In Part 1 of this series we asked the question: Would you re-hire your IPS if you interviewed it today? But it’s not a totally fair question. Because, before you hire someone (or in this case buy something) it’s pretty obvious that you need a deep and thorough understanding of what the job entails. Otherwise, frustration, handwringing, and assorted HR crises will emerge.
So, we pose this question to you: Can you even remember why you bought your IPS in the first place? It seems like a self-answering question for a product whose name, after all, is an Intrusion Prevention System.
Perhaps you got it for perimeter threat detection when protocol exploits were all the rage. Or maybe you wanted visibility into packet activity across the enterprise. Whatever your original rationale was for buying your IPS, the job description for an IPS has radically and forever changed.
The job of stopping intrusions is now about much more than just securing the front door (or the network perimeter). Yes, you have to do that. But most security teams realize that no matter how secure, how Fort Knox, your front door is, we live in a world where some attacks will still get through. Given this reality, the definition of an “intrusion” must change. The proverbial goal posts have moved down the field. Today, stopping intrusions means preventing attackers from stealing or destroying your data.
Attackers use evolving techniques like exploits and malware embedded in content that target users’ applications. That means your IPS needs to give you full-stage visibility as attackers move throughout your network – and not just when they barge in through the front door. It also means your IPS has to be able to look into content so that when your IPS gives you an alert, it can also give you enough information for you to DO something about it…in minutes…not days.
Also consider the seemingly endless array of “complementary” security components we’ve collected. We have firewalls, antivirus, IPSs, secure web gateways, DLP, full packet capture systems, security analytics, mail hygiene products, and the list goes on…and on…and on. We’ve bought SIEMs to help us interpret all that data, yet breaches keep happening at an alarming rate. We’ve acquired so many of them, in fact, that we spend most of our time managing them instead of using them.
To make ourselves feel good about all this, we’ve even developed a term – “Defense in Depth” – to rationalize all of these purchases (a term which Rick Holland, formerly an analyst at Forrester, rightly threw cold water on in his Expense in Depth blog post back in 2012). The reality is that – far from being “failsafe” – in many cases these products are all using the same technique (i.e. signatures) to spot the bad guys. And unfortunately, most of them – including your IPS – end up being alert generating machines that feed your SIEM. They create more work for you but don’t let you do anything about the alerts they raise.
Expense in Depth (including your legacy IPS) has brought us a world of superficial security. Do any of these situations sound familiar?
- You’re Out of Money and Out of Time. Deploying, maintaining and operating large security stacks doesn’t come cheap. Beyond initial licensing costs and ongoing annual maintenance, the operating experience comes with hidden costs, including training and ongoing customization to match desired workflows.
- You’re Alert Rich, but Information Starved. Alert triage hell is not security. Security pros are overwhelmed by oceans of alert data – but it often lacks the information needed to immediately validate a threat. To determine if a threat is real – and how dangerous it is – you must correlate information from one security product to another. That’s grunt work for security pros who should be spending their time ferreting out weaknesses on the network.
- You’ve Got an Alert. Now What? The current defense in depth approach has largely ignored the validation, response and remediation aspects that are core to the security workflow. Many security products are oriented toward detection – leaving security pros overwhelmed with alerts.
- You’ve Got Threat Intel. Now What? The reality is that even as organizations have acquired multiple analysis platforms, and sometimes dedicated platforms just for managing threat intelligence, it’s still difficult to apply that intel. YARA rules are powerful. But few organizations are able to actually apply them at scale across their enterprise.
With this reality in mind, what’s the new job description for an IPS? An example will help us think this through. A major U.S. healthcare company was evaluating a Next-Gen Intrusion Prevention System (NGIPS). Their mission was to lock down their sensitive data – including patient information – without piling more work onto the plate of their already-burdened security analysts. While prevention was important to them, they operated with the assumption that they were already compromised. So they knew they needed an approach that would enable them to rapidly respond to threats and identify compromised systems to prevent data theft.
So they looked for a solution that would help them automate their way out of the problem. While they ultimately selected Fidelis as their Next-Gen IPS, their requirements are instructive for anyone with limited security resources who’s rethinking their approach to IPS.
They wanted an NGIPS that could:
- Do Their Work for Them. Their top requirement was that it had to reduce the total amount of work in their operation. That meant they wanted it to automatically validate network-based alerts using endpoint activity so they would only see real, confirmed problems. They also wanted enrichment activity to happen without their security team logging into multiple products. For example, if an HTTP malware alert was generated in the system they wanted to know if it was the result of a user clicking on a URL received in an email. They also wanted to know if that user’s machine was actively compromised.
- Optimize Their “Expense in Depth” Stack. Next, they were focused on optimizing their investment in their network security stack, without adding to it. That meant doing more within a single product. For example, when they got an alert they wanted to be able to quickly get context about what was happening before and after the alert fired. They also wanted to see what type of content was involved. For example, an alert involving patient data would be much more important than a generic phishing email. And they wanted to do this and act immediately without having to swivel from one product to another and another.
- Eliminate Their Dependence on IT. They needed a solution that would allow them to break free of their dependence on IT. Specifically, they wanted to be able to take action without having to call in favors from IT to track down a log file (wait about a day), find out that IT gave them the wrong log files and request them again (and wait another day), only to do a deep AV scan and decide to just re-image the box because results were inconclusive (and wait for IT to re-image that box). In short, they wanted to take control of their own security program with a solution that could remotely investigate an endpoint (on or off network), determine if a potential threat actually compromised an endpoint, and immediately take remediation actions when it did. They chose to automatically quarantine suspected endpoints to a VLAN until an investigator could terminate malware processes and delete malware objects.
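The three requirements above describe one workflow: take a network alert, pull in the email and proxy context around it, confirm (or not) against endpoint activity, and only then decide on a response. The following is an added example of that validation logic, written for this article and not code from the original post or from Fidelis. All hosts, users, URLs, hashes and field names are constructed for illustration; the two-hour correlation window and the "quarantine to VLAN" action are assumptions standing in for whatever a real deployment would configure.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for the example (hypothetical hosts, users,
# URLs and hashes); not taken from any real environment.
IPS_ALERTS = [
    {"ts": "2015-03-02T09:14:05", "host": "10.10.4.21", "sig": "HTTP malware download",
     "url": "http://cdn-updates.example/invoice.exe", "sha256": "aa11", "content_tags": ["phi"]},
    {"ts": "2015-03-02T11:40:12", "host": "10.10.7.8", "sig": "HTTP malware download",
     "url": "http://files.example/report.scr", "sha256": "bb22", "content_tags": []},
]
MAIL_LOG = [  # mail gateway: which user received which URL, and when
    {"ts": "2015-03-02T08:50:40", "recipient": "jsmith", "url": "http://cdn-updates.example/invoice.exe"},
    {"ts": "2015-03-02T10:02:11", "recipient": "mlee", "url": "http://intranet.example/benefits"},
]
PROXY_LOG = [  # web proxy: which host fetched which URL
    {"ts": "2015-03-02T09:14:03", "host": "10.10.4.21", "url": "http://cdn-updates.example/invoice.exe"},
    {"ts": "2015-03-02T11:40:10", "host": "10.10.7.8", "url": "http://files.example/report.scr"},
]
ENDPOINT_EVENTS = [  # endpoint agent: did the downloaded object actually execute?
    {"ts": "2015-03-02T09:14:30", "host": "10.10.4.21", "event": "process_start", "sha256": "aa11"},
    {"ts": "2015-03-02T11:40:15", "host": "10.10.7.8", "event": "file_blocked", "sha256": "bb22"},
]
ASSET_MAP = {"10.10.4.21": "jsmith", "10.10.7.8": "mlee"}  # host -> primary user (assumed lookup)

WINDOW = timedelta(hours=2)  # assumed correlation window before/after the alert


def _ts(value):
    return datetime.fromisoformat(value)


def _first(records, predicate):
    """Return the first record satisfying predicate, or None."""
    return next((r for r in records if predicate(r)), None)


def enrich_alert(alert, mail_log=MAIL_LOG, proxy_log=PROXY_LOG,
                 endpoint_events=ENDPOINT_EVENTS, window=WINDOW):
    """Validate one network alert against mail, proxy and endpoint telemetry.

    An alert is only 'confirmed' when the endpoint shows the downloaded object
    executing; email delivery and proxy fetch are context, not confirmation.
    """
    t = _ts(alert["ts"])
    user = ASSET_MAP.get(alert["host"])

    # Was this URL delivered to the host's user by email shortly before the alert?
    email = _first(mail_log, lambda m: m["recipient"] == user and m["url"] == alert["url"]
                   and t - window <= _ts(m["ts"]) <= t)
    # Did the host actually fetch the URL (the "user clicked" question)?
    click = _first(proxy_log, lambda p: p["host"] == alert["host"] and p["url"] == alert["url"]
                   and t - window <= _ts(p["ts"]) <= t + window)
    # Did the object run on the endpoint after the download?
    executed = _first(endpoint_events, lambda e: e["host"] == alert["host"]
                      and e["event"] == "process_start" and e["sha256"] == alert["sha256"]
                      and t <= _ts(e["ts"]) <= t + window)

    confirmed = executed is not None
    # Content sensitivity raises priority only for confirmed compromises.
    priority = "high" if confirmed and "phi" in alert.get("content_tags", []) else (
        "medium" if confirmed else "low")
    return {
        "host": alert["host"],
        "user": user,
        "signature": alert["sig"],
        "delivered_by_email": email is not None,
        "user_clicked": click is not None,
        "executed": confirmed,
        "status": "confirmed" if confirmed else "unconfirmed",
        "priority": priority,
        "action": "quarantine_vlan" if confirmed else "none",  # assumed response policy
    }


def triage(alerts=IPS_ALERTS):
    """Enrich every alert and return only those an analyst must act on first."""
    results = [enrich_alert(a) for a in alerts]
    results.sort(key=lambda r: {"high": 0, "medium": 1, "low": 2}[r["priority"]])
    return results


if __name__ == "__main__":
    for r in triage():
        print(r["status"].upper(), r["priority"], r["host"], r["user"],
              "email" if r["delivered_by_email"] else "no-email",
              "executed" if r["executed"] else "not-executed", "->", r["action"])
```

In the constructed data the first alert is confirmed (emailed URL, fetched by the host, object executed, patient data involved) and would be quarantined; the second was fetched but blocked on the endpoint, so it stays unconfirmed and generates no analyst work beyond the record. The point of the structure is that the confirmation step depends on endpoint evidence alone; email and proxy data answer "how did it get here", not "is this host compromised".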
To sum up: a changing landscape means that we demand much more from an IPS than we ever did before. So it’s time to take a hard, fresh look at what your IPS needs to do, and then assess whether the one you have measures up.
So, whether you are buying a new next-gen IPS solution for the first time (like the healthcare organization we described) or looking to optimize your existing security stack, Step 1 is to define the job you are hiring it to do.
Next up in Part 3 of our series, we’ll move to a review of other technologies that organizations are using within their next-generation security stack, including next-gen firewalls, and explain how a next-gen IPS complements them.
-Jared Phipps, West Coast Manager