Next-generation intrusion prevention: Defense before, during and after the attack

Over the past few years we've seen progress in the areas of network intrusion detection and prevention. For the most part this has been based on increasing the scope of the associated traffic and event inspection capabilities. For example, most signature bases have expanded to account for protocol usage. Of course, this has also enabled a shift, albeit a relatively small one, toward implementing more real-time responses (i.e., prevention), as opposed to manually initiated, after-the-fact corrective measures. Yet, it is still difficult to imagine anyone arguing against the need for even greater levels of effectiveness.

A significant challenge for intrusion detection and prevention technologies is that they operate at a single point along the timeline that characterizes an attack. Understanding this timeline is important for several reasons. It can help organizations position the confusing array of self-proclaimed, all-encompassing, policy, compliance, configuration, patch, vulnerability, threat and XYZ management technologies and capabilities that currently flood the market. It can also help organizations establish an over-arching monitoring and response process. And, it is the key to next-generation intrusion prevention -- a system that integrate capabilities across the continuum and enables what can best be described as automated policy enforcement.

The timeline itself is a relatively straightforward concept. It is comprised of three primary parts: the pre-attack period, time zero and the post-attack period. Briefly, the pre-attack period concerns activities to minimize the exposure to exploits; the time-zero period concerns activities that deal with both onset and ongoing exploitation of a defensive weakness; and the post-attack period is concerned primarily with "extended detection" (i.e. ex post facto), and recovery and remediation.

Admittedly, the nature of some attacks causes some blurring between the lines. For example, it is arguable whether low-and-slow, multi-stage attacks have a discrete time zero associated with them. Rather, they can be viewed as consisting of multiple time-zero events that, if left unchecked, culminate in a more significant and recognizable attack. These nuances are addressed further in part two of this series. The key points for now are that different technologies and sub-processes are applicable during the different phases of the evolution of an attack and that achieving maximum effectiveness at thwarting intrusions depends on implementing a solution that addresses each of these time periods. Accordingly, it is also necessary to take a closer look at each of these time periods.

NEXT-GENERATION INTRUSION PREVENTION

  A continuum of capabilities
  The pre-attack period
  Time zero (during the attack)
  The post-attack period
  The power of an integrated system

ABOUT THE AUTHOR:

Martin Roesch founded Sourcefire in 2001 and serves as its Chief Technology Officer. A respected authority on intrusion detection technology and forensics, he is responsible for the technical direction and product development efforts. Martin, who has 17 years industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort Intrusion Detection System (www.snort.org) that forms the foundation for the Sourcefire 3D System.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Microsoft WIL: How to take control of data integrity levels Screencast: Penetration testing with Metasploit Microsoft PatchGuard: Locking down the kernel, or locking out security? How to lock down instant messaging in the enterprise Employee-owned handhelds: Security and network policy considerations Worst practices: Exposing IAM blunders Screencast: Nessus Phased NAC deployment for compliance and policy enforcement BitLocker: Windows data protection with whole-disk encryption? Screencast: Opening up the Network Security Toolkit Network Intrusion Detection (IDS) RSA 2008: Sourcefire founder Roesch previews Snort 3 Screencast: Opening up the Network Security Toolkit Can a firewall alone effectively block port-scanning activity? Should an intrusion detection system (IDS) be written using Java? What security risks do enterprise honeypots pose? What are the benefits of 'in-the-cloud' network security services? Screencast: Snort -- Tactics for basic network analysis Can Snort stop application-layer attacks? Juniper UAC to deliver Shavlik patch management technology What kinds of network packet data can be extracted from Snort IDS? Network Intrusion Detection (IDS) Research Network Intrusion Prevention (IPS) What security risks do enterprise honeypots pose? What are the benefits of 'in-the-cloud' network security services? What is a 'top-down' IPS sensor search? Is a 'self-defending network' possible? Best practices for purchasing an intrusion detection device VeriSign, AirMagnet team up for wireless IPS Sourcefire, Nmap deal to open vulnerability scanning Interop: Vendors update software, demonstrate new security features McAfee launches IPS for 10g networks, but is IT ready? Microsoft NAP-TNC compatibility won't speed adoption, users say Network Intrusion Prevention (IPS) Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) intrusion detection  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.