Attacks/Breaches
9/4/2013 10:28 PM

The Future Of IPS

Will next-generation IPS (NGIPS) feature sets maintain the relevance of IPS in security strategies?

Lauded long ago as a miracle pill for security operations, intrusion prevention systems (IPS) have been there and back again along the hype cycle curve. Now, as next-generation IPS (NGIPS) products are being put through their paces in real-world IT environments, the question is whether IPS will maintain its relevance in the enterprise or fade away as organizations put less emphasis on perimeter security and look to bundle similar features into unified threat management (UTM) and next-generation firewall (NGFW) deployments.

There's no real consensus answer to that question. But if you average out the noise from promoters of NGIPS and nonbelievers on either side of the table, a middle ground emerges. As with many re-engineered products in the pantheon of old-school security technology, IPS continues to hold a valid place in the enterprise IT security roster when it is deployed well and supported by skilled staff.

"Despite the significant trend of deperimeterization [which has largely happened], IPS is still useful," says James Lyne, director of technology strategy at Sophos. "You may no longer depend on your network as the boundary of security, [but] it does not detract from the benefits of keeping your network clean and spotting unusual activity."

That's not to say there aren't naysayers. Take security consultant Nathaniel Couper-Noles, who considers himself a skeptic when it comes to IDS/IPS.

"For many of my clients, there's better bang-for-the-buck focusing on fundamentals like strategy and process before diving into complex reactive solutions they may not have the organizational capacity to use effectively," says Couper-Noles, principal security consultant for Neohapsis, explaining that trends around mobile, cloud computing, IPv6, and censorship-evasion technologies all pose challenges to the economics behind IPS. "IDS/IPS will probably not go away altogether, but current architectures may lose some mindshare, akin to how AV has lost some ground in the face of advanced and polymorphic attacks."


Nevertheless, other practitioners find that with the refinements offered by the latest crop of NGIPS, the technology helps beat the numbers game of risk reduction -- namely, not shooting for perfection but instead for incremental improvement.

"All of these solutions can be bypassed, but the evolving nature and comprehensive monitoring that they offer decrease the number of incidents where hackers are able to evade the technology," says Joshua Crumbaugh, lead penetration tester at IT Cyber Security. "Another benefit of these systems is their application awareness and full-stack visibility features. These features allow for strict enforcement of corporate acceptable use policy and prevent unauthorized use of restricted operating systems and software."

Perhaps most important in evaluating NGIPS is understanding that the "next" in next-gen is not revolutionary.

"They could have named it 'A Little Better than Before IPS' (ALBtBIPS) -- who in technology doesn't like a new acronym?" jokes Alex Chaveriat, consultant for SystemExpert. "These devices are getting better -- not by introducing new methods, but [by] vastly improving old methods like network heuristics -- contextual awareness, security reporting, application awareness, and overall deeper inspection."

That context piece is perhaps the most crucial addition to the quiver of IPS features, says Marty Roesch, founder and CTO of Sourcefire.

"A next-generation IPS is built on a foundation of information about the network it's protecting, continuously updated in real time," says Roesch, explaining that the system builds a map of the environment it protects and uses that to inform the IPS, "telling us how important the events are for a given specific network at a specific point in time."

This kind of context can be useful in better gauging the severity of perimeter threats, because it helps organizations evaluate each event against the host it actually targets and weigh its significance accordingly, Chaveriat says.
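As an added illustration (not code from the article, from Sourcefire or from any vendor named here), the following Python sketch shows the context mechanism Roesch and Chaveriat describe: each alert arrives with the vendor's base severity, and a constructed map of the protected network is used to suppress events that cannot affect their target and to weight the rest by asset criticality. The hosts, signatures, field names and scoring weights are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed asset map: what the NGIPS "knows" about its network.
# os = platform the host runs; services = listening ports;
# criticality = 1 (lab box) .. 5 (crown jewels).
ASSETS: Dict[str, dict] = {
    "10.0.1.10": {"os": "linux", "services": {22, 80}, "criticality": 3},
    "10.0.1.20": {"os": "windows", "services": {445, 3389}, "criticality": 5},
}


@dataclass
class Alert:
    sig: str            # signature name as the engine reports it
    dst_ip: str         # host the traffic was aimed at
    dst_port: int
    target_os: str      # platform the signature's exploit affects, or "any"
    base_severity: int  # vendor severity 1 (low) .. 5 (high)


def contextual_priority(alert: Alert, assets: Dict[str, dict] = ASSETS) -> int:
    """Return a 0..10 priority: vendor severity adjusted by asset context."""
    host = assets.get(alert.dst_ip)
    if host is None:
        # Unknown host: no context to apply, keep the vendor's number.
        return alert.base_severity
    if alert.target_os != "any" and alert.target_os != host["os"]:
        # Exploit cannot run on this platform: suppress entirely.
        return 0
    score = alert.base_severity
    if alert.dst_port not in host["services"]:
        score -= 2  # nothing is listening there; likely noise or a probe
    score += host["criticality"] - 3  # shift by how much the asset matters
    return max(0, min(10, score))


def triage(alerts: List[Alert]) -> List[Tuple[int, str]]:
    """Rank alerts by contextual priority, dropping those scored 0."""
    ranked = [(contextual_priority(a), a.sig) for a in alerts]
    return sorted((p, s) for p, s in ranked if p > 0)[::-1]


if __name__ == "__main__":
    sample = [  # constructed alerts
        Alert("MS-RPC exploit attempt", "10.0.1.10", 445, "windows", 5),
        Alert("SSH version probe", "10.0.1.10", 22, "linux", 3),
        Alert("SMB exploit attempt", "10.0.1.20", 445, "windows", 4),
    ]
    for priority, sig in triage(sample):
        print(f"{priority:2d}  {sig}")
```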

"Also, the NGIPS devices are starting to handle security reporting in better ways by providing an easy platform to review all data in one place," he says. "This data can be used to create plans not only to deal with the immediate threat, but also create future plans to prevent threats using analytics and metrics gathering from the new reporting platforms."

And however an organization may feel about the death of the perimeter, IPS still holds relevance as a segmentation tool, says Michael Patterson, CEO of Plixer International.

"Some companies should consider deploying an IDS/IPS on the internal network," Patterson says. "Monitoring for odd behavior patterns on the edge can miss visibility into threats trying to move laterally within the organization."

Even if an organization considers perimeter protection a priority, though, IPS solutions are not necessarily a lock for all organizations. According to some, the more NGIPS adds features to its bag of tricks, the more it starts bleeding over into other categories that are already performing those functions.

"NGIPS shares a lot of cross-over with the functionality of UTM and NGFW. Both those solutions have the functionality of NGIPS, plus other capabilities as well," says Corey Nachreiner, director of security strategy for WatchGuard, which incidentally offers UTM technology. "If you believe you can benefit by consolidating the functionality found in NGIPS, then why not consolidate even more?"

Regardless, whether choosing the features in UTM or NGIPS, Nachreiner says organizations seeking to up their network control and visibility should be on the hunt for a tool that offers granular information about application activity, can decrypt HTTPS, and integrates with a range of authentication platforms. Most importantly, organizations should pay close attention to reporting and management consoles.

"Many of these solutions might look similar on paper, but the real differentiation is in how easy they are to manage and how many useful reports there are," Nachreiner says. "Look for features and functionality that will save you time in management and upkeep without sacrificing security."

And just as with traditional IPS, organizations newly deploying NGIPS should avoid "turning it to 11" when starting out.

"I think the biggest mistake, always, with intrusion prevention systems is to start with the kitchen sink approach: turning everything on and letting the chips fall where they may," Roesch says. "That's where people run into trouble with their intrusion prevention. People need to be willing to invest the time into configuring it properly, but you've got to start simple and build from there."

Herein may be the root of disillusion that many organizations have experienced with IPS in the past. According to Ron Schlecht of security service provider BTB Security, traditional signature-based technology is easily evaded, but as IPS added anomaly-based solutions and other advanced features, the learning curve has steepened.

"The appetite to continue to buy into these solutions is low, and people are more aware of the heavy lifting that goes into correctly implementing the solutions," he says. "Additionally, companies have to be mature enough to not only understand what they should be looking for, but have the capability to take action when something is detected."

The fact, agrees Chaveriat, is that organizations need the systems, processes, and skill sets in place to respond to threats or the investment is for naught. However, if those processes have already been honed, then NGIPS can be a successful part of the security equation.

"If IDS/IPS detection is a large part of your security program, then the upgrade [to NGIPS] is worth it as systems are constantly improving, offering fewer false positives and more detail," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
AnonymousMan (User Rank: Apprentice), 9/23/2013 8:28:00 PM, re: The Future Of IPS
At the end of the day, if a system has enough context to know about and prevent real intrusions at the network layer... then we're either talking about the small window between identification and remediation, or something is absolutely wrong at the host layer. IPS can serve as a virtual patch for those vulnerability windows, but beyond that one has to wonder... why aren't we fixing the vulnerabilities rather than spending more time and money on tuning IPS?

Drew Conry-Murray (User Rank: Apprentice), 9/6/2013 2:01:37 AM, re: The Future Of IPS
As usual, it seems like the best defense is well-trained and motivated security staff. Yes, they need products and tools, but tools are just the start, not the end. Many organizations just want to throw a magic box at the problem so they don't have to think about it any more.

AccessServices (User Rank: Apprentice), 9/5/2013 2:00:56 PM, re: The Future Of IPS
I design security solutions. There are three problems with IPS:
1. You can't monitor everything. The technology to power monitoring everything is not cost effective. Most companies will choose to pass the packets that the IPS cannot process in lieu of dropping them. So a highly skilled person has to "tune" the IPS. This leads to problem 2.
2. IPS takes an investment in professional time to tune. Most companies that purchase an IPS don't understand the investment it takes to do this. An improperly tuned IPS will either allow malicious packets or drop valid packets. At this point the IPS is either neutered or disabled.
3. An IPS cannot inspect encrypted data unless it can decrypt it. If it is decrypting the data and inspecting it, it is putting a greater load on the device (see problem 1).

An IPS deployment is important for a defense in-depth strategy. A properly tuned IPS will make it harder for someone to penetrate an environment. For example, with an IPS, an attacker might have to flood the IPS with data in order to get malicious packets through. While this technique might work, the security staff should be more vigilant that a compromise took place.