The Future of IPS and NAC

Last week I attended the Boston SecureWorld Expo (http://www.secureworldexpo.com/). I found it to be a worthwhile event with some good sessions and a chance to meet up with some of my colleagues in the IT security profession.

One of the sessions I attended was a panel discussion with various IPS and NAC vendors such as Tipping Point, ForeScout and TopLayer.  At the beginning, it was fairly embarrassing as each of the vendors introduced themselves, each one espousing why their product was better.  After the initial boasts, the questions got down to the nitty gritty of the subject area of where an enterprise should leverage IPS and/or NAC.

All of this discussion got my mind going and a question formulated itself in my mind.

We have had IPS for a while now, even though I have not seen many instances where they really leveraged the IPS attack blocking functionality and basically used the technology as an “out of line” IDS device. IPS has not really evolved. It is still stuck in the IT network and, with all of the focus on moving security into the business world, IPS seems to have been left behind. Many organizations are still not leveraging IDS and IPS to their fullest extent and it remains a security geek tool. For many, IPS is implemented not because it can help the business, but because it is required to pass a “check list”! And this doesn’t help the many CISOs and CSOs I know who are continually challenged with cost justifying security. The banner of regulations and compliance threats is becoming worn out and threadbare. Security needs to move off the FUD platform and into really helping improve an organization’s performance.

So I asked the panel the question, “What is next for IPS?” No really firm, reassuring answer came back.

So I pushed a bit further and asked if any of the vendors had any plans to move up the IT stack, i.e. beyond the network layer and into application transaction intelligence.  This time, some of the vendors got it and Tipping Point even talked about a new solution that would track activities at the user level.  The example given was that of an employee in accounting that normally transferred 10MB of data during a normal day, but tripped an alarm when 20Mb of data was transferred.

I think this is where we have to take security. Yes, there will be better DRM, but this is not going to happen overnight and I can see that in ten years’ time there will still be applications and users and servers transferring non-DRM’d data. Security has to move out of the safety of IT geekdom and has to, at least, start talking about the world in terms of business transactions.
Security professionals should be some of the best candidates for this, since we already think about business impact, protecting people, and data, and we understand the bigger world of processes, procedures and the entire IT infrastructure. This means that we have to start talking, thinking, and leveraging security technologies for business. If we keep articulating security as some arcane art that is mysterious and dangerous, then we will alienate ourselves.

Going back to the technology, IPS could be the answer. It deals with not just a single event, but can handle sequences of events to detect anomalies. Why can’t we take the same technology and point it at business transactions?

Just a thought.

If you have comments, please add them here, but if you want a threaded discussion, go to our Forums section and participate. Am I “off the ball” or do you agree? Let me hear your thoughts.

Posted by Paul Davis on 03/31 at 06:16 PM

I thank you for sharing such a nice piece

Gr8 post

nice job Keep it up

Posted by investment management firms  on  04/04  at  03:04 AM

IPS “It deals with not just a single event, but can handle sequences of events to detect anomalies, why can’t we take the same technology and point it at business transactions.”

Good point. It’ll be interesting to see if it’s picked up more.

Posted by businesses for sale brokers  on  04/26  at  03:38 AM

Yes, we can use the same technology to organize the same events, but it requires sound knowledge of that technology.

Posted by investment opinions  on  04/28  at  09:02 AM