It’s a funny thing. Your signature uniquely identifies you as you. The last thing you’d want is dozens of signatures; it would make identity theft that much simpler. Yet when it comes to an IPS, many assume that more signatures are better. The FortiGuard IPS service is marketed as inspecting “Over 8,000 signatures consisting of 15,649 rules.” Check Point notes that it delivers “1,000s of signature, behavioral and preemptive protections.” All of which raises the question: is the sheer quantity of signatures the right way to measure the effectiveness of an IPS?
Signatures: Quality Not Quantity is the Key
Traditional IPS appliances remain limited in many ways. An appliance only inspects traffic that passes through it, so it cannot protect mobile users or cloud workloads whose traffic never touches the corporate network. Appliances must be carefully “cared for,” constantly requiring new signatures and software patches, which is a big time-sink for IT teams. And with HTTPS traffic now the norm, SSL/TLS inspection is essential for any IPS. Yet decrypting traffic is processing-intensive, exacting a heavy toll on IPS throughput.
Against this backdrop we need to consider the value of additional threat signatures. Every signature applied by an IPS requires additional processing. As a result, IT managers find themselves in the unenviable position of weighing security protection against operational efficiency and hardware constraints. On the one hand, they can run all IPS signatures for maximum protection, ultimately forcing an expensive hardware upgrade when the number of signatures starts to exceed IPS processing capacity. On the other hand, they can run select IPS signatures, which significantly complicates IPS deployment by requiring an assessment of every signature’s severity, performance impact, and accuracy in identifying a threat.
The reality is that all too many threats detected by IPS signatures are either irrelevant or can be defended against more efficiently by other security systems. Our security researchers recently completed an analysis of the signatures supplied for the open source Snort IPS. They found that many signatures block attacks against outdated applications, while many others identify the same attack using different IP addresses or domain names. Attackers rotate domains and IP addresses faster than Snort rule sets are updated, leaving many of these signatures stale.
The truly accurate measure of an IPS’s effectiveness should be less about the quantity of signatures and more about their impact. Like an Aikido master deflecting attacks with the most economical movement, the successful IPS stops the greatest number of serious threats with the fewest signatures.
How do we gain this Aikido-like efficiency from our IPS? First, rather than trying to write an IPS signature for every attack, we need to let other security engines do their jobs. An engine backed by reputation data is a far better way to block threats from rapidly changing domains or IPs, for example, than dozens of specific, hardwired IPS rules. That this isn’t happening reflects a deep architectural flaw in traditional IPS design.
Even when they are packaged with other tools or share common management consoles, legacy IPS operation remains siloed. The pattern-matching language used to build IPS signatures cannot use information from other security modules, such as application control, antivirus, and URL categorization and reputation. The lack of interaction between security components is intentional. IPS was designed to work at wire speed, and integrating its real-time processing with other security products adds too much delay to the session. However, without context from other security sources, IPS signatures can erroneously block legitimate traffic or miss real threats.
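As an added illustration of the Snort analysis above (this is constructed example code, not Cato’s tooling or anything from the Snort project), the script below parses a handful of made-up Snort-style rules, strips the hard-coded IP addresses and domains out of each one, and groups rules whose remaining detection logic is identical. Each group is one content signature plus a reputation list instead of N near-duplicate rules, which is exactly the work a reputation engine is better placed to do. The rules, SIDs (local 1000000+ range), TEST-NET addresses and .example domains are all constructed; the parser handles the common rule shape and does not cope with escaped quotes inside content strings.

```python
"""Group Snort-style rules that differ only in a hard-coded IP or domain.
Constructed example; not Cato's or the Snort project's code."""
import re
from collections import defaultdict

# Constructed rules: local SIDs, TEST-NET addresses, .example domains.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> 203.0.113.10 80 (msg:"MALWARE-CNC beacon to C2"; flow:to_server,established; content:"/gate.php"; http_uri; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> 203.0.113.11 80 (msg:"MALWARE-CNC beacon to C2"; flow:to_server,established; content:"/gate.php"; http_uri; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> 198.51.100.7 80 (msg:"MALWARE-CNC beacon to C2"; flow:to_server,established; content:"/gate.php"; http_uri; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC beacon host"; flow:to_server,established; content:"cdn-update.example"; http_header; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC beacon host"; flow:to_server,established; content:"static-files.example"; http_header; sid:1000005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB suspicious transaction"; flow:to_server,established; content:"|FF|SMB|32 00 00 00|"; sid:1000006; rev:1;)
'''

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$')
DOMAIN_RE = re.compile(r'^[a-z0-9-]+(?:\.[a-z0-9-]+)+$', re.I)  # heuristic
IGNORED_OPTS = {'sid', 'rev', 'msg', 'reference', 'classtype', 'metadata'}


def split_options(opts):
    """Split the rule body on ';' outside double quotes (no escape handling)."""
    out, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            out.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    out.append(''.join(buf).strip())
    return [o for o in out if o]


def parse_rule(line):
    """Return the header fields plus an ordered list of (option, value)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule['options'] = []
    for opt in split_options(rule.pop('opts')):
        name, _, value = opt.partition(':')
        rule['options'].append((name.strip(), value.strip().strip('"')))
    return rule


def fingerprint(rule):
    """Detection logic with the indicator specifics (IPs, domains) removed."""
    iocs, header = set(), []
    for field in ('src', 'dst'):
        if IPV4_RE.match(rule[field]):
            iocs.add(rule[field])
            header.append('<ip>')
        else:
            header.append(rule[field])
    logic = []
    for name, value in rule['options']:
        if name in IGNORED_OPTS:
            continue
        if name == 'content' and DOMAIN_RE.match(value):
            iocs.add(value.lower())
            logic.append(('content', '<domain>'))
        else:
            logic.append((name, value))
    key = (rule['action'], rule['proto'], header[0], rule['sport'],
           rule['dir'], header[1], rule['dport'], tuple(logic))
    return key, iocs


def consolidate(rules_text):
    """Group rules by fingerprint; each group is one detection + IOC list."""
    groups = defaultdict(lambda: {'sids': [], 'iocs': set()})
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        key, iocs = fingerprint(rule)
        groups[key]['sids'].append(dict(rule['options']).get('sid'))
        groups[key]['iocs'] |= iocs
    return [{'sids': g['sids'], 'iocs': sorted(g['iocs']), 'logic': key[-1]}
            for key, g in groups.items()]


def redundancy_report(rules_text):
    """Return (rules in the set, detections needed, reputation entries)."""
    groups = consolidate(rules_text)
    total = sum(len(g['sids']) for g in groups)
    iocs = sorted(set().union(*(set(g['iocs']) for g in groups)))
    return total, len(groups), iocs


if __name__ == '__main__':
    total, needed, iocs = redundancy_report(SAMPLE_RULES)
    print(f'{total} rules collapse to {needed} detections + {len(iocs)} reputation entries')
    for g in consolidate(SAMPLE_RULES):
        print(g['sids'], '->', g['iocs'])
```

On the constructed set, six rules collapse to three detections and five reputation entries; the three C2 rules and the two beacon-host rules each become one signature whose IP or domain condition is delegated to a reputation feed that can be refreshed without touching the signature.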
The Solution is Context-Aware Protection
The second way to improve IPS efficiency, then, is to build signatures around the symptoms of an attack rather than its details. By replacing traditional signatures with context-aware ones, the IPS can identify attacks, such as vulnerability exploits and malware command-and-control communication, that a traditional IPS either misses or detects only with many false positives and negatives.
Essential to building context-aware signatures is integration with other security systems. The signature’s pattern-matching language should tap the full context of networking and security attributes associated with each session, flow and packet including:
- Application and Identity context: The IPS should be identity- as well as application-aware, understanding who is initiating access and what they are trying to do.
- Reputation context: By integrating intelligence feeds from internal and external sources, the IPS can detect and prevent communications with compromised or malicious resources.
- Geolocation context: The IPS should enforce a customer-specific, geo-protection policy and optionally stop traffic based on the source country as well as the destination country.
- Known vulnerabilities context: Along with behavioral signatures, the IPS should protect against known CVEs, and rapidly incorporate new vulnerabilities into the IPS DPI engine.
- Network behavior context: The IPS should detect as well as prevent “dark behavior” such as inbound network scans.
To do this, the IPS provider needs a deep understanding of real-world traffic patterns, which comes from monitoring large volumes of traffic across a global backbone. With that insight, the provider can optimize IPS signatures for maximum effectiveness and test them on real-world data before releasing them to customers. And when the IPS is delivered as a service, the provider can keep monitoring and tuning those context-aware signatures after release.
The Cato IPS
It is for these reasons that Cato Networks recently introduced a context-aware Intrusion Prevention System (IPS) as part of its Cato Cloud secure SD-WAN service. Cato’s cloud-based IPS is fully converged with the rest of Cato’s security services, which include a next generation firewall (NGFW), secure web gateway (SWG), URL filtering, and malware protection.
Cato IPS is also the first to be integrated with a global SD-WAN service, allowing Cato security researchers to test, modify and perfect IPS signatures using live traffic from Cato’s backbone. “With Cato IPS, our customers gain richer defense through an always current IPS, smarter signatures with contextual awareness, incredible scalability that covers SSL encrypted traffic, and the insight of our world-class security research team,” says Gur Shatz, co-founder and CTO of Cato Networks.
To illustrate the impact of context awareness, consider how a traditional IPS might block suspicious IPs and URLs. Hundreds of signatures around specific domains or IP addresses is one approach, but a wasteful one. A context-aware IPS, such as Cato IPS, can instead block suspicious locations through geolocation restrictions.
The recent WannaCry outbreak, for example, can also be stopped by Cato IPS by detecting the EternalBlue exploit that WannaCry uses to spread.
Rich context also helps with IPS performance. Normally an IPS lacks visibility into the user’s environment and must run every signature against traffic from every client. This not only generates false positives but also wastes processing on irrelevant inspection, looking for Android-based threats, for example, in traffic from iPhones or Windows machines. With deeper visibility into the packet stream, Cato IPS can be more intelligent in selecting which rules to activate. Knowing a device is an Android means the IPS can safely skip signatures specific to Windows devices or iPhones. The caveat is that the skip is only as safe as the device identification behind it: when an endpoint cannot be fingerprinted reliably, the full signature set should still apply.
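The toy engine below, an added example rather than any code from Cato, puts the two ideas from this section and the context list above into one place: a signature declares the endpoint and application context it applies to, so the engine skips it for flows where that context is known and does not match, and a signature can be a condition on geolocation or reputation context instead of a hard-coded IP. The same packet is inspected once with endpoint context and once without it to show both the reduced rule count and the avoided false positive. All signatures, flows, context values and the country code “ZZ” (an ISO 3166 user-assigned code standing in for a customer’s geo policy) are constructed; in a real product the context fields would be filled by device fingerprinting, identity, application control, geolocation and reputation services.

```python
"""Context-gated signature selection (constructed example, not Cato's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes
    # Context a traditional IPS does not have. "unknown" means the other
    # engines could not classify the endpoint or application.
    os_family: str = "unknown"
    app: str = "unknown"
    dst_country: str = ""
    dst_reputation: str = "unknown"


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    pattern: bytes = b""                        # payload content; b"" = none
    os_families: frozenset = frozenset()        # empty = applies to any OS
    apps: frozenset = frozenset()               # empty = any application
    blocked_countries: frozenset = frozenset()  # geo policy; empty = n/a
    reputations: frozenset = frozenset()        # reputation verdicts that fire


def applicable(sig: Signature, flow: Flow) -> bool:
    """Pre-filter on endpoint/application context. Unknown context never
    excludes a signature: skipping is only safe when the context is known,
    otherwise the engine falls back to full inspection."""
    if (sig.os_families and flow.os_family != "unknown"
            and flow.os_family not in sig.os_families):
        return False
    if sig.apps and flow.app != "unknown" and flow.app not in sig.apps:
        return False
    return True


def matches(sig: Signature, flow: Flow) -> bool:
    """The detection itself: every declared condition must hold."""
    if sig.blocked_countries and flow.dst_country not in sig.blocked_countries:
        return False
    if sig.reputations and flow.dst_reputation not in sig.reputations:
        return False
    if sig.pattern and sig.pattern not in flow.payload:
        return False
    return True


def inspect(flow: Flow, signatures) -> tuple:
    """Return (alerting SIDs, number of signatures actually evaluated)."""
    candidates = [s for s in signatures if applicable(s, flow)]
    alerts = [s.sid for s in candidates if matches(s, flow)]
    return alerts, len(candidates)


# Constructed signature set with local-range SIDs.
SIGNATURES = (
    Signature(2000001, "ANDROID malicious APK download", b"/update.apk",
              os_families=frozenset({"android"}), apps=frozenset({"http"})),
    Signature(2000002, "WINDOWS exploit kit landing page", b"<object classid=",
              os_families=frozenset({"windows"}), apps=frozenset({"http"})),
    Signature(2000003, "IOS rogue configuration profile", b".mobileconfig",
              os_families=frozenset({"ios"}), apps=frozenset({"http"})),
    Signature(2000004, "POLICY traffic to geo-blocked country",
              blocked_countries=frozenset({"ZZ"})),
    Signature(2000005, "REPUTATION destination flagged malicious",
              reputations=frozenset({"malicious"})),
    Signature(2000006, "MALWARE-CNC generic beacon", b"/gate.php",
              apps=frozenset({"http"})),
)

# Constructed flows: the same APK download seen with and without context,
# and an Android host beaconing to a flagged destination in a blocked country.
WINDOWS_APK = Flow("10.0.0.5", "203.0.113.10", 80, b"GET /update.apk HTTP/1.1\r\n",
                   os_family="windows", app="http", dst_country="NL",
                   dst_reputation="benign")
UNKNOWN_APK = Flow("10.0.0.5", "203.0.113.10", 80, b"GET /update.apk HTTP/1.1\r\n")
ANDROID_CNC = Flow("10.0.0.6", "198.51.100.7", 80, b"POST /gate.php HTTP/1.1\r\n",
                   os_family="android", app="http", dst_country="ZZ",
                   dst_reputation="malicious")

if __name__ == "__main__":
    for name, flow in (("windows", WINDOWS_APK), ("unknown", UNKNOWN_APK),
                       ("android", ANDROID_CNC)):
        print(name, inspect(flow, SIGNATURES))
```

With the Windows context present, the APK download is checked against four signatures and raises nothing; the identical packet with unknown context is checked against all six and trips the Android-only rule, which is the false positive the text describes. The Android beacon fires the geolocation, reputation and generic C2 rules without any rule having named its destination IP.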
With mobile devices, IoT, and the cloud, our IT environments are only becoming more complex. We face an ever greater range of threats, many of which cannot be stopped with a traditional IPS. Context awareness gives the IPS substantial stopping power with fewer signatures, better tuned to today’s rapidly shifting threat landscape.