This balanced approach is the security posture that IT security platforms need to adopt when dealing with modern high-speed network data streams - reject or slow down undesirable traffic or connections and then inspect the remaining traffic for malicious code.
Whilst a sizeable proportion of traffic can be analysed and different categories of streamed data handled appropriately, there will always be an underlying risk that evaded, hybridised and zero-day threats will pass across the IDS battlefront unchecked.
To counter this, a number of additional threat-detection stages must be carried out. An understanding of both the 'vulnerability' and the exploit is also crucial, as is the difference between security signatures that recognise vulnerabilities (each of which may have thousands of variant exploits) and audit and vulnerability testing. The latter requires actual exploits in order to test that a signature really does do what it is supposed to.
The recognition that an intrusion detection/prevention device cannot possibly examine all traffic against all known exploits is key to understanding the need for constant auditing and testing of security devices.
The audit must identify malicious code that is not mitigated under test; provide information to 'tune' the configuration and the signatures in use; and, where required, devise additional rules to fix the issue. The tuning process must take account of the corresponding acceptable level of performance, namely throughput. This audit and vulnerability test has to be specific to your network, your equipment and, finally, to management's risk appetite.
The potential for false positives and false negatives is growing; therefore, the ability to audit and test using real threat traffic in the live environment is essential. Ever-increasing volumes of traffic mean that the IPS/IDS has to be left to accept or reject traffic automatically. The secret is for this to happen 'effectively' and 'in a timely manner'. Then, when suspect data is not immediately recognisable as good or bad, it can be quarantined. Auditing your live environment with real traffic increases the ability to mitigate and reduces the number of manual interventions.
High level of resources
These approaches generally involve a high level of resources and a possible delay applied to what may be important data. Therefore, our approach here at Idappcom is to raise the bar on the IDS process by providing the tools to regularly audit and analyse the efficiency of the devices under test.
It is essential to have a constantly updated library of traffic files consisting of recordings of real, live exploits attacking vulnerable machines, as well as good traffic that should be allowed through. By replaying this traffic in and out of a network security device, there can be no doubt about the effectiveness or performance of the firewall/IDS/IPS.
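The audit loop described here, and the distinction drawn earlier between a vulnerability signature and an exploit-specific one, as an added illustration that is not Idappcom's code or tooling: a constructed library of labelled recordings (three variants of a hypothetical overlong-header flaw plus benign traffic) is replayed through two signatures, and the audit reports which malicious recordings went unmitigated and which good traffic was wrongly blocked. The header name, length limit and payloads are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Recording:
    name: str
    malicious: bool   # label from the traffic library: exploit recording or good traffic
    payload: bytes


# Constructed stand-in for a traffic library. The three "exploits" are variants of one
# hypothetical flaw (an HTTP User-Agent header longer than the server can handle);
# the benign recordings include a long, but harmless, Cookie header.
LIBRARY = [
    Recording("exploit-v1", True, b"GET / HTTP/1.1\r\nUser-Agent: " + b"A" * 600 + b"\r\n\r\n"),
    Recording("exploit-v2-variant", True, b"GET / HTTP/1.1\r\nUser-Agent: " + b"B" * 700 + b"\r\n\r\n"),
    Recording("exploit-v3-case", True, b"GET / HTTP/1.1\r\nuser-agent: " + b"A" * 600 + b"\r\n\r\n"),
    Recording("benign-browser", False, b"GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    Recording("benign-long-cookie", False, b"GET / HTTP/1.1\r\nCookie: " + b"c" * 800 + b"\r\n\r\n"),
]


def exploit_signature(payload: bytes) -> bool:
    """Exploit-specific rule: matches the one payload it was written against."""
    return b"User-Agent: " + b"A" * 600 in payload


HEADER_RE = re.compile(rb"(?im)^user-agent:[ \t]*([^\r\n]*)")


def vulnerability_signature(payload: bytes, limit: int = 512) -> bool:
    """Vulnerability rule: matches the condition that triggers the flaw, whatever the variant."""
    match = HEADER_RE.search(payload)
    return match is not None and len(match.group(1)) > limit


def audit(signature, library):
    """Replay every recording through a signature; return (unmitigated exploits, blocked good traffic)."""
    false_negatives = [r.name for r in library if r.malicious and not signature(r.payload)]
    false_positives = [r.name for r in library if not r.malicious and signature(r.payload)]
    return false_negatives, false_positives


if __name__ == "__main__":
    for name, sig in (("exploit signature", exploit_signature),
                      ("vulnerability signature", vulnerability_signature)):
        missed, blocked = audit(sig, LIBRARY)
        print(f"{name}: unmitigated={missed} false positives={blocked}")
```

The exploit-specific rule misses two of the three variants, which is exactly the gap an audit with real recordings is meant to surface; the vulnerability rule catches all three without blocking the benign long-header traffic.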