There’s a reason why airport security x-rays your bags. It’s because the only way you can tell if something is a true threat is to actually look at the contents.
It’s the same with network security. The only way to prevent modern intrusions is to actually inspect the content on your network in real time…which brings us to the first requirement for stopping modern intrusions.
Requirement #1: Deep Visibility into Network Content (Not Just Packets) in Real Time
As we pointed out in the first blog post in this series (“Would You Re-Hire Your IPS Today?”), the vast majority of successful intrusions are not packet-level, server-side attacks, but content-level, client-side attacks – like spear-phishing emails followed by document-based exploits that target vulnerabilities in desktop applications. These attacks don’t break down the front door. They exploit human vulnerabilities. And they are nowhere near visible in the packets.
Content is to next generation intrusion prevention what packets were to the traditional IPS. A modern IPS needs to be able to detect deeply embedded, content-level threats in real time, and take a prevention (blocking) action when it sees one, just like traditional IPSs can do with packet-level attacks.
And guess what the only way is to inspect the content on your network? You have to reassemble, decode and analyze those network sessions (not just the packets) on the fly. Fidelis is the only vendor that can do that.
You’re probably thinking “What have you got against packets?” And the answer is: nothing. But it’s important to understand that content and packets are not the same thing – especially when it comes to stopping intrusions. Traditional IPS’s are packet-aware but content-blind.
At Fidelis, we use a patented technology called Deep Session Inspection® that operates on network sessions rather than packets and enables our products to see much deeper into the content that’s flowing over the network in real time than a traditional IPS. This enables us to detect and prevent content-level threats that are invisible to a traditional IPS.
Requirement #2: Visibility, Detection and Prevention at All Phases of an Intrusion
A modern intrusion is a process, not a single event. It is a series of actions that take place over a period of time, and it has multiple phases. Preventing modern intrusions means stopping the attackers before they complete their ultimate objective: stealing, destroying or encrypting your data.
History has shown us that modern intrusions are difficult to detect and even harder to prevent. Getting fixated on one or two phases of the attack life cycle is a losing proposition. To prevent modern intrusions you must have visibility, detection and prevention capability at all phases of the intrusion, including the data staging and data exfiltration phases. That requires seeing and stopping attackers at all phases of the attack lifecycle – not just the initial infiltration, which is the exclusive focus of traditional IPSs.
Requirement #3: Detecting and Preventing in REAL TIME and in the PAST
If anyone ever tells you they can detect – let alone prevent – all attacks in real time, they’re lying to you.
That’s why next generation intrusion prevention requires the ability “go back in time” so you can apply new threat intelligence to network and endpoint events that occurred in the past. This lets you detect threats (and intrusions) that you didn’t know were malicious when they occurred.
This cyber time travel requires rich non-selective network memory. That means you need to record information (rich metadata) about every single session that traverses the network, whether or not you think the session is bad.
Traditional IPSs are focused on real-time detection and prevention. They have no non-selective memory and no ability to go back in time. That’s a problem when it comes to stopping modern intrusions.
At Fidelis we’ve developed a patent-pending technology that extracts, stores, and analyzes rich protocol, application and content level metadata from every session that traverses the network. As we pointed out in a previous blog post, this enables us to detect certain threats that you can only see if you are looking for a pattern of network behavior that occurs over a period of time and across a number of network sessions. It also gives us a platform for doing what we call “data-driven threat detection” that uses machine learning techniques to detect threats with no a priori threat intelligence at all.
Requirement #4: Automated Alert Enrichment and Validation
Traditional intrusion prevention systems are often criticized for being “noise machines”. They spew out tons of alerts but don’t tell you which ones are the most important. And they don’t give you enough information to act on them. That’s a problem when the scarcest resource for most security teams is people.
Next generation intrusion prevention saves time by automatically validating whether a threat compromised your endpoints and giving your security people all of the information they need about what happened before and after an alert.
Requirement #5: All of the Above on Networks AND Endpoints
One last requirement. No matter how good you are at detecting threats on the network, you will never be able to detect (or prevent) all attacks exclusively by looking at network traffic. You need eyes on the endpoints as well. The data attackers are after lives on endpoints. Exploits happen on endpoints. Malware executes on endpoints, and leaves traces and trails on endpoints. Remediation happens on endpoints.
That’s why next generation intrusion prevention requires the ability to see and stop intrusions on the endpoint. The endpoint capability in the Fidelis next generation IPS solution gives us the same deep visibility, real-time threat detection, non-selective memory and ability to detect attacks in the past that we have on the network. As a bonus, you get endpoint-based investigation and remediation capabilities so you can take action.
While these five requirements aren’t the only things you need to stop intrusions, they are the five most important things that separate next generation intrusion prevention from traditional IPS. Having them together – as part of a single system – will dramatically improve your odds when it comes to preventing intrusions. If you want a longer list of requirements for next generation intrusion prevention, check out Gartner’s recent research paper, Defining Intrusion Detection and Prevention Systems.
-- Fidelis Cybersecurity CTO Kurt Bertone