Rob Buckley – Freelance Journalist and Editor

Intruding on the bottom line

Are intrusion prevention systems worth the effort of managing them? Or can you get away with a good firewall? Rob Buckley investigates

It's a familiar story to Donal Casey, one he's seen many times. As a security consultant at Morse, he has installed several intrusion prevention systems. But he went back six months after installing an IPS at one client only to find they had unplugged their new IPS and put it in a storeroom. “They just couldn't cope with it,” he recalls.

As the latest step up the evolutionary ladder from intrusion detection systems (IDSs), IPSs try to block attacks rather than just warn that a possible attack might be under way. Many companies, including traditional security companies and networking vendors such as Cisco, Symantec, Check Point and McAfee, have begun to provide IPSs. But the first generation of IPSs proved a management nightmare for many customers, or was simply ineffective. So is the latest generation any better?

“Years ago, when IPS was an emerging technology, it had all sorts of issues,” recalls Andrew Wilson of the Information Security Forum. He has been watching the market since the emergence of IPS and over that time, little has happened to change his views.

“[There are] things to do with signature distribution, things to do with false positives, things to do with false negatives. There is the intense amount of effort needed to tune and get the right amount of management reporting. I think people now recognise that all of that is bedevilling IPS. The problems haven't gone away.”

Although approaches vary, intrusion prevention systems typically monitor the corporate network, either on the hosts that are likely to be attacked or on network devices. They are not just looking at the traffic itself, but also at the content of the traffic, trying to detect either malicious behaviour designed to exploit particular vulnerabilities or malicious content in the payload, such as a worm, virus or trojan.

The problems with many IPSs have been false positives and false negatives – what happens when the IPS wrongly identifies legitimate traffic as malicious, or misses an actual attack because it judged the traffic legitimate. If the IPS blocks legitimate traffic, it is effectively creating its own denial-of-service attack. And if it lets through an actual attack, of course, the network it is supposed to defend is compromised.

The result was a thumping management headache for many early IPS users. Configuring the IPS to the correct degree of sensitivity was often a tediously long and labour-intensive process that could still often result in a poorly calibrated system. Dealing with constant reports of potential malicious activity was also more than most IT staff had the resources to cope with. The result was an IPS that was often ignored or turned off altogether.

According to Dave Beesley, managing director of security consultancy Network Defence: “Customers are not really buying into this space. There is a perception that it's not really value for money and that the security budget is quite tight. I don't think historically there's been a compelling case provided for IPS, which I think the industry has begun to recognise.”

Yet many users still stuck with IPS. The requirements of auditors, typically for compliance, have proved a factor behind many such installations. “In the enterprise area, compliance is a major factor,” adds Beesley. “It can be a requirement of the auditors to have an audit trail. For SOX compliance, it's a useful tool for auditors to see logs of attacks being stopped.”

But genuine security concerns have also motivated organisations to invest in an IPS. There are now so many malicious internet attacks, mainly from automated “script kiddie” attacks, that the CERT security organisation has stopped recording the number, regarding it as meaningless. Despite a decrease in malware releases, last year IBM's Global Business Security Index Report saw an increase in attacks with criminal motivation, and expects that trend to continue. In particular, 2005 saw the arrest of cybercriminals around the world who were found to have links to organised crime. Many more were motivated by financial gain rather than destruction or ostentation.
