The future of IPS, IDS and SIEM
Malware hits the Mac but is it worth worrying about?
Last year I asked what role intrusion prevention systems (IPS) play in modern IT departments, and wasn't it all about catching malware.
The truth is, anti-virus is more about catching malware than IPS and security incident and event management (SIEM) has emerged as the technology to review incidents in the aftermath.
What we have seen in the past few years is a series of technologies launched that add another layer to existing capabilities, so protection for web defence is aided with a second layer and even SIEM is now called ‘2.0' in some areas.
I asked some of the new and existing vendors what they thought of this sector of the market. James Todd, European technical lead at FireEye, said that the introduction of IPS came from the development of another layer to protect firewalls and desktop anti-virus. A common flaw with signature-based and heuristic engines is that they have milliseconds to make a decision, so attacks are only detected on static code. Therefore SIEM can give a wider view of the environment.
Ashley Stephenson, European vice president of Corero Network Security, said that nothing is dead or obsolete; rather it is revamped or remade to meet industry demand. Users are looking for integration rather than building blocks and features are moving into fewer appliances, so what was in ten boxes is now in two or three.
Asked if these will shrink into more compact solutions, he said: “They will not shrink, but there will be more features and more consolidation until a new capability is added. Check Point can add more and more options into the software blade technology and Corero uses the firewall technology into our IPS technology. We are the first line of defence to determine and protect against DDoS attacks, so we don't see obsolete equipment, we see an overall evolution of product layers.
“The features will be integrated and the capabilities will be put into fewer boxes that need to deploy and it is possible that a new layer will pop-up as attacks become more sophisticated.”
Ash Patel, country manager for UK and Ireland at Stonesoft, said that with the plethora of devices, it was important to have a holistic view, and a good SIEM that ‘can bring things together' and allow you to manage third party software is crucial.
He said: “Security is not about technology, it is about people managing it and a good management system. Is it still relevant? If you do deep packet inspection (DPI) and intrusion prevention then why do you need a separate IPS? A DPI firewall will not look at all traffic types but it is the core gateway.
“The other part that is laxed is the use of IPS internally, and the combination of internal and external security is blurred with the use of personal devices and flexible workers.
“The security need is ever changing and the problem with technology is that it is quite siloed, a firewall is a firewall and it will reach the security needs of today but the security lifecycle is ever decreasing, while the threat is increasing. It is about transformable, agile and dynamic solutions that change with business needs.”
I asked Ross Brewer, managing director and vice president of international markets at LogRhythm, whether such technologies are still relevant. He said he would question whether IPS or intrusion detection systems (IDS) are still relevant, but only as much as the return on investment dictates.
“It is difficult to ‘sweat' the assets as they throw up an enormous amount of activity, so is it worthless? SIEM is ten years old and was launched as people thought they were not getting value from firewalls and not tracking threats. Now in 2012, we are asking the same question,” he said.
“I think they are all still relevant, as there are cyber crime toolkits that use exploit methods. A customer recently told me that the ‘reality is that there is nothing new', as the techniques are the same as ten years ago, but the programming and speed it operates at is different.
“IDS picks up some activity and you need to see within that activity, and that is the next generation that looks into attacks, but it is very limited in its view into the handling of protocols and threat vectors to get into the organisation. Holistically it is one sliver of the holistic view and SIEM 2.0 has increased the relevance to sweat the IDS so it can determine the background noise of the internet or something more significant.”
According to this view, SIEM and IPS are still relevant as they can protect against modern attacks. They evolve as the attacks evolve, which adds credibility to the argument that a second layer is needed to protect networks.
I questioned Joern Dierks, EMEA chief security strategist at NetIQ, about if there was a need to consider a second layer or advanced protection and whether IPS and SIEM still served a purpose. He said: “In the context of today's regulatory environment, there definitely remains a need for log management solutions for compliance purposes. There are still many companies that don't see a benefit in running full SIEM solutions, but are rather looking to fulfil their regulatory needs for long-term data storage.
“With regard to IPS solutions, I firmly believe that these also have a purpose. They are able to intelligently add value into a SIEM solution by analysing the network traffic and alerting on detected patterns of attack.
“Whether the value is high for customers buying only an IPS solution as a standalone system is debatable, but when integrated with a SIEM solution, the value rises due to the additional analysis capabilities of it. So, do you need to add a second layer? Not if a SIEM solution is used.”
I put the same question to Jon Inns, co-founder of EdgeSeven, which runs as a second layer to the ArcSight SIEM and was established after the HP acquisition. He said that he felt that IPS and SIEM still very much serve a purpose, and if anything they are not deployed widely enough.
He said: “There has been a lot of investment in security technology over the last five to ten years, but the mentality is commonly one of buy cheap, install fast and then forget about it. Quite often this is due to some compliance requirement and the reality is that this approach will deliver little to no value or protection. It may tick a compliance box, but when the whole purpose of compliance is to drive standards and improvements, the tick box approach really doesn't do anything to improve security.”
Inns said that his customers' perspective is that they want the technology to work for them, and for it to deliver when they want and need it to. The next evolution in security is about an attitude adjustment that should ultimately result in a ‘business-driven integrated platform'.
