"Shooting the Hostage": Why Current Generation Intrusion Prevention Systems Fails Business
by Dominic Storey - Technical Consultant at Sourcefire - Wednesday, 27 October 2004.
As a corporate security manager, you are caught between a rock and a hard place. Your networks are under attack at an ever-increasing rate, from viruses, worms and people. The consequences of successful intrusion or infection continue to rise. And in the arms race, the dark side seems to have the upper hand: Intrusion detection and prevention (IDP) systems havenít delivered the goods.

Ever since Gartner declared "IDS is Dead", you would have thought that the rush of vendors putting out IDP systems would have by now solved all problems and resulted in a dramatic reduction of viruses, worms and whatnot. But it just isnít so; corporations have balked about using IDP in-line.

Why is this? Simply put, IDP lacks the information to make accurate decisions, and as a consequence, tends to make the wrong decisions. And a wrong decision from an intrusion prevention perspective is to deny valid traffic at the first hint of an alert. Current IDP is like a police marksman when confronted with hostage and hostage taker Ė use the wrong weapon (such as a shotgun) and you take out the hostage as well as the criminal.

The problem is that current generation IDP lacks context about the network. It may positively identify an attack, but it knows nothing about the targetís likelihood of succumbing to the attack. An IDS can simply alert on anything that looks alarming, and generate many (false positive) events. An IPS does not have that luxury. So IPS vendors reduce the number of active rules to combat this, which simply defers the issue. Eventually, more rules must be made available to deal with the larger number of attacks.

But a larger problem lies at the heart of IPS. They can only detect the act of infection, whereas companies need also to detect the result of infection. Why? Because people take their laptops home, or take them to Starbucks. And once off the corporate LAN, they can roam wherever they like, pick up something nasty and bring it back to the office.

Gartner have hinted at the solution to this problem: Continuous scanning. Yet continuous scanning is not possible in the traditional sense, as scanning is by definition an iterative process. Also, scanning is an intrusive technology, which uses network bandwidth and can induce software instabilities in the scanned machines.

A better approach is to acquire information about network assets without resorting to intrusive means. This can be achieved by using a passive approach such as fingerprinting methods to profile the network. Such passive asset detection can determine OS vendor, OS version, services and service revision levels and hence likely vulnerabilitiesĖ all information vital in providing network context. This method has another advantage Ė it profiles machines much faster than active scanning as it is bounded by the line speed of the network, not on the response time of the queried machine.

Once context is established, data reduction methods can be applied to reduce the number of events that an IPS reports. In other words the accuracy goes up, and in the case where intrusion prevention is being performed, the system becomes much more reliable (the marksman now has a snipers rifle). And more information about the network means that further decisions can be made to deal with the aftermath of an intrusion Ė if a machine is seen to be hit by an exploit that is known to be successful, steps can be taken to repair the damage, such as running a virus scanner or patch management system.

Are there systems out there that can establish context and deliver the goods? Yes, there are some vendors who can do this. How can you tell?

One way is to apply the following simple criteria:


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th