Once context is established, data reduction methods can be applied to reduce the number of events that an IPS reports. In other words the accuracy goes up, and in the case where intrusion prevention is being performed, the system becomes much more reliable (the marksman now has a snipers rifle). And more information about the network means that further decisions can be made to deal with the aftermath of an intrusion – if a machine is seen to be hit by an exploit that is known to be successful, steps can be taken to repair the damage, such as running a virus scanner or patch management system.

Are there systems out there that can establish context and deliver the goods? Yes, there are some vendors who can do this. How can you tell?

One way is to apply the following simple criteria:


Can the system perform the Three D’s? Can it detect the act of intrusion and the result of intrusion? Can it apply data reduction methods to determine the best course of action? And can it defend your network by applying the ABC’s of defence – Alert you on critical events, block events if required and correct systems which have been compromised?

If these questions can be answered to your satisfaction, you can be assured that such a system can provide real business value and provide you with real-time network defense.