Intrusion prevention systems (IPS) are far from a dead technology, but the industry needs to work them better and push vendors on detection rates.
Speaking at BSides London, chief security officer Arron Finnon cited Gartner’s 2010 analysis that $1 billion will be spent on stand-alone IPS, but the industry “spends billions on products that do not work, and if you don’t detect a compromise immediately it will be between 18-24 months before it is picked up”.
Finnon said: “Half of those network intrusion prevention systems (NIPS) picked up nothing more than user doing ‘the smelling test’. Half of compromises are users saying it doesn’t work. Otherwise it is third parties, but 3.5 per cent of the time an IPS picks up a compromise.
“Vendors don’t talk about detection rates, but this is a multi-billion dollar industry who don’t talk about it, almost a case of the ‘first rule of IPS club is don’t talk about detection rates’. We accept failure and in an IPS context, some stuff is very difficult to detect, how many times have we been asked will we become like anti-virus industry? If we do not verify how effective it is then it will remain a complicated business.”
Finnon cited acquisitions by McAfee/Intel of Stonesoft, and of Sourcefire by Cisco for $2.7 billion. “So is this a dead technology? The problem is faced with a problem, users get a new product. We have issues with companies investing in metal than skin, looking for a one box solution, it is not there,” he said.
“Look at what detection means for you, it was naïve to think it was one size fits all solution, all that matters is your detection rates – not what a vendor means for you. Sometimes it is detection or prevention, but there is no point doing a test if you are only interested in compliance. Work out what it means for me and my company and the core principle that I want to achieve. Also once detect something, you should always be able to detect it.”
Finnon said that in past couple of years, the security industry has seen stuff we never expected to, and it was facing “biblical” challenges. “We are supposed to be an industry and we have got enough challenges, and our enemies are a mile from winning and if we don’t pull together we will be surplus to requirements. This has happened in the past few weeks and if we don’t stop it there will be three letter agencies running everything.”
