This month we are looking at two groups that, at first blush, don't look as if they belong together. However, the idea of managing intrusions is a complicated one that it would be good to simplify if we can. If we think of intrusion management in four (or, sometimes, five) layers we have avoidance, assurance, detection and investigation. Investigation sometimes is subdivided into investigation and recovery. Our two groups this month fall directly into this framework.
Our IDS/IPS group addresses detection and avoidance while vulnerability analysis addresses assurance. So, put simply, IPS is a mechanism for avoiding the consequences of an intrusion, IDS addresses detecting attempts at intrusion, and vulnerability assessment (VA) is what we do to ensure that these other two aspects of the framework are functioning properly.
All of these tools can help us in our investigation and recovery as well. Vulnerability and penetration testing can tell us where weaknesses exist in our enterprise. That would, logically, be the starting point for any intrusion investigation. They also tell us how to remediate. In fact, many of today's vulnerability assessment tools are morphing toward vulnerability management and that is the epitome of the vulnerability aspects of intrusion management.
That thought takes us into the realm of automation of vulnerability assessment. There have been automated VA tools for years. Some of these are tools that one can purchase and some are services. When we talk about vulnerability management, though, we are not talking about these automated tools alone. Managing vulnerabilities is more complicated than just detecting them. Managing vulnerabilities demands that we take some action to remediate the security hole and then test again to ensure that we really did fix the problem.
In the areas of IDS and IPS, we have a similar type of situation. The IDS identifies breach attempts and notifies us. The IPS takes action to fend off the attempt. In both cases – IPS and vulnerability management – the system must be smart enough to know what to do, do it, and then make sure that its actions really did address the issue – whether it be a vulnerability discovered or an attack repulsed.
That brings us to some important questions: Whither the product type? Will the IDS become obsolete, trampled underfoot by the IPS? Will the traditional VA and pen test tools succumb to vulnerability management? The answers this time are somewhat different.
While I doubt that the IDS, as a notify-only tool, has much life left in it, I see no end in sight for traditional vulnerability and penetration testing tools. The reason is simple: response. The IDS, plus human response, is way too slow for today's attacks and nowhere near discriminating enough for subtle attacks that are becoming the rule rather than the exception. An automated system, properly tuned, is going to become – if it hasn't already – the only sane approach to the problem.Not so with VA and pen test tools. What we are most likely to see is VA tools morphing into a combination of vulnerability and penetration testing. There already has been some of that and, in fact, some moves in the other direction as well: pen test tools embracing VA. Sophisticated analysis of exploitable vulnerabilities will always, in my view, require human ingenuity and intervention. Vulnerability management is a necessary function in today's enterprises, just as the IPS is. But unlike the IPS, vulnerability management can't carry the whole load by itself. Yet. – Peter Stephenson, technology editor