Ever since Gartner declared intrusion detection dead ("IDS is Dead"), you would have thought that the rush of vendors putting out IDP systems would by now have solved all problems and produced a dramatic reduction in viruses, worms and whatnot. But it just isn't so; corporations have balked at deploying IDP in-line.
Why is this? Simply put, IDP lacks the information needed to make accurate decisions, and as a consequence tends to make the wrong ones. From an intrusion prevention perspective, the wrong decision is to deny valid traffic at the first hint of an alert. Current IDP is like a police marksman confronted with a hostage and a hostage taker: use the wrong weapon, such as a shotgun, and you take out the hostage along with the criminal.
The problem is that current generation IDP lacks context about the network. It may positively identify an attack, but it knows nothing about the target's likelihood of succumbing to it: whether the host even runs the targeted operating system or service, let alone a vulnerable version of it. An IDS can simply alert on anything that looks alarming and generate many false positive events. An IPS does not have that luxury, because for an in-line device every false positive is legitimate traffic dropped. So IPS vendors ship with fewer rules enabled to combat this, which simply defers the issue: eventually more rules must be enabled to deal with the growing number of attacks.
But a larger problem lies at the heart of IPS. An in-line device can only detect the act of infection as it crosses the wire, whereas companies also need to detect the result of infection. Why? Because people take their laptops home, or to Starbucks. Once off the corporate LAN they can roam wherever they like, pick up something nasty and bring it back to the office, and that infection never passed through the IPS.
Gartner have hinted at the solution to this problem: continuous scanning. Yet continuous scanning is not possible in the traditional sense, because active scanning is by nature an iterative process: each sweep produces a snapshot, and the picture is only as fresh as the last sweep. Scanning is also an intrusive technology; it consumes network bandwidth and can induce software instabilities in the scanned machines.
A better approach is to acquire information about network assets without resorting to intrusive means, by passively fingerprinting the traffic those assets already generate. Passive asset detection of this kind can determine OS vendor, OS version, running services and service revision levels, and hence likely vulnerabilities, all information vital in providing network context. The method has another advantage: it profiles machines much faster than active scanning, because it is bounded only by the line speed of the network rather than by the response time of each queried machine. The caveat is that a passive observer only sees hosts that talk; a machine that sends no traffic stays unprofiled until it does.
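As an added example (not code from the article or from any vendor it discusses), the Python below sketches both halves of the argument above: passive fingerprinting of TCP SYN packets and service banners to build an asset profile, then using that profile to decide whether an IDS alert justifies an in-line drop. The signature table, banner patterns, packets and the alert fields (`target_os`, `target_service`) are all constructed for illustration and are not a real fingerprint database or IDS rule format.

```python
# Passive asset profiling from observed traffic, then alert triage against the profile. Added
# example, not from the article; packets, banners, signatures and alert fields are constructed.
import re
import struct

OPTION_NAMES = {1: "NOP", 2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}
# Constructed lookup table: (initial TTL, window size, TCP option layout) -> OS guess.
SYN_SIGNATURES = {
    (128, 65535, "MSS,NOP,WS,NOP,NOP,SACK"): "Windows",
    (64, 5840, "MSS,SACK,TS,NOP,WS"): "Linux",
}
# Constructed banner patterns; each yields (product, version).
BANNER_PATTERNS = [
    re.compile(rb"^SSH-[\d.]+-(OpenSSH)_([\w.]+)"),
    re.compile(rb"Server:\s*(Microsoft-IIS|Apache|nginx)/([\d.]+)"),
]

def parse_tcp_options(raw):
    """Name the TCP options in order; the layout is a strong OS fingerprint."""
    names, i = [], 0
    while i < len(raw) and raw[i] != 0:           # kind 0 (EOL) ends the list
        kind = raw[i]
        # NOP is a lone byte; every other option carries a length byte (>= 2 when well formed)
        length = 1 if kind == 1 else (raw[i + 1] if i + 1 < len(raw) else 0)
        if kind != 1 and length < 2:
            break                                 # malformed option: stop rather than loop
        names.append(OPTION_NAMES.get(kind, "OPT%d" % kind))
        i += length
    return ",".join(names)

def fingerprint_syn(packet):
    """Return (src_ip, os_guess) for a raw IPv4/TCP SYN, or None for any other packet."""
    tcp = packet[(packet[0] & 0x0F) * 4:]
    if tcp[13] & 0x12 != 0x02:                    # need SYN set and ACK clear
        return None
    # Hop count is unknown, so round the on-wire TTL up to the nearest common initial value.
    initial_ttl = next(t for t in (32, 64, 128, 255) if packet[8] <= t)
    window = struct.unpack("!H", tcp[14:16])[0]
    layout = parse_tcp_options(tcp[20:(tcp[12] >> 4) * 4])
    src_ip = ".".join(str(b) for b in packet[12:16])
    return src_ip, SYN_SIGNATURES.get((initial_ttl, window, layout), "unknown")

def parse_banner(data):
    """Return (product, version) from a service banner, or None if unrecognised."""
    for pattern in BANNER_PATTERNS:
        m = pattern.search(data)
        if m:
            return m.group(1).decode(), m.group(2).decode()
    return None

def build_profile(syn_packets, banners):
    """Fold SYNs and banners into {ip: {"os": ..., "services": {port: (product, version)}}}."""
    profile = {}
    for pkt in syn_packets:
        fp = fingerprint_syn(pkt)
        if fp:
            profile.setdefault(fp[0], {"os": "unknown", "services": {}})["os"] = fp[1]
    for ip, port, data in banners:
        svc = parse_banner(data)
        if svc:
            profile.setdefault(ip, {"os": "unknown", "services": {}})["services"][port] = svc
    return profile

def triage(alert, profile):
    """Pick the in-line action: block only when the target can plausibly succumb."""
    asset = profile.get(alert["dst"])
    if asset is None or asset["os"] == "unknown":
        return "alert"                            # no context: raise it, do not drop blind
    if alert["target_os"] and alert["target_os"] != asset["os"]:
        return "log"                              # exploit targets an OS this host does not run
    svc = asset["services"].get(alert["dst_port"])
    if alert["target_service"] and (svc is None or svc[0] != alert["target_service"]):
        return "log"                              # targeted service not observed on that port
    return "block"

def build_syn(src_ip, ttl, window, options):
    """Construct a minimal IPv4/TCP SYN (checksums zeroed) to serve as sample input."""
    tcp_len = 20 + len(options)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, ttl, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")), bytes([10, 0, 0, 1]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 2, window, 0, 0)
    return ip_hdr + tcp_hdr + options

# Constructed samples: Windows-style SYN seen three hops away (TTL 125), Linux-style SYN, banners, alerts.
SAMPLE_SYNS = [
    build_syn("10.0.0.20", 125, 65535, bytes.fromhex("020405b4" "01" "030308" "01" "01" "0402")),
    build_syn("10.0.0.30", 61, 5840, bytes.fromhex("020405b4" "0402" "080a0000000000000000" "01" "030307")),
]
SAMPLE_BANNERS = [
    ("10.0.0.30", 22, b"SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n"),
    ("10.0.0.20", 80, b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"),
]
SAMPLE_ALERTS = [
    {"dst": "10.0.0.30", "dst_port": 22, "target_os": "Windows", "target_service": None},
    {"dst": "10.0.0.30", "dst_port": 22, "target_os": "Linux", "target_service": "OpenSSH"},
    {"dst": "10.0.0.99", "dst_port": 445, "target_os": "Windows", "target_service": None},
]

def run_demo():
    profile = build_profile(SAMPLE_SYNS, SAMPLE_BANNERS)
    return [triage(alert, profile) for alert in SAMPLE_ALERTS]  # -> ['log', 'block', 'alert']
```

Calling `run_demo()` returns the three actions: the Windows-only signature fired against the Linux SSH server is logged rather than dropped, the matching Linux/OpenSSH alert is blocked, and the alert against a host the sensor has never seen is raised for an analyst instead of being dropped blind. That last branch is the point of the article: without context the safe in-line action is not to shoot. Note that a single SYN gives only a heuristic OS guess (NAT, tuned TCP stacks and middleboxes all alter TTL and window), so a production profiler weighs many observations per host rather than trusting the first packet.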