First, What is IDPS and Why Do We Care?
Intrusion Prevention Systems (IPS) emerged as an improvement on Intrusion Detection Systems (IDS). IDS are out-of-band collectors of network traffic that analyze the information and provide alerts. The “eureka” of IPS was that instead of just alerting, why not block what is a known attack? IPS moved in-line in order to do this. Being in-line forced a revolution in IDS/IPS signature quality. Signature quality didn’t have to be high when the only output was an alert, whereas the decision to block traffic meant that it had to be a known attack: false positives (mistaken blocks) were anathema, but if there was doubt the traffic could still be alerted on rather than blocked. The bottom line was that the obvious attacks were blocked because they had no business being on the network. “Block what you can and detect the rest” became the theme and value of IPS. IPS is an unsung hero of enterprise security. When functioning correctly it is invisible, and it stops the majority of attacks. Many host-centric security folks can be lured into thinking the internet is not so bad a place, not knowing that before traffic reaches them it has been scrubbed of most of the nasties by a network IPS.
The firewall market wised up late to the game and started including IPS in firewalls, creating Next Generation Firewalls. However, the best quality of IPS is in the stand-alone products: it is a function of focus, with firewalls being compliance-focused (traffic X is allowed) and IPS being threat-focused (traffic Y is known to be bad). Security foundations geeks (full disclosure: I am one!) will comment that this is the fundamental difference between Positive and Negative Security Models.
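To make the two models concrete, here is a small in-line decision pipeline written as an added example for this post (it is not code from the post, from Gartner or from any vendor product). The policy, the signatures, the confidence values and the sample packets are all constructed for the illustration. The positive model is an allowlist of permitted flows; the negative model is a signature list where only high-confidence matches are dropped and weaker ones are forwarded with an alert, which is the “block what you can and detect the rest” behaviour described above.

```python
"""Inline decision pipeline contrasting the positive model of a firewall with the
negative, signature-driven model of an IPS. Added illustration only; packets,
policy and signatures are constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
import re


class Verdict(Enum):
    ALLOW = "allow"  # forwarded silently
    ALERT = "alert"  # forwarded, but an event is raised for an analyst (IDS behaviour)
    BLOCK = "block"  # dropped in-line (IPS behaviour)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Positive security model (firewall): only explicitly permitted flows pass.
# Constructed policy: HTTP/HTTPS to the DMZ web host and DNS to the resolver.
ALLOWED_FLOWS = {("10.0.0.5", 80), ("10.0.0.5", 443), ("10.0.0.53", 53)}


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern
    confidence: float  # estimated probability (0..1) that a match is a real attack


# Negative security model (IPS/IDS): traffic known to be bad. Constructed demo
# patterns, not real vendor signatures; the confidence decides block vs alert.
SIGNATURES = [
    Signature("demo-path-traversal", re.compile(rb"\.\./\.\./"), 0.98),
    Signature("demo-sqli-tautology", re.compile(rb"(?i)'\s*or\s+1=1"), 0.95),
    Signature("demo-scanner-user-agent", re.compile(rb"(?i)user-agent:\s*scanner"), 0.60),
]
BLOCK_THRESHOLD = 0.90  # "block what you can": only high-confidence matches are dropped


def positive_check(pkt: Packet) -> bool:
    """Firewall stage: is this flow on the allowlist?"""
    return (pkt.dst, pkt.dport) in ALLOWED_FLOWS


def negative_check(pkt: Packet) -> tuple[Verdict, list[str]]:
    """IPS stage: block on a high-confidence signature, alert on a weaker one."""
    hits = [s for s in SIGNATURES if s.pattern.search(pkt.payload)]
    if not hits:
        return Verdict.ALLOW, []
    names = [h.name for h in hits]
    if max(h.confidence for h in hits) >= BLOCK_THRESHOLD:
        return Verdict.BLOCK, names
    return Verdict.ALERT, names  # "detect the rest": forward, but tell a human


def inline_decide(pkt: Packet) -> tuple[Verdict, list[str]]:
    """Full in-line pipeline: positive model first, then the negative model."""
    if not positive_check(pkt):
        return Verdict.BLOCK, ["policy: flow not permitted"]
    return negative_check(pkt)


def summarize(packets: list[Packet]) -> dict[str, int]:
    """Count verdicts for a batch, the way a dashboard would."""
    counts = {v.value: 0 for v in Verdict}
    for pkt in packets:
        counts[inline_decide(pkt)[0].value] += 1
    return counts


# Constructed sample traffic: normal request, unpermitted service, a request that
# matches a high-confidence signature, and one that only matches a weak signature.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: dmz\r\nUser-Agent: Mozilla/5.0\r\n"),
    Packet("192.0.2.11", "10.0.0.5", 23, b"\xff\xfb\x01"),  # telnet: not in policy
    Packet("192.0.2.12", "10.0.0.5", 80, b"GET /../../../etc/passwd HTTP/1.1\r\nHost: dmz\r\n"),
    Packet("192.0.2.13", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nUser-Agent: scanner/1.0\r\n"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reasons = inline_decide(pkt)
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}: {verdict.value} {reasons}")
    print(summarize(SAMPLE_PACKETS))
```

The ordering matters: the positive check runs first because a flow the policy never permitted needs no signature work at all, and the signature stage only spends cycles on traffic that is allowed in principle. Lowering `BLOCK_THRESHOLD` turns more alerts into blocks, which is exactly the trade-off the post describes: every extra block must be justified by signature quality, because a mistaken block is an outage rather than a noisy ticket.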
What’s New In the 2018 IDPS Magic Quadrant
A colleague and I commissioned the first Gartner IPS Magic Quadrant in 2005, and I was the lead author for that one and for quite a few years after that, so I’m a keen observer of the evolution of this market.
Here is the blog entry linking to the specifics of Trend Micro in the Magic Quadrant.
The biggest change this year is the name and scope of the market: IDPS versus IPS. There has been an unproductive debate in security in recent years over whether detection trumps prevention or vice versa. One argument was that because IPS can’t be everywhere, an attack will eventually succeed, so post-attack detection is the best mechanism. The alternative argument was: why allow known attack traffic to proceed if it can be stopped? The answer, like a lot of things in life and security, is nuanced, but only a little. IPS always had IDS at its core. But instead of just more of the same, IDPS recognizes some important changes.
The first change is that although IPS has gone about as deep as it can on a single packet stream, there is highly valuable security context in patterns across streams. Network traffic behavior and anomaly detection always overlapped a little with IPS, but not enough. I believe that the addition of some new vendors into the lower half of the MQ acknowledges that more advanced analytics are the future. Threat Intelligence (TI) is a factor making for smarter real-time analysis of packet flow. However, the quality of that TI matters when operating at wire speed. That TI must be optimized for IDPS and not just a repackaging of web URLs.
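The difference between single-stream inspection and cross-stream context is easier to see on data. The following is an added example, not code from the post or from any IDPS product; the flow records, the threat-intelligence table and the thresholds are constructed. A per-stream engine can only judge each flow on its own (here, a TI lookup on the destination), while the cross-stream stage looks for a pattern that no individual flow reveals: one source touching many distinct ports on one host inside a time window. The same set of ports spread out over hours stays under the window and is not flagged, which is the kind of edge a sliding window has to handle.

```python
"""Per-stream inspection versus cross-stream analytics over flow records.
Added illustration only; flow records and the threat-intelligence table are
constructed for the example and stand in for a real IDPS feed."""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds
    src: str
    dst: str
    dport: int


# Constructed TI, keyed by indicator: (label, confidence). A feed meant for an
# IDPS is curated for wire-speed lookup, not a repackaged list of web URLs.
THREAT_INTEL = {"198.51.100.9": ("demo-c2-ip", 0.90)}

SCAN_PORT_THRESHOLD = 20  # distinct destination ports from one source to one host
WINDOW_SECONDS = 60.0     # sliding window those ports must fall inside


def per_stream_findings(flows: list[Flow]) -> list[tuple]:
    """What a single-stream engine can say: each flow judged on its own."""
    out = []
    for f in flows:
        if f.dst in THREAT_INTEL:
            label, conf = THREAT_INTEL[f.dst]
            out.append(("ti-match", f.src, f.dst, label, conf))
    return out


def cross_stream_findings(flows: list[Flow]) -> list[tuple]:
    """A pattern no single flow reveals: one source sweeping many ports on one
    host inside the window. Flows spread out over hours are not flagged."""
    by_pair: dict[tuple[str, str], list[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    out = []
    for (src, dst), pair_flows in by_pair.items():
        pair_flows.sort(key=lambda f: f.ts)
        in_window: Counter = Counter()  # dport -> occurrences inside the window
        left = 0
        for f in pair_flows:
            in_window[f.dport] += 1
            # Evict flows that fell out of the window relative to the newest one.
            while f.ts - pair_flows[left].ts > WINDOW_SECONDS:
                old = pair_flows[left].dport
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= SCAN_PORT_THRESHOLD:
                out.append(("port-sweep", src, dst, len(in_window)))
                break  # one finding per source/destination pair is enough
    return out


def analyze(flows: list[Flow]) -> list[tuple]:
    """Combined view an IDPS would hand to the analyst."""
    return per_stream_findings(flows) + cross_stream_findings(flows)


# Constructed flow log: normal web traffic, a fast sweep, a very slow sweep that
# never has 20 ports inside one window, and one connection to a TI-listed address.
SAMPLE_FLOWS = (
    [Flow(t, "10.0.0.8", "10.0.0.5", 443) for t in (0.0, 5.0, 10.0)]
    + [Flow(100.0 + i * 0.5, "203.0.113.7", "10.0.0.5", 1 + i) for i in range(25)]
    + [Flow(300.0 + i * 120.0, "10.0.0.9", "10.0.0.5", 1 + i) for i in range(25)]
    + [Flow(200.0, "10.0.0.8", "198.51.100.9", 443)]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
```

The TI stage is cheap enough to run in-line because it is a set lookup on an indicator that was prepared for exactly this purpose; the sweep detector has to keep per-pair state and is the kind of analytics the post says IDPS is growing into. Note that the slow sweep is invisible to this window, so the window length is a tuning decision rather than a fixed truth.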
By expanding beyond the mostly static signatures of IPS, IDPS needs even higher quality vulnerability research and TI to avoid false-positives and false-negatives. Detection alone had the luxury of being noisy and lobbing alerts to humans to resolve, but IDPS brings us full circle back to the importance of quality. That quality is required in IDPS for the vulnerability research and TI.
Another advance is the integration of IPS with sandboxing, or Advanced Threat Detection (ATD). IPS was never able to inspect attachments at wire speed; it historically relied on other products to do that, because network packet inspection has to be fast or the added latency breaks communications, whereas anti-malware inspection of attachments can take a while. Having separate and unconnected products doing these inspections was a stop-gap: they needed to be linked, but not merged. Linking or integrating ATD gives a valuable new source of correlation and fills a potential gap, and gaps are what attackers try to exploit. The link also lets security analysts and SOCs resolve events faster and more accurately, where before they had to do the correlation manually.
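The “linked but not merged” architecture can be sketched in a few dozen lines. This is an added example, not code from the post or from any vendor’s ATD integration; the file transfers, the hashes and the sandbox verdicts are constructed, and the sandbox class is a stub that stands in for real detonation. The in-line stage forwards immediately and never waits; the sandbox answers later; the link between them is what turns a late verdict into a retroactive finding (which hosts already received the sample) and a new in-line block rule for the next copy.

```python
"""Fast in-line IDPS path linked to an asynchronous sandbox (ATD) stage.
Added illustration only; transfers, hashes and sandbox verdicts are constructed,
and the sandbox is a stub standing in for real detonation."""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Transfer:
    ts: float
    src: str
    dst: str
    sha256: str  # hash of a file the IDPS carved out of a stream


class DemoSandbox:
    """Stand-in for ATD: accepts submissions now, returns verdicts later."""

    def __init__(self, verdict_table: dict[str, str]):
        self.queue: deque[str] = deque()
        self.verdict_table = verdict_table  # constructed verdicts for the demo
        self.submitted: set[str] = set()

    def submit(self, sha256: str) -> None:
        if sha256 not in self.submitted:  # do not re-detonate a known sample
            self.submitted.add(sha256)
            self.queue.append(sha256)

    def run(self) -> list[tuple[str, str]]:
        """Drain the queue, as if detonation had finished for each sample."""
        results = []
        while self.queue:
            h = self.queue.popleft()
            results.append((h, self.verdict_table.get(h, "clean")))
        return results


class FastPathIDPS:
    """In-line stage: never waits for the sandbox, so latency stays low."""

    def __init__(self, sandbox: DemoSandbox):
        self.sandbox = sandbox
        self.seen: dict[str, list[Transfer]] = defaultdict(list)
        self.block_hashes: set[str] = set()  # learned from sandbox verdicts

    def observe(self, t: Transfer) -> str:
        if t.sha256 in self.block_hashes:
            return "blocked"  # a later copy of a known-bad file is stopped in-line
        self.seen[t.sha256].append(t)
        self.sandbox.submit(t.sha256)
        return "forwarded"

    def apply_verdicts(self, verdicts: list[tuple[str, str]]) -> dict[str, list[str]]:
        """Close the loop: learn block rules and report hosts that already
        received a sample the sandbox later called malicious."""
        affected = {}
        for h, verdict in verdicts:
            if verdict == "malicious":
                self.block_hashes.add(h)
                affected[h] = sorted({t.dst for t in self.seen[h]})
        return affected


def demo_hash(label: bytes) -> str:
    """Constructed file hash for the demo (hash of a label, not of real malware)."""
    return hashlib.sha256(label).hexdigest()


BENIGN = demo_hash(b"constructed benign document")
MALICIOUS = demo_hash(b"constructed malicious sample")

SAMPLE_TRANSFERS = [
    Transfer(1.0, "203.0.113.20", "10.0.0.21", MALICIOUS),
    Transfer(2.0, "203.0.113.20", "10.0.0.22", MALICIOUS),
    Transfer(3.0, "203.0.113.21", "10.0.0.23", BENIGN),
]


def run_scenario() -> tuple[list[str], dict[str, list[str]], str]:
    """First pass forwards everything; the verdict arrives later; the next copy is blocked."""
    sandbox = DemoSandbox({MALICIOUS: "malicious"})
    idps = FastPathIDPS(sandbox)
    first_pass = [idps.observe(t) for t in SAMPLE_TRANSFERS]
    affected = idps.apply_verdicts(sandbox.run())
    replay = idps.observe(Transfer(4.0, "203.0.113.20", "10.0.0.24", MALICIOUS))
    return first_pass, affected, replay


if __name__ == "__main__":
    print(run_scenario())
```

The `affected` map is the correlation the post says analysts otherwise had to do by hand: the sandbox knows a hash is bad, the IDPS knows which streams carried it, and only the link between them answers “which hosts do I need to look at now?”.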
Figure 1 – The 5 Qualities of IDPS (TrendMicro)
Why Stand-Alone IDPS Matters More than Ever
“But I use the cloud – I don’t need network security.” Virtualized data centers and hybrid cloud mean that IDPS is more important than ever. Infrastructure has never been self-defending, because the sad and continuously proven reality is that features trump security when selling non-security products. Data center architectures are written on an Etch-A-Sketch: they are virtual and can be constantly changing and mutating. The public clouds and virtualization providers don’t include an optional IDPS, let alone a lower-featured IPS. We blocked threats in our non-virtual data centers, and we shouldn’t stop doing that because we’ve gone virtual, hybrid cloud, or multi-cloud. Data centers are undergoing incredible architectural changes. It turns out that in-line IDPS is a new architectural tool that accommodates a changing architecture while still providing a clean flow of traffic, one that can’t be ‘un-orchestrated’ or bypassed.