Double-Down on Security Intrusions with Snort Plus IPS

It’s no surprise to anyone reading this that advanced malware is destructive, deceitful and resource-draining. But what was a surprise to me was that the average cost of an attack for U.S. businesses in 2013 was a mind-boggling $11.6 million. Equally disturbing was the fact that 67 percent of security professionals in the U.S. do not have technology to fight advanced malware. I am convinced that the only way to combat the influx of ever more sophisticated malware is through layered and connected security solutions.

So You Say You Use Snort and Open Source Signatures?

At the risk of giving hackers and bad guys undue attention, I’m amazed at how effortless it is for advanced malware to sneak into a network and remain undetected regardless of what security measures are in place. The community of security experts using Snort and open-source signatures is likely feeling pretty good right now, thinking that it has ultimate visibility into these threats. But I’m not so sure that is true these days.

To refresh our memories, Snort is a free, open-source network intrusion detection and prevention system that performs rule-based, real-time traffic analysis and packet logging on IP networks; deployed inline, it can drop matching traffic as well as alert on it. It has been around since 1998 and is considered the world’s most widely deployed technology for network traffic visibility and security. Snort has certainly flexed its muscles, but it may need some reinforcements to maintain its security longevity.

Don’t Scoff at Snort

With a community of nearly 400,000 registered users, Snort remains a valuable tool for security organizations that want to share threat data and signature protections. It’s a pretty remarkable community if you think about it. Unfortunately, malware isn’t what it used to be, so enterprise security needs aren’t either. In fact, the volume of stealthy, targeted zero-day attacks that successfully bypass signature-based defenses keeps growing.

I’m not suggesting that the massive global community of Snort users and contributing developers is resting on its laurels. What I am saying is that its effectiveness is reduced when resource-rich adversaries have access to the same public rule sets many Snort deployments run today: an attacker can test a payload against those rules offline and reshape it until no rule fires, which is an effective method for crafting techniques that avoid detection. This is where the value of a commercial Intrusion Prevention System (IPS), one that uses detection technologies beyond signatures, comes in.

Here’s the Challenge

As you can see and probably have experienced, the need for true network inspection visibility is at an all-time high. Even with the best signature-based Snort deployment in place, enterprises need more to stay fully protected from the most advanced malware. Signature-based technology is a viable solution for detecting and reporting on known attacks, but therein lies today’s problem: we are now up against the unknown.

As security solution providers, our challenge is to develop and deploy technology that can prevent the spread of unknown malware, bridging the gap between simple detection and automatic blocking. Open source also raises a transparency concern: when the patched and unpatched versions of the same code are both public, the difference between them is a road map to the flaw for anyone targeting deployments that have not yet updated.

Is there an IPS in the House?

I believe the best security is layered security, and against advanced malware a layered, defense-in-depth solution is essential. The best IPS excels at blocking both known and unknown attacks. Signature-based detection is an essential IPS capability, but it is insufficient on its own; the system must also be able to find and stop the growing volume of attacks for which no signature is available. Because any single signature-less method is inherently less precise than high-confidence pattern matching (it trades fewer misses for more false positives), an IPS should layer several such techniques, including behavioral and heuristic analysis, and weigh their results together to maximize effectiveness. Organizations already running Snort signatures are one step ahead of the game, but they are not fully protected without a blended solution that layers signature and signature-less technologies into a multi-detection capability.
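To make the two points above concrete (an attacker with the public rule set can tune a payload until the exact match is silent, and a signature-less layer catches it at the price of more false positives), here is an added example. It is code written for this edit, not Snort’s code and not the author’s. The matcher mirrors only Snort’s `content:`/`nocase` rule options; the rule IDs, the heuristic weights, the threshold and all three HTTP request lines are constructed for the demonstration. One caveat a practitioner will want: real Snort normalizes percent-encoding in its HTTP preprocessor before rules are applied, so the transformation shown is not a Snort bypass, only a stand-in for the attacker’s test-and-tweak loop against whatever rules they can read.

```python
"""Layered detection: Snort-style content signature plus signature-less
heuristics over HTTP request lines.

Added example for this edit: not Snort's code and not the article author's.
Rule IDs, weights, threshold and request lines are all constructed.
"""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int          # like Snort's sid: option (constructed values)
    msg: str
    content: bytes    # exact byte pattern, like Snort's content: option
    nocase: bool = False


def signature_match(payload: bytes, rules) -> list:
    """Layer 1: sids of every rule whose content occurs in payload."""
    hits = []
    for rule in rules:
        hay, needle = payload, rule.content
        if rule.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle in hay:
            hits.append(rule.sid)
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encoded blobs score high, plain text low."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def heuristic_score(payload: bytes) -> int:
    """Layer 2: score structural oddities, not known strings.

    None of these checks knows what the attack looks like; each fires on a
    property an evasion tends to introduce. The weights are illustrative.
    """
    score = 0
    # Shell metacharacters in a request line: a command injection needs them.
    meta = sum(payload.count(c) for c in (b";", b"|", b"`", b"$", b"(", b")"))
    if meta >= 3:
        score += 2
    # Dense %XX encoding: the cheapest way to hide a string from exact match.
    if len(re.findall(rb"%[0-9a-fA-F]{2}", payload)) >= 8:
        score += 2
    # High entropy suggests a packed or otherwise encoded payload.
    if shannon_entropy(payload) > 5.5:
        score += 1
    # Unusually long request lines often carry padding or staged payloads.
    if len(payload) > 512:
        score += 1
    return score


def layered_verdict(payload: bytes, rules, threshold: int = 3) -> tuple:
    """A signature hit is decisive; otherwise the heuristic score must reach
    the threshold. Returns (action, reason, detail)."""
    sids = signature_match(payload, rules)
    if sids:
        return ("block", "signature", sids)
    score = heuristic_score(payload)
    if score >= threshold:
        return ("block", "heuristic", score)
    return ("allow", None, score)


# Constructed rule set (sids in the 1000000+ range used for local rules).
RULES = [
    Rule(1000001, "cmd injection: cat /etc/passwd in URI", b"cat /etc/passwd", nocase=True),
    Rule(1000002, "cmd injection: /bin/sh in URI", b"/bin/sh"),
]

# Constructed sample request lines (not captured traffic).
KNOWN_ATTACK = b"GET /cgi-bin/status?host=1.1.1.1;cat /etc/passwd HTTP/1.1"
# Same command after testing it against the public rule: every character of
# the command is %XX-encoded, so the exact content match stays silent.
EVADED_ATTACK = (b"GET /cgi-bin/status?host=1.1.1.1;$(%63%61%74%20%2f%65%74%63"
                 b"%2f%70%61%73%73%77%64)|%73%68 HTTP/1.1")
# Benign search for a Japanese word, UTF-8 percent-encoded by the browser.
BENIGN_SEARCH = b"GET /search?q=%E3%81%93%E3%82%93%E3%81%AB%E3%81%A1%E3%81%AF HTTP/1.1"


def run_samples(threshold: int = 3) -> dict:
    """Verdict for each constructed sample at the given heuristic threshold."""
    return {name: layered_verdict(p, RULES, threshold)
            for name, p in (("known", KNOWN_ATTACK),
                            ("evaded", EVADED_ATTACK),
                            ("benign", BENIGN_SEARCH))}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:7s} -> {verdict}")
```

With the default threshold of 3, the plain injection is blocked by the signature, the encoded variant is missed by the signature but blocked by the heuristic layer (encoding density plus metacharacters), and the benign encoded search is allowed. Lower the threshold to 2 and the benign search is blocked too: that is the precision cost of signature-less detection, and the reason to layer it on top of signatures rather than replace them.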

Choosing the Right IPS for your Organization

Looking back at the cost of an average security breach and the rising number of breaches worldwide, it seems only prudent to layer an IPS with multiple detection capabilities on top of an already deployed signature-based sensor. Such a solution protects against unknown threats and helps reduce the alert volume an untuned Snort sensor can generate. The goal is a practical upgrade path for security teams that want to extend an existing Snort deployment, find and block previously unknown attacks faster, and substantially cut the administrative workload of sensor tuning and maintenance.

Regardless of your philosophical stance on open-source versus commercial technology, an IPS solution really should be part of the equation when determining the best course of action against advanced attacks and unknown malware.

Pat Calhoun is Senior Vice President & General Manager, Network Security at McAfee and responsible for defining and executing the strategic direction for McAfee’s Network Security business. Calhoun leads the engineering, marketing, and sales functions that drive worldwide growth for this area of the business. Calhoun was most recently at Cisco where he led the Secure Network Services business unit. Also while at Cisco, he served as Chief Technology Officer for Wireless Networking and Access Network & Services. Prior to Cisco, Pat held various CTO and senior engineering roles at US Robotics, Sun Microsystems, and Airespace, where he was a co-founder before an acquisition by Cisco. Calhoun studied Computer Science at Algonquin College of Applied Arts and Technology.