Intrusion Prevention: Keeping the Bad Guys Out
In the past, "it was about detection, and you had reaction technologies," said HP Network Security Architect Jim O'Shea. "Then we evolved to trying to detect things that were malicious with intent by using IDS. But that was a reactionary-type thing. It was a nice approach, but we were reacting: Something happened, you reacted. But if you knew it was bad, why did we let it in in the first place?"
Jan 13, 2014 5:00 AM PT
By improving the security and availability of services, IT leaders can deliver better experiences and payoffs for businesses and end users alike.
In this podcast, we're joined by Jim O'Shea, Network Security Architect for HP Cyber Security Strategy and Infrastructure Engagement.
We'll explore the ins and outs of improving enterprise intrusion prevention systems. We'll also see how HP and its global cybersecurity partners have made the HP Global Network more resilient and safe and hear how a vision for security has been effectively translated into actual implementation.
Listen to the podcast (30:23 minutes).
Here are some excerpts:
Dana Gardner: Before we get into the nitty-gritty, what do you think are some of the major trends that are driving the need for better intrusion prevention systems nowadays?
Jim O'Shea: If you look at the past, it was about detection, and you had reaction technologies. We had firewalls that blocked and looked at the port level. Then we evolved to trying to detect things that were malicious with intent by using IDS. But that was a reactionary-type thing. It was a nice approach, but we were reacting: Something happened, you reacted. But if you knew it was bad, why did we let it in in the first place?
The evolution was the IPS, the prevention. If you know it's bad, why do you even want to see it? Why do you want to try to react to it? Just block it. That's the trend that we've been following.
Gardner: But we can't just have a black-and-white situation. It's much more gray. There are sorts of intrusion, I suppose, that we want. We want access control rather than just a firewall. So is there a new thinking, a new vision, that's been developed over the past several years about these networks and what should or shouldn't be allowed through them?
O'Shea: You're talking about letting the good in. Those are the evolutions and the trends that we are all trying to strive for. Get the good traffic in. Get who you are in. Maybe look at what you have. You can explore the health of your device. Those are all trends that we're all striving for now.
Gardner: I recall, Jim, that there was a Ponemon Institute report about a year or so ago that really outlined some of the issues here. Do you recall that? Were there any issues in there that illustrate this trend toward a different type of network and a different approach to protection?
O'Shea: The Ponemon study was illustrating the vast number of attacks and the trend toward the costs for intrusion. It was highlighting those type of trends, all of which we're trying to head off. Those type of reports are guiding factors in taking a more proactive, automated-type response.
Gardner: I suppose what's also different nowadays is that we're not only concerned with outside issues in terms of risk, but also insider attacks. It's being able to detect behaviors and things that occur that data can detect. The analysis can then provide perhaps a heads-up across the network, regardless of whether they have access or not. What are the risk issues now when we think about insider attacks, rather than just outside penetration?
O'Shea: You're exactly right. Are you hiring the right people? That's a big issue. Are they being influenced? Those are all huge issues. Big Data can handle some of that and pull that in. Our approach on intrusion prevention wasn't to just look at what's coming from the outside, but it was also look at data traversing the network.
When we deployed the TippingPoint solution, we didn't change our policies or profiles that we were deploying based on whether it's starting on the inside or starting on the outside. It was an equal deployment.
An insider attack could also be somebody who walks into a facility, gains physical access and connects to your network. You have a whole rogue wireless-type approach in which people can gain acess and can they probe and poke around. And if it's malware traffic from our perspective, with the IDS we took the approach, inside or outside -- doesn't matter. If we can detect it, if we can be in the path, it's a block.
Gardner: For those who might not be familiar with the term "intrusion prevention systems," maybe you could illustrate and flesh that out a bit. What do we mean by IPS? What are we talking about? Are these technologies? Are these processes, methodologies or all of the above?
O'Shea: TippingPoint technology is an appliance-based technology. It's an inline device. We deploy it inline. It sits in the network, and the traffic is flowing through it. It's looking for characteristics or reputation on the type of traffic, and reputation is a more real-time change in the system. This network, IP address or URL is known for malware, etc. That's a dynamic update, but the static updates are signature-type, and the detection of vulnerability or a specific exploit aimed at an operating system.
So intrusion prevention is through the detection of that, and blocking and preventing that from completing its communication to the end node.