Intrusion prevention systems have become one of the most critical layers in today’s network security infrastructure. Although a mature technology, intrusion prevention technologies employ some of the most sophisticated analysis capabilities available and are tasked with identifying and blocking an incredibly wide range of attacks, while doing so at lightning fast speeds required in today’s enterprises. It is clear that today’s intrusion prevention system must deal with an even broader and more sophisticated attack spectrum.
Looking back at the key trends of 2012, and the developments throughout the first half of 2013, today’s IPS technology needs to address several key areas. Let’s take a look at the four most critical:
1. Phishing Attacks and Malware Sites
As Phishing attacks become more prevalent, targeted and sophisticated, it is critical that an IPS is able to help protect both targeted users and the greater organization as a whole. Years ago, email security and anti-spam were the main solutions deployed for keeping phishing email from reaching users. Today, with the increasing adoption of social media, inspecting email isn’t enough.
Organizations need to have a way of securing the newest delivery mechanism for these attacks, such as social media. In addition to educating users on best practices, an IPS can be instrumental by granularly controlling access to social media sites that may be used as a delivery mechanism for phishing messages, as well as blocking access to known malware sites if a user inadvertently clicks a malicious link in an email that was not flagged as spam. In modern Spear Phishing attacks, social media sites catering to professionals are a preferred choice for attackers, making securing access to these sites a key priority for network security professionals.
2. Web Application Attacks
For the last several years, attacks targeting vulnerabilities in web applications have reined supreme. In fact, out of all of the disclosed vulnerabilities, Web application vulnerabilities have made up roughly 40-50% – a staggering number considering the thousands of vulnerabilities disclosed every year.
Modern day intrusion prevention systems must now deal with application-layer attacks,including providing monitoring and blocking of high severity web application attacks such as SQL injection and Cross-site Scripting. In many cases, IPSes can be used in conjunction with a Web Application Vulnerability Scanning tool to provide near-term protection as vulnerabilities are found and subsequently fixed.
3. Attacks Hidden in SSL Encrypted Traffic
This one is pretty straight forward – if you can’t inspect it, you can’t secure it. With the extensive use of SSL encryption in a variety of applications – including popular spear phishing vehicles like Facebook and Twitter – intrusion prevention systems must have the ability to look into encrypted sessions to identify potential security risks or attacks.
This could be a user accessing a a malware-infected site over SSL (possibly through a shortened link)or an external attacker using SSL to mask communication with a botnet command-and-control server. Since this type of inspection can often be very performance intensive, it is critical that today’s IPS solutions are able to perform this type of inspection extremely quickly and with minimal disruption.
4. Multi-faceted Attacks and APTs
With attackers now executing targeted, multi-faceted attacks, an IPS can no longer function in a silo. Modern intrusion prevention systems need to be able to integrate with other security technologies to help security administrators understand what other events are occurring outside their immediate view of the network. They also need to be able to provide security events and data flows to other analysis tools to perform critical correlation and anomaly detectionfunctions. This enables network security professionals to detect security threats that may have already penetrated perimeter defenses and are now hiding within the internal network.
Intrusion prevention systems continue to be the cornerstone of any organization’s main line of defense and will need to constantly evolve to meet the changing demands of securing today’s complex network environments. This includes adapting to new types of attacks, as well as attacks that are constantly mutating, while keeping pace with the speed and connectivity requirements within the Enterprise.