Raising the security bar: Know and fine-tune your IPS
A long time ago, people thought that having a firewall in place would protect their systems and networks from any and every outside attack. And for a very short while, they were right.
But, as history has taught us, there is no silver bullet that will stop all threats, because they are forever evolving and our defenses must consequently evolve, too.
Detecting and understanding threats – and developing signatures for them – is a very difficult and very costly process. “Evasion techniques are fantastically effective,” said Anthony Haywood, CTO of Idappcom, at the Infosecurity press event in London. “They easily evade poor quality security rules.”
The other problem is a large quantity of disabled rules. Some due to performance, other to age – and all with the same goal: to increase (or keep) the speed up. But the vendors don’t tell you that – they don’t tell you their product is set up in such a way to detect only the last 1000 threats, that it looks for threats only on the default port, or that it looks only at the the first 300 bytes of the packet, which makes most signatures pointless.
Buying a security product, turning it on and choosing the default policy doesn’t make you safe. As a test conducted by NSS Labs in 2009 has shown, fine-tuning policies in Intrusion Prevention Systems is critical for an increased effectiveness:
In this particular example, the Sourcefire solution was 65 percent effective when using default policies, and 89 percent effective when the policies were tuned by the vendor. “With additional policy rules from outside organizations, the effectiveness can reach a 100 percent,” said Haywood.
He said that the expression “default policy” is misleading, and that it actually should be “simpler performance policy”. The truth is, if you want maximum throughput, you’ll get minimal protection – and that is something he feels that vendors should be upfront about. Bad security is worse than no security, because it gives you a false sense of safety.
There are a number of things that every organization can do to raise the security bar. It should add high quality security rules to their policies in order to increase detection and lower the number of false positives. It should perform regular assessments of used security technologies – and extend the life of existing devices. Regular auditing of defensive capabilities should also be a must.
Striking the right balance between speed and security can be difficult, but should be a priority for every organization.