I heard a question the other day that caught me off guard. “Why do you guys even sell IPS (Intrusion Prevention Systems), is there even value in that anymore? Shouldn’t you just recommend patching vulnerable systems?”
Let’s start with the second question, yes we do recommend patching. But the reality is that not every system has a patch available as soon as a vulnerability is released. And even if it did, most systems cannot be taken out of service and patched as soon as the fix is released. I think we can all agree that patch management should be taken more seriously, and I am not just talking about Windows updates. But we have to work within real-world constraints and do our best to protect what we can, as best we can.
So what do you do to protect those systems that cannot be patched right away or at all (we will save that rant for another time)? Enter an IPS. IPS security solutions can be used to protect systems that are vulnerable and provide us with some breathing room to get them up to date.
Let’s walk through a real scenario that I saw in my own test network last April. Within a few days of the Heartbleed disclosure, I saw my IPS blocking Heartbleed attacks aimed at my servers. So in a matter of hours and days the following happened.
- Heartbleed was announced, cool logo and all.
- Cisco Sourcefire created signatures to identify and stop Heartbleed attacks.
- My FireSIGHT Manager received this update and automatically pushed it to the sensors.
- Utilities and malicious tools were created to test for and exploit Heartbleed.
- Something found my Internet facing servers and began to run a Heartbleed attack to pump it for information.
- I saw email alerts notifying me that Heartbleed attacks against my servers were blocked. Hats off to the security vendors for the quick responses!
It is not going to be easy to beat that turnaround time with any patch management strategy.
We only looked at one use case here and I think that displays value enough. But no single security product or strategy is going to fix everything. There are many good approaches and multiple solutions that can be effective, but nothing is 100% perfect. We need to approach the problem from different directions and use the best tools that we can. Finally, when we have issues, because everyone will, we need to respond appropriately and quickly to minimize the impact.
Learn more about security and the advantages of “Defense in Depth.” Reach out below for more information or to weigh in on the IPS topic.