NSS Labs, an independent security research and testing organization, recently evaluated the performance of 15 leading network intrusion prevention systems (IPS) from seven vendors. Among the report’s many findings, perhaps the most significant was that by tuning an IPS, rather than leaving it on default settings, organisations can block an average of 18 percent more threats.
According to Rick Moy, President of NSS Labs, “Tuning the systems almost always provided significant improvements in terms of identifying ‘catchable’ attacks. In addition, the degree to which the user can control the tuning varies widely, as does the level of effort and expertise required. Organisations need to plan accordingly to achieve maximum protection against threats.”
The benefits of tuning are many, including increased protection, reduced risk, and optimised resources. Yet the sad truth is that most IPS solutions are rarely tuned, or are tuned once with a ‘set it and forget it’ approach that doesn’t work in today’s dynamically changing network and threat environment. Federal agencies face even greater challenges, managing a range of security requirements while protecting networks from sophisticated state-sponsored attacks.
These talented hackers are motivated and well-resourced with methods that may not even be known by the security community. With advanced persistent threats by nation-states against U.S. government agencies on the rise, placing our national security itself at risk, deploying any technology in default mode is woefully inadequate. So how can governments and enterprise go beyond basic policy settings and make tuning an integral part of their security processes and effectively guard against cyberthreats to agency networks?
Effective IPS tuning requires three steps:
- Know what is on the network: Effective tuning requires visibility into the operating systems, applications and services running on the network. Maintaining an inventory of assets sounds simple enough but expansive and rapidly changing networks make it virtually impossible for IT staff to keep up. A few simple yet all too familiar scenarios bring this home:
  - An employee in a remote location operating a new wireless device
  - A team using new social media collaboration tools to share information
  - A contractor running an unapproved software application
Having visibility into and tracking all of these changes in real-time is essential but difficult for an already strapped IT staff to achieve.
- Know the threats: Threats to our networks are faster, smarter, more prevalent, and more elusive than ever before. Effective tuning requires selecting the IPS rules, or signatures, that will protect your environment against vulnerabilities specific to your infrastructure. IT security administrators can’t simply turn on every rule or IPS performance and IT staff productivity will be greatly compromised.
Physical IPS resources will slow to a crawl, spending extra processing time applying rules that are not required, and IT staff will get bogged down responding to irrelevant alerts. For example, if your agency’s web servers are Linux based—as opposed to Windows based—you don’t need to enable rules that defend Windows-based web servers. Likewise, if you’re running Apache, you want to make sure you are running rules specific to Apache. Adding to the complexity, continually updating rules to keep pace with changing network operating systems and services can quickly drain limited IT resources.
- Automate when possible: Given the constraints most agencies face with respect to IT staff, budgets and time, identifying ways to use technology to assist with tuning is essential. Automation is the key to making IPS tuning a reality for government/enterprise today. Minimizing the need for human intervention reduces costs while mitigating risks, increasing security and optimizing the use of highly trained security IT resources. Organisations should closely consider IPS solutions that automatically maintain an inventory of network assets in real-time and automatically recommend rules based on the specific environment.
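The three steps above, as an added example that is not part of the original article or any vendor's product: a small Python model in which an asset inventory drives rule selection, so that rules for platforms and services the network does not run (the Windows web-server case from step two) stay disabled, and rules already enabled for assets that have since disappeared are flagged for review. Hosts, service names, rule IDs and rule names are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    os: str                      # "linux" or "windows" in this sample
    services: frozenset          # service names observed on the host

@dataclass(frozen=True)
class Rule:
    sid: int
    name: str
    target_os: frozenset         # empty set means the rule is OS-agnostic
    target_services: frozenset   # empty set means the rule is service-agnostic

# Constructed sample data: hypothetical hosts and placeholder rule IDs/names,
# not a real asset list or a real signature feed.
INVENTORY = [
    Asset("web01", "linux", frozenset({"apache", "openssh"})),
    Asset("web02", "linux", frozenset({"apache"})),
    Asset("fs01", "windows", frozenset({"smb"})),
]
RULES = [
    Rule(900001, "apache-specific web attack", frozenset({"linux"}), frozenset({"apache"})),
    Rule(900002, "iis-specific web attack", frozenset({"windows"}), frozenset({"iis"})),
    Rule(900003, "smb-specific attack", frozenset({"windows"}), frozenset({"smb"})),
    Rule(900004, "generic sql injection", frozenset(), frozenset()),
    Rule(900005, "openssh version probe", frozenset(), frozenset({"openssh"})),
]

def rule_applies(rule, asset):
    """A rule is relevant when both its OS and service targets match the asset."""
    os_ok = not rule.target_os or asset.os in rule.target_os
    svc_ok = not rule.target_services or bool(rule.target_services & asset.services)
    return os_ok and svc_ok

def recommend(rules, inventory):
    """Map each relevant rule SID to the sorted hosts that justify enabling it."""
    rec = {}
    for rule in rules:
        hosts = sorted(a.host for a in inventory if rule_applies(rule, a))
        if hosts:
            rec[rule.sid] = hosts
    return rec

def stale_rules(rules, inventory, enabled):
    """Enabled SIDs that no longer match any asset: candidates to disable."""
    still_needed = set(recommend(rules, inventory))
    return sorted(sid for sid in enabled if sid not in still_needed)

if __name__ == "__main__":
    print(recommend(RULES, INVENTORY))
    print(stale_rules(RULES, INVENTORY, {900001, 900002, 900004}))
```

Re-running `recommend` and `stale_rules` whenever the inventory changes is the automation the third step calls for; the IIS rule is never recommended because no Windows host in the inventory runs IIS.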
IPS tuning is not a ‘day one’ exercise. It requires an ongoing commitment to maintain real-time network visibility and an understanding of emerging vulnerabilities. The only way to keep pace with changing networks and threats and realize the full benefits of tuning is through automation. Cyber criminals are using every tool available to threaten security. We must do the same to protect ourselves.