December 06, 2007

Is Bot Defense the IDS of 2008?

I don’t think there is any question that bots and botnets are a dangerous threat. The combination of a worm delivery vehicle and a malware payload of varying capabilities is a potent one that attackers have morphed to suit their own purposes. Bot defense is proving to be a difficult task even as traditional AV vendors and others have purported to include bot defense in and among the various protections they offer.

There are also a couple of specialty vendors that focus on the threat and claim to be able to identify not just the threat, but the best way to defeat it in the future. If this all sounds strangely like the rhetoric surrounding Intrusion Detection Systems in the early days -- it’s because it does. As you may recall, IDS vendors all touted their ability to identify attacks. The market bifurcated itself into network and host, and vendors pretty much camped out on one side or the other.

Then one day, at a Gartner security conference of all places, an analyst (Richard Stiennon, now with Fortinet) coined the phrase “IDS is dead!” The market went into a tizzy, with much scurrying around by vendors to re-position themselves as Intrusion Prevention rather than Intrusion Detection. In retrospect, Stiennon merely stated the obvious: end-user organizations didn’t want a complete description of their problem, they wanted technology to make sure the problem didn’t occur in the first place.

So should it be with bots and botnets. The community wants and needs prevention more than it needs detection and identification. I offer this blog as a call for vendors to develop measures that do more than diagnose the threat and can provide detailed guidance to non-security professionals, such as those who work in the Network Operations Center (NOC), to help them thwart these efforts in an exceptionally timely manner. Ideally, the products would also offer the capability to invoke the recommended solution with a keystroke or two, in accordance with previously approved security and operations protocols and permissions.

We know that the edge belongs to the attacker. Security professionals have to win all the time to keep their IT world safe; attackers only have to win a few times to accomplish their goals. Let’s hope that the botnet world becomes a proving ground for being one step ahead of the enemy, rather than behind them.