced at a hefty premium to the market, destroying value per dollar McAfee achieved low Composite Performance Index scores in all categories due to its exceptionally high price point. McAfee’s high price point negatively impacted its composite performance despite the breadth of its features and the strength of the product on the whole. It’s viability score was especially low due to the uncertainty surrounding the IntruShield offering post Intel acquisition. Vendor Listing Advanced Features Bonus Support Delivery and Reach DoS Protection Inherent Firewall Reputation Based Scanning Virtual Signatures Virtual Infrastructure Protection Application Specific Scanning Encrypted Traffic Scanning Redundancy User Based Signatures North America APAC EMEA The McAfee IntruShield appliance lineup offers integrated VoIP protection to specifically protect against threats using this increasingly common communications mechanism.

26. IBM offers average functionality but is backed by a strong corporate brand & large support network IBM achieved a slightly above average overall Composite Performance Index score with good specific results in support and viability, but poor results in strategy and usability. As the largest and most stable vendor in this survey, IBM’s high viability score is to be expected. The company’s usability score was negatively impacted by a complex management system, while it’s strategy was impacted heavily by to the firm’s focus on the enterprise market. Vendor Listing Advanced Features Bonus Support Delivery and Reach DoS Protection Inherent Firewall Reputation Based Scanning Virtual Signatures Virtual Infrastructure Protection Application Specific Scanning Encrypted Traffic Scanning Redundancy User Based Signatures North America APAC EMEA As Data Leakage Protection becomes an ever more prevalent technology, it is finding its way into many other security solutions; IBM is the first to integrate DLP capability into its IDPS sensors.

28. Juniper is the only vendor in the landscape offering ‘honeypot’ capabilities, and is priced well relative to its peers Juniper achieved a high Composite Performance Index score in all categories except for Strategy, where its score was below average. Juniper's high across-the-board scores are the result of its solution having one of the lowest price points in the group, while providing more features than other, similarly priced vendors. It’s strategy score is below average due to its focus on the enterprise space with its IDPS solution – the firm carries a UTM solution geared much better towards the SME. Vendor Listing Advanced Features Bonus Support Delivery and Reach DoS Protection Inherent Firewall Reputation Based Scanning Virtual Signatures Virtual Infrastructure Protection Application Specific Scanning Encrypted Traffic Scanning Redundancy User Based Signatures North America APAC EMEA Juniper’s IDP series of appliances uniquely offers ‘honeypot’ capabilities to track and confound illicit reconnaissance efforts.

30. Sourcefire focuses heavily on IDP & benefits from the large open-source community behind Snort Sourcefire recorded one of the higher Composite Performance Index scores due to the combination of generally positive criteria scores and overall attractive pricing. Sourcefire was regarded as having the highest CPI score for strategy as a result of its IDP only focus and attractiveness to the SME space. As with the other smaller vendors in the study, viability is impacted when compared with multi hundred billion dollar companies. Vendor Listing Advanced Features Bonus Support Delivery and Reach DoS Protection Inherent Firewall Reputation Based Scanning Virtual Signatures Virtual Infrastructure Protection Application Specific Scanning Encrypted Traffic Scanning Redundancy User Based Signatures North America APAC EMEA As the commercial offering from the developers of Snort, the world’s most commonly deployed IDP solution, Sourcefire can draw on that massive community user base for signature development.

32. Check Point performs poorly on a CPI basis due to a lofty price point & minimal functionality, resulting in poor value Check Point achieved a low Composite Performance Index as a result of the second highest price in this study, compared against generally modest results in most categories. Check Point achieved its best results in usability (due to a very clean management interface) and strategy (due to its focus). It’s advanced feature set was deemed one of the weakest in the comparison, resulting in the low CPI for that criteria. Vendor Listing Advanced Features Bonus Support Delivery and Reach DoS Protection Inherent Firewall Reputation Based Scanning Virtual Signatures Virtual Infrastructure Protection Application Specific Scanning Encrypted Traffic Scanning Redundancy User Based Signatures North America APAC EMEA Though not a metric in this evaluation, Check Point has recently been reviewed favorably on performance and throughput capabilities by NSS Labs, an independent testing house.

34. Top Layer offers an IPS-only, SME focused product with a free appliance option, but its recent takeover hurts viability Top Layer offers a reasonably competitive product, at a slightly above average price, resulting in a lower overall Composite Performance Index result. This may be mitigated however with Top Layer’s innovative free appliance approach. Top Layer’s focus on the IDP market, and the SME client, earns it solid Strategy marks; however, its just announced acquisition by UK based Corero as the flagship of that company’s new (and still being defined) security division significantly impacts viability scores. Vendor Listing Advanced Features Bonus Support Delivery and Reach DoS Protection Inherent Firewall Reputation Based Scanning Virtual Signatures Virtual Infrastructure Protection Application Specific Scanning Encrypted Traffic Scanning Redundancy User Based Signatures North America APAC EMEA Top Layer’s TopMSS managed services offering allows enterprises to invest in technology and the management of that technology from a single provider.

