The Future Of IPS

Will next-generation IPS (NGIPS) feature sets maintain the relevance of IPS in security strategies?
Lauded long ago as a miracle pill for security operations, intrusion prevention systems (IPS) have been there and back again along the hype cycle curve. Now, as next-generation IPS (NGIPS) products are being put through their paces in real-world IT environments, the question is whether IPS will maintain its relevance in the enterprise or fade away as organizations put less emphasis on perimeter security and look to bundle similar features into unified threat management and next-generation firewall deployments.

There's no real consensus answer to that question. But if you average out the noise from promoters of NGIPS and nonbelievers on either side of the table, a middle ground emerges. As with many re-engineered products in the pantheon of old-school security technology, IPS continues to hold a valid place in the enterprise IT security roster when deployed well and supported by skilled staff.

"Despite the significant trend of deperimeterization [which has largely happened], IPS is still useful," says James Lyne, director of technology strategy at Sophos. "You may no longer depend on your network as the boundary of security, [but] it does not detract from the benefits of keeping your network clean and spotting unusual activity."

That's not to say there aren't naysayers. Take security consultant Nathaniel Couper-Noles, who considers himself a skeptic when it comes to IDS/IPS.

"For many of my clients, there's better bang-for-the-buck focusing on fundamentals like strategy and process before diving into complex reactive solutions they may not have the organizational capacity to use effectively," says Couper-Noles, principal security consultant for Neohapsis, explaining that trends around mobile, cloud computing, IPv6, and censorship-evasion technologies all pose challenges to the economics behind IPS. "IDS/IPS will probably not go away altogether, but current architectures may lose some mindshare, akin to how AV has lost some ground in the face of advanced and polymorphic attacks."


Nevertheless, other practitioners find that with the refinements offered by the latest crop of NGIPS, the technology helps beat the numbers game of risk reduction -- namely, not shooting for perfection but instead for incremental improvement.

"All of these solutions can be bypassed, but the evolving nature and comprehensive monitoring that they offer decrease the number of incidents where hackers are able to evade the technology," says Joshua Crumbaugh, lead penetration tester at IT Cyber Security. "Another benefit of these systems is their application awareness and full-stack visibility features. These features allow for strict enforcement of corporate acceptable use policy and prevent unauthorized use of restricted operating systems and software."

Perhaps most important in evaluating NGIPS is understanding that the "next" in next-gen is not revolutionary.

"They could have named it 'A Little Better than Before IPS' (ALBtBIPS) -- who in technology doesn't like a new acronym?" jokes Alex Chaveriat, consultant for SystemExpert. "These devices are getting better -- not by introducing new methods, but [by] vastly improving old methods like network heuristics -- contextual awareness, security reporting, application awareness, and overall deeper inspection."

That context piece is perhaps the most crucial addition to the quiver of IPS features, says Marty Roesch, founder and CTO of Sourcefire.

"A next-generation IPS is built on a foundation of information about the network it's protecting, continuously updated in real time," says Roesch, explaining that the system builds a map of the environment it protects and uses that to inform the IPS, "telling us how important the events are for a given specific network at a specific point in time."

This kind of context can be useful in better gauging the severity of perimeter threats, helping organizations evaluate each event against what is actually behind it and weigh its contextual significance, Chaveriat says.
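The mechanism Roesch and Chaveriat describe, an asset map that turns a raw signature hit into a contextual priority, can be sketched in a few lines. The following is an added illustration written for this article, not Sourcefire code and not how any shipping product implements the idea: the asset map, the alert fields, the criticality weights and the five sample events are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed asset map: a hypothetical stand-in for the network model an NGIPS
# keeps up to date in real time. Fields (os, open services, criticality) are assumptions.
ASSETS = {
    "10.0.1.10": {"os": "linux",   "services": {22, 443},   "criticality": "high"},
    "10.0.1.20": {"os": "windows", "services": {445, 3389}, "criticality": "medium"},
    "10.0.2.5":  {"os": "windows", "services": {80},        "criticality": "low"},
}

CRITICALITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Alert:
    sid: int            # signature id (constructed)
    dst_ip: str
    dst_port: int
    target_os: str      # OS the signature's exploit applies to: "windows", "linux" or "any"
    base_severity: int  # 1 (low) .. 3 (high), as rated by the rule author


def impact(alert, assets=ASSETS):
    """Return (reason, score). A score of 0 means the event could not have worked here."""
    host = assets.get(alert.dst_ip)
    if host is None:
        # Not in the map: keep the rule's own rating and surface the inventory gap.
        return ("unknown_host", alert.base_severity)
    if alert.target_os != "any" and alert.target_os != host["os"]:
        return ("not_vulnerable_os", 0)
    if alert.dst_port not in host["services"]:
        return ("port_not_open", 0)
    return ("relevant", alert.base_severity * CRITICALITY_WEIGHT[host["criticality"]])


SAMPLE_ALERTS = [  # constructed events
    Alert(1, "10.0.1.10", 445, "windows", 3),  # Windows SMB signature fired against a Linux host
    Alert(2, "10.0.1.20", 445, "windows", 3),  # same signature, Windows host with 445 open
    Alert(3, "10.0.1.20", 80, "any", 2),       # web attack against a host not serving web
    Alert(4, "10.0.9.9", 22, "linux", 2),      # host the map has never seen
    Alert(5, "10.0.1.10", 443, "any", 1),      # low-rated rule, but a high-criticality asset
]


def triage(alerts=SAMPLE_ALERTS, assets=ASSETS):
    """Order alerts by contextual score, highest first (stable for ties)."""
    scored = [(a.sid, *impact(a, assets)) for a in alerts]
    return sorted(scored, key=lambda row: -row[2])


if __name__ == "__main__":
    for sid, reason, score in triage():
        print(f"sid={sid:<3} score={score:<2} {reason}")
```

Two of the five events score zero because the target could not have been affected, and the lowest-rated rule outranks the unknown host because it hit the most critical asset; that reordering is the whole point of the context layer, and the `unknown_host` reason is the signal that the map needs updating.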

"Also, the NGIPS devices are starting to handle security reporting in better ways by providing an easy platform to review all data in one place," he says. "This data can be used to create plans not only to deal with the immediate threat, but also create future plans to prevent threats using analytics and metrics gathering from the new reporting platforms."

And however an organization may feel about the death of the perimeter, IPS still holds relevance as a segmentation tool, says Michael Patterson, CEO of Plixer International.

"Some companies should consider deploying an IDS/IPS on the internal network," Patterson says. "Monitoring for odd behavior patterns on the edge can miss visibility into threats trying to move laterally within the organization."
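Patterson's point about east-west visibility can be made concrete with a small detection pass over flow records: internal-to-internal sessions on remote-administration protocols from hosts that are not expected to open them, plus a fan-out count that catches one host reaching many peers. This is an added illustration, not code from Plixer or from the article; the internal range, the admin port list, the jump host and the seven flow lines are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed policy: internal ranges, remote-admin ports, and the hosts expected
# to initiate admin sessions. All of these are assumptions for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm"}
ADMIN_SOURCES = {"10.0.0.5"}   # e.g. an administrative jump host
FANOUT_THRESHOLD = 3           # distinct internal targets from one source

# Constructed flow records: timestamp, source, destination, destination port.
FLOWS = """\
2013-09-10T10:00:01 10.0.0.5 10.0.1.20 3389
2013-09-10T10:02:14 10.0.1.20 10.0.1.21 445
2013-09-10T10:02:15 10.0.1.20 10.0.1.22 445
2013-09-10T10:02:16 10.0.1.20 10.0.1.23 445
2013-09-10T10:03:00 10.0.1.30 203.0.113.7 443
2013-09-10T10:03:30 10.0.1.31 10.0.1.40 80
2013-09-10T10:05:00 10.0.1.50 10.0.1.20 5985
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (timestamp, src, dst, port) from the whitespace-separated records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield ts, src, dst, int(port)


def find_lateral(text=FLOWS):
    """Return per-flow findings and per-source fan-out findings."""
    sessions = []
    targets = defaultdict(set)
    for ts, src, dst, port in parse_flows(text):
        # Only east-west traffic on admin protocols is of interest here; egress
        # and ordinary internal service traffic pass through untouched.
        if not (is_internal(src) and is_internal(dst)) or port not in ADMIN_PORTS:
            continue
        if src in ADMIN_SOURCES:
            continue
        sessions.append({"ts": ts, "src": src, "dst": dst, "proto": ADMIN_PORTS[port]})
        targets[src].add(dst)
    fanout = [(src, len(dsts)) for src, dsts in sorted(targets.items())
              if len(dsts) >= FANOUT_THRESHOLD]
    return {"sessions": sessions, "fanout": fanout}


if __name__ == "__main__":
    result = find_lateral()
    for s in result["sessions"]:
        print(f'{s["ts"]} {s["src"]} -> {s["dst"]} ({s["proto"]})')
    for src, n in result["fanout"]:
        print(f"fan-out: {src} opened admin sessions to {n} internal hosts")
```

A perimeter-only sensor sees none of the flagged sessions, since neither endpoint is outside; that gap is exactly what an internal IDS/IPS placement is meant to close.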

Even if an organization considers perimeter protection a priority, though, IPS solutions are not necessarily a lock for all organizations. According to some, the more NGIPS adds features to its bag of tricks, the more it starts bleeding over into other categories that are already performing those functions.

"NGIPS shares a lot of cross-over with the functionality of UTM and NGFW. Both those solutions have the functionality of NGIPS, plus other capabilities as well," says Corey Nachreiner, director of security strategy for WatchGuard, which incidentally offers UTM technology. "If you believe you can benefit by consolidating the functionality found in NGIPS, then why not consolidate even more?"

Regardless, whether choosing the features in UTM or NGIPS, Nachreiner says organizations seeking to up their network control and visibility should be on the hunt for a tool that offers granular information about application activity, can decrypt HTTPS, and integrates with a range of authentication platforms. Most importantly, organizations should pay close attention to reporting and management consoles.

"Many of these solutions might look similar on paper, but the real differentiation is in how easy they are to manage and how many useful reports there are," Nachreiner says. "Look for features and functionality that will save you time in management and upkeep without sacrificing security."

And just as with traditional IPS, organizations newly deploying NGIPS should avoid "turning it to 11" when starting out.

"I think the biggest mistake, always, with intrusion prevention systems is to start with the kitchen sink approach: turning everything on and letting the chips fall where they may," Roesch says. "That's where people run into trouble with their intrusion prevention. People need to be willing to invest the time into configuring it properly, but you've got to start simple and build from there."

Herein may be the root of disillusion that many organizations have experienced with IPS in the past. According to Ron Schlecht of security service provider BTB Security, traditional signature-based technology is easily evaded, but as IPS added anomaly-based solutions and other advanced features, the learning curve has steepened.

"The appetite to continue to buy into these solutions is low, and people are more aware of the heavy lifting that goes into correctly implementing the solutions," he says. "Additionally, companies have to be mature enough to not only understand what they should be looking for, but have the capability to take action when something is detected."

The fact, agrees Chaveriat, is that organizations need the systems, processes, and skill sets in place to respond to threats or the investment is for naught. However, if those processes have already been honed, then NGIPS can be a successful part of the security equation.

"If IDS/IPS detection is a large part of your security program, then the upgrade [to NGIPS] is worth it as systems are constantly improving, offering fewer false positives and more detail," he says.
