Network Intrusion Prevention Systems have been a mainstay of the network security stack for well over a decade. When they first entered the mainstream in the early 2000s, the iPhone hadn't been invented. We were still in the age of the PalmPilot (anyone remember using that stylus?). But, at the time, IPSs represented real innovation. They were a welcome departure from the classic firewall, which was limited by its primitive accept-and-deny rules that were inadequate for the more sophisticated attacks to come.
IPSs were a breath of fresh air. They came with new detection languages, like Snort. They could operate on high-speed networks, apply rules to provide visibility on the network and, eventually, they could even block sessions that matched those rules. It was great at the time. So what went wrong?
Much like the rapid innovation of the iPhone, there’s also been tremendous innovation in the security industry, and attackers have been evolving their tactics to keep pace. But the IPS lives on, largely unchanged in scope or capability for five years or more. You could say it’s stuck in a time warp.
It’s actually pretty stunning when you consider these major shifts over the past decade in the cat-and-mouse game that is security:
- Protocol and application stacks have hardened, so the deep-packet inspection techniques that traditional IPSs use to identify exploits against these layers have become less relevant.
- With a few simple tweaks to their exploits, adversaries can bypass signatures that are often written for proof-of-concept exploits rather than addressing the underlying vulnerability. Signatures for both Heartbleed and Shellshock vulnerabilities were endlessly updated to map to the latest exploits that were observed. Clearly, the research teams involved deserve kudos for their vigilance, but it points to underlying issues with the packet inspection engine.
- The exploits attackers use have shifted from servers to clients. Enterprise intrusions more often involve web exploit kits and documents delivered by email to users. Security professionals have faced an ongoing struggle to cover the breadth and variations of these tactics.
- Your biggest vulnerabilities aren't unpatched applications -- they’re humans. And humans can't be patched. Ransomware, as well as breaches involving users accessing sites spoofing their OWA or VPN login page, are legion. Likewise, most ransomware has been delivered via email over the past few months and hasn't even involved exploits. They rely on unusual file types like hta or wsf bypassing classic email protection layers and tricking unsuspecting users to click on a file or enable a macro.
- Traditional IPSs continue to ingest threat intelligence in the form of Snort rules, Or, in a best- case scenario (with great labor), they may also use reputation lists for basic fields, such as IP addresses and URLs. But experts have long recognized the sheer futility of this. Today’s most valuable threat intelligence is shared in modern formats, like Yara rules that can be applied against content and less easily morphed fields like certificate hashes.
- While "preventing intrusions" was the core value of the original IPS, a secondary benefit was often the visibility it provided into activity on the network (though skeptics might argue that this was just a way to justify the large volume of alerts IPSs generate). Traditional IPS solutions generated limited flow data. And, as enterprise networks have evolved, that data, which they archive in the SIEM, has become increasingly less interesting. What's far more interesting (and relevant) are content flows. Why is that self-signed executable on its way to my Domain Controller? Why do I have so many documents marked 'confidential' leaving a specific remote office? Answers to these types of questions are essential to situational awareness, and today the IPS simply cannot answer them.
Which brings us back to the title of this blog. Would you re-hire your IPS today? Why do thousands of organizations continue to deploy and maintain their legacy IPSs at great expense, even as the value it offers continues to shrink in the face of innovation? The only answer I can think of is: habit. We've always done it. So we continue to do it. Sure, IPSs are incorporated into standards such as PCI and there may be compliance-driven reasons to deploy them. But if you ask most security practitioners what role traditional IPSs play in actually securing their enterprise, the answer would be "little to none". While there are a few classes of threat activity where packet inspection continues to be a useful approach, the reality is that other products in the network stack have absorbed this trivial function.
So, if the traditional IPS isn't pulling its weight in your security stack, what should you do about it? That's exactly what we'll be exploring over the coming weeks. Up next are specific examples of how some organizations are evolving their approaches.
-- Hardik Modi, VP, Threat Research