He said: “What this really means is that technologies such as SIEM, IDS and privileged user management are all key to securing their own part of the enterprise. They are still current and still have capabilities to detect or prevent most attacks, but the goal must be everything integrated to provide a coherent and contextual view, not lots of standalone bits and pieces that only one person understands and controls and nobody else cares about.”
John Vecchi, vice president of marketing at Solera Networks, said that as organisations now accept the inevitability of security breaches, they need to consider those advanced, emerging technologies that will help them quickly and accurately answer key questions after a major security event – such as who was responsible, how did they do it and what data was compromised?
He said: “Having the visibility that provides these answers will require a new, advanced security technology - Security Intelligence and Analytics (SIA) - that combines with the standard/traditional security technologies, which will continue to be deployed and used, already deployed.
“This new, advanced technology goes beyond traditional predictive models and embraces the industry move from 'packets' to 'flows' to 'DPI' to 'files'. SIA also embraces big data and the metadata explosion, paving the way to a new approach based on an explorative security model—collecting the data and allowing for information and relationships to emerge rather than succumbing to confirmation bias (i.e. predictive security models).
“This provides data-driven situational awareness, as opposed to the situational blindness that exists today. So, this new, advanced technology (full packet capture, combined with high-speed deep packet inspection, indexing and reconstruction) will not only represent the next critical layer of security, and the next mainstream security segment, I believe it will revolutionise the security space.”
It seems these technologies are important to visibility, so they will remain key to businesses, but what can the new technologies add to the security sector and their users?
I asked Solera Networks, NetIQ and EdgeSeven if they felt that their offerings could cause the end, or at least a sea change, in the traditional IPS and SIEM space.
Solera Networks' Vecchi said that he felt that there is a shift occurring under the feet of the traditional security market, due to a new sense of enlightenment, as organisations of all shapes and sizes accept that security breaches are likely and inevitable.
He said: “However, this does not mean that today's preventative security technologies are facing the end as we know it, or are not important, effective or needed. They're absolutely needed, effective and advised, and very much still an important part of an effective, multi-layered security strategy.
“In fact, these traditional technologies just continue to evolve delivering more functionality, coverage and security effectiveness in a more consolidated solution. These include next-generation firewalls, next-generation IPS, SIEMs and advanced malware solutions and more. We integrate with most of these solutions and work to make them even better and more effective. Yet the reality is that these technologies cannot stop the threats they can't see.”
He said that organisations today have deployed a significant number of preventative security point-products, and this has led them to have a gap-filled ‘picket fence' perimeter and today's next-generation security products are working to make those gaps tighter, but can't close them.
“Advanced malware will therefore target those gaps, leading to inevitable security breaches and information loss. Thus, as organisations reach their tipping point with 'point-product' fatigue, they are accepting the reality of this picket fence and turning their attention towards breach 'preparedness' — technologies that can help prepare for the reality of these gaps while delivering 20/20 visibility of everything going in and out of the network (advanced security intelligence and big data security analytics). This is what is now causing a sea change in the traditional IPS/SIEM/next-generation firewalls/log management technology space,” said Vecchi.
So, are advanced, or next-generation technologies in effect working alongside existing technologies rather than adding a second layer, or perhaps doing a bit of both? If they provide visibility, is it a case of creating too much data?
NetIQ's Dierks said that the traditional IPS/SIEM/log management solutions very often create more issues than they solve and the ‘event flood' required is so big that the analysis needs to be performed by an individual who has to have extensive knowledge in the monitored solutions, the network topology, networking protocols, systems and applications, etc.
He said: “There are many things that are not detectable by a correlation engine. This is really where new technology comes into play. Correlation can detect incidents that you know might exist, whereas anomaly detection can detect incidents that you did not know exist. This capability is a breakthrough to the issues previously found in traditional IPS/SIEM/log management solutions.
“By providing a self-learning technology that uses the taxonomy of the incoming events to build a baseline, modern SIEM solutions can automatically detect deviations from the baseline in order to make users aware of any new, unknown threats. In order to remain competitive, providers must deliver these advanced capabilities alongside ease-of-use, which will definitely create a change within the SIEM market.”
Finally, EdgeSeven's Inns said that while new and exciting technology is always great to see, what is already available is very capable and in his opinion, the next engineering marvel will be the re-engineering of business attitude and the sea change still needs to be in executive support for security.
“Executives don't need to be security gurus to make the decision, but they need to believe in the risk and want to be proactive about the solution,” he said.
It seems then, that IPS, IDS and SIEM solutions are still important parts of modern IT departments, but they need to evolve and change with the times.
Coincidentally, while I was researching this article I was asked why I was looking at IPS and SIEM in the same article. My answer was that while not closely linked, the two technologies are what the majority of IT departments will have, and possibly use, for similar purposes (to know and see what is going on in the network).
Technologies exist because people need them and use them; otherwise they would not be on the marketplace and would not have passed an approval stage in R&D. However things evolve because the threats change and improve, and in order to keep up to date, vendors have to produce what the user wants.