Intrusion Prevention and Detection: Are They Just Missing the Point?
By Jean-Charles Barbou, vice president EMEA, Tripwire
Organizations know they must protect themselves from the shadowy figure of the 'hacker' and from viruses such as LoveLetter, but there is often a misguided belief that these external threats are the main risks to a business. There is still a fundamental lack of awareness, especially amongst small and medium-sized businesses, of the threat lurking within the organization and of the technologies available to protect against it.
IT security is a maze of theories, solutions and "do's and don'ts", where everyone has an opinion about the best product or the essential technology that businesses must implement to protect their applications, network and critical business information. Yet despite the constant press coverage of the availability and benefits of different security solutions, a lot of companies still rely solely on anti-virus products and firewalls to keep the bad guys out.
Internal vs. external
Two security solutions that have received a lot of press coverage are intrusion detection and, more recently, intrusion prevention. However, these products tend to focus primarily on incoming threats, neglecting the growing internal risks within the organization's own four walls, which range from deliberate sabotage by a disgruntled employee to a network administrator simply mistyping an entry in a configuration file.
It is becoming more widely accepted that internal threats pose a significantly greater risk to an organization than external ones. According to recent reports from analyst groups such as Gartner and IDC, up to 80 percent of network failures originate from within the organization rather than from outside. It is these internal errors that can leave an organization wide open to a security breach, and intrusion detection and prevention tools cannot stop them.
One significant downside to the increasing reliance on intrusion detection and prevention is the false sense of security they can provide. There is a real risk with all security products that, once the technology is installed, businesses assume they are protected and promptly forget about the ongoing risk. Security needs to be monitored and updated constantly, for example by applying patches or updating anti-virus signatures. Any company that becomes complacent about its security infrastructure and policy is simply asking for trouble. No system is failsafe, and no intrusion detection or prevention system can guarantee 100 percent accuracy.
What really matters?
Intrusion detection and prevention are all very well, but the most important factor for any organization after a security breach is its ability to continue trading and making money. The immediate focus has to be on identifying what has changed and putting it right, so that the system is back up and running as soon as possible. Working out how and why it went wrong can wait until later.
Take, for example, a mistake in a configuration file on a web server that leaves a back door wide open, or a malicious 'hole' created by a disgruntled employee trying to hide his tracks: in either case you need to know what happened immediately. Traditionally this would mean shutting down the entire network while the problem is identified and fixed. A company with a comprehensive, well-managed change management solution in place, however, can immediately pinpoint which part of the network has changed and therefore where the problem lies, and can take action before any real damage is done.
For an online retailer, for example, this is critical because it lets the business continue trading: only the affected part of the network needs to be shut down. System downtime from any kind of security breach affects a retailer's ability to take money, tarnishes its reputation and puts off potential customers. Retailers therefore need systems that immediately identify where a problem lies, so that the IT department can isolate that area while maintaining business as usual on the other servers. The IT department can then quickly single out the unauthorized change that caused the problem and restore the server, router or other affected device to its 'correct' state.
This is possible because every time a change is made anywhere on the network the IT manager is notified, and that change can then be accepted or rejected depending on whether it is correct and authorized. Once a change has been accepted it is incorporated into the established 'correct' state, or baseline, for that device; any change that has not been accepted is by definition unauthorized and can always be undone by returning the device to that baseline.
Where do intrusion detection and prevention fit in?
Intrusion prevention and detection address only a small piece of the puzzle, and they often have significant failings. Not only do these technologies focus primarily on external threats, but they are often unable to cope with the fact that the network itself is constantly changing, so that the real 'good' state of a device can be very different from the documented state used as a baseline. Very often the ongoing changes made during day-to-day system maintenance are inadequately recorded and managed, and this is not something that intrusion detection and prevention systems are designed to do.
Companies need to protect their network from the inside out. They need to know exactly what the configuration of every device on the network should be. Changes and updates should be managed to ensure that they have been rolled out correctly; once changes have been authorized they need to be incorporated into a new 'baseline' for that device; and every change of any sort needs to be flagged and monitored. This is how organizations will keep their systems secure, whether the threat is internal or external, malicious or accidental, and how they will know immediately if a security breach has occurred and be able to fix it.
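The baseline-and-change-control loop described here, and in the 'correct state' passage in the previous section, as an added example that is not part of the original article and is not Tripwire's product code. It records a SHA-256 digest and the permission bits of every file under a configuration directory, reports anything added, modified or deleted on the next scan, lets an administrator accept an authorized change into the baseline, and restores an unauthorized one from the baseline copy. The directory, the two configuration files and the edits made to them are constructed for the demonstration.

```python
"""Configuration baseline with accept/restore, as the article describes.

Added example, not Tripwire's code. Every file under a directory is
recorded as (sha256, permission bits, content); a scan reports deviations;
an authorized change is accepted into the baseline, an unauthorized one is
rolled back. Paths, file contents and edits below are constructed.
"""
import hashlib
import os
import shutil
import tempfile


def _file_state(path):
    """Digest plus permission bits: a chmod is a change too, not just an edit."""
    with open(path, "rb") as f:
        data = f.read()
    return hashlib.sha256(data).hexdigest(), os.stat(path).st_mode & 0o7777, data


def _walk(root):
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            yield os.path.join(dirpath, name)


class ConfigBaseline:
    """Known-good state of a configuration tree; every deviation is reported."""

    def __init__(self, root):
        self.root = root
        self.known = {p: _file_state(p) for p in _walk(root)}  # path -> state

    def scan(self):
        """Compare the tree with the baseline; returns {path: status}.

        Unchanged files are omitted, so an empty dict means 'nothing outstanding'.
        """
        report, seen = {}, set()
        for p in _walk(self.root):
            seen.add(p)
            if p not in self.known:
                report[p] = "added"
                continue
            digest, mode, _ = _file_state(p)
            if (digest, mode) != self.known[p][:2]:
                report[p] = "modified"
        for p in self.known:
            if p not in seen:
                report[p] = "deleted"
        return report

    def accept(self, path):
        """Authorized change: what is on disk now becomes the new baseline."""
        self.known[path] = _file_state(path)

    def restore(self, path):
        """Unauthorized change: put the baseline content and mode back
        (or remove a file that was never part of the baseline)."""
        if path not in self.known:
            os.remove(path)
            return
        _, mode, data = self.known[path]
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)


def demo():
    """Constructed scenario: two config files, one authorized edit, one not."""
    root = tempfile.mkdtemp()
    try:
        httpd = os.path.join(root, "httpd.conf")
        sshd = os.path.join(root, "sshd_config")
        with open(httpd, "w") as f:
            f.write("Listen 443\nServerTokens Prod\n")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\n")
        baseline = ConfigBaseline(root)

        # Day-to-day maintenance: a change that went through the proper process...
        with open(httpd, "a") as f:
            f.write("TraceEnable Off\n")
        # ...and an edit nobody approved that opens a back door on the same host.
        with open(sshd, "w") as f:
            f.write("PermitRootLogin yes\n")

        first = baseline.scan()   # both files are flagged as modified
        baseline.accept(httpd)    # approved: becomes part of the baseline
        baseline.restore(sshd)    # not approved: rolled back to the known-good copy
        second = baseline.scan()  # nothing outstanding any more
        with open(sshd) as f:
            sshd_after = f.read()
        return {os.path.basename(k): v for k, v in first.items()}, second, sshd_after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Comparing content digests rather than timestamps is deliberate: an attacker hiding his tracks can reset a file's mtime, but cannot keep the old digest while changing the content. The baseline copy stored alongside the digest is what makes the "undo" in the article possible without a separate backup.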
Acknowledgement: Jean-Charles Barbou is vice president EMEA, Tripwire.
Copyright © West Coast Publishing.