Security

How Context-Aware Intrusion Prevention Builds Better Network Defenses

The latest advances in network security can help organizations keep the bad guys out.

Mike Chapple is associate teaching professor of IT, analytics and operations at the University of Notre Dame.

Over the past few years, security professionals around the world have undertaken projects to convert their enterprise firewalls to the latest technology: next-generation firewalls. NGFW systems level up this technology by providing firewalls with more information — data that provides context about applications and users and allows the firewall to make more intelligent decisions about network access.

Considering the increasingly sophisticated arsenal of tools at the disposal of today’s modern cyberattacker, it’s now time for intrusion prevention systems (IPSs) to make that same leap into contextual awareness.

The newest intrusion prevention technology, next-generation IPS (NGIPS), is able to incorporate new data sources that dramatically improve the IPS’s ability to protect networks against attack. With these systems, you can incorporate information about your network and applications into your intrusion prevention strategy to build more robust defenses for your organization’s network.

48%

The percentage increase in cybersecurity incidents in 2014 versus 2013

SOURCE: PwC, “Global State of Information Security Survey 2015,” September 2014

The History of IPS

The standard IPS of yesteryear relied exclusively upon signature detection technology, similar to that used in anti-virus products. Research teams at IPS vendors developed large databases containing the signatures of known malicious activity. The IPS then monitored the network, searching for traffic matching those patterns and taking action to block any offending traffic. This standard IPS technology did an excellent job defending against known threats. If the IPS vendor saw an attack against any of its customers, it immediately sent out an updated signature file to all subscribers. Once they applied these updates, IPS users were protected against the new threat should it appear on their network.

But this old technique has a significant disadvantage: It uses a one-size-fits-all approach that simply doesn’t match up with today’s technology environment. The reality is that our network traffic consists of data generated by a wide variety of systems, users and applications, each of which has unique operating characteristics.

Traffic that may be indicative of an attack when directed at a sensitive database may be nothing more than routine requests when the destination system is a public-facing web server. The result is that security administrators are deluged with false alarms that ultimately lead them to disregard or disable IPS security controls.

How the Next Generation Uses Context

NGIPS technology uses contextual information in an attempt to overcome this limitation and restore the IPS’s place as a useful component of an enterprise security strategy. The NGIPS builds upon the signature detection mechanism of a standard intrusion prevention platform, but supplements it with the ability to synthesize information from a variety of sources in three contexts: network, vulnerability and user. In the network context, the NGIPS identifies the types of systems running on the local network. If a network consists entirely of Linux servers, the IPS can disregard an attack against a Windows service as noise. When scoping out the vulnerability context, the NGIPS calculates the likelihood that an inbound attack will succeed. By leveraging information from vulnerability scans, the NGIPS can identify and prioritize attacks against unpatched, vulnerable servers over those against fortified targets.

NGIPS administrators can automatically ignore alerts related to vulnerabilities that are already patched or are not applicable to the target’s operating system, and instead spend their time focusing on the most relevant IPS alerts. When older IPS technology is in use, the administrator often needs to perform this correlation manually, wasting valuable analysis time. In the user context, the NGIPS identifies the individual or individuals involved in a specific compromise. Information about devices is important to security professionals, but quickly linking that information to a specific human being can improve the speed and effectiveness of an incident response. If an intruder compromises the account of a user in the IT department to wage an attack, the NGIPS can quickly identify that illegitimate account use and isolate future activity from that user.

These new NGIPS capabilities hold great promise for improving the visibility that security administrators have into the state of security on their networks. By incorporating information about the network, vulnerabilities and users, NGIPS technology can help administrators make more informed security decisions.

Getting Started with Context-Aware IPS Technology

The key to getting a next-generation intrusion prevention system project off the ground well is to begin slowly and build upon your success. The most common cause of failure in an IPS deployment is the overzealous application of “block” rules. IPS projects are often quickly abandoned after disrupting legitimate business processes and gaining a reputation as the source of problems on a network.

You can overcome this by planning a gradual NGIPS deployment. Start by running the system in monitor-only mode and allow security analysts to interpret the NGIPS results. You may then slowly tune the system to actively defend against a threat when you are confident that the rules you are enabling have a low probability of creating false positive–induced outages.

This slow-but-steady approach to NGIPS will improve your odds of success. By integrating information from a wide variety of sources, NGIPS technology will let your IT security team make data-informed decisions about technical controls and improve the quality of intrusion prevention on corporate networks.

Atomic Imagery/ThinkStock