“Shooting the Hostage”: Why Current Generation Intrusion Prevention Systems Fails Business
As a corporate security manager, you are caught between a rock and a hard place. Your networks are under attack at an ever-increasing rate, from viruses, worms and people. The consequences of successful intrusion or infection continue to rise. And in the arms race, the dark side seems to have the upper hand: Intrusion detection and prevention (IDP) systems haven’t delivered the goods.
Ever since Gartner declared “IDS is Dead”, you would have thought that the rush of vendors putting out IDP systems would have by now solved all problems and resulted in a dramatic reduction of viruses, worms and whatnot. But it just isn’t so; corporations have balked about using IDP in-line.
Why is this? Simply put, IDP lacks the information to make accurate decisions, and as a consequence, tends to make the wrong decisions. And a wrong decision from an intrusion prevention perspective is to deny valid traffic at the first hint of an alert. Current IDP is like a police marksman when confronted with hostage and hostage taker – use the wrong weapon (such as a shotgun) and you take out the hostage as well as the criminal.
The problem is that current generation IDP lacks context about the network. It may positively identify an attack, but it knows nothing about the target’s likelihood of succumbing to the attack. An IDS can simply alert on anything that looks alarming, and generate many (false positive) events. An IPS does not have that luxury. So IPS vendors reduce the number of active rules to combat this, which simply defers the issue. Eventually, more rules must be made available to deal with the larger number of attacks.
But a larger problem lies at the heart of IPS. They can only detect the act of infection, whereas companies need also to detect the result of infection. Why? Because people take their laptops home, or take them to Starbucks. And once off the corporate LAN, they can roam wherever they like, pick up something nasty and bring it back to the office.
Gartner have hinted at the solution to this problem: Continuous scanning. Yet continuous scanning is not possible in the traditional sense, as scanning is by definition an iterative process. Also, scanning is an intrusive technology, which uses network bandwidth and can induce software instabilities in the scanned machines.
A better approach is to acquire information about network assets without resorting to intrusive means. This can be achieved by using a passive approach such as fingerprinting methods to profile the network. Such passive asset detection can determine OS vendor, OS version, services and service revision levels and hence likely vulnerabilities- all information vital in providing network context. This method has another advantage – it profiles machines much faster than active scanning as it is bounded by the line speed of the network, not on the response time of the queried machine.
Once context is established, data reduction methods can be applied to reduce the number of events that an IPS reports. In other words the accuracy goes up, and in the case where intrusion prevention is being performed, the system becomes much more reliable (the marksman now has a snipers rifle). And more information about the network means that further decisions can be made to deal with the aftermath of an intrusion – if a machine is seen to be hit by an exploit that is known to be successful, steps can be taken to repair the damage, such as running a virus scanner or patch management system.
Are there systems out there that can establish context and deliver the goods? Yes, there are some vendors who can do this. How can you tell?
One way is to apply the following simple criteria:
Can the system perform the Three D’s? Can it detect the act of intrusion and the result of intrusion? Can it apply data reduction methods to determine the best course of action? And can it defend your network by applying the ABC’s of defence – Alert you on critical events, block events if required and correct systems which have been compromised?
If these questions can be answered to your satisfaction, you can be assured that such a system can provide real business value and provide you with real-time network defense.