Intrusion Prevention Systems: Definition, Types, IDS vs IPS

SecurityTrails Blog - A podcast by SecurityTrails


Every organization with a cybersecurity strategy has the goal of stopping cyber threats before they become real attacks and cause damage. Because of this, most cybersecurity strategies have turned to more proactive approaches rather than relying only on reactive security measures. Vulnerability assessment, the use of cyber intelligence feeds, attack surface management and other processes are all used to prevent threats from becoming security breaches. Organizations have also turned to solutions that detect and prevent cyberattacks by monitoring early indicators of attack in network traffic. After all, nearly all types of cyber threats use network communications as part of the attack.

The concept of monitoring network traffic to detect anomalous activity has been around for decades, with intrusion detection systems (IDS) being the go-to solution for this purpose. As networks and their threats advanced, so did the need for a solution that combines detection with threat response. The technology that resulted is the intrusion prevention system.

What are intrusion prevention systems (IPS)?

If we go back to the analogy of an IDS being a security system in your house, then an IPS would be the security guard who can actively put a halt to incoming threats. While the security system is important in that it can alert the guard to a potential threat, it can't take any action against it.

An intrusion prevention system (IPS) is a network security solution that continuously monitors the traffic going in and out of an organization's network. It looks for potentially malicious activity and takes action against it by alerting on it, stopping it or dropping it so that it cannot continue. Since exploits can be executed very quickly after a malicious actor gains initial access to a network, intrusion prevention systems carry out an automated response to a suspected threat, based on pre-established rules.
IPS is used as one of the measures in an incident response plan, and in terms of technology, organizations use IPS to identify insider threats that can result in internal security policy issues or compliance violations. IPS solutions shine the most, though, when it comes to preventing external cyber threats. Some of the most common network threats an IPS is designed to prevent are:

- DDoS attacks
- Computer viruses
- Brute force attacks
- Zero-day exploits
- Buffer overflow attacks
- ARP spoofing

IPS has become one of the founding blocks of many organizations' security strategies and infrastructures.

Evolution of IPS

In the early days of IPS technology, few organizations used it, owing to several concerns. An IPS sat inline between an organization's network and the internet, and because early IPS systems relied on a signature database against which they matched observed network traffic, the process had the potential to actually slow down network traffic, which certainly isn't ideal. Additionally, there were concerns over an IPS blocking potentially harmless traffic; at that time, an IPS would immediately block anomalous traffic whenever it was detected. Organizations then ran the risk of blocking traffic from actual prospects (also not ideal).

Advancements in IPS, which led to what is commonly referred to as next-generation IPS, helped close these gaps in functionality with faster deep packet inspection, machine learning for detection, and sandboxing and/or emulation capabilities. Today, we commonly see IPS as part of next-generation firewalls (NGFW). This gives the IPS more advanced abilities to take action and block malicious traffic and malware, and to reconfigure the firewall itself to block future traffic of the same kind.

How does an intrusion prevention system work?
The main goal of intrusion prevention systems is to quickly identify suspicious activity, log relevant information and attempt to block that activity while reporting it to the security team. IPS stands on the perimeter of the network and provides active scanning ...
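As an added illustration (not code from the SecurityTrails post), the toy inline sensor below shows the IDS-versus-IPS distinction described above: the same pre-established rules, a byte signature and an attempt threshold, produce an alert in IDS mode and a drop in IPS mode, and the benign document in the constructed sample shows the false-positive risk of dropping traffic inline. Rule names, thresholds, ports and addresses are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

# Pre-established rules (constructed for this example, not a real signature set):
# byte signatures matched against the payload, plus a threshold rule that flags
# repeated connection attempts to one service from a single source.
SIGNATURES = {"nop-sled-like byte run": b"\x90" * 8, "sql-injection fragment": b"' OR 1=1"}
AUTH_PORT, ATTEMPT_THRESHOLD = 22, 5

@dataclass
class Sensor:
    mode: str  # "ids": alert only, traffic still flows; "ips": inline, alert and drop
    log: list = field(default_factory=list)
    attempts: dict = field(default_factory=lambda: defaultdict(int))

    def inspect(self, pkt: Packet) -> str:
        # Verdict for one packet: "forward", "alert" (IDS) or "drop" (IPS).
        reasons = [name for name, sig in SIGNATURES.items() if sig in pkt.payload]
        if pkt.dst_port == AUTH_PORT:
            self.attempts[pkt.src] += 1
            if self.attempts[pkt.src] > ATTEMPT_THRESHOLD:
                reasons.append("attempt threshold exceeded")
        if not reasons:
            return "forward"
        verdict = "drop" if self.mode == "ips" else "alert"
        self.log.append((pkt.src, pkt.dst_port, verdict, reasons))  # record for the SOC
        return verdict

def run(mode: str, packets: list) -> dict:
    # Run one sensor over the traffic and count verdicts.
    sensor = Sensor(mode)
    counts = defaultdict(int)
    for pkt in packets:
        counts[sensor.inspect(pkt)] += 1
    return dict(counts)

# Constructed sample traffic: six login attempts from one host, one request with a
# signature hit, and one benign document that contains the same bytes (the
# false-positive case the text describes: an inline IPS drops it too).
SAMPLE = [Packet("10.0.0.5", 22, b"login") for _ in range(6)] + [
    Packet("10.0.0.9", 80, b"GET /?q=' OR 1=1"),
    Packet("10.0.0.7", 80, b"training note: never write ' OR 1=1 in code"),
]
```

Running `run("ids", SAMPLE)` and `run("ips", SAMPLE)` gives the same three flagged packets, but only the IPS mode actually stops them, including the benign document.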
