| Provider | IDS Platform(s) | Approach & Depth | Analysis & Response | Reporting | Additional Comments |
|---|---|---|---|---|---|
| AT&T<br>Managed Intrusion Detection Levels 1, 2, and 3 | Level 3: Cisco, Enterasys Dragon & Sensor HIDS<br>Level 2: Cisco<br>Level 1: ISS RealSecure & Intrusion.com | Passive inspection of content or application payload | Level 3: Event correlation & root cause analysis<br>Levels 1 and 2: Intrusion blocking, TCP reset & IP logs | Customer Web Portal | Host IDS for servers also available. Level 3 investigation support and custom report options. |
| Bangalore Labs<br>Managed IDS | ISS RealSecure (Solaris, Nokia, Windows, Linux), Snort, Enterasys Dragon, Symantec | In-line inspection of TCP stream | Root cause analysis, intrusion blocking and e-mail/firewall integration (e.g., OPSEC, SNMP) | E-mail & SNMP alerts, periodic reports and recommendations via Secure Web Portal | Includes 24x7 availability and performance monitoring of IDS sensor, signature and response policy updates, change management, backup/restore and periodic reporting. |
| Cable & Wireless<br>Intrusion Detection and Response | Cisco Secure IDS, ISS RealSecure (on Nokia 330/350 platform) | Passive IDS based on simple & stateful pattern matching, protocol decode-based & heuristic-based signatures, TCP stream inspection, application header & payload inspection | Event correlation & root cause analysis, but events are always reviewed by security engineers before response takes place | Logs via Secure Web Server; alerts via e-mail, Secure Web Portal, or by page or phone, per customer-defined procedure | Content Integrity Monitoring (CIMS) uses digital hashes to check one Critical System Integrity profile and one Baseline Integrity profile for changes. Customer-defined integrity profiles may be purchased separately. C&W Cyber Attack Team provides 24/7 incident response. |
| ClearPath Networks<br>iDefender Pro | Cisco 7200 reporting | Passive inspection, depth not specified | Intrusion blocking, but no event correlation or root cause analysis | Logs all attempted intrusion activity; reports through iView Network reporting tool | Available as Firewall option only. |
| Guardent<br>Enterprise Intrusion Prevention | Guardent Security Defense Appliance, plus commercial technology like ISS RealSecure, Intrusion.com | Inspection method and depth vary by client request and platform | Event correlation, root cause analysis, intrusion blocking | Secure Portal | Also monitors basic IDS signatures from leading firewalls like NetScreen and Checkpoint. Options include Network IDS, Host IDS, Host-based Behavior Blocking, and correlation with firewall and vulnerability scan data. Based on open source Snort technology. |
| Interliant, Inc.<br>Interliant Managed Intrusion Detection | Enterasys Dragon (appliances and host OS platforms available) | In-line or passive inspection covers TCP/UDP stream reassembly, overlapping IP fragment detection, TCP sequence & checksum verification, application-based event detection | Event correlation, root cause analysis, optional intrusion blocking, automated customer notification of requested events | All events, alerts and logs are available to customers via secure website | Standalone service that can be provided along with other managed security services. |
| Internet Security Systems<br>X-Force Managed Intrusion Protection | RealSecure Network Sensor, RealSecure Gigabit Network Sensor, RealSecure for Nokia Appliances, RealSecure Guard, RealSecure Network for Crossbeam, RealSecure Server Sensor, RealSecure Desktop Protection | In-line and passive inspection of TCP stream, application headers and payload, source and destination port and IP | Event correlation, root cause analysis, optional intrusion blocking. ISS security engineers automatically contact customer, using auto-escalation processes for known threats and vulnerabilities. | Permanent activity logs summarized in a monthly executive summary and available via ISS Customer Portal | Standalone service, but ISS recommends using with firewall and scanning services. Basic, Silver, Gold and Platinum levels. Qualified security engineer inspects each High-level event to determine whether it is a genuine Security Incident, indicative of network misuse, or a false positive. Specified actions are then taken for each Security Incident. |
