Over the years, the idea of intrusion prevention has morphed well beyond the traditional packet inspection. So when you have a conversation about intrusion prevention, it’s important to make sure that you agree on its definition.
In this world, semantics matter. Using an old network-based IPS appliance as your intrusion prevention system may be exactly what you ordered. But it also may leave you horribly exposed when you thought you were getting a more wholistic solution. Clear communication around objectives and the ways to meet those objectives is always better than simply asking for specific methods and technologies.
Information security technologies constantly mature to keep pace with the ever-growing threat, and that blurs lines between traditional technologies or methods. Along the way, the words used to describe various tools evolve. And that means that simply ordering up a tool based on a name you recognize from the past could leave you less prepared for threats than you think.
Intrusion prevention, specifically, currently means many things to different people. Some still look at it in the traditional packet sense. Some consider it a host-based system that looks at network activity, OS and kernel functions, and application calls. Others look at it as an entire methodology that not only detects behavior but can modify security configurations on the fly across an entire organization to address threats in real-time. Needless to say, the idea of intrusion prevention is not the same today that it was even 10 years ago.
The changing views of Intrusion detection (IDS) and prevention (IPS) have followed roughly this progression:
- At first, IDS simply alerted to potentially malicious or abnormal behavior based on the signature of the data payload in a packet.
- Then we moved to actively blocking these suspicious packets in IPS. But these were still network-based systems. Traffic had to flow through a choke point to be inspected along its travels.
- As threats changed, we moved to host-based IPS and looked at packets as they reached their destination. This helped address threats that somehow bypassed a network IPS or came from an internal source.
Focus on Your Security Objectives — Not Just a Technology
As protection methods and terminology evolve to respond to the cybersecurity threat landscape, cybersecurity professionals must work with each other, with infrastructure and application development teams and with business leadership to understand the protection objectives they have to meet.
Consider the evolution of firewalls as one example of how we must constantly update our thinking about a technology:
- Traditional firewalls operated at Layer 3 of the OSI model. It was clean and simple. Once a packet reached Layer 3, IP addresses were assigned, and we could identify the source and destination. Administrators created rules that permitted or blocked traffic based on that information.
- Then we moved to inspecting the ports the traffic was flowing to. Next, we moved up the stack to inspect the payload and compare it to the port. We knew we shouldn’t see FTP commands in an SMTP packet, so we’d block that traffic.
- Today, we have Next Generation Firewalls (NGFW) and Web Application Firewalls (WAF) that inspect all seven layers and use combinations of rules to govern whether a packet reaches its destination.
See the Control Environment as a Whole
When evaluating technologies, it’s critical to view the control environment in a very wholistic way. I like the Cyber Kill Chain developed by Lockheed Martin, which helps frame protection scenarios by showing the following seven stages in the lifecycle of a cyber attack:
1. Reconnaissance – Harvest e-mail addresses, conference information, etc.
2. Weaponization – Coupling exploit with backdoor into deliverable payload.
3. Delivery – Delivering weaponized bundle to the victim via e-mail, web, USB, etc.
4. Exploitation – Exploiting a vulnerability to execute code on victim’s system.
5. Installation – Installing malware on the asset.
6. Command & Control (C2) – ommand channel for remote manipulation of victim.
7. Actions on Objectives – With “Hands on Keyboard” access, intruders accomplish their goals.
Clearly, it takes many different technologies and methods to prevent intrusions. Each step of the kill chain affords us the opportunity to identify, protect, detect, respond and recover.
Many organizations need an outside opinion to help them step back from their own environment and see the right solutions for the entire landscape. To get help forming your most effective strategy, check out our cybersecurity consulting services or contact us today.