In Part 1 of this series we asked the question: Would you re-hire your IPS if you interviewed it today? But it’s not a totally fair question. Because, before you hire someone (or in this case buy something) it’s pretty obvious that you need a deep and thorough understanding of what the job entails. Otherwise, frustration, handwringing, and assorted HR crises will emerge.
So, we pose this question to you: Can you even remember why you bought your IPS in the first place? It seems like a self-answering question for a product whose name, after all, is an Intrusion Prevention System.
Perhaps you got it for perimeter threat detection when protocol exploits were all the rage. Or maybe you wanted visibility into packet activity across the enterprise. Whatever your original rationale was for buying your IPS, the job description for an IPS has radically and forever changed.
Here’s why.
The job of stopping intrusions is now about much more than just securing the front door (or the network perimeter). Yes, you have to do that. But most security teams realize that no matter how secure, how Fort Knox, your front door is, we live in a world where some attacks will still get through. Given this reality, the definition of an “intrusion” must change. The proverbial goal posts have moved down the field. Today, stopping intrusions means preventing attackers from stealing or destroying your data.
Attackers use evolving techniques like exploits and malware embedded in content that target users’ applications. That means your IPS needs to give you full-stage visibility as attackers move throughout your network – and not just when they barge in through the front door. It also means your IPS has to be able to look into content so that when your IPS gives you an alert, it can also give you enough information for you to DO something about it…in minutes…not days.
Also consider the seemingly endless array of “complementary” security components we’ve collected. We have firewalls, antivirus, IPSs, secure web gateways, DLP, full packet capture systems, security analytics, mail hygiene products, and the list goes on…and on…and on. We’ve bought SIEMs to help us interpret all that data, yet breaches keep happening at an alarming rate. We’ve acquired so many of them, in fact, that we spend most of our time managing them instead of using them.
To make ourselves feel good about all this, we’ve even developed a term – “Defense in Depth” – to rationalize all of these purchases (a term which Rick Holland, formerly an analyst at Forrester, rightly threw cold water on in his Expense in Depth blog post back in 2012). The reality is that – far from being “failsafe” – in many cases these products are all using the same technique (i.e. signatures) to spot the bad guys. And unfortunately, most of them – including your IPS – end up being alert-generating machines that feed your SIEM. They create more work for you but don’t let you do anything about the alerts they raise.
Expense in Depth (including your legacy IPS) has brought us a world of superficial security. Do any of these situations sound familiar?
With this reality in mind, what’s the new job description for an IPS? An example will help us think this through. A major U.S. healthcare company was evaluating a Next-Gen Intrusion Prevention System (NGIPS). Their mission was to lock down their sensitive data – including patient information – without piling more work onto the plate of their already-burdened security analysts. While prevention was important to them, they operated with the assumption that they were already compromised. So they knew they needed an approach that would enable them to rapidly respond to threats and identify compromised systems to prevent data theft.
So they looked for a solution that would help them automate their way out of the problem. While they ultimately selected Fidelis as their Next-Gen IPS, their requirements are instructive for anyone with limited security resources who’s rethinking their approach to IPS.
They wanted an NGIPS that could:
To sum up: a changing landscape means that we demand much more from an IPS than we ever did before. So it’s time to take a hard, fresh look at what your IPS needs to do, and then assess whether the one you have measures up.
So, whether you are buying a new next-gen IPS solution for the first time (like the healthcare organization we described) or looking to optimize your existing security stack, Step 1 is to define the job you are hiring it to do.
Next up in Part 3 of our series, we’ll move to a review of other technologies that organizations are using within their next-generation security stack, including next-gen firewalls, and explain how a next-gen IPS complements them.
-Jared Phipps, West Coast Manager