Signature-based detection, protection systems ineffective

IT managers better off looking at IDS and IPS systems that secure against network vulnerabilities, compared to passive, signature-based methods that are easily bypassed by today's cybercriminals, expert urges.
Written by Tyler Thia, Contributor

COMMUNICASIA, SINGAPORE--Companies should focus on addressing weaknesses in their networks rather than relying on signature-based intrusion detection systems (IDS) and intrusion prevention systems (IPS), which are no longer adequate to combat today's cyberthreats.

Brian Tan, a technical consultant with network security specialist Sourcefire, said signatures are preconfigured to identify network exploits, which is a "good thing" because it is technically more accurate. However, because there are preset fields that have to be met before an exploit is identified, this method creates "a lot of false positives", he noted.

Furthermore, cybercriminals can easily change their exploits to bypass the preconfigured fields, making such IDS and IPS methods retroactive--rather than proactive--solutions, Tan said during a security workshop held here Friday at the CommunicAsia tradeshow.

To better address today's cyber threats, he suggested IT professionals implement a system that actively protects against vulnerabilities instead.

"We research on the vulnerability before writing any protection software," he explained. "If I work on the basis of weakness, I wouldn't need to do reverse engineering because regardless of the type of exploit, it's going after the same source and weakness.

"So with one rule or one protection, I can cover every single exploit."

Tan also revealed that security vendors are now re-examining their existing strategies, with many starting to adopt an approach of "protecting weaknesses" to avoid getting caught in the "endless catching game" of signature-based IPS and IDS systems.
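To make the contrast concrete, here is an added illustration (not code from the article or from Sourcefire) using a constructed, hypothetical request format: an exploit-signature rule pinned to the preset fields of one captured exploit is compared with a rule that checks for the underlying vulnerable condition, so a trivially altered variant slips past the first but not the second.

```python
# Added illustration (not from the article or Sourcefire): an exploit-signature
# rule versus a vulnerability-condition rule on a constructed message format.
import re

# Hypothetical service: a request is "NAME=<value>" and the server copies
# <value> into a 64-byte buffer. An oversized value is the weakness itself,
# whatever bytes the sender fills it with.
BUFFER_SIZE = 64

# Exploit-signature rule: preset fields copied from one captured exploit
# (constructed sample), so it only ever matches that exact variant.
EXPLOIT_SIGNATURE = re.compile(rb"NAME=A{64}\x90{4}")

def signature_rule(packet: bytes) -> bool:
    """Signature-based IDS check: alert only on the one captured pattern."""
    return EXPLOIT_SIGNATURE.search(packet) is not None

def vulnerability_rule(packet: bytes) -> bool:
    """Vulnerability-based check: alert on the condition the flaw requires
    (an oversized NAME field), regardless of how the exploit is dressed up."""
    match = re.match(rb"NAME=([^\r\n]*)", packet)
    return match is not None and len(match.group(1)) > BUFFER_SIZE

# Constructed traffic samples. "variant" changes the padding byte, the
# padding length and the filler bytes, so the preset signature no longer
# matches even though the same flaw is still being triggered.
SAMPLES = {
    "benign":   b"NAME=alice\r\n",
    "original": b"NAME=" + b"A" * 64 + b"\x90" * 4 + b"XXXX\r\n",
    "variant":  b"NAME=" + b"B" * 70 + b"\x41" * 4 + b"XXXX\r\n",
}

def evaluate() -> dict:
    """Return {sample: (signature_alert, vulnerability_alert)} for each sample."""
    return {name: (signature_rule(p), vulnerability_rule(p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (sig, vuln) in evaluate().items():
        print(f"{name:9s} signature={sig!s:5s} vulnerability={vuln}")
```

The signature fires on the captured exploit only, while the single vulnerability rule fires on both malicious samples and stays quiet on the benign one.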

Finetune security policies
He also urged IT managers to "adapt" their IDS and IPS deployments within enterprise networks to better cope with the dynamically changing threats.

The number of personal devices accessing the corporate network, as well as the introduction of non-traditional Web-enabled devices such as point-of-sale devices and medical equipment which often go unsecured, are examples of the increasing security risks IT professionals today face, he noted.

Most of these IT managers, however, simply implement the detection and prevention systems as recommended by vendors without finetuning security policies and guidelines according to their company's requirements, he said.

This process of finetuning is admittedly painful and could take more than six months, but Tan stressed that it is an essential step toward safeguarding a company's data assets.

He also pointed to virtualization as another cause of network vulnerability.

While the technology brings about cost savings and is beneficial from a commercial standpoint, it creates a weak link as IT departments are no longer able to keep track of the traffic, he said.

"A lot of companies have jumped onto the virtualization bandwagon but, two years on, they're finding it very difficult to maintain as there are too many 'blind spots' and it's difficult to see what's happening on the networks," Tan elaborated.

For a more holistic network protection regime, he recommended a three-pronged approach: awareness of the network's activities through regular monitoring; enforcement of signature policies; and automating IPS to make it run on updated IT policies and network behavior.
