Isn't IPS all about catching malware?

Opinion by Dan Raywood

With so much furore over data-loss prevention, it is rare that we look at the capturing technology, in particular intrusion prevention systems (IPS).

With so much furore over data-loss prevention, it is rare that we look at the capturing technology, in particular intrusion prevention systems (IPS).

I recently spoke with Matt Jonkman, CTO of Emerging Threats Pro, who described its efforts in IPS as a "ten-year-old open source technology", but "the only open source that exists as anyone can do what they want with it".

I asked Jonkman the most basic question about IPS: should it stop malware coming in? He said: “We have one major target: an IPS that is good at catching malware. Companies have moved away from that as they are not getting hardware based on how comprehensive the ruleset is.

“Our focus is always on malware; IPS is better with an anti-virus client, but Suricata uses the session's command and control centre. With the major ruleset in the first version of Suricata, people took to it and decided to put in new features – from this we created a ruleset and this is where we came to be where we are. Our real focus is on malware and we publish a new ruleset every day.”

I asked him if a new daily ruleset was standard. He said most providers will issue a new ruleset once a week or once a month, but as Emerging Threats Pro takes in more than 50,000 malware samples a day and delivers 20-40 new signatures every day, it feels the need to issue a ruleset daily.

“A ruleset is around 1MB and the rule manager will see what it did not have and push it to the sensors,” said Jonkman.

“We are very much vendor agnostic and work with partnerships; we do not compete and hardware companies see us as a partner and an OEM.”

Emerging Threats Pro claims to be the only IPS company serious about identifying and analysing malware before it becomes effective. It also called the reliance on desktop-based anti-virus "a very short-sighted decision".

I asked Jonkman how it deals with zero-day threats; he said these were not the biggest threat as the company will get an initial sight of the command and control centre.

Emerging Threats Pro produces the ruleset for Snort and its own Suricata IDS that is based on, and supports, the Emerging Threats open source project. Jonkman explained that it was initially funded by the US Department of Homeland Security to build an open infrastructure; eventually the Open Software Foundation (OSF) built a next-generation engine, which it acquired and called Suricata.

Suricata remains an open source development owned by the OSF. It was recently boosted by Kaspersky Lab after the anti-virus vendor, which uses this ruleset for its in-lab research, began a co-operation, with malware samples exchanged and further work made on extending Emerging Threats Pro ruleset coverage.

Kaspersky Lab said its specialists had begun feeding data into Emerging Threats Pro to improve the ruleset for all its users.

Nikita Shvetsov, director of anti-malware research at Kaspersky Lab, said: “We are happy to be collaborating with the Emerging Threats Pro Team, the open source team to go to for the best IDS/IPS ruleset. Our combined efforts will [allow] both organisations to optimise their signatures, which will then trickle down to better internet security for all.”

Jonkman said Suricata is being used extensively and it continues to support the open version, which has been downloaded 170,000 times. He added: “We want people to realise that IDS is the best protection against malware and would like to say to administrators, 'why do you not just focus on catching malware?'."


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events