"Windows XP SP2 is going to break all the vulnerability scanners out there because the desktop firewall is on by default - and in the next version too," says Martin Roesch, security guru and author of the popular Snort open source IDS (intrusion detection system).
Nor is SP2 the only problem for the $1 billion vulnerability management market, he adds: "The traditional approach to network vulnerabilities is active scanning but that takes time and is intrusive. It also tends to be done overnight, when many PCs will be away or off, so you're loading stale data."
Roesch is still working on Snort - he recently added an IP defragmentation tool to it. He says this is designed to spot disguised attacks by allowing the IDS to mimic the way that different operating systems reassemble fragmented packets.
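To make the reassembly point concrete, here is a small fragment reassembler written for this article as an added example; it is not Snort's code. It models only the byte-level rule at the heart of target-based reassembly: when two fragments overlap, one stack keeps the bytes it already has ("first") while another lets the later fragment overwrite them ("last"). Byte offsets, the two policy names and the sample fragments are constructed for illustration; real IP fragment offsets are in 8-byte units and real stacks have more nuanced rules.

```python
"""Toy IP fragment reassembler with a selectable overlap policy.

Added example, not Snort code. The point: two hosts given the same
fragments can end up with different datagrams, so an IDS that wants to
inspect what a given host will see must reassemble with that host's policy.
Offsets are plain byte offsets (assumption; real IP uses 8-byte units).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's data within the datagram
    data: bytes
    more: bool    # True unless this is the final fragment (the MF flag)


POLICIES = ("first", "last")  # assumed names for the two overlap behaviours


def reassemble(frags: Iterable[Fragment], policy: str = "first") -> Optional[bytes]:
    """Return the reassembled payload, or None while it is still incomplete.

    'first': bytes already placed win; later overlapping bytes are ignored.
    'last' : the most recently seen fragment overwrites earlier bytes.
    Fragments are processed in arrival order, which is what makes overlaps
    policy-dependent.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    buf: Dict[int, int] = {}   # byte position -> byte value
    total = None               # datagram length, known once the final fragment is seen
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
        if not f.more:
            total = f.offset + len(f.data)
    if total is None:
        return None            # final fragment has not arrived yet
    if any(pos not in buf for pos in range(total)):
        return None            # a hole remains; keep waiting for fragments
    return bytes(buf[pos] for pos in range(total))


def policy_views(frags: Iterable[Fragment]) -> Dict[str, Optional[bytes]]:
    """What each reassembly policy would hand to the protocol decoder."""
    frags = list(frags)
    return {p: reassemble(frags, p) for p in POLICIES}


# Constructed sample: the second fragment overlaps bytes 4..7 of the first.
SAMPLE = [
    Fragment(0, b"ABCDEFGH", True),
    Fragment(4, b"wxyz", True),
    Fragment(8, b"IJKL", False),
]

if __name__ == "__main__":
    for name, payload in policy_views(SAMPLE).items():
        print(f"{name:5s} -> {payload!r}")
```

Run stand-alone, the two policies print different payloads for the same three fragments. In an IDS the lesson is operational: the reassembly policy is a per-target setting, and the passive OS identification discussed later in the article is one way to fill that table in without scanning.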
But his main job these days is as CTO of Sourcefire, which he founded to build appliances based on Snort. Sourcefire's products cover a range of network intrusion and vulnerability technologies, however, and with those scanning problems in mind he has taken on the role of evangelist for one more of them: passive network analysis.
The idea behind this is deceptively simple - so simple in fact that he says people often have difficulty believing that it could possibly work. By listening to traffic on the network, the scanner is able to derive and deduce a huge amount of information about what's running where and what's going on.
"It's a sniffer just like an IDS, and the same order of complexity, but using different code to do a different job," Roesch explains. "Passive listening determines what services, operating systems and protocols are running, and infers vulnerabilities and the network topology from those, building up a map of the network and activity.
"We realised that the scanner's view of the network is different from the IDS view because of the time taken to do the scan. With passive listening you get the same data as a scan, but in real time and without the need to scan, so you can see new hosts or hosts changing. You can even see the sites people are surfing to."
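The inference Roesch describes can be sketched in a few dozen lines. The following passive inventory is an added example written for this article, not Sourcefire's RNA code: it consumes a stream of already-captured packet summaries and, without sending anything, records hosts as they appear, marks a port as a listening service when it answers with SYN-ACK, estimates hop distance from the TTL, and attaches a rough OS guess from the SYN's TTL and window size. The fingerprint table, the service-name map and the packet summaries are all constructed assumptions for illustration, not a vetted signature database.

```python
"""Passive network inventory built from observed packet metadata.

Added example, not Sourcefire RNA. Nothing is transmitted: hosts, services,
hop counts and OS guesses are all inferred from traffic already on the wire.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # TCP flags as letters, e.g. "S", "SA", "A"
    ttl: int
    window: int


# Illustrative (assumed) fingerprints: initial TTL and SYN window size.
FINGERPRINTS = [
    (64, 5840, "Linux (assumed fingerprint)"),
    (64, 65535, "BSD-derived (assumed fingerprint)"),
    (128, 8192, "Windows (assumed fingerprint)"),
    (128, 65535, "Windows (assumed fingerprint)"),
]
SERVICE_NAMES = {22: "ssh", 80: "http", 443: "https", 445: "smb"}  # constructed subset


def initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for base in (32, 64, 128, 255):
        if ttl <= base:
            return base
    return 255


@dataclass
class Host:
    ip: str
    first_seen: float
    last_seen: float
    os_guess: Optional[str] = None
    hops: Optional[int] = None
    services: Dict[int, str] = field(default_factory=dict)  # port -> service name


class PassiveInventory:
    def __init__(self) -> None:
        self.hosts: Dict[str, Host] = {}
        self.events: List[str] = []   # real-time change log: new hosts, services, OS

    def _touch(self, ip: str, ts: float) -> Host:
        h = self.hosts.get(ip)
        if h is None:
            h = Host(ip, ts, ts)
            self.hosts[ip] = h
            self.events.append(f"new host {ip}")
        h.last_seen = ts
        return h

    def observe(self, p: Packet) -> None:
        src = self._touch(p.src, p.ts)
        self._touch(p.dst, p.ts)
        if p.flags == "S":
            # A SYN carries the sender's initial TTL (minus hops) and its
            # default window, the two values the fingerprint table keys on.
            base = initial_ttl(p.ttl)
            src.hops = base - p.ttl
            for ttl, win, name in FINGERPRINTS:
                if ttl == base and win == p.window:
                    if src.os_guess != name:
                        src.os_guess = name
                        self.events.append(f"{p.src} os {name}")
                    break
        elif p.flags == "SA":
            # A SYN-ACK from src:sport proves something is listening there.
            if p.sport not in src.services:
                src.services[p.sport] = SERVICE_NAMES.get(p.sport, "tcp")
                self.events.append(f"{p.src} service {p.sport}/{src.services[p.sport]}")


def build_inventory(packets: Iterable[Packet]) -> PassiveInventory:
    inv = PassiveInventory()
    for p in packets:
        inv.observe(p)
    return inv


# Constructed packet summaries: two clients talking to one server.
SAMPLE_PACKETS = [
    Packet(1.0, "10.0.0.5", "10.0.0.10", 51000, 80, "S", 64, 5840),
    Packet(1.1, "10.0.0.10", "10.0.0.5", 80, 51000, "SA", 128, 8192),
    Packet(1.2, "10.0.0.5", "10.0.0.10", 51000, 80, "A", 64, 229),
    Packet(5.0, "10.0.0.7", "10.0.0.10", 40000, 22, "S", 126, 8192),
    Packet(5.1, "10.0.0.10", "10.0.0.7", 22, 40000, "SA", 128, 8192),
]

if __name__ == "__main__":
    for line in build_inventory(SAMPLE_PACKETS).events:
        print(line)
```

Note what the server never reveals: 10.0.0.10 only ever answers, so it gets services but no OS guess until it originates a SYN of its own. That is the flip side of the technique Roesch describes: passive analysis sees exactly what the hosts choose to send, which is why the 3D strategy below still reaches for a targeted active scan when it needs a precise answer.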
Sourcefire's passive listening software, called RNA (real-time network analysis), still needed some work on its reporting options when we reviewed it earlier this year, but Roesch says he's well aware of the need to do more.
In particular, the company has been working to integrate RNA and IDS with other network tools to do more than just raise an alert. It tags this as its 3D strategy, for Discover, Determine, Defend.
The 3D concept starts with analysis and information gathering, then aggregates events to contextualise and prioritise. Next, you apply policies and look for violations, and then you take action, with APIs to arbitrate other services.
"The determine phase has a second level, where it uses rules to do something about what it's detected, such as tell the patch management system to check it out or arrange a more precise active vulnerability scan," Roesch explains.
"APIs allow you to write agents to drive other systems and orchestrate your response, so you can reconfigure a CheckPoint firewall or Cisco devices, say. It makes security automated and event-driven, with the ability to apply policy evenly throughout the network." Looking forward, Roesch thinks the key to network security is going to be offloading as much of the gruntwork as possible to the machines.
"I think the automation of security technology is going to be big over the next few years," he says. "The current approach requires bright people to be there all the time. We're trying to make equipment that will enable any enterprise to defend itself to a certain level - it will be much better than most organisations are able to do for themselves.
"IDS is a tremendously powerful technology but needs tuning because it's very noisy. That's not a simple task - you might tune it at a specific time, say, but networks aren't constant. It means very smart people having to do a very laborious job.
"Plus, one thing I've learnt is that very few organisations - maybe five percent - tune their IDS, and 95 percent gripe about false positives. So if the users won't tune their sensors, I'm going to make the sensors tune themselves. So we are building IDS that don't require tuning, and which are harder to evade and spoof."
But will people be happy to let the machines take control? Roesch says that the volume of data these sensors generate makes it inevitable, and cites the relative success of IPS - intrusion protection systems, which look for known attacks and block them - as evidence.
"I didn't think anyone would deploy IPS - I thought they'd be crazy to, but they did. People are ready for automation, at least to cover the low-hanging fruit. If you define the policy well, it should be extremely effective."