Security Intelligence Brings Out the Best in IPS
Bryan Casey
Guest post by Matt Ward, Sr. Product Manager
If you’ve spent any amount of time in IT, you are probably familiar with Intrusion Prevention Systems (IPS) and their role in identifying and stopping attacks. Now that Q1 Labs is part of IBM, let’s talk about how SIEM and Security Intelligence solutions work with IPS solutions, and why IBM's IPS solution shines when coupled with the QRadar Security Intelligence Platform.
IPS technology has traditionally been a black box. We know what it does - everything from matching data patterns to identifying a potentially damaging anomaly - but it's tough to decipher how it gets the job done. When it comes to detecting attacks, how you detect them doesn't really matter, as long as the detection process is accurate and efficient. Where trouble can arise – and where you can judge the true value of an IPS solution – is in identifying and protecting against attacks never seen before, ones that use so-called zero-day exploits.
It’s common for IPS vendors to find a new attack hours after release, by looking for a specific pattern in the malicious data, and then release an update covering that exploit 15 minutes later. Then the vendors claim to offer support for zero-day exploits. But is that kind of soon-after-the-fact protection good enough? While it’s a good start, the highest profile customers will already have been targeted by this time, or even attacked in the months before the exploit was known. This is why IBM has invested heavily to build the IBM X-Force Research organization, whose work supports advanced inspection technologies capable of detecting these types of threats.
True Zero-Day Protection
One way True Zero-Day Protection is accomplished is through a protocol analysis (PA) approach that protects enterprises against unreleased exploits. This involves re-combining network traffic into meaningful application data and analyzing the re-combined data at each step, which lets the IPS detect attacks by looking for anomalies in sensitive areas of a transaction. This can be used not only to accurately find and name released exploits, but also to find anomalies that indicate new, never-before-seen attacks such as zero-day threats.
IBM utilizes a protocol analysis approach through its extensible Protocol Analysis Module (PAM). This enables IBM IPS solutions to detect an extremely wide range of attacks including zero-day exploits. PAM is also fed ongoing updates from IBM X-Force, including protections for vulnerabilities discovered via expert security research. Since PAM is an extensible module, security protections can be easily added. Technologies such as “Shell-code Heuristics” have been built into PAM to increase its ability to detect zero-day threats.
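To make the difference between pattern matching and protocol analysis concrete, here is a small added illustration (not IBM or PAM code): a single HTTP request is reassembled from out-of-order TCP segments, a pattern signature looks for one placeholder "known bad" string, and a protocol-analysis check instead decodes the request and flags fields that violate protocol expectations. The segments, the exploit string, the method list and the 256-byte header limit are all constructed or hypothetical.

```python
import re

# Constructed: TCP segments of one HTTP request, arriving out of order.
SEGMENTS = [
    (1035, b"Host: intranet.example\r\nUser-Agent: " + b"A" * 600 + b"\r\n\r\n"),
    (1000, b"GET /app/search?q=report HTTP/1.1\r\n"),
]
# Pattern-style signature for one already-published exploit (placeholder string).
KNOWN_EXPLOIT = re.compile(rb"PLACEHOLDER-KNOWN-BAD-STRING")
METHODS = {b"GET", b"POST", b"HEAD"}
MAX_HEADER_VALUE = 256   # hypothetical limit for this 'sensitive area' of the request

def reassemble(segments):
    """Order TCP segments by sequence number and rebuild the application stream."""
    return b"".join(data for _, data in sorted(segments))

def pattern_match(stream):
    """Signature approach: fires only if the exact known-bad bytes are present."""
    return KNOWN_EXPLOIT.search(stream) is not None

def protocol_analysis(stream):
    """Decode the request and report fields that violate protocol expectations."""
    anomalies = []
    head, _, _body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/"):
        anomalies.append("malformed request line")
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            anomalies.append("header line without a colon")
            continue
        value = value.strip()
        label = name.decode("ascii", "replace")
        if len(value) > MAX_HEADER_VALUE:
            anomalies.append(f"oversized {label} header ({len(value)} bytes)")
        if any(b < 0x20 or b > 0x7E for b in value):
            anomalies.append(f"non-printable bytes in {label} header")
    return anomalies

if __name__ == "__main__":
    stream = reassemble(SEGMENTS)
    print("signature fired:", pattern_match(stream))     # False: no known string
    print("protocol anomalies:", protocol_analysis(stream))
```

The signature stays silent because the request contains no previously catalogued string, while the protocol check reports the 600-byte User-Agent value, which is the kind of field-level anomaly a zero-day variant tends to produce.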
IBM IPS and QRadar
IBM IPS and QRadar SIEM are a powerful combination. How? Let’s review a generalized scenario. QRadar SIEM identifies anomalies in network data at the same time the IPS sees something odd. The IPS sees strange data or state at a certain point in the transaction, while QRadar notices a difference in who that source system communicates with, how much data is sent, and what ports and applications are active. Concurrently, QRadar is looking for anomalies on the host – for example, an account created during "off hours" or an application crashing.
All of this data is analyzed in QRadar in real-time, where advanced analytics applied to numerous categories of data provides validation of an attack. This is true for attacks where tight decodes (pattern specifications) exist in the IPS, as well as attacks where only loosely written decodes are available. QRadar validates or disproves the presence and priority of an attack based on:
1. Traffic history (using deep packet inspection and layer 7 flow data)
2. Source host behavior
3. Previously seen false positives based on improperly firing “loose decode” alerts
These are important because zero-day attacks (and variants of existing attacks) have a unique targeting method. At the same time, the IPS does not have the luxury of a decode written too loosely. If the IPS signature triggers on 1 in 100,000 transactions on a critical server, that could easily be a false alert once every few minutes! When the true threat comes, it will likely be ignored because the IPS cried wolf too many times.
But when the IPS alerts are collected and correlated by QRadar SIEM, even medium-risk alerts can be raised to high-priority events based on added intelligence from various sources including network flow data, host logs, application logs, network architecture, network vulnerability scans, application (code) scan data and more.
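As an added illustration of the correlation described above (example code, not QRadar's own logic), the following takes a medium-severity alert from a loosely written decode and re-prioritizes it using the three inputs listed: traffic history from layer-7 flows, host behaviour from the target's logs, and the decode's recorded false-positive history. The alert, flows, host events, false-positive counts, score weights and thresholds are all constructed for the example.

```python
from datetime import datetime

# Constructed IPS alert from a loosely written decode against a critical server.
ALERT = {"sig": "HTTP_Suspicious_Header", "src": "10.0.5.23", "dst": "10.0.1.10", "severity": "medium"}
# Constructed layer-7 flow records from the alert's source over the previous day.
FLOWS = [
    {"src": "10.0.5.23", "dst": "10.0.1.10", "dport": 443, "bytes": 4_000},
    {"src": "10.0.5.23", "dst": "10.0.9.8", "dport": 445, "bytes": 900_000},
    {"src": "10.0.5.23", "dst": "10.0.9.9", "dport": 445, "bytes": 850_000},
]
BASELINE_PORTS = {443}   # hypothetical learned baseline for this source
# Constructed host log events from the targeted server.
HOST_EVENTS = [{"host": "10.0.1.10", "type": "account_created", "when": datetime(2012, 3, 4, 2, 17)}]
# Constructed history: firings of this decode and how many were closed as false positives.
FP_HISTORY = {"HTTP_Suspicious_Header": {"fired": 5000, "false": 4900}}

def traffic_anomalies(alert, flows):
    """Traffic history: ports outside the baseline and bulk volume from the source."""
    src_flows = [f for f in flows if f["src"] == alert["src"]]
    new_ports = {f["dport"] for f in src_flows} - BASELINE_PORTS
    bulk = sum(f["bytes"] for f in src_flows if f["dport"] in new_ports)
    return bool(new_ports), bulk > 500_000

def off_hours_account_creation(alert, events):
    """Host behaviour: an account created on the target outside 07:00-19:00."""
    return any(e["host"] == alert["dst"] and e["type"] == "account_created"
               and not 7 <= e["when"].hour < 19 for e in events)

def false_positive_rate(alert, history):
    """Share of this decode's past firings that were closed as false positives."""
    h = history.get(alert["sig"], {"fired": 0, "false": 0})
    return h["false"] / h["fired"] if h["fired"] else 0.0

def prioritize(alert, flows, events, history):
    """Start from the IPS severity and let correlated context move it up or down."""
    score = {"low": 1, "medium": 2, "high": 3}[alert["severity"]]
    reasons = []
    fp = false_positive_rate(alert, history)
    if fp > 0.9:                      # a loose decode alone is discounted
        score -= 1
        reasons.append(f"decode false-positive rate {fp:.0%}")
    new_ports, bulk = traffic_anomalies(alert, flows)
    if new_ports and bulk:
        score += 2
        reasons.append("source began bulk transfers on ports outside its baseline")
    if off_hours_account_creation(alert, events):
        score += 1
        reasons.append("account created off hours on the target")
    level = {1: "low", 2: "medium", 3: "high"}[max(1, min(3, score))]
    return level, reasons
```

With the surrounding flow and host evidence the alert is raised to high; the same alert with no supporting context is pushed down to low because the decode's false-positive history is the only thing that remains.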
When it comes to zero-day attacks, an IPS alone can only go so far when analyzing network data to validate a potentially serious issue. But when a Security Intelligence solution based on next-generation SIEM is involved, with its extensive data sources for analytics and real-time correlation, it can provide the context and validity checks needed to confidently raise or lower the priority of an anomalous event. QRadar automates this process with sophisticated correlation of events/logs, flows, assets, user activity, devices (IPS and others), and external threat data to identify and prioritize attacks that could otherwise go undetected.
To learn more about IBM IPS solutions, please visit this page.