Can IPS Counter the Patch-Lag Window?


Historically, IDSs could be unmanageable. They tracked and logged network activity, but they generated too many false alarms and too much information to be useful.

Next-generation IPSs are said to remedy these problems, but before you run out to buy one for your company, you should realize that IPSs themselves are already evolving into very different products.

“What we do is analyze root-cause vulnerability,” said Shively of PivX. “Our IPS looks at critical functions and literally blocks or shuts down an infection vector.”

In developing their product, Shively says that PivX looked at security from a hacker’s perspective. For instance, how would a hacker gain control of a PC? As opposed to signature approach, they came up with as many answers to that question as possible and built the responses into their IPS.

“An example is RPC-DCOM,” Shively said. “It is enabled by default in 100% of Microsoft operating systems, but only about one-tenth-of-one-percent of users need the feature enabled. And an RPC-DCOM vulnerability is what led to Blaster. What our system does is go in and disable this by default. The small percentage of users who need RPC-DCOM enabled can go in later and enable it.”

Shively refers to this approach as “active system hardening,” and he believes that it plugs many of the holes that firewalls, anti-virus systems, patching, and older IDSs leave open.

Martin Roesch, one of the heavy hitters in the IDS world, has a similar take. One of the most widely used IDSs is the open-source Snort software, which Roesch created. Now, he’s the CTO of Sourcefire, a provider of IPS and “real-time network awareness” (RNA) products.

Roesch argues that IDSs have not really evolved at all, and he predicts that many IPS products will soon to fall victim to the same old problems that IDSs faced.

“Most IPSs don’t do anything differently than IDSs did,” he said. “They’re only sitting on a different place in the network.”

He argues that they’ve solved the problem of information overload and false alarms by ignoring much of the data they previously collected. In other words, they’ve simply become a different kind of firewall.

“Enterprises need firewalls, certainly, but firewalls don’t ‘prevent’ unknown attacks,” Roesch added.

Roesch believes that before IPSs can be successful, organizations must understand the nature of their networks and the behavior of acceptable traffic. But perhaps Roesch’s most interesting point about how the IPS segment is evolving, is one about interoperability.

“If security products don’t work together, you’re bound to have problems,” Roesch said. “However, if you can use your various security products holistically to better see and understand your network, you are better off.

“Attacks will always evolve, but change in a network is hard to mask, and if you can identify and act on change, your organization will be much better protected.”

It’s a pitch for more open products and an old developer’s argument that, unfortunately, usually falls on deaf ears.