Intrusion Prevention and the Seven-Year Itch

As soon as I saw the life-sized Boba Fett cardboard stand-up on the fifth floor of Internet Security Systems, I knew I had found my people. After over 12 years in very large companies honing my competitive intelligence skills, I was looking for a smart, agile company to join and dig in and contribute on a small team, and the market leader in intrusion prevention fit the bill exactly.

By the end of my second week, the IBM acquisition of ISS was announced. We were but the first in a long list of independent network intrusion prevention companies to be acquired by big tech giants. In subsequent years, TippingPoint and Sourcefire were acquired by HP and Cisco, respectively. I eventually moved away from security in 2007, taking advantage of working for a very large company again, but the itch got the better of me and I returned to the security division in January of this year.

While I was away, intrusion prevention technology shifted over to make way for new layers of protection. Better analytics led to security intelligence solutions that analyze data from multiple security sources as behavioral-based endpoint detection surpassed the signature-only antivirus model. With the advent of bring-your-own-device and increased use of mobile technology to conduct business, networks no longer have a clearly defined perimeter. Is the intrusion prevention systems (IPS) model outdated?

Is There a Break-In Without Walls?

Seven years ago, Wikis were an emerging technology to crowdsource information. I won an internal competition for Wiki contribution at ISS and was awarded an iPod classic with a click wheel, a state-of-the-art way for me to listen to the same ’80s music as I had in my CD collection. Now, however, I can listen to my tunes (I’ve progressed slightly to the ’90s, so please get off my lawn while I shake my fist at you, kids) on the same device I use to make phone calls and check my work email. While the Wiki of seven years ago was solidly within the network perimeter, checking my work email on a mobile device means that perimeter is now nonexistent.

The deperimeterization of corporate networks and the advent of cloud computing means that classic intrusion prevention technology isn’t enough to detect malicious traffic. Detection has to improve and provide deeper inspection and contextual awareness.

Does This IPS Make My Network Look Fat?

There is still a divide in IPS technology between those that rely on statistical or protocol anomalies and those that are signature-based for specific threats. While statistical anomalies on a network can be effective in flagging malicious traffic in a proactive manner, proper tuning of the IPS is key to minimizing false-positives. On the other hand, a reactive, signature-based model isn’t effective for zero-day threats, given the lag between the malware and the deployment of the signature. Additionally, advanced persistent threats will mutate and outwit a signature-based intrusion prevention system. So what’s a security analyst to do?

A few months ago, my colleague, Jim Brennan, posted a blog called “Detection Is NOT the New Prevention,” which spoke to the oft-repeated question of reactive versus proactive protection methodologies. This comparison was around seven years ago, too, when concerns about turning on blocking signatures and capabilities was met with a heavy dose of skepticism because legitimate traffic could be blocked. Woe be to the security analyst who stopped valid traffic, so the ability to tune protection rules according to the organization’s traffic patterns and applications was imperative. To further fuel the fire, turning on massive numbers of signatures can significantly slow down performance of any intrusion prevention system, compromising network performance for the sake of protection.

Performance is still an issue, especially given mutations and the cyclical nature of malware, with attackers returning time and again to the “classics” because they still work. In this summer’s IBM X-Force Threat Intelligence Quarterly, researchers reported that attackers return to image-based spam because so many organizations are now relying on text filtering rather than image filtering for email servers. Attackers are smart, however, and took advantage of these lowered defenses to infiltrate networks.

No IPS Is an Island

One of the biggest advancements in the last seven years in IPS has been the evolution of integration with other technologies like malware sandboxing and security intelligence solutions. IPS, it seems, has found its place as a key component of a protection ecosystem rather than operating as an island. Bidirectional control with a security intelligence solution that lends additional insight into network traffic and anomalies based on data from users, applications and infrastructure can help security practitioners make smarter, timelier decisions on what to block or let through.

Individual excellence isn’t enough when organizations have a multitude of vendors with an even greater number of security products installed in their networks. Having an intrusion prevention system that can work with other security technologies is no longer a luxury, but rather a requirement to maximize protection. Security vendors are no longer competitors, but now also partners in a protection ecosystem for the benefit of our clients.

The Black Hat conference in Las Vegas was like a family reunion earlier this month. Competitors surveyed each other’s booths with the healthy skepticism of longtime rivals now made partners, appreciating the clever booth tchotchkes, slick demos and expanded protection capabilities. It was good to feel at home again, but I do miss Boba Fett.

Pamela Cobb

Market Segment Manager, IBM X-Force and Security Intelligence

Pamela Cobb directs product marketing activities for the IBM X-Force and Threat Protection offerings developing...