Friday, May 18, 2007

It's Only a Flesh Wound

The slide above is from Gartner analyst Greg Young's 2006 presentation at the Gartner IT Security Summit 2006, Deconfusicating Network Intrusion Prevention (.pdf). "Deconfusicating" appears to be a fake synonym for simplifying. I bet that was supposed to confuse an IDS, but not an IPS. Funny that stopping an attack requires detecting it, but never mind.

Someone recently recommended I read this presentation, so I took a look. It's basically a push for Gartner's vision of "Next Generation Firewalls" (NGFW), which I agree are do-everything boxes that will eventually collapse into security switches or Stiennon-esque "secure network fabric." The funny thing about all those IPS deployments is that I continue to hear about organizations that utilize only a fraction or none of the IPS blocking capability, and instead use them as -- wait for it -- IDS. Hmm.

That still doesn't account for the major problem with a prevention-only mindset. Let's face the facts: there are events on the network that worry you, but for which you can't reliably make a policy-based allow or deny decision. When business realities rule (which they always do) you let the traffic through. Where's the IPS now? It's an IDS.

There are also events you have no idea how to identify until you learn of the incident by nontechnical means. If you care at all about security you're going to want to keep track of what's happening on the network so you can scope the incident once you know what to look for. I call that one form of Network Security Monitoring (NSM).
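To make the two points above concrete, here is an added illustration in Python. It is not code from this post, from Gartner, or from Schultz; the session records, addresses (RFC 5737 documentation ranges), signatures and port list are all constructed for the example. A toy inline sensor drops only on a signature it trusts, lets ambiguous traffic through with an alert (the IPS-as-IDS case), and records every session it passes. A later call from a third party supplies an external address nobody had a rule for; the stored sessions, not the alerts, are what let you scope which internal hosts touched it and pivot to a second destination they share.

```python
"""Toy inline sensor plus retrospective scoping over stored session data.
Added illustration only; every record, address and signature below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    ts: int         # epoch seconds (constructed)
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes  # first bytes of client data, if captured


# Constructed session records. Nothing about 203.0.113.9 looks bad at the time.
SESSIONS = [
    Session(1000, "10.1.1.5", "192.0.2.10", 80, "tcp",
            b"GET /cgi-bin/../../etc/passwd HTTP/1.0"),
    Session(1005, "10.1.1.7", "203.0.113.9", 443, "tcp", b"\x16\x03\x01"),
    Session(1010, "10.1.1.7", "198.51.100.44", 8443, "tcp", b"\x16\x03\x01"),
    Session(1020, "10.1.1.9", "198.51.100.44", 8443, "tcp", b"\x16\x03\x01"),
    Session(1040, "10.1.1.9", "203.0.113.9", 443, "tcp", b"\x16\x03\x01"),
]

# Known badness you trust enough to drop on (assumed signature for the example).
BLOCK_SIGS = {b"../../etc/passwd": "directory traversal"}
# Suspicious but not droppable: business traffic may legitimately use this port.
ALERT_ONLY = {8443: "TLS on non-standard port"}


def inline_decision(s: Session):
    """Return (verdict, reason) with verdict in {'drop', 'alert', 'pass'}.
    Only trusted signatures drop; everything else is allowed through."""
    for sig, why in BLOCK_SIGS.items():
        if sig in s.payload:
            return "drop", why
    if s.dport in ALERT_ONLY:
        return "alert", ALERT_ONLY[s.dport]
    return "pass", ""


def run_sensor(sessions):
    """Apply the inline policy; keep session data for everything that was allowed."""
    dropped, alerts, store = [], [], []
    for s in sessions:
        verdict, why = inline_decision(s)
        if verdict == "drop":
            dropped.append((s, why))
            continue
        if verdict == "alert":
            alerts.append((s, why))  # IPS acting as IDS: logged, not stopped
        store.append(s)              # NSM: recorded whether or not a rule fired
    return dropped, alerts, store


def scope_by_indicator(store, bad_dst):
    """Given an external address learned after the fact, return the internal
    hosts that contacted it and, per host, the other destinations it reached."""
    touched = {s.src for s in store if s.dst == bad_dst}
    related = defaultdict(set)
    for s in store:
        if s.src in touched and s.dst != bad_dst:
            related[s.src].add(s.dst)
    return touched, dict(related)


def shared_destinations(related):
    """Pivot: destinations common to every touched host are candidate new indicators."""
    sets = list(related.values())
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    dropped, alerts, store = run_sensor(SESSIONS)
    print("dropped:", [(s.src, why) for s, why in dropped])
    print("alerted:", [(s.src, s.dst, why) for s, why in alerts])
    # Indicator arrives later from a nontechnical source: a third party calls.
    touched, related = scope_by_indicator(store, "203.0.113.9")
    print("hosts that reached the indicator:", sorted(touched))
    print("pivot candidates:", shared_destinations(related))
```

Note that the sessions to 203.0.113.9 produced no alert at all; the only reason they can be scoped later is that the sensor stored session records for traffic it passed.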

At about the same time I saw the 2006 Gartner slides I read IDS in Mid-Morph, an interview with Gene Schultz, long time security veteran. The interview states:

Schultz says there are already signs of new life. For one thing, IDS data is being used as part of intelligence-collection for forensics, he says. "People are gathering a wide range of data about behavior in machines, the state of memory, etc. and combining it to find patterns of attacks.

Intrusion detection is one rendition of going more toward the route of intelligence-collection. Instead of focusing on micro-details like packet dumps, [security analysts] are looking at patterns of activity through intensive system and network analysis on a global scale, to determine what the potential threats are."

Schultz attributes this to a new breed of intrusion detection analyst, "more like an intelligence analyst, especially in the government."

I wonder if Gene read any of my books or articles? For the last five years I've defined NSM as the

collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.

Chapter one from Tao is online and must say the word intelligence a dozen times.

Incidentally, if you're near Sydney I'll be teaching my NSM course on 25 May 2007. If you're near Santa Clara I'll be teaching on 20 June 2007. Thank you.


Anonymous said...

I agree with you that the blocking capability of an IPS is rarely used. I have yet to see an IPS accurate enough to trust it to block or allow traffic. As Gene Schultz and you note, they are good for gathering I & W data. The down side is they, as Marcus Ranum says, "Enumerate badness" and only the badness they know about. Looking at the top three Tao layers: Alerts, Statistics and Sessions is how I spot odd activity. Then use them in concert with the fourth layer, Full Content, to determine if the activity is benign or not. Good log data also helps in this analysis.

Anonymous said...

I have seen IPSs used successfully as inline blocking at some large organizations, but it is generally to prevent known items against policy (use of IM, Skype, scans that are as loud as a band...) that could be enforced in other ways. IPSs will not find the intruders that land you front page on the Washington Post, and until we get an IPS that is as wise as HAL from "2001: A Space Odyssey" that will continue to be the case.

Anonymous said...

'Deconfusicating' is a joke, not a fake synonym. Of course IPS contains IDS, IPS is the successor technology to IDS, about 80%+ of IPS deployments employ blocking, and blocking doesn't remove the requirement for analysis of some detected events.