IPS - to buy or not to buy

There’s been some debate about whether or not to purchase an IPS device to put in front of a new online service. Some of you might be reading this and thinking “why wouldn’t you?” Granted, if it were a military system or an online banking service then I suppose it would be a no-brainer. Here in the security suburbs, the answers are not so clear cut. Actually, neither are the questions.


It’s not so much a question of “is an IPS required?” as of whether the potential loss impact warrants spending the money. We need to decide the point at which it becomes a necessity rather than an expensive “nice to have”. Here are some questions I’ll be asking:

  • Is the service strategically important to the business?
  • Are there high revenue expectations?
  • What are the regulatory requirements?

We should also review the benefits of an IPS device. Fundamentally, it detects the presence of unwanted network traffic in three main ways:

1. Signatures: matching traffic against patterns of known attacks
2. Traffic rates: flagging sources or flows that exceed an expected volume
3. Anomaly detection: flagging traffic that deviates from a learned baseline of normal behaviour
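To make the three categories concrete, here is a toy detection engine that runs each of them over a small set of flow records. This is an added example, not code from the original post or from any IPS vendor: the addresses, payloads, signatures, thresholds and the flow-record layout are all constructed for the illustration, and a real IPS works on packets with thousands of rules rather than two regular expressions.

```python
"""Toy IPS detection engine illustrating the three detection categories:
signatures, traffic rates and anomaly detection.

Added example; not from the original post. All traffic below is constructed.
A flow record is (timestamp_seconds, source_ip, destination_port, payload_bytes).
"""
import re
from collections import Counter, defaultdict


def build_legit_flows():
    """Constructed benign traffic: five web clients plus a monitoring host."""
    flows = []
    for i in range(30):  # five clients, one request every 2 s between them
        flows.append((i * 2, "203.0.113.%d" % (10 + i % 5), 443, b"GET /index.html HTTP/1.1"))
    for t in range(60):  # health-check poller, legitimately one request per second
        flows.append((t, "203.0.113.50", 443, b"GET /healthz HTTP/1.1"))
    return flows


def build_attack_flows():
    """Constructed hostile traffic: a fast port sweep and two web attacks."""
    flows = []
    for i in range(50):  # 50 connections in 5 seconds, each to a different port
        flows.append((30 + i // 10, "198.51.100.7", 1 + i, b""))
    flows.append((40, "198.51.100.8", 443,
                  b"GET /search?q=1' UNION SELECT password FROM users-- HTTP/1.1"))
    flows.append((41, "198.51.100.8", 443, b"GET /../../etc/passwd HTTP/1.1"))
    return flows


# Constructed signatures, far simpler than a vendor rule set.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}


def signature_alerts(flows):
    """Category 1: byte-pattern matches against known-bad signatures."""
    return [(ts, src, name)
            for ts, src, _port, payload in flows
            for name, pattern in SIGNATURES.items()
            if pattern.search(payload)]


def rate_alerts(flows, window=10, threshold=20):
    """Category 2: sources exceeding `threshold` flows in any `window`-second bucket."""
    buckets = Counter((src, ts // window) for ts, src, _port, _payload in flows)
    return sorted({src for (src, _bucket), n in buckets.items() if n > threshold})


def learn_baseline(flows):
    """Anomaly detection needs a learning phase: record the ports seen in clean traffic."""
    return {port for _ts, _src, port, _payload in flows}


def anomaly_alerts(flows, baseline_ports):
    """Category 3: sources talking to ports never seen during the learning phase.

    Returns {source_ip: number_of_novel_ports}.
    """
    novel = defaultdict(set)
    for _ts, src, port, _payload in flows:
        if port not in baseline_ports:
            novel[src].add(port)
    return {src: len(ports) for src, ports in novel.items()}


def run_ips(flows, baseline_ports, rate_threshold=20):
    """Run all three detectors and return their alerts by category."""
    return {
        "signature": signature_alerts(flows),
        "rate": rate_alerts(flows, threshold=rate_threshold),
        "anomaly": anomaly_alerts(flows, baseline_ports),
    }


if __name__ == "__main__":
    legit = build_legit_flows()
    traffic = legit + build_attack_flows()
    baseline = learn_baseline(legit)
    for category, alerts in run_ips(traffic, baseline).items():
        print(category, alerts)
    # A badly chosen rate threshold also flags the legitimate health checker:
    # this is the tuning problem that makes an IPS noisy in practice.
    untuned = run_ips(traffic, baseline, rate_threshold=5)
    print("false positive at threshold=5:", "203.0.113.50" in untuned["rate"])
```

The port sweep is caught twice (by rate and by anomaly), the two web attacks only by signatures, and lowering the rate threshold from 20 to 5 turns the monitoring host into a false positive. If the device were inline, that false positive would block the health checks, which is why the tuning effort matters as much as the purchase.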

There is also the promise of the holy grail of network defence: zero-day attack protection. I don’t really believe that any IPS truly has this capability; if it did, there would be no need for signature and rule updates. Rate and anomaly detection can catch some previously unseen attacks, but only those that look different enough from the baseline traffic, which is not the same thing as protection against zero-day exploits in general.

There are also downsides. An IPS generates a high volume of alerts, and tuning the device to reduce false positives requires skill; in inline blocking mode a false positive drops legitimate traffic, so a tuning mistake affects availability as well as security. Staff time is needed to review logs and react to alerts. And the devices themselves are expensive to buy.

What other defences are already in place? In this particular instance the network architecture includes redundancy, well-configured devices and a well-designed architecture. An IPS would be an additional layer of defence on an already well-defended network. So it comes down to how comfortable the business feels without the control. There may be other factors to take into account, such as future strategic plans or issues of credibility specific to the business, that might not usually figure in the risk analysis. Clearly, this is a much more complex issue than it might first appear.

The answer must come from the business once armed with the right information.


I think you have answered your own question and one that applies to all forms of technology. Is the investment likely to lead to any tangible benefit that can justify the cost? If the answer is yes then to use your term - it is a no brainer. Perhaps a better question to try to answer might be what do we mean by Intrusion? When the network is quiet it doesn't really matter unless it is also carrying a malicious payload, but then we probably have an AV system and Firewall in place to deal with the nasties. The problem comes when the network is busy and expensive bandwidth and processing resources needed for critical tasks are being consumed by non-essential (malicious or otherwise) traffic. What is needed then is a system that can dynamically distinguish between what is important and what is not, which in my experience is not a feature that IPS solutions typically include and where the Webscreen WS appliance comes into its own. In this scenario the system becomes a business enabler rather than just a security/prevention technology; guaranteeing availability and QoS as a performance and productivity enhancer, which is a much easier pill to swallow for the C-level team.
Stephen - one of the difficulties is proving "tangible benefit." Traditional ROI models simply aren't applicable so it's down to making subjective risk assessments. In fact we have chosen to get the device but it's not because we can prove the benefits. The best we can do is suggest that, given the assessed risks, the possible event costs, and the affinity of the control against those risks (in association with the other controls) that we should buy the device. Good plug for Webscreen - I'll have a closer look when I get a chance.
Why not consider using a managed intrusion detection service? You get the benefit without a lot of the upfront costs. Just a thought.
I agree that it is not easy to establish ROI unless the device is deployed to deal with a very specific financial problem. This happens often in a DDoS situation where an e-commerce based company can do a direct before and after comparison of their revenue take. When a company is losing real money it seems to bring the investment rationale into sharp focus. (Thanks for the plug for my plug!)