Intrusion prevention systems (IPS) have been touted for a couple of years now as a way of stopping organisations getting hit. However, although there have been some major deployments in Australia to date, they are still far from ubiquitous.
TippingPoint's regional sales director, Sean Abbott, said the market was still going through an education phase because organisations were a little nervous about putting something inline that inspects traffic before it hits the network. Those who had been hacked and suffered downtime were more likely to be early adopters.
"We go through a proof of concept so the customer understands what an IPS does and can see that it provides high throughput and low latency," he said. "Once they see that, their comfort level rises."
Fujitsu's security services manager, Brendan Smith, said it positions IPS largely as a way of stopping information going out of the network.
"A lot of people think of an IPS as stopping attacks coming in but they are bi-directional," he said. "Most firewalls are configured to allow outbound connections to almost anywhere but an IPS will look at a packet and know that it's a Trojan phoning home."
Klikon Solutions' senior security consultant, Daniel Smith, said products that updated via the Web had started with antivirus, and then went through protocol anomaly detection, but most vendors now were going for reputation-based decision making.
"If they know an email is coming from somebody that repeatedly does bad things, they will store it in case you need it but their initial reaction is to kill it," he said.
"There are two advantages for the vendors. One is that the more products they sell, the more samples they have to make those reputation-based decisions on. The second is that the customer is tied to that particular vendor for updates.
"We've seen cases where we've reduced incoming email traffic by 70 per cent just by checking the source IP address."
Blue Coat country manager, Wayne Neich, said it also does reputation databases but advised people to be careful about what they pass into their network. "If it's bad, block it; but even if it has a good reputation then it should still be scanned. There's no such thing as a trusted website," he said.