Moving beyond firewalls, intrusion detection tools that monitor corporate networks for hacker attacks are emerging as a hot new category in the Internet security market.
Evidence is mounting that intrusion detection--pegged by market analysis firm Aberdeen Group as a $100 million market in 1998, again doubling in size over last year--is becoming the next booming security market, after firewalls.
Today, Axent Technologies (AXNT), an Internet security firm that's buying firewall vendor Raptor (RAPT), will announce that its new version of OmniGuard/Intruder Alert software will repel attackers instantly.
Last week Internet Security Systems, the market leader, announced that its flagship RealSecure product can now reconfigure Cisco routers when they're under attack. ISS, which does the same for firewalls from Check Point and other vendors, also filed Wednesday for an IPO.
Analyst Matthew Kovar of Yankee Group says intrusion detection is important, along with the security assessment tools that probe corporate networks to find security holes before the bad guys find them.
"Together, these are the most significant advances in enterprise security since the advent of both firewalls and server-based virus-scanning combined," Kovar said.
Risk assessment tools are important not only because they can find problems before intruders do but also because they're effective against the biggest source of security problems--employees.
"The press focuses on intrusion detection the most, but risk assessment is even more important," Kovar contended.
Aberdeen's Jim Hurley, whose report on "adaptive network security" was released Friday, agrees: "Intrusion detection alone isn't enough. You have to have other features."
Hurley notes that vendors in the space are madly adding features in response to customer demand, as vendors move into intrusion detection from other security segments.
"A point solution is not what the industry needs. It has been proven not to be successful in solving the problems of security," Axent's Drew Williams said. "The industry needs something that's bigger."
The hot capability today is automatic response to attacks.
"Our products recognize vulnerabilities and threats on the network. Particularly for the threats, there's a strong need and benefit to act immediately," said Patrick Taylor, director of strategic marketing at ISS, generally regarded as the leading vendor in this market. "We can reconfigure devices [routers and firewalls] to stop an attack before it gets further into the network."
The markets for firewall and intrusion detection software may be converging. That's evidenced by both Axent's pending acquisition of Raptor and Trusted Information Systems' (TISX) October acquisition of Haystack Labs.
"These products should be in perimeter devices like firewalls," Kovar said flatly. "They should be incorporated in all network equipment inside an organization." Thus companies like ISS are into serial partnering, signing on with firewall vendors, ISPs like GTE Internetworking for managed security services, and networking hardware firms like Cisco.
Axent's version 3.0 of Intrusion detection comes with 300-plus built-in security checks to guard against the most common hacker break-ins. A single central management console can monitor reports from security agents installed on each network device running on 50 platforms, including most Unix operating systems, NetWare, and Windows.
Aberdeen's report ranks ISS as the leading vendor in this space with 35 percent market share. The second tier is headed by Axent with 23 percent, followed by Intrusion Detection Incorporated at 12 percent, TIS/Haystack with 8 percent, then SAIC, AbirNet, and WheelGroup with 5 percent apiece.
WheelGroup, with its roots in security consulting, has enjoyed notable success recently with big vendors, like IBM, Perot Systems, and EDS, using its NetGuard software in their security monitoring services. Some also resell WheelGroup in their systems integrator practices.
IDI's Kane software first earned acceptance among security-conscious financial services firms, Aberdeen notes, but the company has now broken out into the broader Windows NT and NetWare markets.
Aberdeen thinks TIS' WebStalker, which is deployed with Web server software, will be adapted to work with multiple Web servers and the TIS firewall, Gauntlet.
Aberdeen holds out less hope for SAIC's Computer Misuse and Detection System (CMDS), which has been deployed in a handful of federal agencies. AbirNet's SessionWall-3 inspects content on networks but can't handle encrypted data, Aberdeen says, while Trident is trying to make the transition from a services firm to selling its NetRisk product.
Up-and-coming players identified by Aberdeen include Centrax and Netect, due to ship products this month.
But if this market starts to boom, look for bigger players to get interested quickly.
Network Associates (NETA), formed in the merger of McAfee and Network General, has introduced CyberCop. Based on technology acquired from WheelGroup, CyberCop can be integrated with Network General's well-known Sniffer network management software. But CyberCop can't handle encrypted data yet, Aberdeen says.
Start-up Netect positions its software as applications, not tools, that will put together assessment, simulated attacks, and intrusion detection and response.
"We see the market as ready for wide-scale mass technical adoption," said Marc Camm, Netect's executive vice president of marketing, who also said Netect will announce OEM deals with major players when its product ships. "Many of the products out there are tools used by security experts."
"We see ours as an application used by the mass technical market--easy to use, runs automatically, reports automatically, and gets updates [of new threats] automatically," he said.
"Security is only as good as the last time you checked it."