ZSCALER INTRUSION PREVENTION

Advanced Threat Detection Methods

Signature-based detection (IPS)

An IPS primarily detects malicious traffic based on signatures. Signatures are a set of patterns that identify a vulnerability being triggered or an exploit being used. Signatures represent elements of a vulnerability or malware that must be present in an attack seen on the network. Signatures must be specific enough to avoid triggering false positives, in which legitimate traffic is incorrectly identified as malicious. But signatures must also be broad enough to stop variants of a known attack, to ensure that a real attack does not get through.

Network traffic is parsed and pre-processed in order to make signature-based detection more efficient and more accurate. With HTTP traffic, for example, signatures can be applied to specific headers, to decoded content, to the request, or to the server response. The IPS vendor must monitor and research known vulnerabilities and exploits in order to write new signatures. Typical IPS vendors update their signature database daily.

Anomaly detection (IPS)

As Intrusion Prevention Systems have become more widely used, attackers have found ways to evade signature-based detection. If the attacker can break the traffic pre-processing by generating traffic that the IPS parses incorrectly but that the target handles correctly, the signatures are applied to the wrong part of the network traffic and may not trigger an action by the IPS. Common evasion techniques include encoding the URL multiple times, using unusual white space to separate HTTP headers, or using unusual encoding techniques (7-bit ASCII). IPS technology detects such anomalies in order to defeat these evasion techniques. Anomalous traffic can then be flagged and blocked inline.

Behavior Analysis (Sandboxing)

While an IPS can provide a strong defense against inbound threats, attackers have found ways to circumvent its detection.
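The signature-based and anomaly-detection checks described in the two sections above, as an added example written for this page (it is not Zscaler's code and does not describe the inner workings of its product): a small Python inspector that parses a raw HTTP request, percent-decodes the path repeatedly and flags multiple encoding, flags whitespace around header names, control characters in header values and bare-LF line terminators, and only then applies field-specific signatures to the decoded request. The sample requests, signature names and patterns below are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed signature table: (name, field to inspect, pattern). Each pattern
# targets one part of the *decoded* request, the way an IPS applies signatures
# to specific headers or decoded content rather than to raw bytes.
SIGNATURES = [
    ("path-traversal", "path", re.compile(r"(?:^|/)\.\.(?:/|$)")),
    ("sensitive-file-read", "path", re.compile(r"/etc/(?:passwd|shadow)\b")),
    ("script-tag-in-referer", "header:referer", re.compile(r"<script\b", re.I)),
]

MAX_DECODE_ROUNDS = 5  # bound on repeated percent-decoding


@dataclass
class Inspection:
    method: str = ""
    path: str = ""                                  # fully percent-decoded path
    headers: dict = field(default_factory=dict)     # lower-cased name -> value
    anomalies: list = field(default_factory=list)   # pre-processing findings
    signatures: list = field(default_factory=list)  # matched signature names

    @property
    def verdict(self) -> str:
        # Either a signature hit or a parsing anomaly is enough to block inline.
        return "block" if (self.signatures or self.anomalies) else "allow"


def decode_target(target: str, anomalies: list) -> str:
    """Percent-decode until stable; needing more than one round means the
    URL was encoded multiple times, a classic pre-processor evasion."""
    decoded, rounds = unquote(target), 1
    while rounds < MAX_DECODE_ROUNDS:
        again = unquote(decoded)
        if again == decoded:
            break
        decoded, rounds = again, rounds + 1
    if rounds > 1:
        anomalies.append(f"url-encoded {rounds} times")
    return decoded


def inspect_request(raw: bytes) -> Inspection:
    result = Inspection()
    text = raw.decode("latin-1")  # byte-preserving, never raises
    # A bare LF as line terminator is parsed differently by different servers.
    if re.search(r"(?<!\r)\n", text):
        result.anomalies.append("bare LF line terminator")
    head = re.split(r"\r\n\r\n|\n\n", text, maxsplit=1)[0]
    lines = re.split(r"\r\n|\n", head)
    parts = lines[0].split(" ")
    if len(parts) != 3:
        result.anomalies.append("malformed request line")
        return result
    result.method = parts[0]
    result.path = decode_target(parts[1].split("?", 1)[0], result.anomalies)
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            result.anomalies.append(f"header without colon: {line!r}")
            continue
        # RFC 7230 allows no whitespace between field-name and colon, and only
        # SP/HTAB around the value; anything else is unusual white space.
        if name != name.strip():
            result.anomalies.append(f"whitespace around header name {name!r}")
        if re.search(r"[\x00-\x08\x0b\x0c\x0e-\x1f]", value):
            result.anomalies.append(f"control character in header {name.strip()!r}")
        result.headers[name.strip().lower()] = value.strip()
    # Signatures run last, over the normalized request.
    for sig_name, where, pattern in SIGNATURES:
        haystack = (result.path if where == "path"
                    else result.headers.get(where[len("header:"):], ""))
        if pattern.search(haystack):
            result.signatures.append(sig_name)
    return result


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "benign": b"GET /index.html?id=1 HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n",
    "plain_traversal": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "double_encoded": b"GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "odd_whitespace": b"GET /index.html HTTP/1.1\nHost :example.test\nUser-Agent: demo\x0b\n\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = inspect_request(raw)
        print(f"{label:16} {r.verdict:5} sigs={r.signatures} anomalies={r.anomalies}")
```

The order matters: the double-encoded request only matches the traversal signatures because the path is decoded to a fixed point first, and it is additionally flagged for the extra encoding round, so an evasion attempt is blocked even if no signature had matched. The odd-whitespace request carries no malicious payload at all and is blocked purely on anomalies, which is the behaviour the section above describes.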
By weaponizing a file and constantly changing it slightly, a hacker can circumvent both signature-based and anomaly-based IPS detection. Because the file that carries the malicious payload has been slightly changed, the resulting hash of the file changes. The file hash is a mathematical computation over a known file that an IPS uses to confirm whether the file has been seen before. Behavior analysis, which is common in sandboxing technology, can perform in-depth analysis of a file’s behavior to confirm whether running that file on the target system will be malicious. While outside the scope of this paper, sandboxing is a technology you will want to layer into your defense strategy in order to plug existing security gaps.

©2018 Zscaler, Inc. All rights reserved.

Form Follows Function

While the basics of IDS/IPS functionality are widely used, the manner in which that functionality is enabled, the place where it is deployed, and the way the information is used can be very different. There are still “pure play” IDS/IPS vendors, which are typically deployed in data centers to protect servers or to protect aggregated user traffic going out to the internet. In many cases, however, IDS/IPS technology has been absorbed into other products.

Unified Threat Management Appliances

One of the first product categories to incorporate IDS/IPS functionality was Unified Threat Management (UTM), which combines firewalling, IDS/IPS functionality, and gateway antivirus into a single appliance. Gartner defines the UTM market as multifunctional network security products used by small or midsize businesses [1]. When enterprises consider how to protect remote or branch offices, UTMs are often their first thought, since a single appliance appears to be fairly affordable. Unfortunately, looks can be deceiving, and the cost of purchasing UTM devices across several branch offices can be dauntingly high.
When you add in the cost to install and deploy the appliances, ensure that policies interact with devices up and downstream, ascertain that policies are consistent across branches, handle updates and maintenance, and then correlate logs for a complete, company-wide picture, even the lowest-priced single UTM becomes exorbitant.

“Next-Generation” Appliances

IDS/IPS functionality is often discussed as a component of a Next Gen Firewall (NGFW). While the term remains somewhat nebulous, most agree that an NGFW is a device that enforces policy unilaterally and whose inspection encompasses more than just the network packet header information of “traditional” firewalls. NGFWs can be set up in front of company servers to protect against illegitimate access to company assets. They are particularly useful in the case of the data center, where inbound or internal attacks are possible. NGFW appliances can also be set up inside the LAN to protect clients and servers against internal attacks, and can be placed at egress points to protect users accessing the Internet. But because NGFW appliances must cover all ports and protocols, their deployment in branch offices is generally unnecessary and definitely too costly, since the vast majority of traffic at the branch is HTTP/HTTPS.

[1] Gartner Magic Quadrant for Unified Threat Management Devices