| LURHQ Corporation<br>Managed Intrusion Detection | Snort, ISS RealSecure, Intrusion.com, Cisco Secure IDS | In-line or passive detection, depth depends on hardware/software | Event correlation, root cause analysis, intrusion blocking, and automated responses as dictated by client | Secure, Web-based Sherlock Enterprise Security Portal | Host-based automatic signature creation and updates for Snort are optional. |
| NetSolve, Inc.<br>ProWatch Secure Intrusion Detection | Cisco | Passive full packet inspection, including TCP stream, application headers and payload | Event correlation, root cause analysis, intrusion blocking and other automated responses | Secure Web Portal provides access to all security reports and raw data | Options include Host IDS, Internet Router, managed WAN, LAN or IP telephony services. Fixed fee per device includes all change requests, custom signature development, configuration archiving, firewall policy changes, OS upgrades, etc. |
| PresiNET Systems<br>vDeadbolt IDS | PresiNET's vDeadbolt and vDeadbolt Enterprise Appliances (see the vDeadbolt and vDeadbolt Enterprise PDF files for more information) | In-line inspection of TCP stream, application headers and payload and more | Event correlation, root cause analysis, and intrusion blocking. Critical event signatures propagated to additional monitoring and management systems for proactive solution | Real-time reporting via a Secure Web interface and PDF | IDS is part of Internet Security Management services package. Options include Server IDS, automated policy reconfiguration, automatic signature updates, and real-time event monitoring. Client-premises appliances act as remote sensors and service delivery platforms, with core services from SOC. |
| Proseq AS<br>WISE IDS<br>µIDS (microIDS) | WISE: Runs on Linux, module-based, correlates logs from different IDS systems<br>µIDS: IDS, web, firewall, VPN and DB appliance | Passive inspection down to, and including, packet payload | Event correlation, root cause analysis (fee per incident), intrusion blocking (with managed firewall) and automated alarms and notifications on new issues | Secure Web interface and encrypted e-mail | Available alone or as Firewall option. Other options include server IDS, automated policy reconfiguration and consultancy services. |
| RedSiren<br>Managed IDS | Cisco IDS, ISS RealSecure, NFR, Enterasys Host, Symantec ITA | Vendor-specific, mostly passive inspection; varies by signature method, anomaly detection, heuristic analysis, and behavioral statistics | Event correlation, root cause analysis, intrusion blocking, vendor-specific methods and RedSiren incident investigation | Secure Web Portal | Available alone or as Firewall option. Service includes specific tuning to the customer environment, correlation across the customer's infrastructure, scanning service, and 24x7 SOC coverage. Options are NIDS and HIDS, gold level for rapid response and platinum level for incident investigation. |
| SBC Communications<br>PremierSERV Security Monitoring/Intrusion Detection | Cisco Secure IDS, Enterasys Dragon, ISS RealSecure | Passive, although IDS sensor does have TCP reset and ACL shun capability; depth varies by IDS sensor, includes attack signature recognition | Event correlation, investigation and "suggestive remediation." SBC does not recommend automated response, but will do so at customer request or in response to an overwhelming "internet wide" attack. | Serious Incident Reports provided directly to client by security engineers via e-mail, phone, or pager, plus composites posted to Secure Authenticated Web Portal | Available alone or as Firewall option. Vulnerability Scanning, Penetration Testing, Secure Policy Development, Security Architecture Design/Review and On-Site Engineering Visits are available as options. Dedicated engineer assigned to each customer as the primary POC. Incident Response Triage conducted as part of service. On-site Incident Response Cyber Forensics is an optional service. |
