Double-Down on Security Intrusions with Snort Plus IPS

It’s no surprise to anyone reading this that advanced malware is destructive, deceitful and resource-draining. But, what was a surprise to me was that the average cost of an attack for U.S. businesses in 2013 was a mind-boggling $11.6 million. Equally disturbing was the fact that 67 percent of security professionals in the U.S. do not have technology to fight advanced malware. I am convinced that the only way to combat the influx and ever-evolving malware sophistication is through layered and connected security solutions.

So You Say You Use Snort and Open Source Signatures?

At the risk of giving hackers and bad guys undue attention, I’m amazed at how effortless it is for advanced malware to sneak into a network and remain undetected regardless of what security measures are in place. The community of security experts using “Snort” and Open Source signatures are likely feeling pretty good right now – thinking that they have ultimate visibility into these threats. But, I’m not so sure that is true these days.

To refresh our memories, Snort is a free open source network intrusion detection and prevention system that performs signature based real-time traffic analysis and packet logging on IP networks. It’s been around since 1998 and is considered the world’s most widely deployed technology for network traffic visibility and security. Snort has certainly flexed its muscles, but it may need some reinforcements to maintain its security longevity.

Don’t Scoff at Snort

With a community of nearly 400,000 registered users, Snort remains a valuable tool for security organizations looking to share security data and signature protections. It’s a pretty remarkable community if you think about it. Unfortunately, malware isn’t what it used to be; therefore, enterprise security needs aren’t either. In fact, the volume of stealthy, targeted zero-day attacks that are successfully bypassing signature-based defenses is skyrocketing.

I’m not suggesting that the massive global community of Snort users and contributing developers are resting on their laurels. What I am saying is its effectiveness is reduced when resource-rich adversaries have access to the same signatures many Snort deployments use today – providing them with an effective method to craft techniques that avoid detection. This is where the value of a commercial Intrusion Prevention System (IPS) – one that uses technologies beyond signatures – comes in.

Here’s the Challenge

As you can see and probably have experienced, the need for true network inspection visibility is at an all-time high. Even with the best signature-based Snort technology in place, enterprises need more to stay fully protected from the most advanced malware. Signature-based technology is a viable solution for detecting and reporting on known attacks, but therein lies today’s problem: we are now up against the unknown.

As security solutions providers, our challenge is to develop and deploy technology that can prevent the spread of unknown malware – bridging the gap between simple detection and automatic blocking. Open Source in general also tends to raise transparency concerns: because patched versions of the same code are openly accessible, a diff between releases can serve as a road map to the flaws that were fixed and how they might be leveraged.

Is there an IPS in the House?

I believe the best security is layered security. In the case of protection against advanced malware, a layered defense-in-depth solution is essential. The best IPS excels at blocking the known and unknown attack. Signature-based detection is an essential IPS capability, but also insufficient on its own. The system must also be able to find and stop the growing volume of attacks for which no signature is available. Since individual signature-less detection methods are inevitably less reliable than high-probability pattern-matching, an IPS solution should layer multiple techniques to maximize effectiveness, including behavioral- and heuristics-based. Those organizations currently using Snort signature-based technology are one step ahead of the game, but are not fully protected without a blended solution that layers signature and signature-less technologies to create a multi-detection capable solution.
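As an added illustration of the layered approach argued for above (this is example code written for this column, not code from the article or from Snort itself), the Python sketch below runs a Snort-style exact content signature alongside two signature-less checks over a constructed event list. A payload variant that slips past the exact signature is still flagged by a looser heuristic rule, and a port sweep carrying no payload at all is caught by the behavioral check. The signature, the thresholds and the sample events are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the article): (src_ip, dst_port, payload bytes).
EVENTS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.7", 80, b"GET /cgi-bin/evil.sh HTTP/1.1"),   # exact match for the known signature
    ("10.0.0.7", 80, b"GET /cgi-bin/EVIL.sh HTTP/1.1"),   # case-changed variant that dodges it
] + [("10.0.0.9", p, b"") for p in range(20, 60)]         # port sweep: 40 distinct ports, no payload

# Layer 1: Snort-style exact content signature (illustrative, like a `content:` keyword).
SIGNATURES = {"cgi-bin evil.sh": b"/cgi-bin/evil.sh"}

def signature_alerts(events):
    """Exact byte-match detection: high confidence, but only for what is already known."""
    alerts = []
    for src, _, payload in events:
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append((src, "signature", name))
    return alerts

# Layer 2: behavioral check that needs no payload at all. One source touching many distinct
# ports within the window is treated as a sweep (threshold is an assumed tuning value).
def port_sweep_alerts(events, threshold=20):
    ports = defaultdict(set)
    for src, port, _ in events:
        ports[src].add(port)
    return [(src, "heuristic", "port sweep") for src, p in ports.items() if len(p) >= threshold]

# Layer 3: a looser heuristic that generalizes the signature: any shell script requested
# under /cgi-bin/, compared case-insensitively, so trivial variants are still caught.
def path_heuristic_alerts(events):
    suspect = re.compile(rb"/cgi-bin/[^ ]+\.sh", re.IGNORECASE)
    return [(src, "heuristic", "script in cgi-bin path")
            for src, _, payload in events if suspect.search(payload)]

def layered_alerts(events):
    """Union of all layers; each layer runs independently so one evasion does not blind the rest."""
    return signature_alerts(events) + port_sweep_alerts(events) + path_heuristic_alerts(events)

def sources_flagged(events):
    return sorted({src for src, _, _ in layered_alerts(events)})
```

Run on the constructed events, the exact signature fires once, the path heuristic fires on both the original and the case-changed request, and the port sweep is flagged even though no byte of payload was available to match.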

Choosing the Right IPS for your Organization

Looking back at the cost of an average security breach and the rising number of those breaches worldwide, it seems only prudent to layer on an IPS that supports multiple detection capabilities, along with an already-implemented signature-based solution. This type of solution is the answer to protecting against unknown threats and helping to reduce the noise that can result from Snort’s inherent alert-overload. The primary goal is to implement a powerful development path for security teams seeking to extend the capabilities of an existing Snort deployment, increase their ability to quickly find and block previously unknown attacks, and dramatically reduce the administrative workloads associated with sensor tuning and maintenance.

Regardless of your philosophical stance on open-source versus commercial technology, an IPS solution really should be part of the equation when determining the best course of action against advanced attacks and unknown malware.
