6/14/2018
08:05 AM
Simon Marshall

IPS: A Key Network Protection in an Age of Increasing Threats

Intrusion prevention systems (IPS) have had a checkered history in the enterprise, but the increase in malicious activity across business networks has shown that the technology can make a big difference to security.

Intrusion prevention systems (IPS) have had something of an up-and-down history within enterprise security. Originally not as popular as their intrusion detection cousins, IPS eventually outpaced detection systems, and today's next-generation IPS market is flooded with different vendors, approaches and results.

But behind the shiny storefront, what do enterprises need to know about IPS, what does the technology actually do for security, and why is it sometimes not ideal?

IPS vs. IDS vs. reality
Years ago, many companies were skeptical about IPS and worried that, because the system typically sits inline on the network, false positives would slow all traffic and deny access to users. In the early 2000s this was seen as a greater risk than adopting detection systems, which flag issues but leave the response to analysts.

The theory was that humans are better at deciding a course of action than IPS rule sets, which may be applied correctly or incorrectly.

Of course, as the number of vulnerabilities, and even more so exploits, kept growing, that approach was no longer viable: enterprises and their security teams succumbed to alert fatigue and lacked the resources to handle every alert. Although still signature-based, IPS was seen as more proactive than mere detection, and the rest is history.

Retail impact
The retail industry is unfortunately full of examples where IPS could have helped, such as details stolen from 5 million credit cards of Saks customers, or the loss of card data from customers of SONIC Drive Thru.

Gary Sprague, director of information security at Rent-A-Center, a national rent-to-purchase consumer goods retailer with over 3,000 stores in 50 states, knows that IPS is a 24x7x365 operation. He's aware of the mistakes other retail organizations have made.

So, although Sprague acknowledges it's a chore to keep IPS signature files up-to-date, along with manual tuning to ensure legitimate traffic is not stopped, he treats customer data very seriously.

"We work to not store information that is most attractive (to hackers). One cannot rest when protecting important data," Sprague told Security Now.
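The inline trade-off described above (detection-only alerts versus inline blocking, and the signature tuning needed to keep legitimate traffic flowing) as an added example, not code from the article or from any vendor mentioned in it; the rules, packets and signatures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    sid: int          # signature id
    action: str       # "alert" (detect only), "drop" (block when inline) or "pass" (tuning exception)
    dst_port: int
    content: bytes    # byte pattern the signature looks for in the payload
    msg: str
    src: str = ""     # optional source restriction, used here by the pass rule

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

# Constructed rules (hypothetical); SID 2 is over-broad and also fires on a legitimate file-sync client.
RULES = [
    Rule(1, "drop", 80, b"' OR 1=1", "SQLi probe in HTTP request"),
    Rule(2, "drop", 80, b"../", "Path traversal attempt"),
]

def first_match(rules, pkt):
    for r in rules:
        if ((not r.src or r.src == pkt.src) and r.dst_port == pkt.dst_port
                and r.content in pkt.payload):
            return r
    return None

def inspect(pkt, rules, inline):
    """Return (verdict, alerts). Detection-only mode (inline=False) can only
    alert; inline mode also drops on a 'drop' match. Pass rules are checked
    first, which is how a tuning exception suppresses a signature."""
    if first_match([r for r in rules if r.action == "pass"], pkt):
        return "forward", []
    r = first_match([r for r in rules if r.action != "pass"], pkt)
    if r is None:
        return "forward", []
    alert = f"[{r.sid}] {r.msg} from {pkt.src}"
    return ("drop" if inline and r.action == "drop" else "forward"), [alert]

# Constructed traffic: a real injection probe and a legitimate sync request.
ATTACK = Packet("203.0.113.9", 80, b"GET /?id=1' OR 1=1-- HTTP/1.1")
LEGIT = Packet("10.0.0.5", 80, b"PUT /sync?path=../shared/report.pdf HTTP/1.1")

# Tuning: a pass rule scoped to the trusted client keeps its traffic flowing without disabling SID 2 for everyone else.
TUNED = [Rule(3, "pass", 80, b"../", "trusted sync client", src="10.0.0.5")] + RULES

def run(inline, rules=RULES):
    return {p.src: inspect(p, rules, inline) for p in (ATTACK, LEGIT)}
```

In detection-only mode the over-broad signature merely produces a false-positive alert; inline it blocks the legitimate client until the pass rule is added.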

IPS for the cloud
One thing that really gives at least one CEO the willies is the lack of physical access to the perimeter when data is stored or moves through the cloud. That's not surprising because, as a cloud supplier to enterprises, he's responsible for his "half" of that.

"We have to assume that the shared responsibility model is working. AWS and Azure handle the physical side. If we can count on them -- and I believe we can -- then we have to get our arms around virtual entry points," David Levin, CEO of CloudspaceUSA, a firm that provides cloud services to enterprises based in Houston, told Security Now.

"There are many (of these) as we have many accounts, public addresses, gateway devices, VPNs, etc. That means we need as much verbose log information on external transitioning traffic as possible," Levin added. "Plus, we need internal traffic details from agents monitoring network traffic, and then a system to boil it all down from our partner Alert Logic, for the SOC and analytics."


Levin makes the point that, with so many existing variables in the cloud environment, one thing he loves is consistency -- meaning limiting the number of weak points in his architectures. He works with a single IPS supplier because to work with more would be an inherent security risk.

"That would introduce varying standards, protocols and other variables… and our designs would have to be more complex which would inherently be less secure," he said.

The bugbear for Levin is that some IPS systems never feel integrated or automated enough for his comfort level, and so there are still some trade-offs. And, as an evident realist, he's clear that security is fundamentally about best effort and practice. Along with the pen tests and security audits you'd expect from this type of company, Levin leans on automation to ensure systems he creates for his customers are designed, built and maintained securely.

So, given his preference to limit the number of moving parts in his security operation, how does he feel about the flood of new technology on the market?

"If a new technology does a better job than an existing system, I want it. Unless I can’t tell whether it does a better job," Levin said.

— Simon Marshall, Technology Journalist, special to Security Now
