Imagine what would happen if the police in a major city regularly published their plans to stop crime and catch thieves, including where all patrols are every hour. Do you think crime would go up? Do you think successful robberies would increase?
Now think about network intrusion prevention. Some of the most widely used intrusion prevention system (IPS) signatures are freely available online for anyone to download. I’m willing to bet that most cybercriminals have studied those rules and are constantly inventing new ways to beat them.
The fact that nearly all of these rules are based on pattern-matching — a method of identifying known threats and exploits — only continues to increase an attacker’s chance of success in breaching your network and getting to your business-critical data.
Issues With Old Network Protection Systems
Commonly, IPSs have focused on preventing specific exploits or known attack patterns. Using these pattern-based signatures, when an IPS found something it knew to be a threat, it could stop it. But developing a signature for each and every known exploit (as opposed to focusing on protection at the vulnerability level) was and is an onerous task, and using so many signatures can severely degrade the performance of your network security devices. Sacrificing network performance for protection was not an attractive trade-off.
There is a long-standing debate on the effectiveness of pattern-matching signatures. The simple truth is that the nature of threats has evolved over time. There has been a steady rise in unknown threats, such as zero-day attacks and mutated threats, compounded by advanced evasion techniques that obfuscate a strike. By definition, we do not yet have a pattern-based signature for the threats we’ve never seen before. So it begs the question: How do we stop this growing number of unknown threats?
Using Deep Packet Inspection for Intrusion Prevention
Pattern-matching signatures, while helpful in some instances, are simply no match for the tidal wave of evolving threats most organizations are up against today. But if you were able to inspect the content inside the data packets traveling along your network as opposed to just looking for known patterns, you would be in a much better position to protect yourself.
That’s where deep packet inspection (DPI) can help. DPI is software technology that provides the ability to inspect any network packet to its very end.
The advantages of doing so are clear: Full parsing of the content layers of the packet (layers six and seven) is the only reliable way to detect some of the most dangerous attacks, which are often mutated or obfuscated using embedded content, special encoding schemes, compression or nonstandard syntax.
By inspecting and recognizing the entire application payload of a packet, DPI enables intelligent security threat detection with heuristics and behavioral-based rule sets that is simply not possible with pattern-matching technology.
Protocol Analysis Module Stops Tomorrow’s Threats Today
Since 1999, IBM’s intrusion prevention products have been using deep packet inspection to protect networks. The core IPS protection engine is the IBM Protocol Analysis Module (PAM), developed by IBM X-Force.
PAM offers full DPI through layer seven and applies heuristics and behavioral analysis to its findings to identify both known and unknown threats, even within encrypted traffic. It is highly tuned to block suspicious content while letting legitimate traffic pass through.
Additionally, our next-generation IPS offers throughput speeds of up to 25 Gbps, so you don’t need to sacrifice performance for protection. So that malware hiding inside an image inside the PDF file you received attached to an encrypted email? Yeah, we can detect and block that.
If you’d like to learn more about the IBM Protocol Analysis Module, watch the on-demand webinar “Breaking the Pattern: The Importance of Deep Packet Inspection for Intrusion Prevention.” Not only will you learn more about PAM and how it works, but our IBM X-Force team will discuss specific examples of how PAM’s unique approach has protected against vulnerabilities months and even years before exploits were disclosed.