Intrusion prevention systems (IPSs) have been with us for some time, and over the decades the technology has evolved. A sharp distinction was once drawn between an IPS and an intrusion detection system (IDS): an IDS watches a copy of the traffic and raises alerts, while an IPS sits inline and can block it. These days, both functions tend to ship in the same product, and the difference often comes down to whether a given rule is set to alert or to drop.
An IPS, then, is software or hardware that protects a network by detecting and blocking intrusion attempts. Such tools monitor network traffic continuously, look for suspicious or known-malicious activity (by signature, protocol anomaly, or behavioral baseline), and take action, such as dropping packets, resetting connections, or alerting, to stop an incursion or limit the damage. There are several ways of implementing IPS technology, and the market is shifting in how it does so.
Here are five of the top trends in the IPS market:
1. Incorporation of AI
Artificial intelligence (AI) is seeping into all aspects of life. And it is filtering into a wide array of security tools too. This includes IPS.
AI takes much of the drudgery out of IPS operation: models trained on what normal traffic looks like can flag anomalous network behavior automatically, which cuts the time analysts spend trawling through logs and hand-tuning signatures.
“AI has an important role to play in cybersecurity, because it builds on the expertise of its designers to generalize their knowledge and automates decision making,” said Adam Spotton, head of data science, DNSFilter.
“However, AI is not something that can be easily deployed as an off-the-shelf solution. Careful consideration must be given to each step of the data collection and training process, so that the model is effective and reliable once it’s released from the laboratory into a real-world setting. These considerations include framing the threat identification problem, collecting the data to be able to train it properly, iterative testing and refinement, and interpreting its findings.”
When done correctly, AI is a powerful tool that can be used to detect not only existing threats, but new and constantly evolving threats as well.
For instance, AI-powered threat detection has demonstrated that it can catch over 60% more domain threats compared to traditional and manual static threat feeds. IPS vendors are gradually incorporating AI into their tools.
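As an added illustration of the anomaly-detection step described in this section (example code written for this page, not code from the article or from any vendor's product), the block below learns a per-host baseline from the first hours of constructed flow summaries and then scores later hours by how many standard deviations they sit above that baseline. The log format, the hosts, the training window, the threshold and the variance floor are all assumptions made for the example; a production IPS would train on far more data and richer features, but the mechanics are the same.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed hourly flow summaries for three hosts (assumed format, not real traffic):
# "<host> <hour> <bytes_out> <distinct_destinations>"
SAMPLE_FLOWS = """
10.0.1.5 0 1200000 14
10.0.1.5 1 1350000 12
10.0.1.5 2 1100000 15
10.0.1.5 3 1300000 13
10.0.1.5 4 1250000 14
10.0.1.5 5 1150000 12
10.0.1.5 6 1400000 16
10.0.1.5 7 41000000 15
10.0.1.9 0 800000 10
10.0.1.9 1 820000 11
10.0.1.9 2 790000 9
10.0.1.9 3 810000 10
10.0.1.9 4 830000 12
10.0.1.9 5 800000 10
10.0.1.9 6 790000 9
10.0.1.9 7 850000 310
10.0.1.22 0 500000 20
10.0.1.22 1 500000 20
10.0.1.22 2 500000 20
10.0.1.22 3 500000 20
10.0.1.22 4 500000 20
10.0.1.22 5 500000 20
10.0.1.22 6 500000 20
10.0.1.22 7 520000 21
"""

TRAINING_HOURS = 6   # hours 0-5 define "normal" for each host; later hours are scored
Z_THRESHOLD = 4.0    # flag a metric more than 4 standard deviations above its baseline
METRICS = ("bytes_out", "distinct_dsts")


def parse_flows(text):
    """Parse the constructed summary lines into (host, hour, bytes_out, distinct_dsts)."""
    records = []
    for line in text.strip().splitlines():
        host, hour, bytes_out, dsts = line.split()
        records.append((host, int(hour), int(bytes_out), int(dsts)))
    return records


def build_baselines(records, training_hours=TRAINING_HOURS):
    """Per-host mean and standard deviation of each metric over the training window."""
    samples = defaultdict(lambda: {m: [] for m in METRICS})
    for host, hour, bytes_out, dsts in records:
        if hour < training_hours:
            samples[host]["bytes_out"].append(bytes_out)
            samples[host]["distinct_dsts"].append(dsts)
    baselines = {}
    for host, per_metric in samples.items():
        baselines[host] = {}
        for metric, values in per_metric.items():
            mu = mean(values)
            # Floor the spread so a host with near-constant traffic (sigma ~ 0) is not
            # flagged for trivial jitter, and so the z-score never divides by zero.
            sigma = max(pstdev(values), 0.05 * mu, 1.0)
            baselines[host][metric] = (mu, sigma)
    return baselines


def score_flows(records, baselines, z_threshold=Z_THRESHOLD, training_hours=TRAINING_HOURS):
    """Return alerts for post-training hours whose z-score exceeds the threshold."""
    alerts = []
    for host, hour, bytes_out, dsts in records:
        if hour < training_hours or host not in baselines:
            continue
        for metric, value in (("bytes_out", bytes_out), ("distinct_dsts", dsts)):
            mu, sigma = baselines[host][metric]
            z = (value - mu) / sigma
            if z > z_threshold:
                alerts.append({"host": host, "hour": hour, "metric": metric, "z": round(z, 1)})
    return alerts


def detect_anomalies(text=SAMPLE_FLOWS):
    """End-to-end: parse, learn baselines, score the hours after the training window."""
    records = parse_flows(text)
    return score_flows(records, build_baselines(records))


if __name__ == "__main__":
    for alert in detect_anomalies():
        print(alert)
```

Run as written, the block flags hour 7 on 10.0.1.5 (a large outbound byte spike, the shape of an exfiltration) and hour 7 on 10.0.1.9 (a jump from about ten destinations to several hundred, the shape of a scan or lateral-movement attempt), while the near-constant host 10.0.1.22 is left alone thanks to the variance floor. The floor is the practitioner's caveat: without it, a host whose training data happens to be perfectly steady would fire on any change at all.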
2. Incorporation into larger suites
Just as IPS is incorporating more AI features, there is a growing trend for IPS tools themselves to be packaged into larger all-encompassing security suites.
This is part of a larger trend within security. Instead of maintaining separate products for antivirus, anti-malware, spam detection, IPS, IDS, ransomware prevention, firewalls, threat monitoring, and security analytics, vendors are packing them into larger suites. Security information and event management (SIEM) platforms, for example, increasingly ingest IPS alerts alongside other telemetry, and managed SIEM offerings often bundle IPS functions.
“With more abnormal behavior due to the move to remote work environments, companies need expertise in optimizing and tuning SIEM platforms to leverage their advanced capabilities,” said Paul Caiazzo, strategic adviser at Avertium, a company offering managed SIEM services that include IPS functions.
3. Ransomware prevention
With ransomware becoming such a threat, organizations are beginning to realize that they must have tools in place to prevent ransomware incursion. But if they do suffer an attack, they must be able to detect the incursion as fast as possible and take remedial action.
“The cost of an attack increases with the duration, so identifying threats as soon as possible is within an organization’s best interests,” said Caiazzo with Avertium.
“Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible.”
That is why responders cannot afford to jump from console to console trying to work out what is going on. IPS functions, accordingly, now appear inside a variety of tools marketed as ransomware prevention and detection suites.
Data from the SIEM, the IPS, and other systems can be correlated to support threat hunting and get in front of an attack: identifying exposed attack vectors before they are exploited, or spotting a subtle attack, such as a single compromised host that has just begun encrypting files, in its early stages.
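The correlation described above, as an added example that is not part of the original article or of any vendor's SIEM: IPS alerts and endpoint file-rename events for the same host are joined inside a time window, and a network alert that lands close to a rename burst is escalated above either signal on its own. The event schema, hostnames, signature names, window length and rename threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized events from two sources (assumed schema, not a real SIEM feed):
# "<ISO timestamp> <source> <host> <event_type> [key=value ...]"
SAMPLE_EVENTS = """
2024-03-01T08:30:00 ips ws-410 alert sig=suspicious-dns-tunnel
2024-03-01T09:00:05 ips ws-117 alert sig=c2-beacon-pattern
2024-03-01T09:00:40 edr ws-117 file_rename ext=.locked
2024-03-01T09:00:41 edr ws-117 file_rename ext=.locked
2024-03-01T09:00:43 edr ws-117 file_rename ext=.locked
2024-03-01T09:00:44 edr ws-117 file_rename ext=.locked
2024-03-01T09:00:46 edr ws-117 file_rename ext=.locked
2024-03-01T09:00:47 edr ws-117 file_rename ext=.locked
2024-03-01T09:02:10 ips ws-203 alert sig=tcp-port-scan
2024-03-01T09:03:00 edr ws-305 file_rename ext=.bak
2024-03-01T09:03:30 edr ws-305 file_rename ext=.bak
2024-03-01T09:04:00 edr ws-305 file_rename ext=.bak
2024-03-01T09:05:00 edr fs-01 file_rename ext=.crypt
2024-03-01T09:05:10 edr fs-01 file_rename ext=.crypt
2024-03-01T09:05:20 edr fs-01 file_rename ext=.crypt
2024-03-01T09:05:30 edr fs-01 file_rename ext=.crypt
2024-03-01T09:05:40 edr fs-01 file_rename ext=.crypt
2024-03-01T09:20:00 edr ws-410 file_rename ext=.crypt
2024-03-01T09:20:10 edr ws-410 file_rename ext=.crypt
2024-03-01T09:20:20 edr ws-410 file_rename ext=.crypt
2024-03-01T09:20:30 edr ws-410 file_rename ext=.crypt
2024-03-01T09:20:40 edr ws-410 file_rename ext=.crypt
"""

RENAME_THRESHOLD = 5           # renames on one host inside the window count as a burst
WINDOW = timedelta(minutes=5)  # used both for the burst and for joining it to an IPS alert


def parse_events(text):
    """Parse the constructed lines into dicts; trailing key=value pairs become attributes."""
    events = []
    for line in text.strip().splitlines():
        ts, source, host, etype, *pairs = line.split()
        attrs = dict(pair.split("=", 1) for pair in pairs)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "host": host, "type": etype, **attrs})
    return events


def rename_bursts(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Sliding-window count: {host: start time of the first burst of >= threshold renames}."""
    times_by_host = defaultdict(list)
    for e in events:
        if e["source"] == "edr" and e["type"] == "file_rename":
            times_by_host[e["host"]].append(e["ts"])
    bursts = {}
    for host, times in times_by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[host] = times[start]
                break
    return bursts


def correlate(events, window=WINDOW):
    """Join IPS alerts and rename bursts per host; escalate when both fall inside the window."""
    ips_alerts = defaultdict(list)
    for e in events:
        if e["source"] == "ips" and e["type"] == "alert":
            ips_alerts[e["host"]].append(e)
    bursts = rename_bursts(events, window=window)
    incidents = []
    for host in sorted(set(ips_alerts) | set(bursts)):
        alerts = ips_alerts.get(host, [])
        burst_start = bursts.get(host)
        near = [a for a in alerts
                if burst_start is not None and abs(a["ts"] - burst_start) <= window]
        if near:
            severity, reason = "critical", "IPS alert and file-rename burst on the same host within window"
        elif burst_start is not None:
            severity, reason = "high", "file-rename burst with no recent network indicator"
        else:
            severity, reason = "medium", "IPS alert only"
        incidents.append({"host": host, "severity": severity, "reason": reason,
                          "signatures": [a.get("sig") for a in alerts]})
    return incidents


if __name__ == "__main__":
    for incident in correlate(parse_events(SAMPLE_EVENTS)):
        print(incident)
```

Two of the constructed hosts show why the time window matters: ws-305 renames only three files and never reaches the burst threshold, so it generates nothing, while ws-410 has an IPS alert fifty minutes before its rename burst, outside the window, so the burst is reported as high rather than critical and the stale alert is merely listed. Either signal alone is worth a ticket; the two together on one host inside a few minutes is the early-stage ransomware picture the text describes, and it is visible in one place instead of across two consoles.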
4. Extended perimeter
Perimeter defenses were the norm in the heyday of single-function IPS tools. As long as you kept watch at the network edge and prevented anything from penetrating, you could be secure. Those days are long gone.
“Many organizations use a perimeter-focused cybersecurity strategy that has limited-to-no visibility or control over potential malicious traffic inside the network perimeter, a single layer of defense,” said Caiazzo with Avertium. “That single layer ultimately can become a single point of failure in a security strategy.”
The IPS function guarding the corporate headquarters or data center remains vital. But it needs to be supported by a broader set of capabilities that can deal with an increasingly remote and dispersed perimeter, and with attackers who are already inside it. Thus, defense in depth has become the new norm. It requires multiple layers of security controls, for example network IPS at the edge, segmentation and east-west inspection inside the network, and endpoint controls on each device, so that if one layer is defeated, another is likely to identify and block the attack.
5. Cloud vs. on-premises IPS
IPS used to be installed on-premises as an appliance or software sensor, maintained and managed by internal IT staff. Some of that remains, particularly where traffic has to be inspected inline at a data center edge.
However, cloud-delivered tools have largely taken over.
Extended detection and response (XDR) suites, for example, are delivered and managed from the cloud, combine endpoint protection with network and other telemetry, and include IPS capabilities. One caveat: a cloud-delivered IPS only sees traffic that is routed through it, so east-west traffic between on-premises systems still needs a local sensor or an agent on the host.