
May 30, 2006

Are signature and behavior based IPS on a collision course?

Charlotte Dunlap, an analyst with Current Analysis, recently had an article in SearchSecurity on more security consolidation on the horizon. While no one, I think, would argue with that, the real basis of Charlotte's article is that behavior based IPS (à la Lancope, Arbor, etc.) have never really caught on (I think some of the behavior based companies would argue that). Charlotte thinks that with the increased pressure on traditional IPS to continue to remain fresh, there is a natural M&A fit between these different types of IPS to make for a more powerful IPS. Sounds good, but I disagree!

The battle lines between signature based IPS and behavior based IPS were drawn up two years ago or more. By now, many of the better signature based IPS have incorporated some behavior and protocol anomaly based technology into their products, to offer a blended detection capability. Many of these detection engines are so different between the signature and behavior based systems, and their placement in the networks so different, that you can't just lump them together and get a 1+1=2, let alone a 1+1=3 equation.

I think Charlotte misses the real opportunity in both signature and behavior based IPS: namely, post-admission NAC capability. Many of the post-admission NAC products out today have their roots in behavior based IPS and vulnerability management. While I don't think this "technology in search of a solution" is the best way to solve the NAC puzzle, it does offer a piece of the puzzle. I think more and more you will see the behavior-based solutions positioning themselves more and more as post-admission NAC solutions.

In order to make behavior and signature based IPS work together, you are going to need a multi-sensor, multi-node IPS. All of the disparate sensing technologies will have to report into a central manager that will either block traffic, quarantine devices or take some other active or passive action. Frankly, this is just where we at StillSecure have been working with the integration of our IPS, Strata Guard, with our NAC solution, Safe Access.

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
