Cybersecurity may not be on everyone's mind at every waking moment, but that doesn't stop the evolution of defensive measures.
Intrusion prevention technologies are the latest outgrowth of attempts to thwart those bent on subverting -- or at least disabling -- enterprise networks.
Test Center Technical Director Tom Yager and Senior Analyst P.J. Connolly square off over the value of intrusion prevention systems.
TY: At a time when a desktop PC can outsmart a human chess master, it seems ludicrous that network security remains a largely
manual endeavor. Systems, software, and appliances are getting smarter by the day at spotting patterns of access that point
to the risk of intrusion. Yet IT seems reluctant to take the next step and grant intelligent assets the right to protect themselves.
Instead, the intrusion prevention system in place at most companies is flesh and blood, not silicon. It no longer makes economic
sense to pay someone to sift through access logs and shag pager alerts.
Outsourcing isn’t the answer here. Automation is. I realize, P.J., that you’re part of the cadre of warlocks that has an interest
in keeping security mysterious. But your secret is out: Much of what consultants, in-house security teams, and outsourcing
firms do can -- and should -- be automated. Having your router page you at
3 a.m. to ask, “Someone’s pointing a gun at my head -- is that bad?” might feel like job security. In reality, it’s no kind of security.
I’m not saying that companies don’t need security brains; I just think they’re too often wasted fighting fires that could put themselves out.
PJ: Tom, I think all the extra travel you've been doing lately has softened your brain. The way networks are built and applications
are designed means that it's impossible to prevent intruders from entering. Well, there is one way -- unplug your WAN link.
I know that sounds like a joke, but I'm dead serious. In the event of a network penetration, the single most effective countermeasure
is to apply wire cutters to all data cables entering the facility. Unfortunately, that's a hard pill to swallow.
But there's not much else that one can do to "prevent" a networked intruder. Data networks aren't like physical structures
that can be defended with a big dog, razor wire, and a shotgun. Even the most restrictive firewall policy is going to let
some kinds of traffic through, and intruders simply have to disguise their packets as valid ones. After all, it's not as though
businesses can block ports 80 and 443 -- those reserved for HTTP and HTTPS -- for any length of time, no matter what the threat
may be.
TY: We agree on that point: Every asset on the Internet will get hacked or at least sniffed. But that fact leads too many
IT people to make the illogical leap that they should focus their efforts on post-mortem dissection. In other words, identify
the door through which the network has already been breached and close it.
The fear is that an automated intrusion prevention system will inconvenience users. Humans are in the loop precisely because
a company can’t afford to take its entire Web, e-mail, or file/print operation offline in response to a suspected attack.
But it isn’t an all-or-nothing deal. An automated security system needn’t shut down all traffic on a given port every time
it senses trouble. It can selectively cut off only vulnerable services such as Web-based administration and remote database
access.
And in extreme cases, why not let the system pull the plug on everything? I’m sure students and faculty at the University of Texas
would rather have suffered a few hours without online class registration than have their identities swiped. We accept the
inconvenience caused by false positives in automated anti-virus and spam-blocking solutions. What makes this any different?