As soon as I saw the life-sized Boba Fett cardboard stand-up on the fifth floor of Internet Security Systems, I knew I had found my people. After over 12 years in very large companies honing my competitive intelligence skills, I was looking for a smart, agile company to join and dig in and contribute on a small team, and the market leader in intrusion prevention fit the bill exactly.

By the end of my second week, the IBM acquisition of ISS was announced. We were but the first in a long list of independent network intrusion prevention companies to be acquired by big tech giants. In subsequent years, TippingPoint and Sourcefire were acquired by HP and Cisco, respectively. I eventually moved away from security in 2007, taking advantage of working for a very large company again, but the itch got the better of me and I returned to the security division in January of this year.

While I was away, intrusion prevention technology shifted to make room for new layers of protection. Better analytics led to security intelligence solutions that correlate data from multiple security sources, and behavioral-based endpoint detection surpassed the signature-only antivirus model. With the advent of bring-your-own-device and the increased use of mobile technology to conduct business, networks no longer have a clearly defined perimeter. Is the intrusion prevention system (IPS) model outdated?

Is There a Break-In Without Walls?

Seven years ago, Wikis were an emerging technology to crowdsource information. I won an internal competition for Wiki contribution at ISS and was awarded an iPod classic with a click wheel, a state-of-the-art way for me to listen to the same ’80s music as I had in my CD collection. Now, however, I can listen to my tunes (I’ve progressed slightly to the ’90s, so please get off my lawn while I shake my fist at you, kids) on the same device I use to make phone calls and check my work email. While the Wiki of seven years ago was solidly within the network perimeter, checking my work email on a mobile device means that perimeter is now nonexistent.

The deperimeterization of corporate networks and the advent of cloud computing mean that classic intrusion prevention technology alone isn’t enough to detect malicious traffic. Detection has to improve, providing deeper inspection of the traffic itself and contextual awareness of the users, applications and infrastructure behind it.

Does This IPS Make My Network Look Fat?

There is still a divide in IPS technology between engines that rely on statistical or protocol anomalies and those that are signature-based for specific, known threats. Statistical anomaly detection can flag malicious traffic proactively, including traffic nobody has written a signature for yet, but its threshold for “abnormal” has to be tuned to the organization’s own baseline, or legitimate bursts of activity become false positives. On the other hand, a reactive, signature-based model isn’t effective against zero-day threats, because of the lag between new malware appearing and a signature for it being written and deployed. Additionally, the actors behind advanced persistent threats mutate their tools so that the bytes on the wire no longer match the signature, outwitting a purely signature-based intrusion prevention system. So what’s a security analyst to do?

A few months ago, my colleague, Jim Brennan, posted a blog called “Detection Is NOT the New Prevention,” which spoke to the oft-repeated question of reactive versus proactive protection methodologies. The same comparison was being made seven years ago, too, when proposals to turn on blocking signatures and capabilities were met with a heavy dose of skepticism because legitimate traffic could be blocked. Woe be to the security analyst who stopped valid traffic, so the ability to tune protection rules according to the organization’s traffic patterns and applications was imperative. To further fuel the fire, turning on massive numbers of signatures can significantly slow down any intrusion prevention system, trading network performance for protection.
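The trade-off in the two preceding paragraphs is easiest to see side by side. The following is an added example, not code from the original post or from any IBM product: a toy signature matcher and a toy statistical rate detector run over constructed sample requests and a constructed baseline. The source addresses, request bytes, the `shell-in-cgi-param` signature name and the baseline counts are all made up for the illustration; `k` is the tuning knob that stands in for “tune the rules to the organization’s traffic patterns.”

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample traffic, not captured data: (second, source_ip, request_bytes).
# 10.0.0.5 is a normal browser, 10.0.0.7 sends a known attack and then a mutated
# copy of it, and 10.0.0.9 floods the server.
TRAFFIC = [
    (0, "10.0.0.5", b"GET /index.html HTTP/1.1"),
    (1, "10.0.0.5", b"GET /about.html HTTP/1.1"),
    (1, "10.0.0.7", b"GET /cgi-bin/x?cmd=;/bin/sh -c id HTTP/1.1"),
    # Same intent, different bytes: extra slashes still resolve to /bin/sh.
    (2, "10.0.0.7", b"GET /cgi-bin/x?cmd=;/bin///sh -c id HTTP/1.1"),
]
TRAFFIC += [(3, "10.0.0.9", b"GET /login HTTP/1.1")] * 40            # flood
TRAFFIC += [(4, "10.0.0.5", b"GET /assets/img%d.png HTTP/1.1" % i)  # legit asset burst
            for i in range(12)]

# Constructed baseline: per-source requests per second observed during a quiet
# period on this site, including a few legitimate asset bursts of 10-12 per second.
BASELINE = [1, 2, 1, 3, 2, 1, 2, 12, 1, 2, 3, 11, 2, 1, 10, 2]

# Hypothetical signature for the known attack above.
SIGNATURES = {
    "shell-in-cgi-param": re.compile(rb";\s*/bin/sh\b"),
}


def signature_hits(traffic):
    """Reactive, signature-based detection: flags only bytes we have already seen."""
    hits = []
    for second, ip, req in traffic:
        for name, pattern in SIGNATURES.items():
            if pattern.search(req):
                hits.append((second, ip, name))
    return hits


def anomaly_threshold(baseline, k):
    """Requests per second above mean + k standard deviations count as abnormal."""
    return mean(baseline) + k * pstdev(baseline)


def anomaly_hits(traffic, baseline, k):
    """Statistical detection: flags any (second, source) whose request count
    exceeds the site's own baseline; k is the tuning knob."""
    threshold = anomaly_threshold(baseline, k)
    counts = Counter((second, ip) for second, ip, _ in traffic)
    return sorted((second, ip, n) for (second, ip), n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("signature hits:", signature_hits(TRAFFIC))
    for k in (1, 3):
        print(f"anomaly hits, k={k} (threshold {anomaly_threshold(BASELINE, k):.1f}):",
              anomaly_hits(TRAFFIC, BASELINE, k))
```

The signature catches the original request and misses the mutated one; neither engine alone covers both the flood and the known exploit. With `k=1` the rate detector also flags the browser fetching twelve images in one second, exactly the false positive that made analysts reluctant to turn on blocking; with `k=3`, derived from this site’s baseline, it flags only the flood.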

Performance is still an issue, especially given mutations and the cyclical nature of malware, with attackers returning time and again to the “classics” because they still work. In this summer’s IBM X-Force Threat Intelligence Quarterly, researchers reported that attackers have returned to image-based spam because so many organizations now rely on text filtering rather than image filtering for their email servers. Attackers are smart, and they took advantage of these lowered defenses to infiltrate networks.

No IPS Is an Island

One of the biggest advancements in IPS in the last seven years has been the evolution of integration with other technologies like malware sandboxing and security intelligence solutions. IPS, it seems, has found its place as a key component of a protection ecosystem rather than operating as an island. Bidirectional integration with a security intelligence solution, which lends additional insight into network traffic and anomalies based on data from users, applications and infrastructure, can help security practitioners make smarter, timelier decisions on what to block or let through.

Individual excellence isn’t enough when organizations have a multitude of vendors with an even greater number of security products installed in their networks. Having an intrusion prevention system that can work with other security technologies is no longer a luxury, but rather a requirement to maximize protection. Security vendors are no longer competitors, but now also partners in a protection ecosystem for the benefit of our clients.

The Black Hat conference in Las Vegas was like a family reunion earlier this month. Competitors surveyed each other’s booths with the healthy skepticism of longtime rivals now made partners, appreciating the clever booth tchotchkes, slick demos and expanded protection capabilities. It was good to feel at home again, but I do miss Boba Fett.
