{"id":6683,"date":"2018-07-17T18:30:00","date_gmt":"2018-07-17T18:30:00","guid":{"rendered":"https:\/\/www.darkreading.com\/endpoint\/cloud-security-lessons-learned-from-intrusion-prevention-systems\/a\/d-id\/1332300"},"modified":"2018-07-17T18:30:00","modified_gmt":"2018-07-17T18:30:00","slug":"cloud-security-lessons-learned-from-intrusion-prevention-systems","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cloud-security-lessons-learned-from-intrusion-prevention-systems\/","title":{"rendered":"Cloud Security: Lessons Learned from Intrusion Prevention Systems"},"content":{"rendered":"
\n<\/header>\n

The advancement of AI-driven public cloud technology is changing the game of “protection by default” in the enterprise.<\/span> <\/p>\n

I recently had the opportunity to brief an industry analyst on the rapid advancement of artificial intelligence (AI) in solving public cloud security. Both the analyst and I had navigated the inception and commercialization of intrusion prevention systems (IPS) and have been skeptical for many years that just because a security technology is capable<\/em> of preventing a threat or an active attack, customers won’t necessarily operate the technology in a protection mode.<\/p>\n

Even today, I’d estimate that 80% of network IPS is operated in detection-only mode and, while faring better, host-based IPS is likely deployed in 60% of enterprise environments as detect and alert only.<\/p>\n

During our conversation, a question arose for both of us, two IPS-wary veterans: are customers prepared to turn on protection? Or, more specifically, why would customers enable the protection piece now? Since my initial discussion with the analyst, I’ve been looking for a more complete way to articulate why I think IPS history fails to answer the question of why “protection” will inevitably be enabled by default for businesses operating from the cloud.<\/p>\n

With or without the next generation or NG prefix, IPS is expected to operate in a standalone manner\u00a0\u2014 a bit like a firewall\u00a0\u2014 to independently analyze a local stream of traffic or data, identify specific events or attack techniques, raise an alert, and (if operated in prevention mode) block or terminate that stream. Enterprise security teams are typically reluctant to enable IPS blocking due to three critical objections:<\/p>\n

1. Prevention decisions<\/strong> are made in real-time at the IPS device level, reliant upon inspecting streaming traffic at that precise time and physical location within the network. IPS is therefore not “context aware”\u00a0\u2014 which leads to high levels of false positives if expert environmental tuning is not regularly performed.
2. Prevention actions<\/strong> are performed locally against the stream of traffic and data being inspected. While the IPS may be best placed to detect a particular threat at that physical location within the enterprise, it is often not the optimal place to take a preventative action.
3. The prevention methods<\/strong> available to an IPS are fairly crude, ranging from firewall-level blocking of traffic, to performing TCP Resets for session termination, requiring coarse-grained parameters for response (e.g., IP address, port number, protocol).<\/p>\n

When it comes to enterprise security and threat visibility, public cloud and its wielding of AI are, quite simply, game changers.<\/p>\n

At its core, the requirement to meter and bill customers for compute, storage, or traffic\u00a0\u2014 accompanied with the transparent capability to dynamically balance workloads and elastically scale on demand\u00a0\u2014 afford a level of environmental visibility and control unheard of in traditional enterprise network architectures.<\/p>\n

While most public cloud provider’s built-in security products share the same nomenclature as their enterprise network cousins, they bear little resemblance under the hood as they are architected specifically for that providers’ cloud and benefit from unique environmental visibility, shared logging and alerting management, cross-product analytics, built-in automation and orchestration APIs, and increasingly advanced AI capabilities.<\/p>\n

Few of these advancements are immediately visible to public cloud customers, so why will security teams enable and allow “protection” in the cloud like they never did with IPS? I believe the technical answer lies in a combination of the following:<\/p>\n