Today, IPS is deployed for two primary use cases. First is compliance (SOX, HIPAA, etc.). This is pretty boring and self-explanatory so feel free to yawn right now. The second is server-side protection. IPS does provide effective and legitimate server protection against cyber attacks.
But there are two major problems with IPS that plague its effectiveness:
- Too many alerts—IPS is signature based and in today’s environment where attacks are constantly changing (67% of the attacks we saw in 2014 used malware just once), signature-based detection misses attacks and creates a lot of false positives. To address this issue, I’ve seen cases where our customers spend months to get their IPS just right. Even then, it still produces many alerts, and it's difficult for a SOC to cherry pick the urgent from the noise. You can’t leverage IPS visibility to see broader context—the promise of IPS comes from its traffic visibility. But any of you who are frustrated by SIEM know that this is no easy task.
While deep packet inspection is a critical piece in an overall defense strategy, the main problem is where the most focus is needed.
How has IPS changed over the last five years?
- Emergence of Next-generation firewall: include IPS with a firewall, i.e., you get two products in one and some associated cost (capex) savings with it. But this does nothing to address the major problems with IPS: you still get too many alerts and you still miss attacks. More importantly, NGFW is a key component in network routing, and any performance degradation because of IPS impacts the business directly.
- Emergence of Next-generation IPS: where IPS vendors are attaching a sandbox – talk about adding insult to injury! You now have an IPS with the above-mentioned deficiencies, and by adding a sandbox, you have just added another sensor that will create more alerts (false positives) and still miss advanced attacks (to learn why “sandboxes” miss advanced attacks, see our paper on this topic).
So given that IPS does have its use, how can you make it effective? Reduce alerts while leveraging its visibility and packet inspection capabilities. And this is how the FireEye IPS product is built. Specifically:
- All IPS alerts are validated by our MVX engine. By validating IPS alerts, we automate “tuning.” Instead of relying on SOC analysts, our virtual machine validates the aler,t giving you “MVX-validated” IPS alerts. FireEye’s IPS still gives you all the alerts you would received from a traditional IPS, but in a different tab – after all, you need these alerts for compliance reasons. But by providing “MVX-validated” IPS alerts, we inform you of the attacks that you need to pay most attention to (you could consider it as an analyst in a box).
- Use IPS data to build a broader attack picture. Security teams need to build a picture to tell an attack story, such as how the attack is part of a broader campaign, attribution, and much more. By combining IPS alerts and FireEye alerts, the SOC team can more quickly see the complete picture of how the attacker conducted recon, perhaps tried to exploit known vulnerabilities, and, failing all, used an advanced attack.
This is the future of IPS! Just as we didn’t attach a jet engine to a bicycle to travel fast, we shouldn’t use a sandbox attached to an IPS to deal with today’s advanced attacks. You might be “compliant” but breached!
Rick Holland at Forrester published a paper recently saying that “Advanced attacks are the new normal.” We are already seeing a strong security budget realignment to adapt to this new norm. Unlike antivirus, it won’t disappear. It’ll stay but morph into something that adapts to today’s realities.