Enterprise-wide Intrusion Prevention: Network Security's Next Generation

Stopping zero-day attacks, combating evolving security threats, and addressing internal security

New security threats are growing in frequency, sophistication, and impact. Perimeter-focused security can mitigate risk from known attacks, but real protection comes from identifying and reacting to a new threat as soon as it appears on your network.

This article looks at enterprise-wide intrusion prevention, an approach that network and security practitioners increasingly see as the practical way to combat the many threats facing security managers every day. We'll show how it complements outward-focused security products with monitoring and response that are embedded throughout the enterprise network.

What Is Enterprise-wide Intrusion Prevention? Why Do I Need It?
Continued innovation has created many ways to protect against known threats. Every new attack is evaluated after the fact: analysts spend valuable time dissecting it and building defenses against major worms, viruses, well-known hacking vulnerabilities, and other threats. Yet an attacker needs to change only a few lines of code and the same worm or Trojan slips right past the reactive signature or patch developed to stop the original. Attackers keep finding new ways to get past signature-based defenses, and ongoing changes and upgrades in network infrastructure, Web services, and new software keep creating fresh vulnerabilities and opportunities for exploitation.

Perimeter-focused security, which blocks attacks coming from outside, is no longer enough. IT staff need to understand what constitutes normal network behavior, identify behavior that departs from it, and fix it so business can proceed. Enterprise-wide intrusion prevention profiles network behavior across the extended enterprise, flags anomalies, isolates the source of the issue or attack, and offers a choice of corrective measures to resolve or mitigate the threat. The net gain comes from faster reaction to breaking threats and shortened time to resolution, so business processes suffer little or no impact. That translates into increased uptime and efficiency combined with decreased operational costs and losses.

How Do I Use Surveillance, Analysis, and Control?
Enterprise-wide intrusion prevention technology models traffic flows, transactions, and network activity and analyzes them to learn what normal behavior looks like, including recurring run-rate activity spikes such as scheduled backups. It detects aberrations, that is, changes in traffic levels, communication patterns, or other anomalies that serve as an early warning of malicious activity, whether from an external attack or internal misuse of the network. Having pinpointed suspicious behavior, it isolates the source of the anomaly and offers several means of resolution to fix the problem before it causes damage.

Successful enterprise-wide intrusion prevention requires a three-tiered approach of surveillance, analysis, and control. Surveillance recognizes malicious activity, including low-and-slow probes of network defenses that never stand out in any single interval, while not sounding a false alarm on every traffic spike the baseline has already learned as normal. Where firewalls and other appliances provide a limited view from a single point in the network, this technology looks across the entire network.

Behavioral analysis is the key to understanding and applying what is learned from network surveillance. Enterprise-wide intrusion prevention taps both real-time and historical views of network activity to model the behavior of users, applications, servers, and network resources. The latest technology includes a classification engine that profiles network behavior and learns what is normal over time. It accommodates the dynamic complexities of modern networks, recognizing normal and acceptable behavioral changes as safe, and raises an alarm when it perceives a potential threat as a deviation from the baseline. Unlike a traditional signature-based IPS, this technology does not need a signature to identify a malicious internal user or an evolving worm. Behavioral analysis recognizes everything from the abnormal behavior caused by a new attack or hacking attempt, to internal threats such as insider scams and stealth attacks. It even finds policy violations among network users who use P2P file sharing and instant messaging, as well as other types of network misuse. One caveat applies to any baseline approach: activity that is already present during the learning period, such as a host compromised before monitoring began, becomes part of "normal," so the baseline should be learned from a known-good period and reviewed when it is first established.

The third element, control, empowers security and network professionals to enforce network behavior. Simply identifying an anomaly is not enough; corrective measures must be taken as soon as possible, because new attacks continue to hit every network with increasing sophistication and far greater impact. The control element offers a variety of mechanisms for fixing or mitigating the problem. With a choice ranging from automatic remediation to full operator intervention, administrators can address the most critical issues first and focus their time where it is needed most. These systems can address different types of activity in different ways and are flexible enough to enforce network behavior according to each customer's needs. After all, some parts of the network are more critical than others, and different types of threats require different approaches to resolution; an automated quarantine that is acceptable for a workstation can be a self-inflicted outage if it is applied to a production server on a false positive, which is why the choice between automatic and operator-driven response should follow asset criticality. Advances in enterprise-wide intrusion prevention technology give IT staff options they have not had before.
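The surveillance, analysis, and control loop described above, as an added example in Python; this is not code from the article or from Q1 Labs, and the host names, flow volumes, thresholds, and criticality table are constructed for the illustration. It learns a per-host, per-hour-of-day baseline from a week of NetFlow-style records, scores a new day with a robust z-score (median and MAD) so that a recurring backup spike is not an alarm, catches a low-and-slow probe by counting never-before-seen (destination, port) pairs across the whole day rather than within any one hour, and then picks automatic quarantine or operator escalation from the criticality of the source asset.

```python
"""Behavioural baseline detector over NetFlow-style records.

Added example, not code from this article or from Q1 Labs.  It walks the
surveillance / analysis / control loop on constructed data: learn a per-host,
per-hour-of-day baseline from a week of flows, score a new day with a robust
z-score (median and MAD), catch a low-and-slow probe by counting never-before-
seen (dst, port) pairs over the whole day, and pick a response from an
asset-criticality table.  Hosts, thresholds and criticality are assumptions.
"""
from collections import defaultdict

Z_THRESHOLD = 3.5           # Iglewicz-Hoaglin cut-off for a robust z-score
NEW_PAIR_THRESHOLD = 10     # new (dst, port) pairs in a day before a host is "probing"
MAD_FLOOR_FRACTION = 0.01   # a perfectly flat baseline must not make a 1-byte change an alarm
ASSET_CRITICALITY = {"files": "critical", "backup": "high", "ws-1": "low"}  # assumed


def jitter(day, hour, scale):
    """Deterministic pseudo-noise in [-5*scale, 5*scale] so the run is reproducible."""
    return ((day * 7 + hour * 13) % 11 - 5) * scale


def constructed_flows(day, scan=False, exfil=False):
    """One constructed day of (day, hour, src, dst, dport, bytes) records.

    The backup host's 80 MB run at 02:00 is a recurring "run-rate spike" the baseline
    must learn as normal.  scan=True adds one 60-byte flow per hour from the workstation
    to a new host on a new port (low-and-slow probe); exfil=True pushes 60 MB out at 14:00.
    """
    flows = []
    for h in range(24):
        flows.append((day, h, "ws-1", "files", 445, 2_000_000 + jitter(day, h, 20_000)))
        flows.append((day, h, "ws-1", "proxy", 3128, 500_000 + jitter(day, h, 5_000)))
        base = 80_000_000 if h == 2 else 100_000
        flows.append((day, h, "backup", "files", 445, base + jitter(day, h, 1_000)))
        if scan:
            flows.append((day, h, "ws-1", f"host-{h}", 1000 + h, 60))
        if exfil and h == 14:
            flows.append((day, h, "backup", "ext-host", 443, 60_000_000))
    return flows


def hourly_bytes(flows):
    """Aggregate flows into {(src, hour): {day: bytes_out}}."""
    agg = defaultdict(lambda: defaultdict(int))
    for day, h, src, _dst, _dport, nbytes in flows:
        agg[(src, h)][day] += nbytes
    return agg


def learn_baseline(training_flows):
    """Surveillance: per (src, hour) median and MAD of daily bytes, plus known peers."""
    baseline, known_pairs = {}, defaultdict(set)
    for (src, h), per_day in hourly_bytes(training_flows).items():
        vals = sorted(per_day.values())
        med = vals[len(vals) // 2]                      # odd number of training days
        mad = sorted(abs(v - med) for v in vals)[len(vals) // 2]
        baseline[(src, h)] = (med, max(mad, MAD_FLOOR_FRACTION * med))
    for _d, _h, src, dst, dport, _b in training_flows:
        known_pairs[src].add((dst, dport))
    return baseline, known_pairs


def analyze(observed_flows, baseline, known_pairs):
    """Analysis: return findings as (src, kind, detail) tuples."""
    findings = []
    for (src, h), per_day in hourly_bytes(observed_flows).items():
        if (src, h) not in baseline:                   # never seen while learning: cannot score
            findings.append((src, "no_baseline", h))
            continue
        med, mad = baseline[(src, h)]
        z = 0.6745 * (sum(per_day.values()) - med) / mad   # robust z-score
        if abs(z) > Z_THRESHOLD:
            findings.append((src, "volume", h))
    # Low-and-slow: one new peer an hour never moves the hourly volume score, but
    # the day-long count of never-before-seen (dst, port) pairs does stand out.
    new_pairs = defaultdict(set)
    for _d, _h, src, dst, dport, _b in observed_flows:
        if (dst, dport) not in known_pairs[src]:
            new_pairs[src].add((dst, dport))
    for src, pairs in new_pairs.items():
        if len(pairs) >= NEW_PAIR_THRESHOLD:
            findings.append((src, "low_and_slow", len(pairs)))
    return findings


def respond(finding):
    """Control: contain low-value assets automatically, hand critical ones to an operator."""
    if ASSET_CRITICALITY.get(finding[0], "unknown") in ("critical", "high"):
        return "escalate_to_operator"
    return "auto_quarantine"


def run_demo():
    """Learn from seven quiet days, then analyze a day with both a probe and an exfil."""
    training = [f for d in range(7) for f in constructed_flows(d)]
    baseline, known = learn_baseline(training)
    today = constructed_flows(7, scan=True, exfil=True)
    return [(f, respond(f)) for f in analyze(today, baseline, known)]


if __name__ == "__main__":
    for finding, action in run_demo():
        print(finding, "->", action)
```

Running it reports the 60 MB transfer from the backup host at 14:00 as a volume anomaly, escalated to an operator because that asset is marked high criticality, and the workstation's 24 new (host, port) pairs as a low-and-slow probe, quarantined automatically; the 80 MB backup run at 02:00 is silent because it appears in every training day. The MAD floor is the practical detail: without it a host whose training traffic is perfectly constant gets a zero spread and would alarm on any change at all.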

Where Does Enterprise-wide Intrusion Prevention Fit In My Security Strategy?
In a crowded security market, every vendor hypes a different technology as the most critical element of a layered security defense. So where does enterprise-wide intrusion prevention fit in your security strategy and network architecture?

This technology takes in security event feeds and network traffic flows from your existing infrastructure, so the data you already collect is put to full use. But its most direct value, and the main reason people choose these systems, is that it addresses the critical gaps of traditional signature-based technologies: internal security, and subtle blended threats and zero-day attacks. The bulk of ongoing security expense, and the biggest nightmare for security and network managers, is identifying, reacting to, and cleaning up damage from the "next big attack." Enterprise-wide intrusion prevention is particularly well placed to defend against new attacks that are as unpredictable as they are inevitable, serving as the first-responder product for identifying, understanding, controlling, and fixing a new attack.

SIDEBAR

Top 10 Benefits of Enterprise-wide Intrusion Prevention
1.  Provides an enterprise-wide security system: Holistic enterprise-wide view of security goes beyond segment-based, perimeter-focused point products.

2.  Stops external threats: Provides an early, and often the only, defense against zero-day and blended threats, without the time delays or alarm overload of signature-based systems. That means quickly identifying and locating worms, Trojans, denial-of-service attacks, and blended/hybrid threats and offering automated resolution.

3.  Enforces internal policies: Exposes and locates internal threats so you can stop them quickly and eliminate future problems, whether from violation of internal policies or intentional misuse. Such misuse wastes resources and exposes enterprises to unnecessary legal and security risk.

4.  Ensures regulatory compliance: Provides monitoring, detection, alerts, and audit trails to comply with new regulations and compliance issues that demand IT participation.

5.  Avoids legal risks and liabilities: Provides the processes and information to protect your organization against risks and liabilities such as lawsuits from illegal file sharing of copyrighted material, lawsuits from accidental disclosure of confidential information, and penalties for noncompliance with regulations.

6.  Improves operational efficiency: Identifies problems quickly, isolating the source of network bandwidth issues or security threats to speed resolution without additional staff.

7.  Secures the "perimeter-free" network: Protects open, distributed networks from potential threats for the most advanced defense of infrastructures that can't rely on perimeter security solutions.

8.  Catches breaches from misconfigured systems: Identifies network misconfigurations quickly and effectively, isolating the source so that the vulnerabilities and conduits they open to attackers can be closed.

9.  Provides a live window into network activity: Gives network and security administrators an instant real-time view of network behavior, along with access to terabytes of historical data. It identifies issues in real time and keeps a complete audit log of activity, which the vendor says it does without costly additional storage requirements.

10.  Combines network and security analysis: Integrating asset discovery, vulnerability data, and observed network profiling provides context-sensitive detection of known events. Pivoting between security and network data simplifies the process of finding, fixing, and preventing threats.

More Stories By Brendan Hannigan

Brendan Hannigan, Executive Vice President of Marketing & Product Engineering
Brendan brings over 16 years of industry experience to Q1 Labs. Before joining Q1 Labs, Brendan was vice president of marketing at Sockeye Networks (a route-optimization firm acquired by Internap), where he led all marketing and product management functions. Previously, as director of network research at Forrester Research, he oversaw the firm's most successful practices, covering enterprise networks, security technology and public network services. Before Forrester, Brendan served in a variety of senior product-development roles at Digital Equipment Corp., Wellfleet Communications and Motorola. Brendan graduated with honors in computer science from University College Dublin, Ireland.
