
IT Decision Center - TechTarget (media.techtarget.com/digitalguide/images/Misc/EA...)

IT Decision Center

INTRUSION DETECTION AND PREVENTION

From Business Problem to Technical Solution

Malicious intruders are intent on breaking into your corporate systems. The latest IDS/IPS technologies, though, are effective means to prevent or at least identify and minimize security breaches. Learn what IDS and IPS can do and what concrete benefits they offer companies of every size.

FROM BUSINESS PROBLEM TO TECHNICAL SOLUTION • SEARCHSECURITY.COM

From Business Problem to Technical Solution by Bill Hayes

ASSESSING THE BUSINESS ISSUE

Given the never-ending headlines of recent years, detailing enterprise data breaches affecting hundreds of thousands of customers and involving losses in the billions, business leaders no longer have to be told that there is a threat. But they do have to learn how their organizations can address the very real risk of data loss.

Corporate auditors use risk assessments to identify information resources that, if lost or exposed, could adversely affect the organization. Once information resources have been identified and ranked according to risk, technical controls can be used to protect them. No single technical control, such as a perimeter firewall, can thwart cybercriminals. Instead, defenses must be deployed in much the same way as soldiers use obstacles, observers and direct weapons fire to deny enemies access to key terrain. This method of combining defenses is called defense in depth.

Defense-in-depth practices have been codified into compliance regulations with varying degrees of success. To help address the shortcomings, the SANS Institute, government agencies and a variety of national and international organizations developed the SANS 20 Critical Security Controls based on recommended security practices. IDS/IPS technologies are recognized as very important to the adoption of these new controls.

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) monitor data flowing through corporate networks. IDS technology evolved from packet sniffers, which were first used as a network-troubleshooting tool to locate malfunctioning equipment and software by logging the activity of network packets.

Prior to the advent of network switches, IDS products could be connected to any port on a network hub and had a good chance of seeing every packet on a local area network segment. Network switches isolate the traffic between switch ports, so other approaches have to be used.

In low- to medium-traffic networks, the traffic on switch ports can be copied (spanned or mirrored) to a designated switch port, and a network cable connects that SPAN port to the IDS sensor. In higher-traffic networks, other technologies such as network taps are used. A network tap is a passive device that sits between two network devices and creates a copy of the packets passing through it; the copy is fed to a monitoring device such as an IDS sensor.

Very shortly after IDS was developed, IDS designers incorporated the ability to send Transmission Control Protocol (TCP) reset packets to disrupt TCP traffic between a malicious source and its target. Since both port spanning and network taps carry packets in only one direction, from the monitoring point to the sensor, IDS products use a second network interface card connected to another switch port to issue the TCP resets.
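To make concrete what that second interface actually has to send, here is an added example (mine, not code from the guide or from any IDS vendor) that builds the TCP RST header an out-of-band IDS would inject. It assumes the sensor has already parsed one segment of the flow it wants to kill and so knows the addresses, ports, sequence and acknowledgement numbers; the sample segment uses documentation address ranges chosen for the example, and nothing is put on the wire.

```python
"""Added example (not from the TechTarget guide or any IDS vendor): the TCP RST header an
out-of-band IDS sensor would inject through its second interface to tear down a flow.
Assumptions (mine): the sensor has parsed one IPv4/TCP segment of the flow and knows its
addresses, ports, sequence and acknowledgement numbers; nothing is sent on the wire."""
import socket
import struct
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

@dataclass(frozen=True)
class ObservedSegment:
    """Fields the sensor lifted from one captured TCP segment."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int          # sequence number carried by the segment
    ack: int          # acknowledgement number carried by the segment
    flags: int
    payload_len: int

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 one's-complement checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def next_expected(seg: ObservedSegment) -> int:
    """Sequence number the receiver of `seg` expects next; SYN and FIN each occupy one."""
    extra = bool(seg.flags & TCP_SYN) + bool(seg.flags & TCP_FIN)
    return (seg.seq + seg.payload_len + extra) & 0xFFFFFFFF

def build_rst(seg: ObservedSegment, toward_sender: bool) -> bytes:
    """Build the 20-byte TCP header of a RST aimed at one endpoint of the observed flow.

    A RST is honoured only if its sequence number is what the target expects next (RFC 793
    checks the window, RFC 5961 demands an exact match). To reset the host that sent `seg`,
    the sensor spoofs the peer and uses the ack number `seg` carried, since that is the byte
    the sender is waiting for. To reset the receiver of `seg`, it spoofs the sender and uses
    next_expected(seg). UDP and ICMP carry no such state, so there is nothing equivalent to send.
    """
    if toward_sender:
        src_ip, dst_ip, src_port, dst_port = seg.dst_ip, seg.src_ip, seg.dst_port, seg.src_port
        seq, ack = seg.ack, next_expected(seg)
    else:
        src_ip, dst_ip, src_port, dst_port = seg.src_ip, seg.dst_ip, seg.src_port, seg.dst_port
        seq, ack = next_expected(seg), seg.ack
    data_offset = 5 << 4  # five 32-bit words: a bare header, no options
    fields = [src_port, dst_port, seq, ack, data_offset, TCP_RST | TCP_ACK, 0, 0, 0]
    fields[7] = tcp_checksum(src_ip, dst_ip, struct.pack("!HHIIBBHHH", *fields))
    return struct.pack("!HHIIBBHHH", *fields)

def parse_tcp_header(header: bytes) -> dict:
    """Unpack a bare TCP header; used to check what build_rst produced."""
    sp, dp, seq, ack, _off, flags, win, csum, _urg = struct.unpack("!HHIIBBHHH", header[:20])
    return {"src_port": sp, "dst_port": dp, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "checksum": csum}

# Constructed sample: a client has just pushed 120 bytes of HTTP to a server the sensor
# watches. Addresses come from the documentation ranges, not from any real network.
SAMPLE = ObservedSegment("198.51.100.7", "192.0.2.10", 51234, 80,
                         seq=1000, ack=5000, flags=TCP_ACK, payload_len=120)

if __name__ == "__main__":
    print(parse_tcp_header(build_rst(SAMPLE, toward_sender=True)))
```

The sequence-number bookkeeping is the whole trick, and also the weakness: a stack that implements RFC 5961 accepts a RST only when its sequence number equals the exact next expected byte, so if the endpoints exchange more data between the sensor seeing a segment and the spoofed RST arriving, the RST is answered with a challenge ACK and ignored. A sensor therefore has to track every segment of a flow it may want to reset, and it still loses the race on fast connections.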

As effective as TCP resets are against TCP traffic, an IDS sensor cannot reset connectionless protocols such as ICMP and UDP, because there is no connection state to tear down. A reset also reaches the target only after the offending segment has already been delivered, so it can cut a session short but cannot stop a single-packet attack. And because IDS technology relies on port spans or network taps to monitor traffic, there is an upper limit to the number of packets that can be monitored, set by the capacity of the spanned switch port or of the network tap; packets beyond that limit are dropped and never inspected.

Intrusion prevention system (IPS) technology arose as a response to these shortcomings. Instead of relying on one-way copies of network traffic, IPS sensors are inserted inline between network devices, such as between routers or between switches. Since they are inline devices, IPS sensors can block any type of malicious network traffic and can operate at wire speed. Since they are essentially point-to-point defensive devices, more IPS sensors have to be deployed than passive IDS sensors, which can consume spanned traffic from a variety of sources. IPS sensor locations in the organization's network have to be determined by risk assessments and also by regulatory requirements.

Both IDS and IPS technologies operate in a similar manner. Based on signatures, or on behavioral cues in network packets that represent malicious activity, they can detect attacks from the packet level through to the application level. These systems can then take a variety of actions to defend sensitive data. Typical actions include issuing alerts via SMS, SNMP or SMTP, logging suspicious activity, and automatically disrupting malicious activity.

Given the staggering number of network packets that flow through an organization, it is not unusual to detect a high number of suspicious events. Most of this traffic is explainable, so IDS and IPS sensors have to be tuned to ignore expected traffic. Even after tuning, there can still be a large number of events to analyze.

Consequently, information from sensors is usually sent to some kind of management server where events are consolidated. This higher-level information can in turn be sent to a Security Information and Event Management (SIEM) server, where the events are consolidated further and then correlated with other security events. Even after this automated consolidation and correlation, human eyes still have to examine the result. So organizations can employ cybersecurity analysts with IDS/IPS training, hire a managed security services firm, or use both approaches to cover events as they occur 24 hours a day, seven days a week.

BUSINESS BENEFITS

IDS/IPS offerings are very effective at stopping many of today's attacks, both at the network perimeter and on internal network segments. These extra sets of eyes lead to a reduction in data loss and related collateral damage to the organization, both in money and in reputation. However, this new light in dark places only works if there is sufficient staffing and training. For organizations that lack those resources, managed security services can provide trained analysts able to recognize network-based attacks. Organizations should realize that IDS/IPS training at some level is required to interpret and act on reported events.

The business benefits of using IDS/IPS technologies fall into several categories: identifying the number and type of security incidents; preventing security events from becoming security incidents; protecting vulnerable assets; improving the ability to identify network devices, their operating systems and software; and using the acquired information to meet various regulatory requirements.

Identifying Security Incidents

While the logs from a firewall show you the IP addresses and ports used between two hosts, IDS/IPS technology shows not only those but can also be tuned to specific content in network packets; for instance, sensors can identify compromised endpoint devices as they report to botnet controllers, and can identify distributed denial-of-service attacks. Modern IDS/IPS sensors can help you quantify the number and types of attacks your organization is facing, and thus help you alter existing security controls or employ new ones, address host and network device configuration problems, and identify software bugs. The metrics gained can be used in ongoing risk assessments.

Prevent Security Incidents

IDS/IPS technology can report on security incidents, and it can also prevent security incidents from occurring by disrupting communication between attackers and targets. Modern sensors are able to take the data carried in network packets and examine it within the context of the protocol it is carried in. For instance, HTTP attacks such as cross-site scripting can be detected and blocked, as can SQL injection attacks. Additionally, IDS/IPS sensors can look for anomalous behavior, such as unexpected outbound traffic, and block it.

Protect Vulnerable Assets

IDS/IPS vendors have touted the ability of their products to act as "virtual patches" for known software vulnerabilities: the sensor blocks traffic that exploits a vulnerability until the affected software can be patched, so the organization avoids both the disruption to business processes and the cost of replacing systems and software before patches can be fielded. The ability to identify patch levels can also be used for automated vulnerability assessments and for gauging patch deployments.

Identify Network Devices and Hosts

IDS/IPS sensors can be used passively to detect the presence of network devices and hosts. Based on the data within the network packets, they can, in real time and with a good degree of certainty, identify the operating systems and services offered by a host or network device. This eliminates a good deal of manual work in determining how many systems are present and what their current configurations are. In addition to helping automate hardware inventories, IDS/IPS sensors can be used to identify rogue devices, such as unauthorized hosts, rogue wireless access points and hot spots.

Leverage Information Gained to Meet Regulatory Requirements

Since IDS/IPS technologies give you greater insight into your network and connected resources, you can more easily meet regulatory mandates. For instance, PCI DSS requirement 1.1.6, "documentation and business justification for use of all services, protocols, and ports allowed," can be researched using reports gleaned from IDS/IPS logs.

Return on Investment

Some improved efficiencies and attendant lower labor costs have been identified above. In addition, an organization, using its latest risk assessment, can also determine how much of a return on investment IDS/IPS may provide if the system reduces or eliminates either (a) a denial or degradation of Internet service and/or internal network service (including the associated business ramifications of network, application or service downtime) or (b) a security breach involving the direct loss of sensitive customer data or intellectual property.

BILL HAYES is a former oceanography student and military veteran, and a journalism school graduate. After flirting with computer game design in the 1980s, Hayes pursued a full-time career in IT support and currently works as a cybersecurity analyst for a Midwestern utility company, as well as a freelance expert consultant and writer.

IT Decision Center

INTRUSION DETECTION AND PREVENTION

RFP Technology Decisions

Evaluating IDS/IPS technology requires that you understand its capabilities and how these might complement your existing security infrastructure. Learn the options available, and what to ask vendors, in order to select the best strategy for your situation.

RFP TECHNOLOGY DECISIONS • SEARCHSECURITY.COM

RFP Technology Decisions by Bill Hayes

TECHNICAL OVERVIEW

Intrusion detection and prevention system (IDS/IPS) technology evolved out of network packet inspection, or packet sniffing as it is known. In packet sniffing, network packets are captured and examined, live or after the fact, for their encapsulated data content as well as for the packet's protocol settings.

IDS/IPS technology selects packets based on predefined parameters: either packets that deviate from expected traffic (anomaly detection) or packets that match predefined attack signatures (signature detection). IDS/IPS technology also performs predefined actions once an anomalous or signature-matching packet is detected. Those actions can include sending alerts of various types as well as blocking malicious packets or resetting the connection they belong to. Each device that acts as an IDS/IPS is called a sensor, and sensors usually report to a management system responsible for configuring the sensors and updating their attack signatures.
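As an added example (mine, not code from the guide, from Snort or from any vendor) of the signature side of this, the following Python reads a small subset of Snort rule syntax (msg, content, nocase, http_uri, sid) and runs it over a few HTTP requests. The home network, the requests and the three rules are constructed for this example; the C2 rule in particular is made up and is not a real signature. The point it shows, which this guide's claim that sensors detect cross-site scripting and SQL injection "within the context of the protocol" depends on, is that the URI is percent-decoded before matching, so the same patterns that miss the raw bytes hit the normalized request.

```python
"""Added example (not from the TechTarget guide, Snort or any vendor): a small signature
engine over a subset of Snort 2 rule syntax, run against HTTP requests. Assumptions (mine):
only msg/content/nocase/http_uri/sid are honoured, content is plain text (no |hex| bytes),
"->" semantics only, HOME_NET is 192.0.2.0/24, and the rules and requests are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed home network for the example
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(->|<>)\s+"
                       r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

@dataclass
class Rule:
    src: str
    sport: str
    dst: str
    dport: str
    sid: int = 0
    msg: str = ""
    contents: list = field(default_factory=list)  # dicts with pattern, nocase, http_uri

@dataclass
class HttpRequest:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    raw: str  # request exactly as seen on the wire

    def normalized_uri(self) -> str:
        # Percent-decode the URI: raw-byte matching misses "UNION%20SELECT" and "%3Cscript%3E".
        parts = self.raw.split("\r\n", 1)[0].split(" ")
        return unquote(parts[1]) if len(parts) >= 2 else ""

def parse_rule(text: str) -> Rule:
    """Parse one rule; nocase/http_uri modify the preceding content, as in Snort 2."""
    m = HEADER_RE.match(text.strip())
    if m is None: raise ValueError("bad rule header: %r" % text)
    rule = Rule(m["src"], m["sport"], m["dst"], m["dport"])
    for key, value in OPTION_RE.findall(m["opts"]):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if key == "msg":
            rule.msg = value
        elif key == "sid":
            rule.sid = int(value)
        elif key == "content":
            rule.contents.append({"pattern": value, "nocase": False, "http_uri": False})
        elif key in ("nocase", "http_uri") and rule.contents:
            rule.contents[-1][key] = True
    return rule

def header_matches(rule: Rule, req: HttpRequest) -> bool:
    """Addresses and ports: the part a firewall log would also show you."""
    def addr(spec, ip):
        a = ipaddress.ip_address(ip)
        if spec in ("$HOME_NET", "$EXTERNAL_NET"):
            return (a in HOME_NET) == (spec == "$HOME_NET")
        return spec == "any" or a in ipaddress.ip_network(spec, strict=False)
    port = lambda spec, p: spec == "any" or int(spec) == p
    return (addr(rule.src, req.src_ip) and port(rule.sport, req.src_port)
            and addr(rule.dst, req.dst_ip) and port(rule.dport, req.dst_port))

def rule_matches(rule: Rule, req: HttpRequest) -> bool:
    if not header_matches(rule, req) or not rule.contents:
        return False
    for c in rule.contents:  # content checks: the part a firewall log cannot show you
        haystack, needle = (req.normalized_uri() if c["http_uri"] else req.raw), c["pattern"]
        if c["nocase"]:
            haystack, needle = haystack.lower(), needle.lower()
        if needle not in haystack:
            return False
    return True

def run(rules, requests):
    """Alerts as (sid, msg, src_ip, dst_ip), roughly what a sensor hands to its manager."""
    return [(r.sid, r.msg, q.src_ip, q.dst_ip) for q in requests for r in rules if rule_matches(r, q)]

RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACK SQL injection UNION SELECT in URI"; '
    'content:"union select"; nocase; http_uri; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACK cross-site scripting script tag in URI"; '
    'content:"<script"; nocase; http_uri; sid:1000002; rev:1;)',
    # Made-up beacon path standing in for a botnet check-in; not a real signature.
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE-CNC outbound check-in to made-up C2 path"; '
    'content:"POST /example-c2/checkin"; sid:1000003; rev:1;)',
)]
REQUESTS = [  # constructed traffic; 198.51.100.x and 203.0.113.x are outside HOME_NET
    HttpRequest("198.51.100.7", 51234, "192.0.2.10", 80,
                "GET /search?q=1%27%20UNION%20SELECT%20user%2Cpass%20FROM%20users-- HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    HttpRequest("198.51.100.7", 51235, "192.0.2.10", 80,
                "GET /comment?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    HttpRequest("192.0.2.25", 49170, "203.0.113.9", 8080,
                "POST /example-c2/checkin HTTP/1.1\r\nHost: 203.0.113.9\r\nContent-Length: 0\r\n\r\n"),
    HttpRequest("198.51.100.8", 51236, "192.0.2.10", 80, "GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
]
```

`run(RULES, REQUESTS)` yields one alert for each of the three rules and none for the benign request. Two things to carry into an RFP: the first two rules fire only because the URI is decoded before matching, so ask how a sensor normalizes HTTP (and every other protocol it claims to understand) before content matching, since a product that matches raw bytes is trivially evaded; and the third rule is direction-aware (home network to outside), which is how a content rule flags a compromised endpoint reporting to a controller rather than an inbound attack.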

Intrusion detection systems are passive devices that monitor network packets through mirrored network switch ports or network taps, which make copies of network packets and pass them to the IDS for analysis. A separate network interface card in the IDS can issue TCP reset packets to disrupt the TCP connection between a malicious device and the targeted system. An IDS product cannot block malicious ICMP or UDP traffic. An IDS can collect network packets from a variety of network segments connected to a network aggregator appliance that passes the packets on to the IDS.

Intrusion prevention systems are active devices that monitor and block network packets by being connected between network segments. IPS devices take network packets in, inspect them, block the malicious ones and pass the "good" packets on to the downstream devices. By their nature, they can stop any kind of network packet. Since they are inline devices, they can be set to fail either open (traffic keeps flowing, uninspected, if the sensor fails) or closed (traffic stops until the sensor is restored), depending on the level of risk security administrators accept. Because an IPS sensor can only address the packets entering its own network segment, more than one IPS sensor is needed to protect sensitive network assets, such as Web and database servers.

Use of IDS or IPS sensors is not an either/or proposition. They can be used together, with IDS sensors monitoring network segments of lower risk while inline IPS sensors protect higher-risk targets. Additionally, both can be used with host-based IPS software, called HIPS. This software is designed to protect endpoints from network-based attacks and may even report to the same management console.

Proper design and deployment of IDS/IPS products will require coordinated work among vendor or VAR (value-added reseller) engineers, the cybersecurity project team and the networking staff. Most network engineers understand the value of IDS/IPS technology but will want to ensure that the implementation is properly sized, configured and deployed to provide as little disruption as possible, especially on high-availability networks. They will favor a phased rollout, with plenty of time to evaluate possible effects on network throughput.

The first step in the IDS project design is to determine the scope of the IDS/IPS implementation. Using the organization's annual risk assessment report, pertinent regulatory compliance directives, and security incident after-action reports, planners should establish a prioritized list of network resources to monitor and protect. The organization should also consult industry-specific cybersecurity information sources that can help quantify the external threats that every part of the industry faces.

Typical external threats range from denial-of-service attacks on e-commerce and financial organizations, to intellectual property theft through advanced persistent threat (APT) campaigns against engineering and research firms, to industrial control and denial-of-service attacks on critical infrastructure organizations like power and gas utilities. Resources at risk should be identified by IP ranges, VLANs, protocols, applications, operating systems, and any service-level agreements both with the organization's business units and with external entities.

This information should be mapped at a high level using network schematics and overlays on existing network maps to identify likely spots where IDS/IPS sensors can be placed. The organization's networking staff will be instrumental in helping the planners understand the organization's network design on many levels and can even point out monitoring points based on their extensive knowledge of the networking hardware and the network topology.

At the outset, the project team should decide whether an open source product, such as Snort along with one of its many supporting IDS management projects, could be used as the primary IDS/IPS technology. Since commercial IDS/IPS sensors can be pricey, an open source tool or service can offer a lower upfront cost by running open source software on already-owned hardware or on virtual machines. Such an approach will require the long-term retention of subject matter experts in these open source technologies and more hands-on administration of the sensor's operating system as well as of the installed IDS/IPS software.

Once the deployment scope has been worked out, project planners can consult the technical specifications of candidate IDS/IPS sensors to determine whether a sensor's throughput is adequate to protect the resources behind it. Of importance are the number and type of interfaces in the sensor, be they copper or fiber. The processing power of the sensor should also be gauged against the anticipated traffic level and against the protocols and application data the sensor will be inspecting.

While these choices sound mundane, the devil is in the details, so working with VAR engineers and manufacturers' representatives can really help, especially with new features or capabilities that may not be documented in sales materials.

Much has been made of breaching the network perimeter with technologies like the Internet of Things (IoT), cloud-based software as a service (SaaS), bring your own device, the smart grid and the "consumerization of the Internet" by introducing consumer products to the workplace. While each of these adds complexity to the cybersecurity architecture, all are based on existing operating systems and network protocols. Hence, no matter what direction the packets come from, they are all going to act according to the rules of Internet protocols, or they won't be able to be on the Internet at all. From the engineering perspective, these technologies are evolutionary and not revolutionary.

Security practitioners can't dictate how various devices are designed, so security features are not often in the forefront of manufacturers' minds. Take for instance the compromised IoT "smart" refrigerator hosting a spambot that was reported by cybersecurity researchers. The cybercriminals had not reverse engineered some exotic technology. Rather, they found that the operating system of the smart fridge was an unpatched Linux-derived embedded system, and they exploited it.

The malicious uses of the IoT are not game-over moments. Using the network maps and diagrams created as part of the planning process, IDS/IPS project planners can consider the risks that new technologies like the IoT and cloud SaaS represent, and place their sensors accordingly. The key is to understand where an organization's "crown jewels" are located and how cybercriminals might access, disrupt or corrupt them. Once these data flows are mapped out, sensors can be placed to monitor and protect those flows in concert with other security measures, such as network segmentation and access control lists.

The same can be said of multipath TCP, which arguably has real benefits in providing multiple communication paths between endpoints.

While multipath TCP packets may fly hither and yon across the Internet on separate paths, at some point they must converge to deliver the data. These convergence points can be dictated by network design, and consequently IDS/IPS systems can be placed there to monitor the converging stream. Security issues for multipath TCP are not a mystery and are described in RFC 6181 ("Threat Analysis for TCP Extensions for Multipath Operation with Multiple Addresses") and in RFC 6824 ("TCP Extensions for Multipath Operation with Multiple Addresses", since obsoleted by RFC 8684).

Issues with IDS/IPS technologies are discussed in RFC 6824, which describes how multipath TCP is intended to behave with "middleboxes" like firewalls and IDS. RFC 6824 states that a multipath-TCP-aware IDS/IPS will be able to correlate the multiple subflows and reassemble them for analysis. So again, multipath TCP is not a game-over moment for IDS/IPS.

Granted, these new technologies may require new, adaptable ways to provide monitoring points beyond the conventional SPANs and network taps. Software-defined networking (SDN) promises to offer an abstract way to configure and control a network using inexpensive network switches managed by a central software-based controller. Using this approach it is possible to create an out-of-band network connected to the production network. This out-of-band network serves as the set of monitoring connection points for the production network without affecting the production network's throughput.

Players in the SDN field include Arista Networks, Big Switch, Cisco and Microsoft. Network aggregator manufacturers such as Gigamon and VSS Monitoring are said to be interested in the SDN market.

The project team will have to determine the scope of the project based on available resources. Very rarely do project teams get budgets big enough to handle the whole project at once, so a phased multi-year rollout is often used.

Once the number of sensors has been determined, a rollout plan should be developed based on the importance of the resources to be protected and the impact of any disruptions to the network during installation. The deployment should go in phases, as recommended by the networking group, so as to minimize downtime and to see over time whether there are any unforeseen side effects, such as dropped packets and degraded SLA levels.

In any rollout plan, an organization should have a back-out plan in order to regroup and try a sensor deployment again. Generally, sensor deployments do go well.

Finally, as part of any project rollout, the persons charged with administering sensors and analyzing the IDS/IPS reports should be trained in advance of the rollout. In addition to vendor training, third-party training such as the SANS Institute course SEC503: Intrusion Detection In-Depth helps prepare staff for the challenges of IDS/IPS work.

QUESTIONS TO ASK YOUR VENDOR

• Given the assets that require IDS/IPS protection, the current network configuration and the project budget, where would the primary components of your IDS/IPS product or service typically be located? For example, does the IDS/IPS sensor sit directly behind the firewall or between the DMZ and the internal network? Are IDS/IPS sensors deployed inside the internal network? If so, how many and where?

• If the IDS/IPS project is part of a managed security service, how will the IDS/IPS sensors be maintained, and what level of access will managed security service employees need to the customer's IDS/IPS system? Given compliance directives such as PCI DSS, which authentication methods, network traffic encryption methods and administrative audit controls are compatible with the managed security service?

• In a managed security service scenario, does the vendor, through packet captures or other means, have access to the network traffic flowing through the IDS/IPS sensor? Can this capability be disabled by the customer? Is the customer's network traffic routed through any of the vendor's networks or systems other than the IDS/IPS?

• What kind of network events can be detected by the IDS/IPS product? How effective is the system in detecting attacks like distributed denial-of-service attacks, network-based buffer overflow attacks, network scans and botnet communications? Does the system have DLP, advanced malware detection and operating system vulnerability-assessment capabilities? Is packet capture an option?

• What kind of sensor management is necessary for the IDS/IPS sensors? Is it an appliance, software for a physical server, or a virtual machine? Can an existing management product such as McAfee ePolicy Orchestrator work in place of a new management console? What are the limitations of these approaches, in terms of reporting options and the number of sensors they support? How will sensor management be updated and configured? Will it automatically detect sensor failure, and how will these failures be handled? Are these sensors true high-availability products that automatically fail over? How will the network be affected should these sensors fail?

• Given the network throughput, how many and what kind of supporting devices, such as network aggregators and IDS/IPS load balancers, will be required? Are these true high-availability products that automatically fail over? How will the network be affected should these devices fail? How will these supporting devices be managed?

• Can the proposed IDS/IPS product integrate with existing customer security controls, such as endpoint HIPS, UTM-based IDS/IPS, or existing open source IDS/IPS products like Snort?

• How will sensor data be correlated and analyzed? Will the product or service report incidents to a third-party data aggregation platform, such as Splunk, or to a Security Information and Event Management (SIEM) product such as LogRhythm, HP ArcSight, McAfee NitroSecurity or Splunk Enterprise Security? How much human effort is required for analysis of the IDS/IPS data? How much analysis can be automated?

• How are IDS/IPS sensor operating system updates handled? Can they be automatically pushed or pulled? Is this a manual process, and how much downtime is required to restart a sensor after an operating system update? Can attack signature updates be applied automatically, and if so, how frequently can this occur? How often are these signatures updated? How are the sensor OS and attack signature updates protected from man-in-the-middle attacks? Are any special firewall rules required for the updates to be received?

• How does the IDS/IPS architecture balance high network throughput, high availability and accurate detection of network-based threats? How are the intrusion detection and prevention systems' sensors tuned? Can they automatically adjust to new types of attacks without affecting network throughput?

Vendors at a Glance

This is a representative list of IDS/IPS vendors.

• Check Point
• Cisco IPS
• Core Security
• Corero Network Security (previously Top Layer Security)
• Dell SecureWorks
• Extreme Networks (acquired Enterasys)
• F5 Networks
• FireEye
• Fortinet
• Gigamon GigaVue
• GuidePoint Security
• HP TippingPoint
• IBM Security Network Intrusion Prevention System
• Juniper Networks
• ManageEngine
• McAfee IntruShield
• NitroSecurity (acquired by McAfee)
• Palo Alto Networks
• Radware
• Snort (Sourcefire/Cisco)
• Solutionary (acquired by NTT)
• Sourcefire (acquired by Cisco)
• Splunk (Splunk App for Enterprise Security)
• StoneSoft (McAfee)
• Trend Micro


IT Decision Center

• INTRUSION DETECTION AND PREVENTION

Decision Time To protect your system, it’s essential to select an IDS/IPS offering that effectively blocks attacks and complements your existing security controls.


INTRUSION DETECTION AND PREVENTION • DECISION TIME • SEARCHSECURITY.COM

Decision Time by Bill Hayes

PRODUCT BENEFITS AND TRADEOFFS

IDS/IPS products and services are in use in a variety of organizations, where they are primarily employed to detect and stymie network-based attacks ranging from single-packet attacks to sophisticated application-level attacks. IDS/IPS sensors must have enough processing power to detect these attacks as they occur and, in the case of IPS sensors, to block them at wire speed.

An out-of-band IDS sensor sees only a copy of the traffic and can react only after the fact: for TCP attacks it can inject TCP resets to tear down the offending connection, which works only if the forged reset reaches the endpoints before the attack completes. Only an IPS sensor can block attacks carried over other protocols, such as UDP and ICMP, because it sits inline and can drop the packets of any attack that flows through its network segment before they reach the target. Consequently, an organization must determine early in the IDS/IPS project how many sensors to deploy and where.

IDS/IPS products are indeed capable, essential elements of an enterprise security architecture, like firewalls, but they are not the ultimate security panacea. Instead, IDS/IPS technology should be regarded as a complementary technical control that works alongside firewalls, spam filters, antimalware and data loss prevention (DLP) products. Therefore, an organization should have a good idea of which IDS/IPS features complement its existing security controls.
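The TCP-reset response described above, as an added example that is not code from the original guide or from any of the vendors listed: after observing one client-to-server segment, a passive sensor forges a RST toward each endpoint with a sequence number that endpoint will accept. Only the Python standard library is used; the addresses, ports, sequence numbers and the 60-byte payload length are constructed for the example.

```python
"""Added example (not from the original guide): how an out-of-band IDS
tears down a TCP session it cannot block inline. After seeing one
client->server segment, the sensor forges a RST toward each endpoint with
a sequence number that endpoint will accept. Standard library only; the
addresses, ports and sequence numbers below are constructed."""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum. Re-running it over data that already
    contains a correct checksum yields 0, which is how decode() verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_rst(src_ip, dst_ip, sport, dport, seq):
    """Raw IPv4 + TCP datagram with flags=RST, no payload, both checksums set."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TCP_RST, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip),
                     socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def rst_pair_for(obs):
    """obs describes one observed client->server segment (src, dst, sport,
    dport, seq, ack, flags, payload_len). Returns (rst_to_server, rst_to_client).
    Posing as the client, SEQ must be the number the server expects next:
    observed seq + payload bytes (+1 if SYN or FIN consumed a number).
    Posing as the server, SEQ is the client's ACK, which is exactly the
    number the client expects next from the server."""
    consumed = obs["payload_len"] + (1 if obs["flags"] & (TCP_SYN | TCP_FIN) else 0)
    seq_to_server = (obs["seq"] + consumed) & 0xFFFFFFFF
    to_server = build_rst(obs["src"], obs["dst"], obs["sport"], obs["dport"], seq_to_server)
    to_client = build_rst(obs["dst"], obs["src"], obs["dport"], obs["sport"], obs["ack"])
    return to_server, to_client


def decode(pkt):
    """Decode a datagram produced above and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "ip_ok": checksum(ip) == 0, "tcp_ok": checksum(pseudo + tcp) == 0}


def send_raw(pkt, dst_ip):
    """Injection needs a raw socket (root / CAP_NET_RAW); not called here."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (dst_ip, 0))


if __name__ == "__main__":
    # Constructed observation: an SSH client has just sent 60 bytes of data.
    observed = {"src": "10.1.1.5", "dst": "10.0.0.7", "sport": 51234, "dport": 22,
                "seq": 1000, "ack": 5000, "flags": 0x18, "payload_len": 60}
    for p in rst_pair_for(observed):
        d = decode(p)
        print(f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} RST seq={d['seq']} "
              f"checksums ok={d['ip_ok'] and d['tcp_ok']}")
```

The sequence-number arithmetic is the whole trick: a receiver accepts a RST only if its sequence number is what it expects next (or at least inside its window), and the forged packet races the genuine traffic, so by the time a single-packet attack has been observed the damage is already done. There is no equivalent for UDP or ICMP, which is exactly why blocking those attacks requires an inline IPS.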



Early in your planning, assess whether your organization can benefit most from a best-of-breed or a suite-based product. Security practitioners periodically flip-flop on which tack to follow, but ultimately you should follow what works best for your organization with the least drain on your budget.

If you have in-house expertise, best-of-breed IDS/IPS can work well if sized properly for your organization. Examples of this would be using open source projects for IDS/IPS sensors and supporting technologies such as load balancers and security information and event management (SIEM) servers, or using commercial products like Sourcefire IDS/IPS sensors with Splunk Enterprise Security or LogRhythm as the SIEM.

If you are using several products from the same security vendor, it might make sense to follow the suite approach. Examples of this would include using McAfee Network Security Platform IDS/IPS with McAfee ePolicy Orchestrator, or HP TippingPoint IDS/IPS sensors with HP ArcSight ESM.

SEALING THE DEAL: FACTORS TO CONSIDER

1. Have you done your homework?
There can be a significant learning curve in assessing the existing IDS/IPS technologies. Consequently, make use of regional value-added resellers (VARs) to connect you with their subject matter experts, as well as manufacturers' representatives and independent consultants. The best VARs are willing to spend time with an organization, knowing that it will pay off for them in the long run: they do not want to sell you technology that is a bad fit, and they want return business for other projects. They can help you form the questions you need to ask vendors based on your organization's needs.

As previously mentioned, a risk assessment coupled with your industry's compliance regulations helps identify what resources need to be protected and to what degree. Ensure you have a good understanding of the perceived risks and attendant



metrics to help you in your project planning.

When selection time comes, make your decision based on the desired features that address your organization's risks. Use a feature matrix to compare competing products. This can be built simply in a word-processing table or a spreadsheet. Depending on your selection process, the feature matrix will have simple check boxes (go/no-go) for mandatory features and a weighted numerical range according to desirability for optional features.

2. Do you have the support of your organization's networking group?
IDS/IPS technology is best deployed with the active participation of the organization's networking staff. A good many tasks, such as configuring switch SPAN (mirror) ports or installing a network tap, should be done by networking specialists. Since inline IDS/IPS technology is disruptive in nature, the network staff has to understand how this technology works and the attendant benefits.

By working with the networking staff to identify monitoring points, both the cybersecurity and networking staffs can get a better idea of how the network really works and what kinds of traffic need to be detected. The networking staff can help determine if specialized equipment, such as load balancers or network aggregators, is needed to help detect network attacks while maintaining high network availability.

3. Does your project plan consider cost-based alternatives?
Network speeds will also affect how many IDS/IPS sensors can be deployed. Generally speaking, the faster the network segment, the more costly the sensor. In today's market, a 10 Gbps sensor is three to four times more expensive than a 1 Gbps sensor.

To address this issue, organizations can adopt several approaches, the first being a phased deployment that spreads the capital expense over several budget years. Another approach is to use network aggregation technology to allow a single IDS sensor to monitor multiple network segments. Still another would be to use the IPS feature in already-deployed UTM firewalls to monitor some network segments. Finally, if the organization has good open source skills, Snort IDS sensors could be deployed on existing hardware to cover lower-risk areas the commercial IDS/IPS product does not address.



4. Does your project address the wireless threat?
The networking and cybersecurity staff will also need to determine if separate wireless IDS/IPS sensors are required or if the proposed systems can address wireless security issues. Some wireless access-point controllers do have built-in IDS/IPS features, so it may simply be a matter of enabling them in existing equipment. The two technologies are complementary: wireless IDS/IPS sensors primarily look for spoofed MAC addresses and rogue access points, while conventional IDS/IPS technology addresses many other forms of network-based attacks. This can be especially useful in detecting malicious activity through privately owned mobile devices riding an organization's access points.

5. Does your project address how security events will be managed?
Organizations must realize that IDS/IPS sensors do require specialized training to operate. Sensors must be properly tuned to eliminate false positives, and alerting has to be pertinent to the actual threat. Cybersecurity staff must be trained to interpret and act on the reported events.

The large volume of detected events, even on properly tuned sensors, means that some method must be used to correlate and consolidate multiple IDS/IPS events. Many IDS/IPS products offer some kind of management server and console, but these events may also be best interpreted using a security information and event management (SIEM) platform. A SIEM is especially useful when correlating IDS/IPS events with events from separate security technologies such as UTM, endpoint host-based IDS and endpoint antivirus software.

In addition to training costs and the cost of a SIEM system, the continual nature of automated network-based attacks means that organizations are subject to attacks at any time, so staffing issues should be addressed during project planning. A managed security service provider (MSSP) can offer an alternative to 24/7 staffing. The scope and
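The two checks that factor 4 attributes to wireless IDS sensors, rogue access points and spoofed MAC addresses, as an added example that is not code from the original guide or from any wireless controller vendor. A real wireless IDS would take these fields from a monitor-mode capture of beacon and probe-response frames; here the authorized SSID/BSSID inventory, the MAC addresses and the frame observations are all constructed. The spoofing check goes slightly beyond the text: it relies on the 12-bit 802.11 sequence counter, which a single radio increments monotonically, so two transmitters sharing one MAC show up as interleaved streams that repeatedly jump backwards.

```python
"""Added example (not from the original guide): the two checks the text
attributes to wireless IDS sensors, run over constructed 802.11
beacon/probe observations. The inventory, MACs and frames are made up."""
from collections import defaultdict

SEQ_MODULUS = 4096  # 802.11 sequence numbers are 12 bits

# Constructed inventory: the SSIDs the organization broadcasts and the
# BSSIDs (AP radio MACs) allowed to broadcast each of them.
AUTHORIZED = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CorpGuest": {"00:11:22:33:44:03"},
}

# Constructed observations: (bssid, ssid, channel, sequence number)
FRAMES = [
    ("00:11:22:33:44:01", "CorpWiFi", 6, 100),
    ("00:11:22:33:44:01", "CorpWiFi", 6, 101),
    ("aa:bb:cc:dd:ee:ff", "CorpWiFi", 6, 500),   # evil twin of the corporate SSID
    ("00:11:22:33:44:01", "CorpWiFi", 6, 102),
    ("de:ad:be:ef:00:01", "CafeNet", 11, 7),     # neighbour, not ours
    ("00:11:22:33:44:02", "CorpWiFi", 1, 2000),  # genuine AP radio...
    ("00:11:22:33:44:02", "CorpWiFi", 1, 10),    # ...interleaved with a spoofer using its MAC
    ("00:11:22:33:44:02", "CorpWiFi", 1, 2001),
    ("00:11:22:33:44:02", "CorpWiFi", 1, 11),
    ("00:11:22:33:44:02", "CorpWiFi", 1, 2002),
    ("00:11:22:33:44:02", "CorpWiFi", 1, 12),
    ("00:11:22:33:44:03", "CorpGuest", 11, 3000),
]


def detect_rogue_aps(frames, authorized):
    """Evil twin: an authorized SSID beaconed by a BSSID we do not own.
    Unknown AP: an SSID we do not broadcast at all (often just a neighbour,
    so it is reported at lower severity)."""
    findings, seen = [], set()
    for bssid, ssid, channel, _seq in frames:
        if (bssid, ssid) in seen:
            continue
        seen.add((bssid, ssid))
        if ssid in authorized and bssid not in authorized[ssid]:
            findings.append({"kind": "evil_twin", "severity": "high",
                             "bssid": bssid, "ssid": ssid, "channel": channel})
        elif ssid not in authorized:
            findings.append({"kind": "unknown_ap", "severity": "low",
                             "bssid": bssid, "ssid": ssid, "channel": channel})
    return findings


def detect_spoofed_macs(frames, min_backward_jumps=2):
    """A single radio emits monotonically increasing sequence numbers
    (mod 4096, repeating a value only on retransmission). Two radios sharing
    one MAC produce interleaved streams, seen as repeated backward jumps.
    A single jump is tolerated because a rebooted AP restarts at 0."""
    last, backward = {}, defaultdict(int)
    for bssid, _ssid, _channel, seq in frames:
        if bssid in last:
            delta = (seq - last[bssid]) % SEQ_MODULUS
            if delta > SEQ_MODULUS // 2:  # shorter path is backwards: the stream went back in time
                backward[bssid] += 1
        last[bssid] = seq
    return {mac: n for mac, n in backward.items() if n >= min_backward_jumps}


if __name__ == "__main__":
    for f in detect_rogue_aps(FRAMES, AUTHORIZED):
        print(f"[{f['severity']}] {f['kind']}: {f['ssid']} from {f['bssid']} on ch {f['channel']}")
    for mac, n in detect_spoofed_macs(FRAMES).items():
        print(f"[high] mac_spoof: {mac} went backwards {n} times (two transmitters?)")
```

The rogue-AP check is only as good as the inventory it is given, which is why the text says to involve the networking staff: an unmaintained authorized list turns every newly installed corporate AP into an "evil twin" alert.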



expected duties of an MSSP should be understood before engagement. Another factor to consider is that an MSSP can provide basic incident identification while an organization's in-house experts handle incident investigation and remediation, thus extending the capabilities of your organization's cybersecurity staff.

Shortcomings of an MSSP can include reliance on canned reporting that doesn't meet the needs of the organization and a superficial understanding of the organization's infrastructure and IT services. Organizations can avoid this by ensuring that the MSSP provides the pertinent reports and that the organization's network and services are adequately understood within the scope of the engagement.

CONCLUSION
In-house expertise and the willingness of the organization's leadership to invest in capital and labor ultimately determine the best fit for an organization. This requires a thorough knowledge of the risks the organization is trying to address as well as a thorough knowledge of the organization's network and existing security controls. Successful project planning and implementation will need the support of key players in both business units and IT staff. The result will illuminate your network as never before, providing insight into the effectiveness of security controls and helping to identify and remediate previously unknown security issues. Properly fielded intrusion detection and prevention technology truly shines light into dark places.
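A closing worked example of the consolidation and correlation step that factor 5 (and the RFP question about sensor data analysis) says a management console or SIEM must perform, added here and not code from the original guide, from Snort or from any SIEM vendor. It reads constructed Snort "alert_fast" lines, collapses repeats, applies the two tuning controls every practitioner reaches for first (a threshold of N hits in T seconds, as Snort's event_filter does, and a suppression for a known scanner), then escalates a network alert when the targeted host's own HIPS reported something shortly afterwards. The rule IDs are in the local-rule range (1000000+) and mean nothing outside this example; the HIPS events, hosts and the 2014 year used for timestamps are assumptions.

```python
"""Added example (not from the original guide): consolidation, thresholding
and cross-source correlation of IDS alerts, as a SIEM would do it. Input is
constructed Snort alert_fast lines and made-up endpoint HIPS events."""
import re
from datetime import datetime, timedelta

FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")
YEAR = 2014  # alert_fast lines carry no year; assumed so times can be compared

SAMPLE_ALERTS = """\
05/12-14:03:22.100000  [**] [1:1000001:1] LOCAL SSH login attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:51234 -> 10.0.0.7:22
05/12-14:03:24.200000  [**] [1:1000001:1] LOCAL SSH login attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:51235 -> 10.0.0.7:22
05/12-14:03:26.300000  [**] [1:1000001:1] LOCAL SSH login attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:51236 -> 10.0.0.7:22
05/12-14:03:28.400000  [**] [1:1000001:1] LOCAL SSH login attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:51237 -> 10.0.0.7:22
05/12-14:03:30.500000  [**] [1:1000001:1] LOCAL SSH login attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:51238 -> 10.0.0.7:22
05/12-14:04:02.000000  [**] [1:1000001:1] LOCAL SSH login attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.9:40000 -> 10.0.0.7:22
05/12-14:05:01.000000  [**] [1:1000002:1] LOCAL web shell upload [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:44012 -> 10.0.0.20:443
05/12-14:05:03.000000  [**] [1:1000003:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.50 -> 10.0.0.7
05/12-14:30:00.000000  [**] [1:1000002:1] LOCAL web shell upload [**] [Priority: 1] {TCP} 198.51.100.4:50000 -> 10.0.0.21:443
"""
# Constructed endpoint HIPS events: (timestamp, host, description)
SAMPLE_HIPS = [
    (datetime(YEAR, 5, 12, 14, 5, 40), "10.0.0.20", "w3wp.exe spawned cmd.exe (blocked)"),
    (datetime(YEAR, 5, 12, 9, 0, 0), "10.0.0.21", "signature update installed"),
]
# Tuning: threshold = alert only after N hits within T seconds per (sid, src, dst);
# suppress = never alert on this rule from this source (the authorized scanner).
THRESHOLDS = {1000001: (5, 60)}
SUPPRESS = {(1000003, "10.0.0.50")}


def parse_alerts(text):
    events = []
    for line in text.splitlines():
        m = FAST_ALERT.match(line)
        if not m:
            continue  # a SIEM would count unparsed lines; here they are skipped
        d = m.groupdict()
        events.append({"ts": datetime.strptime(f"{YEAR}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
                       "sid": int(d["sid"]), "msg": d["msg"], "priority": int(d["pri"]),
                       "proto": d["proto"], "src": d["src"], "dst": d["dst"],
                       "dport": int(d["dport"]) if d["dport"] else None})
    return events


def consolidate(events, thresholds=THRESHOLDS, suppress=SUPPRESS):
    """Collapse repeats of (sid, src, dst) into one record with a count and
    first/last time; drop suppressed pairs; keep a thresholded rule only if
    some N consecutive hits fell within T seconds (sliding window)."""
    groups = {}  # insertion-ordered by first hit
    for e in sorted(events, key=lambda e: e["ts"]):
        if (e["sid"], e["src"]) in suppress:
            continue
        g = groups.setdefault((e["sid"], e["src"], e["dst"]),
                              {**e, "count": 0, "first": e["ts"], "last": e["ts"], "hits": []})
        g["count"] += 1
        g["last"] = e["ts"]
        g["hits"].append(e["ts"])
    out = []
    for g in groups.values():
        if g["sid"] in thresholds:
            n, secs = thresholds[g["sid"]]
            if not any(g["hits"][i + n - 1] - g["hits"][i] <= timedelta(seconds=secs)
                       for i in range(len(g["hits"]) - n + 1)):
                continue
        g.pop("hits")
        out.append(g)
    return out


def correlate(records, hips_events, window=timedelta(minutes=5)):
    """Escalate a network alert when the targeted host's own HIPS reported
    something between the first hit and `window` after the last: the attack
    very likely landed, so it outranks everything the sensor alone can say."""
    for r in records:
        r["status"] = "alert"
        for ts, host, desc in hips_events:
            if host == r["dst"] and r["first"] <= ts <= r["last"] + window:
                r["status"], r["confirmed_by"] = "confirmed", desc
    return records


def triage(text=SAMPLE_ALERTS, hips=SAMPLE_HIPS):
    return correlate(consolidate(parse_alerts(text)), hips)


if __name__ == "__main__":
    for r in triage():
        print(f"{r['status']:9} [{r['sid']}] {r['msg']} {r['src']} -> {r['dst']} "
              f"x{r['count']} {r['first']:%H:%M:%S}-{r['last']:%H:%M:%S}")
```

Run against the sample, the five SSH hits from one source collapse into a single record, the lone SSH hit from 10.1.1.9 never reaches the threshold and is dropped, the scanner's ping sweep is suppressed, and only the web-shell alert against 10.0.0.20 is escalated because its HIPS saw the web server spawn a shell 39 seconds later. The threshold and suppression values are the tuning knobs the text says require trained staff; set them too loosely and the brute-force record disappears, too tightly and the console fills with the noise the paragraph above warns about.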



© 2014 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

TechTarget, 275 Grove Street, Newton, MA 02466, www.techtarget.com

TechTarget Security Media Group


EDITORIAL DIRECTOR Robert Richardson

FEATURES EDITOR Kathleen Richards

EXECUTIVE EDITOR Eric Parizo

EXECUTIVE MANAGING EDITOR Kara Gattine

NEWS WRITER Brandan Blevins

ASSOCIATE MANAGING EDITOR Brenda L. Horrigan

DIRECTOR OF ONLINE DESIGN Linda Koury

COLUMNISTS Marcus Ranum, Gary McGraw, Peter Lindstrom

CONTRIBUTING EDITORS Kevin Beaver, Crystal Bedell, Mike Chapple, Michele Chubirka, Michael Cobb, Scott Crawford, Peter Giannoulis, Francoise Gilbert, Joseph Granneman, Ernest N. Hayden, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Mike Rothman, Karen Scarfone, Dave Shackleford, Joel Snyder, Steven Weil, Ravila Helen White, Lenny Zeltser

USER ADVISORY BOARD

Phil Agcaoili, Cox Communications; Seth Bromberger, Energy Sector Consortium; Mike Chapple, Notre Dame; Brian Engle, Health and Human Services Commission, Texas; Mike Hamilton, MK Hamilton and Associates; Chris Ipsen, State of Nevada; Nick Lewis, Saint Louis University; Rich Mogull, Securosis; Tony Spinelli, Equifax; Matthew Todd, Financial Engines; MacDonnell Ulsch, ZeroPoint Risk Research

VICE PRESIDENT/GROUP PUBLISHER Doug [email protected]