36. Radware carries a high initial investment cost on its appliances & involves using an extremely complex management interface Radware’ s overall Composite Performance Index score was radically impacted by the high initial costs of it appliances compared against mostly mediocre scores in all categories. Radware’s best results came in strategy due to its strict focus on the IDPS space. It’s worst results, usability and viability, are attributable first to a complex and confusing interface, and second to being a very small company in the presence of much larger competition. Vendor Listing Advanced Features Bonus Support Delivery and Reach DoS Protection Inherent Firewall Reputation Based Scanning Virtual Signatures Virtual Infrastructure Protection Application Specific Scanning Encrypted Traffic Scanning Redundancy User Based Signatures North America APAC EMEA The ERT provides instantaneous, expert security assistance in order to restore network and service operational status when a client is under DDoS attack or malware outbreak.

37. Not all vendors are created equal; pick the right one for your case Effectiveness is highly vendor dependent. The Composite Performance Index is a measure of value for dollar, but certain, specific select criteria may be driving your needs. The table below provides some insight into what vendors Info-Tech recommends, based on specific needs. I want… Info-Tech Recommends The best value for my dollar. Cisco, Juniper The greatest feature set. HP, McAfee The most up-to-date signatures at all times. HP, IBM A vendor that is focused on the small enterprise. Radware, Sourcefire, Top Layer, Check Point The ability to scale up cheaply as I grow. Radware Full redundancy. HP, Top Layer Inherent firewall. Radware, McAfee, Top Layer

43. Start with nearline monitoring, but move to inline blocking as probe performance is optimized Getting the throughput specifications right for the appliance should be a prime focus point. A small box becomes a network bottleneck, a large box requires significantly more capital. Info-Tech Insight A nearline deployment provides IT with a chance to monitor the default rules setup of the appliance and assess throughput capacity without materially impacting the network. Start with a nearline deployment and only move to inline when you are sure the appliance will not become a bottleneck on the network. In terms of tuning the rules of the box, trial and error is the generally used method. Start by turning on the baseline rules, and tweak both rules and thresholds until the appliance performs at an acceptable rate. Once the appliance is performing satisfactorily, move it inline and implement blocking. 43% 98% 31% 92%

44. Use a pilot group & monitor actively during the initial tuning phase; IPS requires constant attention to be effective The initial configuration of an IDPS appliance is extremely important to the optimal functioning of the solution, but the effort must be maintained throughout the system’s lifetime to remain effective. Info-Tech Insight Understand that IPS is not an idle technology – monitoring reports and logs is the only way to configure an IPS solution to optimal block rates. The goal with monitoring is to develop an idea for what baseline figures and activities look like, making it easier to spot anomalies in the future. After a few days of running the solution, open up the event logs and begin to understand what is happening. Check that the applications you expect to be running are running, resolve early false positives, and ensure the processes and services are correct. Tuning accurately is a major differentiator between an adequate solution and a great one. At this stage in the game, focus on finding the right thresholds. Increase the risk threshold for processes being logged that shouldn’t be, and do the inverse for those that should. Reducing noise in the management console is the quickest way to reduce the time spent reviewing logs daily. Create exceptions for commonly logged but non-threatening actions, such as running sanctioned scripts so you can focus on logging and analyzing potential threats. The final step in tuning the appliance is to configure dashboards and reporting to display the most pertinent information. Make displaying trends, query results, and issues the priority, and schedule reports to be sent automatically to the responsible individuals for mitigation. Monitor Daily Review Logs Begin Tuning Create Exceptions Configure Reporting 1 2 3 4 5

48. Appendix Info-Tech Research Group

49. Vendor Landscape Methodology Info-Tech Research Group Info-Tech Research Group Vendor Landscape market evaluations are a part of a larger product selection solution set, referred to as a Select Set. The Vendor Landscape evaluation process starts with a customer survey. Customers tell us which vendors and products they ’ve heard of and which ones they use, plan to use, or are investigating. From the survey results, and the domain experience of our analysts, a vendor/product shortlist is established. Product briefings are requested from each of these vendors, asking for information on the company, products, technology, customers, partners, sales models, and pricing. Our analysts then score each vendor and product across a variety of categories. These scores are then weighted according to weighting factors that our analysts believe represent the weight that an average client should apply to each criteria. The weighted scores are then averaged for each of two high level categories: vendor score and product score. A plot of these two resulting scores is generated to place vendors in one of five categories: Champion, Competitor, Emerging Player, Innovator, and Industry Standard. Analysts take the individual scores for each vendor/product in each evaluation category and normalize them to a scale of zero to four . This produces a relative scoring, where a low score value indicates low performance in that category relative to the performance of the other products in that category and vice versa for a high score . These normalized scores are represented with Harvey Balls , ranging from an open circle for a score of zero and a filled-in circle for a score of four . Harvey Ball scores do not represent absolute scores , only relative scores. Individual scorecards are then sent to the vendors for factual review, and to ensure no information is under embargo. We will make corrections where factual errors exist (e.g. pricing, features, technical specifications). We will consider suggestions concerning benefits, functional quality, value, etc; however, these suggestions must be validated by feedback from our customers. We do not accept changes that are not corroborated by actual client experience or wording changes that are purely part of a vendor ’s market messaging or positioning. Any resulting changes to final scores are then made as needed, before publishing the results to Info-Tech clients. Vendor Landscapes are refreshed every 12 to 24 months, depending upon the dynamics of each individual market.