By Cassandra Balentine
The cloud is increasingly important to enterprise infrastructure. However, security concerns remain a continuing challenge. The cloud security market—an industry expected to be worth $8.71 billion by 2019 according to research from MarketsandMarkets—includes a variety of subtopics. Intrusion detection and prevention systems (IDPS) represent an important category within cloud security.
“Enterprises are dealing with an environment where workloads and networks have become much more dynamic, driven by the explosion of software-defined data centers,” shares Amit Chakrabarty, senior manager, product management, Intel. “Applications must constantly scale so that they can respond to rapid changes in business without rigid security controls. These have created new threat surfaces.”
The job of stopping intrusions is now much more than just securing the network perimeter. “Most security teams realize that no matter how secure the perimeter is, we live in a world where some attacks still get through. Stopping intrusions today means preventing attackers from stealing or destroying your data. A comprehensive security approach calls for preventing attacks from coming into your network and detecting attacks that manage to slip past your perimeter defenses,” says Kurt Bertone, CTO, Fidelis Cybersecurity.
IDPS spans two categories: intrusion detection systems (IDS), which detect threats, and intrusion prevention systems (IPS), which block them.
A firewall sets the basic rules for network traffic, allowing or denying packets with broad strokes, explains Mark Nunnikhoven, VP of cloud research, Trend Micro. “An IPS is the next step for security. It examines the contents of the packet and makes sure there’s nothing malicious inside. If it finds something bad, it drops the network traffic.”
An IDS does the same thing but in a detect-only mode. “It won’t stop an attack, but it will raise an alert if it sees one,” says Nunnikhoven. “Most prevention systems have a detect-only mode if you don’t want to stop the attacks. This mode is usually on to avoid false positives when confidence in the system is low.”
IDS and IPS are often implemented together. “In fact, these are not separate technologies or even layers in a security architecture,” says Darrell L. Burkey, director, IPS products, Check Point Software Technologies, Ltd. He points out that detection and prevention are merely elements of a refined and cohesive IDPS security policy.
IDPS protects enterprises against known bad things, including known attacks and the exploitation of known vulnerabilities, according to Burkey. “While today’s IDPS engines leverage multiple methods of detection and analysis, the primary protection capabilities are based on known threat information. For example, IDPS signatures detect and protect against known exploits targeting known vulnerabilities. Additionally, bad IP addresses and behavioral recognition of suspicious outbound communications can be leveraged as IDPS protection techniques,” he offers.
Pierluigi Stella, CTO, Network Box USA, Inc., argues that IDS and IPS solutions serve different purposes, and over time, have come to occupy different spaces. He suggests that at the edge of a network, an active solution that blocks bad traffic before it gets inside your network is necessary. “Therefore, you want an IPS. Think of it as the difference between having a camera at your door or a security guard. The first only alerts you that something wrong is going on, by the time you react the theft might have already been done,” he shares. “The internet of today is much too fast for anyone to think that reacting on an alert can be a viable security solution. The speed at which threats are thrown at us requires real time reaction—proactive action, hence the adoption of IPS.”
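The distinction drawn above, firewall rules on headers, IPS and IDS rules on packet contents, and a detect-only mode for low-confidence rules, is easiest to see in code. The following is an added example written for this article; it is not code from any of the vendors quoted here. The packets, the allowed-port rule, the two signatures and the reputation list are all constructed for illustration and stand in for a real engine's rule set and feeds.

```python
"""Firewall, IPS and IDS decisions side by side on constructed packets.

Added example for this article; it is not code from any vendor quoted here.
Packets, the allowed-port rule, signatures and the reputation list are all
made up for illustration and stand in for a real engine's rule set.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination TCP port
    payload: bytes  # application-layer bytes


# Firewall: header-only "broad strokes". Only web ports reach the server.
ALLOWED_PORTS = {80, 443}

# IDPS content rules: each pattern stands in for a signature covering a known
# exploit against a known vulnerability (constructed, not real vendor content).
SIGNATURES = {
    "sig-001 path traversal": b"../../",
    "sig-002 sql injection": b"' OR 1=1",
}

# Constructed "bad IP address" reputation list.
BAD_IPS = {"203.0.113.7"}


def firewall(pkt: Packet) -> str:
    """Allow or drop on headers alone; never looks at the payload."""
    return "allow" if pkt.dport in ALLOWED_PORTS else "drop"


def inspect(pkt: Packet) -> List[str]:
    """Content inspection: return the names of every rule the packet trips."""
    hits = [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]
    if pkt.src in BAD_IPS:
        hits.append("reputation: known-bad source")
    return hits


def idps(pkt: Packet, mode: str) -> Tuple[str, List[str]]:
    """'prevent' drops on any hit (IPS); 'detect' forwards and only alerts (IDS,
    or an IPS run in detect-only mode while confidence in its rules is low)."""
    if mode not in ("prevent", "detect"):
        raise ValueError("mode must be 'prevent' or 'detect'")
    hits = inspect(pkt)
    if hits and mode == "prevent":
        return "drop", hits
    return "forward", hits


def process(pkt: Packet, mode: str) -> Tuple[str, List[str]]:
    """Firewall first, then content inspection of whatever the firewall let in."""
    if firewall(pkt) == "drop":
        return "drop", []
    return idps(pkt, mode)


if __name__ == "__main__":
    # Constructed traffic: a benign request, an exploit attempt, a benign post
    # that happens to contain a signature string (a false-positive candidate),
    # a packet from a listed bad source, and one to a port the firewall closes.
    samples = [
        Packet("198.51.100.5", "10.0.0.10", 80, b"GET /index.html"),
        Packet("198.51.100.5", "10.0.0.10", 80, b"GET /../../etc/passwd"),
        Packet("198.51.100.5", "10.0.0.10", 443, b"POST /wiki tutorial: ' OR 1=1 is a classic test"),
        Packet("203.0.113.7", "10.0.0.10", 443, b"GET /"),
        Packet("198.51.100.5", "10.0.0.10", 23, b"../../"),
    ]
    for mode in ("prevent", "detect"):
        for pkt in samples:
            print(mode, process(pkt, mode))
```

Run both modes over the samples and the trade-off in Nunnikhoven's quote shows up directly: the wiki post that merely discusses `' OR 1=1` is forwarded with an alert in detect mode but dropped in prevent mode. That false-positive cost is why teams tune a new rule set in detect-only mode before letting it block. Note also that the telnet packet never reaches content inspection; the firewall already dropped it on the port alone.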
In the Enterprise
Enterprises adopt and reevaluate IDPS protection for a variety of reasons. Many struggle with a lack of visibility into what is on the network and with increasingly complex threats.
“As networks become more abstracted, traditional network security misses many of the advanced threats and zero-day attacks,” says Chakrabarty. “While signature-based attacks upon known software vulnerabilities are still prominent, a new breed of attacks includes unknown and advanced threats that are expertly crafted and carefully developed for maximum damage and data exfiltration,” he adds.
With network abstraction coupled with the dynamic nature of applications, organizations need a security solution that scales. Between physical networks, virtual networks, and cloud deployments, the location requirement for visibility has never been more fragmented, warns Chakrabarty. He says this comes down to interoperability and how easily a product is built into a platform. “As it is often the case, IT administrators do not have the data they need to connect the dots on security breaches. Data remains scattered and in silos, across multiple point products that do not share information.”
Bertone notes that traditional IPS first entered the mainstream in the early 2000s, before the introduction of the smartphone. “Much like the rapid innovation of our mobile devices, there’s also been tremendous innovation in the security industry and attackers have been evolving their tactics to keep pace,” he says. He points out that the threat landscape has evolved considerably, yet thousands of organizations continue to deploy and maintain their legacy IPSs at great expense, even as the value they offer continues to shrink in the face of innovation.
Many organizations reevaluate legacy IPS solutions because they are overwhelmed by alerts and often lack the information needed to immediately validate a threat. To determine if a threat is real—and how dangerous it is—you must correlate information from one security product to another. “That’s grunt work for security professionals that should be spending their time ferreting out weaknesses on the network,” says Bertone.
Today, IDPS is a required layer in a sound enterprise security architecture. Burkey says a few years ago, IDPS deployment was driven by compliance requirements. While these still exist today, it is accepted within the enterprise that the IDPS layer provides essential protection against known attacks.
Businesses also reevaluate IDPS in response to product problems and to broader business initiatives. Product problems include failures or shortcomings that affect production operations, and aging hardware.
Customers embrace the cloud as part of digital transformation. “At the same time, they find that the cloud can expose enterprises to new risks and that deploying security into the cloud is a challenge. Traditional approaches to security don’t fit easily into the dynamic and software-defined nature of the cloud,” adds Burkey.
Nunnikhoven says the large number of remotely exploitable issues in today’s software is the number one driver of IPS adoption.
Attacks on network vulnerabilities cannot be effectively thwarted with one solution. An integrated, multi-layered defense provides multiple opportunities, at multiple phases of an attack, to detect and block it.
Bad actors adopt complex evasive techniques and creative ways to breach enterprises, notes Chakrabarty. Layered security is effective at breaking the kill chain and mitigating threats.
Burkey adds that today’s advanced attacks are designed to execute over multiple stages, progressing toward their target while remaining stealthy.
Sesh Sayani, director of product management, Gigamon, suggests four pillars and a foundation layer help form a well-architected defense against cyber threats. The first pillar is good hygiene—or IPS; the second detection or IDS; the third, prediction; the fourth, action; and finally the foundation layer, which is pervasive visibility. “The lifeblood of a security immune system is pervasive visibility. It encompasses visibility across physical, virtual, and cloud infrastructures; visibility into plain-text and encrypted traffic; visibility inline with data flows and out-of-band to data flows; and visibility at the network-packet level and at the flow and metadata level. All of the pillars and the foundation layer work in a continuous cycle. In other words, a security immune system is a continual feedback cycle, constantly learning, adapting, predicting, and taking action based on past learnings and current incidents,” he explains.
Stella points out that layered security extends well beyond IPS/IDS. “Everything security in any company should always be layered because there is no one solution that can ever hope to be 100 percent effective.”
Burkey says advanced, multi-layer security is needed in the public cloud, where cloud providers secure their infrastructure and customers are responsible for protecting the servers, workloads, services, and data they host there. He explains that customers can deploy IDPS at the network layer or the host layer of the cloud infrastructure.
Bertone cautions that while necessary, deploying, maintaining, and operating large security stacks doesn’t come cheap. Beyond initial licensing costs and ongoing annual maintenance, hidden costs include training and ongoing customization to match desired workflows. “Streamlined approaches that integrate endpoint and network protection and detection with the powerful computing capacity of the cloud help minimize the cost and work required to maintain security—so security staff can focus on resolving issues, not ensuring their myriad security tools are up to date,” he adds.
A number of advancements in IDPS technology benefit enterprise users.
Noteworthy advancements in IPS and IDS technology include near-instantaneous protection against previously unknown or even zero-day attacks, comments Burkey. “Historically, when a new vulnerability was discovered, the discoverer would follow a responsible disclosure process to report the vulnerability to the vendor owner. Days, weeks, and sometimes months later, the vendor would produce and release a patch for the vulnerability. It was at this time that IDPS vendors could write a signature to cover the vulnerability. With an integrated, multi-layered threat prevention solution, the sandbox component detects zero-day attacks and previously unknown attacks and shares the intelligence back with the product’s cloud, which automatically pushes those threat indicators and IDPS signatures out to all customer security gateways within minutes or hours,” he explains. “This is a dramatic reduction in the window of exposure to new vulnerabilities and attacks, and IDPS plays a critical role.”
Bertone notes that attackers use evolving techniques such as exploits and malware embedded in content to target users’ applications. “Organizations are realizing that they need an IPS that provides full-stage visibility as attackers move throughout your network—and not just when they barge in through the front door.”
He adds that security professionals are buried in alerts. “Next-generation IPSs are able to look into content and automatically validate alerts so that when the IPS gives you an alert, it can also give you enough information for you to do something about it—in minutes—not days.” They also allow security professionals to break free of their dependence on IT. Security staff can now remotely investigate an endpoint, determine if a potential threat actually compromised an endpoint, and immediately take remediation actions if it did.
Many IDS and IPS technologies use signature patterns to detect and prevent anomalies. “Recent advancements in these technologies include a Software as a Service-based signature database, where this service is constantly updated with new signatures, bad and nefarious URLs. This real-time information allows for more real-time protection, effectively increasing your enterprise’s security posture,” says Sayani.
Another driver is migration to the public cloud. Sayani says that as customers move their workloads and applications to public clouds, securing their data remains the customer’s responsibility. Having IDS and IPS solutions in place helps SecOps teams sign off on migrating some ‘crown jewel’ applications to the cloud.
IPS continues to get faster and smarter, shares Nunnikhoven. “The latest round of IPS leverage advanced techniques like behavioral analysis and machine learning in order to detect attacks across multiple packets. Combine that with high performance, fast updates from the cloud, and better reputation services, and you get extremely strong protection from network-based attacks.”
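Nunnikhoven's point about detecting attacks across multiple packets, and Chakrabarty's earlier one about evasive techniques, come together in one classic case: a known-bad pattern split across TCP segments so that no single packet matches a signature. The following is an added example written for this article, not code from any vendor quoted here. It contrasts a stateless per-packet engine with one that reassembles each flow by sequence number before matching; the flow key, sequence numbers, segments and signature are all constructed for illustration.

```python
"""Why an IPS has to track state across packets.

Added example for this article, not code from any vendor quoted here. A
known-bad pattern split across TCP segments defeats an engine that inspects
each packet in isolation; a stream-aware engine reassembles the flow by
sequence number first. The flow, sequence numbers and segments below are
constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int]  # (src IP, dst IP, dst port)

# Constructed signature standing in for a known SQL-injection pattern.
SIGNATURE = b"' OR 1=1"

# Constructed segments of one HTTP request: (TCP sequence number, payload).
# The signature straddles the boundary between the second and third segment.
SEGMENTS = [
    (1000, b"GET /login?user=admin"),
    (1021, b"' OR"),
    (1025, b" 1=1 HTTP/1.1"),
]


def per_packet_match(payloads: List[bytes], signature: bytes = SIGNATURE) -> bool:
    """Stateless engine: each segment is checked on its own."""
    return any(signature in p for p in payloads)


class StreamInspector:
    """Buffers each flow's segments and matches on the reassembled byte stream."""

    def __init__(self, signature: bytes = SIGNATURE):
        self.signature = signature
        self.flows: Dict[FlowKey, Dict[int, bytes]] = defaultdict(dict)

    def reassembled(self, flow: FlowKey) -> bytes:
        """Contiguous bytes from the lowest sequence number seen; stops at a gap.
        Overlapping or partially retransmitted segments are not handled here."""
        segs = self.flows[flow]
        if not segs:
            return b""
        data = b""
        expected = min(segs)
        for seq in sorted(segs):
            if seq != expected:
                break  # missing segment: later bytes are not yet contiguous
            data += segs[seq]
            expected = seq + len(segs[seq])
        return data

    def feed(self, flow: FlowKey, seq: int, payload: bytes) -> bool:
        """Add one segment and report whether the flow now matches."""
        self.flows[flow][seq] = payload
        return self.signature in self.reassembled(flow)


def demo() -> Tuple[bool, bool]:
    """Return (per-packet verdict, stream-aware verdict) for the constructed flow."""
    flow: FlowKey = ("198.51.100.5", "10.0.0.10", 80)
    stateless = per_packet_match([p for _, p in SEGMENTS])
    inspector = StreamInspector()
    stateful = False
    for seq, payload in SEGMENTS:
        stateful = inspector.feed(flow, seq, payload) or stateful
    return stateless, stateful


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The stateless check misses the request entirely, while the stream inspector fires as soon as the segment that completes the pattern arrives, even if that segment shows up out of order. The toy rescans the whole reassembled buffer on every segment; a production engine keeps a bounded tail per flow, times out idle flows, and has to resolve overlapping segments the same way the destination host will, since disagreement there is itself an evasion vector.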
As more data and processes move to the cloud, security is a top concern. IDPS solutions offer detection and protection and enable a faster and smarter response to threats.
May 2017, Software Magazine