
Four Things to Consider When Evaluating IPS Solutions

The volume of successful cyberattacks continues to grow at an alarming pace. According to a report from Risk Based Security, the number of breached data records has grown from about 4 million in 2010 to a jaw-dropping 7.89 billion information records compromised just last year. There are a number of reasons for this alarming trend.

First, the rapid adoption of IoT has introduced highly vulnerable devices, many of which are headless, that are difficult or impossible to update or patch. As a result, attacks targeting IoT devices have escalated over the past few years.

Second, things like the cyberskills gap and the drive toward digital transformation have dropped security hygiene best practices such as patching and updating to the bottom of the to-do list. Many of the most successful exploits of the past few years targeted vulnerabilities for which patches had been available for months and even years.

Another reason for this spike is that malware sophistication is outpacing the development of effective security counter-measures. During Q2 2018, Fortinet saw a steady increase in the volume of new malware, with W32/StartPage—a class of information-stealing Trojans capable of harvesting credentials from browsers, FTP clients, and email clients—capturing the lead position for the quarter. 

Meanwhile, the vast majority of security solutions in place were deployed long before the adoption of IoT or multi-cloud, or a growing array of BYOD devices that combine work and personal data. Likewise, digital transformation has led to the creation of complex workflows, on-demand applications and services, and agile development strategies that preclude effective testing before deployment. Combining the growing cybercrime landscape with highly distributed and elastic network environments is overwhelming the legacy security systems that have been in place for years. 

Selecting an IPS solution

In today’s digital marketplace, Intrusion Prevention Systems (IPS) with advanced threat detection and mitigation capabilities not only detect and respond to sophisticated threats, they also provide essential protections for critical resources that can’t be patched, updated, or replaced, closing a critical hole. This is the only approach that is able to provide organizations with the real-time visibility they need to protect the users, devices, endpoints, and applications deployed across the distributed and elastic network of physical and virtual ecosystems. 

While there are a large number of IPS solutions available today, selecting a solution that can effectively secure your digital business from today’s cyberthreats can still be challenging.

Here are four things to consider when looking for an IPS solution.

1. Broad – Today’s networks span a variety of ecosystems, including physical networks, branch offices, private clouds, and multi-cloud environments. In fact, 81% of enterprises today have a multi-cloud strategy. Securing these distributed environments requires consistency, which means that your IPS solution needs to be available in a wide variety of form factors, including running on as many different hypervisors and major cloud providers as possible, as well as natively consuming cloud services.

2. Powerful – IPS inspection requires a significant amount of CPU. When looking at IPS solutions, especially when part of an NGFW package, look for real performance numbers with all IPS services turned on. Most NGFW vendors don’t publish actual numbers because IPS inspection often brings an NGFW solution to its knees. While IPS protection isn’t just about power—it needs to detect and thwart the most sophisticated threats—it still needs to do those things at digital speeds.

3. Integrated – IPS systems are less effective when they operate in isolation. Even when positioned as part of a security platform, they need to be able to see more than the information right in front of them. To be truly effective, IPS systems need to be connected to a broader security fabric that can span today’s distributed networks, from remote offices to the core network and out to the cloud. To do this, IPS systems need to support common communications standards and open APIs. This allows them to participate as part of a coordinated threat response so that detected threats occurring anywhere can be seen and appropriate countermeasures can be applied.

4. Validated – Organizations like NSS Labs and ICSA Labs provide effective and neutral testing that allows you to see how IPS solutions from different vendors operate in a real-world environment. When evaluating these results, look for the following information:

• Does the vendor consistently participate in testing? Gaps in testing usually reflect up and down cycles of engineering, which may mean that security effectiveness is only intermittent. Likewise, scores over time can reveal a lot about the reliability of the vendor as well as the solution.

• What sorts of tests did this evaluation include? Important test results should provide critical insights into:

Security effectiveness – This includes the ability to detect advanced threats as well as evasion techniques. Evasion strategies seem to trip up many vendors, which underscores a subtle yet critical difference between the different IPS technologies available in the market today.

Real world functionality – The test bed should include current exploits and threats, such as drive-by exploits, which are among the top web security threats you should be worried about. Performance under real world traffic loads is also critical to review.

Total cost of ownership – TCO is a combination of security effectiveness, real world performance, and the time required to deploy, manage, and integrate a solution across a distributed network. Other issues—such as false positives—that require human intervention can also significantly impact TCO.

Conclusion

In today’s continuously evolving threat landscape, evaluation criteria for security solutions can change rapidly. To ensure that your existing IPS solution doesn’t become a weak link in your security strategy, you should be constantly tracking and evaluating its effectiveness—especially older, legacy solutions. 

Because IPS solutions play a critical, linchpin role in defending networks and resources, vendor loyalty may actually lead to increased risk. When evaluating IPS technologies, remember to look not only for outstanding performance, highly rated effectiveness, and a compelling total cost of ownership, but also for deep integration with other security solutions for comprehensive visibility and response, and consistent coverage across today’s distributed network environments.

John Maddison is Sr. Vice President, Products and Solutions at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.