Published On: May 14th, 2015 / Categories: Cognition

Is IPS Dead?

Within the Infosec community, the role and value of IPS (Intrusion Prevention Systems) have been widely debated for a long time. What was originally seen as a brilliant new technology, coming along to bolster the ever-weakening perimeter, is swiftly becoming the preserve of a compliance tickbox.

Hence we often hear the question: is IPS dead? In my view… YES.

The main problem with IPS is that it’s a technology based on the premise of single functions within a layered, defense-in-depth approach. This premise of detecting the bad stuff that falls through the cracks is naive and easy to subvert. It’s just too simple. IDS is particularly limited since it is based predominantly on signature-based detection, trying to recognise the “bad” by comparing against static lists of known attacks. Modifying and masking an attack to appear genuine is worryingly easy, rendering these signature-based controls impotent.

In the real world, the attack isn’t the real problem; it’s the attacker. And the attacker has unlimited time, sophistication and desire to compromise the target, utilising multiple stages of scanning, probing and active connections. So when an attack is launched, it is the combined threat that needs to be handled with a combined system of defence. Every variable and metric of the attack has value, and in unison they bring greater intelligence to each security control. And by unifying the controls, the control itself becomes exponentially stronger.

Take for example the lowly URL, its control relegated to the dusty Web Filtering box you deployed 10 years ago. But there’s so much value we can gain from really taking hold of this information and actively (and proactively) using it. Knowing who went to this URL, what traffic was processed and when, should determine what wider defences should be performed and what further intelligence should be gathered. Understanding that a URL looks malicious could trigger higher levels of protection for inbound SMTP and HTTP traffic from that matching IP subnet. Isolated controls just can’t cope with this level of sophistication.
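A minimal sketch of the URL-to-subnet escalation described above, as an added example that is not code from the original post or from any product. The class name, event fields, inspection profile names, the /24 prefix and the one-hour TTL are all assumptions; the addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

ESCALATION_TTL = 3600                      # seconds a subnet stays escalated (assumed)
WATCHED_PORTS = {25: "smtp", 80: "http"}   # the inbound services named in the post

@dataclass
class UnifiedPolicy:
    """Hypothetical shared state between a web filter and an inbound firewall."""
    prefix_len: int = 24                            # subnet size to escalate (assumed)
    escalated: dict = field(default_factory=dict)   # network -> (expiry, evidence)

    def on_url_verdict(self, ts, user, url, server_ip, malicious):
        """Web-filter event: who went to which URL, when, and the verdict."""
        if not malicious:
            return None
        net = ipaddress.ip_network(f"{server_ip}/{self.prefix_len}", strict=False)
        self.escalated[net] = (ts + ESCALATION_TTL, {"user": user, "url": url, "ts": ts})
        return net

    def inspection_for(self, ts, src_ip, dst_port):
        """Firewall event: pick an inspection profile for an inbound connection."""
        service = WATCHED_PORTS.get(dst_port)
        if service is None:
            return ("default", None)
        addr = ipaddress.ip_address(src_ip)
        for net, (expiry, evidence) in list(self.escalated.items()):
            if ts > expiry:
                del self.escalated[net]    # stale intelligence ages out
            elif addr in net:
                return (f"strict-{service}", evidence)
        return ("default", None)

def demo():
    # Constructed events: one malicious URL verdict, then four inbound connections.
    p = UnifiedPolicy()
    p.on_url_verdict(1000, "alice", "http://example.test/invoice.js", "203.0.113.45", True)
    return [
        p.inspection_for(1200, "203.0.113.9", 25)[0],    # same subnet, SMTP
        p.inspection_for(1200, "198.51.100.7", 25)[0],   # unrelated subnet
        p.inspection_for(1200, "203.0.113.9", 22)[0],    # service not covered
        p.inspection_for(5000, "203.0.113.9", 80)[0],    # after the TTL has expired
    ]

if __name__ == "__main__":
    print(demo())
```

The evidence returned with a strict profile ties the escalation back to the user, URL and time that caused it, which is the cross-control context an isolated signature match does not carry.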

Don’t get me wrong, IPS is great at what it does, and nothing more. But it just needs to be absorbed into a much better solution such as a next-generation firewall. That’s why if anyone asks me to recommend an IPS solution, I’ll always spend some time looking at their actual requirements, what threats they’re trying to mitigate and whether we can come up with a smarter and more cost-effective solution.


About the Author: Carl Gottlieb
I'm the trusted privacy advisor to leading tech companies, helping them gain maximum advantage through the right privacy strategy. My consultancy company Cognition provides a range of privacy and security services including Data Protection Officers, in-depth assessments and virtual security engineers. Get in touch if you'd like to learn more.
