Next-generation intrusion prevention: The power of an integrated system

Previous tips in this series introduce the concept of an attack timeline and propose that next-generation intrusion prevention systems need to account for the full range of technologies and processes associated with its primary periods: pre-attack, time-zero and post-attack.

Of course, there is already evidence of the recognition for this need in the security market. Various vendors initially focused on one segment of the timeline have gone on to offer products addressing multiple sub-periods or even wholly different periods. Still others have attempted to achieve a similar result through complementary partnerships. However, in either case, the result to date has only been a relatively loose coupling or integration of disparate parts. What is needed for a true, next-generation system of intrusion prevention is a more thorough scope and depth of integration. Ideally, components in one period should provide benefits to components in each of the other periods. A minimum set of integration points that meet this objective would include the following:

• Results of assessments associated with the pre-attack period, depending on their depth of interrogation, can at a minimum establish the potential for susceptibility to certain threats and at a maximum definitively establish the presence of a known weakness. In either case, this information is used to automatically tune intrusion detection and prevention products, yielding less false positives, more reliable responsive actions, and even better performance and capacity (e.g., by foregoing inspections that are irrelevant to the specific systems that are being protected). Furthermore, this tuning can be dynamic, and therefore of even greater benefit, but only if the assessments are continuous in nature, as opposed to being based on infrequent snapshots.

• This very same assessment-based information can similarly support post-attack period tools. In particular, security event/information management systems (SEM/SIMs) can use it to improve their correlation accuracy as well as prioritization of findings.

• Considering the reverse direction of flow, it is inevitable that various post-attack period products, such as network behavior anomaly detectors (NBADs), SEM/SIMs and forensic tools, will uncover some number of attacks that evade whatever other safeguards have been put in place. Feeding information about these attacks back to intrusion detection and prevention tools will help prevent recurrence. At the same time, discovery of these successful attacks may point to previously undisclosed vulnerabilities, and feeding this information back to the pre-attack assessment tools will enable them to discover which other systems remain susceptible and support taking appropriate measures. The challenge in both of these cases, though, is to properly package and articulate the feedback so that the other tools can automatically make use of it.

• Finally, there is also the role of conventional access control tools. These have little to offer the other components, but can undoubtedly be used more effectively when presented with concise information from products at either end of the attack timeline.

Obviously, having this degree of integration is significant because it yields a more effective solution – one where the total is truly greater than the sum of the pieces. In part, this enhanced effectiveness can be attributed to the additional layers of automation that are achieved. After all, it is quite clear that today's fast moving worms and viruses are no match for defenses that depend on even a single manual reaction – not to mention the more common scenario of requiring multiple occurrences of "think time plus responsive action" to account for all of the different gaps in the vulnerability and threat management processes.

But even automation is subservient to and even dependent upon a much more significant prerequisite. Specifically, the role that establishing context plays in the success of next-generation intrusion prevention should not be under-estimated. Comprehensive and timely information about the particular environment that is being protected is the essential ingredient that underlies improved effectiveness. It affords better accuracy of detection and determination of relevancy while also facilitating greater automation by reducing the occurrence of false positives. Without such context, all of the other enhancements merely result in a more effective communication prevention system.

A closing thought has to do with appropriate terminology. The next-generation system of intrusion prevention that I've described can just as easily be called a Threat Protection System or even a Threat and Vulnerability Management System. For that matter it can be referred to by any other similar term that captures the extensive nature of its scope. The difference in these labels boils down to semantics and is mostly a matter of perspective. The underlying characteristics are the important distinction (e.g., scope, context and integration) and these should therefore be the focal point of enterprises striving for greater effectiveness in their information security endeavors.

NEXT-GENERATION INTRUSION PREVENTION

  A continuum of capabilities
  The pre-attack period
  Time zero (during the attack)
  The post-attack period
  The power of an integrated system

ABOUT THE AUTHOR:

Martin Roesch founded Sourcefire in 2001 and serves as its Chief Technology Officer. A respected authority on intrusion detection technology and forensics, he is responsible for the technical direction and product development efforts. Martin, who has 17 years industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort Intrusion Detection System (www.snort.org) that forms the foundation for the Sourcefire 3D System.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Intrusion Detection (IDS) RSA 2008: Sourcefire founder Roesch previews Snort 3 Screencast: Opening up the Network Security Toolkit Can a firewall alone effectively block port-scanning activity? Should an intrusion detection system (IDS) be written using Java? What security risks do enterprise honeypots pose? What are the benefits of 'in-the-cloud' network security services? Screencast: Snort -- Tactics for basic network analysis Can Snort stop application-layer attacks? Juniper UAC to deliver Shavlik patch management technology What kinds of network packet data can be extracted from Snort IDS? Network Intrusion Detection (IDS) Research Network Intrusion Prevention (IPS) What security risks do enterprise honeypots pose? What are the benefits of 'in-the-cloud' network security services? What is a 'top-down' IPS sensor search? Is a 'self-defending network' possible? Best practices for purchasing an intrusion detection device VeriSign, AirMagnet team up for wireless IPS Sourcefire, Nmap deal to open vulnerability scanning Interop: Vendors update software, demonstrate new security features McAfee launches IPS for 10g networks, but is IT ready? Microsoft NAP-TNC compatibility won't speed adoption, users say Network Intrusion Prevention (IPS) Research Network Security Tactics Microsoft WIL: How to take control of data integrity levels Screencast: Penetration testing with Metasploit Microsoft PatchGuard: Locking down the kernel, or locking out security? How to lock down instant messaging in the enterprise Employee-owned handhelds: Security and network policy considerations Worst practices: Exposing IAM blunders Screencast: Nessus Phased NAC deployment for compliance and policy enforcement BitLocker: Windows data protection with whole-disk encryption? Screencast: Opening up the Network Security Toolkit RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) intrusion detection  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.