| SecurePipe, Inc.<br>ActiveIDS | SecurePipe RM-512 HW & SW | Passive inspection of all layers and layer-7 payload, with TCP reset and firewall rule modification options | Event correlation, root cause analysis, and Security Engineer responses like firewall ruleset modification, customer contact and incident report filing | Customer notified of issues requiring immediate action via chosen alert mechanism; SecurityConsole reports on alert, packet payload and SP's analysis and response | Available alone or as Firewall option. IDS platform utilizes Snort engine. |
| SecureWorks<br>Host-based Intrusion Prevention<br>Network-based Intrusion Prevention | Host: Okena<br>Network: SecureWorks iSensor Intrusion Prevention Appliance (on Dell PowerEdge 350 or IBM x345) | Host: All content including header and payload<br>Network: In-line TCP stream, application header and payload inspection | Event correlation, root cause analysis, intrusion blocking, and notification via phone, e-mail, pager | E-mail, Web, downloadable importable file formats | Network-based service has a High Availability option. Host-based service observes behavior to protect against unknown attacks. Both are proactive prevention services, not reactive detection services. |
| TruSecure Corporation<br>ShadowGuard<br>SecureWatch | Guard: Enterasys Dragon & Squire, Cisco IDS, ISS RealSecure, Entercept, etc. (on vendor-approved appliances and Sun/Solaris)<br>Watch: Any SNMP and/or SYSLOG compliant system | Guard: In-line and passive TCP stream, application header and payload inspection<br>Watch: Depends upon customer platform and content of SNMP and/or SYSLOG reporting stream | Event correlation, intrusion blocking (ShadowGuard only, to extent allowed by IDS software), and emergency firewall rule set changes (when managing both devices) | Change request status, incident logs and reports provided through Secure Customer Web Portal, plus raw logs can be viewed through each IDS console | ShadowGuard is a full-service turnkey outsource solution for NIDS and SIDS systems. SecureWatch is a monitor-only solution for IDS, Firewall and VPN systems. Both are available in Standard and Premium versions, differentiated by Service Level Agreement (SLA) commitments. |
| Unisys Corporation<br>Managed Security Services | ISS RealSecure NIDS & HIDS, Cisco Secure IDS, Cisco/Entercept HIDS, Enterasys Dragon NIDS | Passive inspection, depth depends on selected IDS | Event correlation, root cause analysis, intrusion blocking | Logs available real-time (via a hardware/software mirroring solution) or upon request via secure e-mail. Trouble ticketing system tracks every incident, problem, etc., viewable from secure website | Available alone or as Firewall option. Options include NIDS, HIDS, signature file updating, IDS policy reconfiguration (all requests reviewed by senior security engineer), software upgrades, re-licensing, and hardware maintenance. HW maintenance includes remote problem identification, site dispatch, equipment repair/replacement, service restoration, and validation. |
| Verio<br>IntelliSecurity Intrusion Detection | Enterasys Dragon Sensor (on Dell PowerEdge 1650) | Passive inspection, depth not specified | Event correlation, root cause analysis, and alert generation | Secure Web Portal | |
| VeriSign, Inc.<br>Managed Intrusion Detection | ISS RealSecure, Enterasys Dragon, Intrusion.com | Passive inspection based on signature sets, ranges from network to application layers | Event correlation, root cause analysis, intrusion attempts blocked at managed firewall. For High and Extreme events, trouble tickets generated and security engineers immediately engaged. | Web Portal allows clients to view and query logs, alerts, and static and dynamically created reports | NIDS and HIDS options. SP monitors for health, performance and security events. Suspicious activities are normalized and analyzed; security engineers are automatically engaged as needed. Includes free vulnerability scans of IDS device during initial deployment and quarterly. |
| MCI (WorldCom)<br>Managed Services | Cisco IDS | In-line stateful pattern recognition, protocol analysis, traffic and protocol anomaly detection | Event correlation, root cause analysis, optional intrusion blocking and other customer-defined responses | Secure Web Portal | Custom service, offered in conjunction with MCI's Managed WAN Services. |