Modern Malware and the Balance Between IDS and IPS

Information security is a job that requires the ability to recognize change and adapt, whether that be adapting to changing threats, regulatory and business requirements or advances in information technology itself. Yet, the flipside of that coin is that often our latest, insoluble challenge is simply a new instance of a problem we have already confronted before. This seems particularly true in the case of threat prevention today, where in many ways we are seeing the industry revert from a threat prevention strategy to a threat detection strategy when dealing with modern malware and advanced persistent threats (APTs).

Today, the threats are new, the solutions are new, and often it feels like the best a security team can hope for is to identify that an attack has occurred and begin remediation. Of course, many in IT security have seen this dynamic before, in the evolution from IDS (intrusion detection systems) to IPS (intrusion prevention systems).

In the early days of threat prevention, intrusion detection was all that was possible, for two reasons. First, detecting exploits required deeper inspection than the industry had performed before, which made it too slow to sit in line where prevention could occur. Second, false positives were common, so security teams were reluctant to block a threat without investigating it first. Over time these solutions matured to be faster and more accurate, to the point that the vast majority of enterprises use an IPS, a prevention approach, today.

The benefits of prevention are pretty obvious. Threats are blocked before they ever reach the target, and the decision is automated so that staff do not have to investigate each event by hand. In short, with prevention we get better protection while requiring less human intervention.
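The two paragraphs above describe the same sensor living first as a passive detector and later as an inline blocker, with accuracy (false-positive rate) as the gate between the two. The following toy model, added here as an illustration and not code from the original post or from any product, shows that progression: a rule set is run out-of-band where it can only alert, analysts feed back verdicts on the alerts, and only rules that prove accurate over enough samples are switched to "drop" before the sensor goes inline. The rule sids, regex patterns, HTTP payloads and promotion thresholds are all constructed for the example.

```python
"""Detection-mode versus prevention-mode handling of one signature set.

Added example, not part of the original post. Rules, sids, patterns,
traffic and thresholds below are constructed for illustration only.
"""
from dataclasses import dataclass
import re


@dataclass
class Rule:
    sid: int
    msg: str
    pattern: str            # regex applied to the payload (constructed)
    action: str = "alert"   # "alert" = detect only, "drop" = block when inline
    true_positives: int = 0
    false_positives: int = 0

    def fp_rate(self) -> float:
        seen = self.true_positives + self.false_positives
        # No analyst feedback yet: treat the rule as untrusted (rate 1.0).
        return self.false_positives / seen if seen else 1.0


def inspect(payload: str, rules, inline: bool):
    """Run every rule over one payload; returns (verdicts, forwarded).

    A passive sensor (inline=False) can only alert, whatever the rule says.
    An inline sensor enforces "drop", which stops the payload being forwarded.
    """
    verdicts = []
    forwarded = True
    for rule in rules:
        if re.search(rule.pattern, payload):
            action = rule.action if inline else "alert"
            verdicts.append((rule.sid, action))
            if action == "drop":
                forwarded = False
    return verdicts, forwarded


def record_feedback(rule: Rule, confirmed_malicious: bool) -> None:
    """Analyst verdict on one alert: the manual investigation step."""
    if confirmed_malicious:
        rule.true_positives += 1
    else:
        rule.false_positives += 1


def promote_rules(rules, max_fp_rate: float = 0.05, min_samples: int = 20):
    """Switch a rule to drop only once enough investigated hits show a low
    false-positive rate; anything noisier stays alert-only.
    Returns the sids now in drop mode. Thresholds are assumed values."""
    dropping = []
    for rule in rules:
        seen = rule.true_positives + rule.false_positives
        if seen >= min_samples and rule.fp_rate() <= max_fp_rate:
            rule.action = "drop"
            dropping.append(rule.sid)
        else:
            rule.action = "alert"
    return dropping


def make_rules():
    # Constructed rules; the sids and patterns are not real signatures.
    return [
        Rule(1000001, "Directory traversal in request path", r"(\.\./){2,}"),
        Rule(1000002, "Scripted HTTP client user-agent",
             r"User-Agent: (curl|python-requests)/"),
    ]


# Constructed sample traffic.
TRAVERSAL = "GET /../../../etc/passwd HTTP/1.1\r\nHost: app.example\r\n\r\n"
CURL_FETCH = ("GET /index.html HTTP/1.1\r\nHost: app.example\r\n"
              "User-Agent: curl/8.0\r\n\r\n")


def demo():
    rules = make_rules()
    traversal, ua = rules

    # Phase 1: passive IDS. A hit is an alert and the traffic still flows.
    v_passive, fwd_passive = inspect(TRAVERSAL, rules, inline=False)

    # Phase 2: analysts triage. Traversal hits are always real; the user-agent
    # rule mostly fires on legitimate scripts and monitoring.
    for _ in range(20):
        record_feedback(traversal, True)
    for _ in range(5):
        record_feedback(ua, True)
    for _ in range(15):
        record_feedback(ua, False)

    # Phase 3: promote only the proven rule, then deploy the set inline.
    dropping = promote_rules(rules)
    v_inline_trav, fwd_inline_trav = inspect(TRAVERSAL, rules, inline=True)
    v_inline_curl, fwd_inline_curl = inspect(CURL_FETCH, rules, inline=True)

    return {
        "passive": (v_passive, fwd_passive),
        "dropping": dropping,
        "inline_traversal": (v_inline_trav, fwd_inline_trav),
        "inline_curl": (v_inline_curl, fwd_inline_curl),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the model is the gate in `promote_rules`: the same signature only earns the right to block after it has been investigated enough times to show that blocking it will not take down legitimate traffic, while noisy rules stay in alert mode even on an inline sensor. That is the same accuracy-before-enforcement trade-off the IDS-to-IPS transition went through, and the one modern malware detection has to repeat.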

In the fight against malware and APTs, we are in large part being forced to regress to the threat detection phase of the game, where many security teams can only detect that they have been hit and can do very little about it. When we regress from prevention to detection, it is critical that we understand why, and how we can respond. For instance, what is the path back to an automated approach to threat prevention? Is it even possible? How do we get there from here, and what can we do in the meantime?

These are the important questions that we need to answer if we are going to actually make use of the lessons that we learned in the past, instead of simply reliving them in our present.

That’s why I chose to focus on this topic in my SecurityWeek column this week. In the article I cover some important need-to-knows: that not all advanced threats are created equal, that understanding context is the key, and why network chops are a must, all while keeping in mind how we can learn from the past to live in the present.