Before we delve into the why, let’s first discuss what Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are and how they work, since they are two of the most common security measures that enterprises use to protect themselves from malware, worms and all other types of cyber attacks.
From a technical standpoint, an IDS is an appliance or software application that monitors networks and/or systems for malicious activity or policy violations. If the product detects something anomalous, it will send alarms and alerts, or report to a third-party management system. An IDS identifies suspected intrusions on signature-based, statistical anomaly based, and/or stateful protocol analysis detection. The IDS is a passive system that looks at traffic as it traverses the network, but cannot do anything to actually stop the intrusion. Initial configuration time can be substantial, with ongoing tuning essential as network characteristics and known threats change. An IDS has a reputation for false positives.
The IPS is the active part of the solution. It either works alongside, or has embedded IDS capabilities. An IPS is connected in line with the network, and actively prevents intrusions by dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address.
In order for an IDS or an IPS to be effective, it must have some idea of the attack signature before it can defend against it. Fortunately most systems come pre-configured with a comprehensive set of intrusion definitions (like a file with anti-virus software that is updated frequently by the software producer). But the traffic is different on every network, so in order for an IDS to limit any false positives, it needs frequent tuning to adjust it to your particular network characteristics. While the issue of false positives has diminished a bit in recent years, there still are lingering issues. And remember that even with all these definitions and the ongoing tuning, attacks still occur. Over 90% of the respondents to the Ponemon Institute’s Survey of IT and IT Security Practitioners (June 2011) reported at least one breach in the past year, with just about 70% reporting 2 or more attacks within the same period.
Although IDS/IPS might be an integral part of your security strategy, it should not be the whole security strategy. Networks remain especially vulnerable to new forms of attacks (zero day attacks), since it’s impossible to have a signature for an attack that hasn’t been seen yet. In addition, there are 120K malware incidents identified per day by these tools, with 5 – 20 new malware strains missed every day. With all these new threats, not to mention the highly targeted Advanced Persistent Threats, IDS/IPS is simply incapable of protecting your network 100% of the time.
In addition to the growth and increased maliciousness of attacks, there is also the rise of BYOD (bring your own device) to consider. Often, breaches or security risks are introduced from within the organization, either through disgruntled, or at least sloppy, workers or an infected mobile device that goes undetected by IDS/IPS because it’s already inside the firewall. Many organizations are also increasing network bandwidth and data throughput on the network by switching to 10Gigabit backbones – or even 40G or 100G. This increased data throughput puts a heavy strain on IDS/IPS software, making it very difficult to create a signature calculation and track each possible incident.
This short video gives a good overview of how malicious data can skate around your firewall and IDS/IPS detection systems:
No security system on the market is fool-proof. And although we are certainly not advocating that you can your IDS/IPS, we are strongly encouraging you to supplement these systems with network recorders. Network recorders, like WildPackets TimeLine appliance, store all network data, 24/7, at steady state data rates in excess of 10Gbps. With a network recorder, when a breach does occur, you have access to key information like where the breach happened, the source of the intrusion, what was compromised and whether or not the intruder left anything behind. And based on this information you can recalibrate your IDS/IPS to make sure this breach will not occur again, not to mention be armed with all the data you need for compliance reporting of the incident. This is why it’s important to have more than just an IDS/IPS security system in place. As cyber crimes get more sophisticated, companies must have a contingency plan in place that can help clean up in the inevitability of an attack, and to ensure that a similar breach doesn’t happen again. Your reputation, and your business, depends on it.