An intrusion prevention system (IPS) is often a vital component of a company’s cybersecurity technology. These solutions, which can be hardware- or software-based, detect suspicious and potentially malicious network activity. They then take various actions, such as alerting a company’s cybersecurity team or blocking the network access attempt or dangerous content.
A poll of IT decision makers shows that 54% considered security and data protection to be significant IT challenges. An IPS solution could help, especially if it picks up on potential threats that human experts would otherwise overlook.
However, it’s often difficult for a company’s representatives to narrow down their options and select the best product for their organization’s needs. These intrusion prevention system case studies should help them become familiar with what’s available and how it could help:
1. Omada Health
Omada Health previously handled IPS through a provider that primarily examined log files. However, according to the company’s information security leader, Bill Dougherty, that method became insufficient.
This was mainly due to the strict data-handling regulations in the healthcare sector and a lack of actionable insights. Omada Health now uses Threat Stack, a host-based solution that looks at running processes.
“A log file is only as good as what’s written to it, but the running processes give you much better insight into what is happening in the host and, from that, you can profile what’s normal versus what’s abnormal,” said Dougherty.
Dougherty also spoke highly of specific product details from Threat Stack, saying it has a “really nice technology stack for solving intrusion detection that filters down to actionable information quickly and is backed by a security operations center that I can depend on.”
He also liked the user interface, describing it as “clean and easy to understand, pushing the right information to my fingertips, so I get an actionable snapshot of where I’m at with the ability to dig down.”
Another advantage is that Threat Stack saves two to four hours for at least one security analyst daily. That’s because those professionals only get high-quality information they can trust. If a cybersecurity expert sees that the Threat Stack system has escalated a threat, they know to take it seriously.
Industry: Health care
Use case: Moving away from a network-based approach to a host-based one
Outcomes: A reduction in false positives and time spent reviewing log files
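The host-based approach described above profiles the processes actually running on a host, rather than relying on whatever happened to be written to a log file. The following is an added illustration of that idea and is not Threat Stack's or Omada Health's code: it learns a baseline of (process name, user, parent) combinations and per-name instance counts from snapshots taken while the host behaved normally, then flags processes in a later snapshot that fall outside that profile. All process snapshots are constructed sample data; on a real host they would be read from `/proc` or a library such as psutil.

```python
"""Minimal host-based process-profile check (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    user: str
    parent: str  # name of the parent process ("" for the init process)


# Constructed "known good" snapshots captured while the host behaved normally.
BASELINE_SNAPSHOTS = [
    [Proc(1, "systemd", "root", ""), Proc(410, "sshd", "root", "systemd"),
     Proc(620, "nginx", "root", "systemd"), Proc(621, "nginx", "www-data", "nginx"),
     Proc(622, "nginx", "www-data", "nginx"), Proc(800, "gunicorn", "app", "systemd")],
    [Proc(1, "systemd", "root", ""), Proc(410, "sshd", "root", "systemd"),
     Proc(620, "nginx", "root", "systemd"), Proc(621, "nginx", "www-data", "nginx"),
     Proc(800, "gunicorn", "app", "systemd"), Proc(801, "gunicorn", "app", "gunicorn")],
]

# Constructed later snapshot: a shell spawned by a web-server worker (never seen in
# the baseline) and one more gunicorn instance than the baseline ever showed.
# Neither event necessarily leaves a line in any application log.
SUSPECT_SNAPSHOT = [
    Proc(1, "systemd", "root", ""), Proc(410, "sshd", "root", "systemd"),
    Proc(620, "nginx", "root", "systemd"), Proc(621, "nginx", "www-data", "nginx"),
    Proc(900, "sh", "www-data", "nginx"),
    Proc(800, "gunicorn", "app", "systemd"), Proc(801, "gunicorn", "app", "gunicorn"),
    Proc(802, "gunicorn", "app", "gunicorn"),
]


def build_profile(snapshots):
    """Learn what 'normal' looks like.

    Returns a pair: the set of (name, user, parent) triples ever observed, and the
    highest number of simultaneous instances seen for each process name.
    """
    known = set()
    max_count = Counter()
    for snap in snapshots:
        for name, n in Counter(p.name for p in snap).items():
            max_count[name] = max(max_count[name], n)
        known.update((p.name, p.user, p.parent) for p in snap)
    return known, max_count


def find_anomalies(profile, snapshot):
    """Compare a snapshot against the profile and return a list of findings.

    A process is flagged when its (name, user, parent) combination was never seen
    during baselining, or when more copies of a known name are running than the
    baseline ever showed.  Names absent from the baseline are already reported
    per process, so the count check only covers known names.
    """
    known, max_count = profile
    findings = []
    for p in snapshot:
        if (p.name, p.user, p.parent) not in known:
            findings.append((p.pid, "unseen process/user/parent combination"))
    for name, n in Counter(p.name for p in snapshot).items():
        if name in max_count and n > max_count[name]:
            findings.append((name, f"{n} instances, baseline max {max_count[name]}"))
    return findings


if __name__ == "__main__":
    profile = build_profile(BASELINE_SNAPSHOTS)
    for item in find_anomalies(profile, SUSPECT_SNAPSHOT):
        print("ANOMALY:", item)
```

The baseline should be rebuilt whenever the host's legitimate workload changes (a deployment adds a service, a worker pool is resized), otherwise the count check produces exactly the kind of false positives the case study says the team wanted to get rid of; keying the profile on parent and user, not just on process name, is what lets an otherwise ordinary binary such as `sh` stand out when it appears under an unexpected parent.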
2. Corix
Corix previously relied on products from numerous cybersecurity providers to take care of its IT and OT (operational technology) security needs. However, Carol Vorster, the company’s chief information officer, explained why that approach no longer worked.
“It became very apparent how incredibly difficult it would be for our small team to respond to a major incident at Corix,” said Vorster. “We have a profound commitment to the people and the communities we serve.
“Preventing an attacker from exploiting plant operations to instigate an environment-harming spill or contaminate drinking water is paramount.”
Vorster continued by explaining what caused her company to choose solutions from FireEye. “We wanted a strategic partnership with a single provider that offered an end-to-end solution and a managed detection and response (MDR) service. Our team needed a more efficient way to manage alerts and analyze threats and their potential movement through the environment quickly and efficiently.”
She clarified what’s different now, saying, “Deploying FireEye was more cost-effective than paying for the eight separate, independent security products we had deployed at the time. Plus, we added a managed service component on top of the technologies, further enriching the new capabilities and visibility established across the environment and providing for full 24/7 visibility. This was important, as Corix’s operations span five time zones.”
Use case: Unifying the company’s IT and OT environments to provide better visibility and remediation capabilities
Outcomes: Saved money while streamlining security efforts and achieving a stronger security posture
3. AB Bank
Aegean Baltic Bank, more commonly known as AB Bank, is a financial institution based in Greece. Since AB Bank operates in a heavily regulated industry, decision-makers realized there was room for improvement in the organization’s intrusion prevention system. The organization’s leaders relied on a Check Point solution for help.
“AB Bank has deployed Check Point’s security solution, acknowledging the efficiency and trustworthiness of Check Point, who is one of the top vendors for cybersecurity in the market,” said Antonis Hassiotis, a senior network engineer at AB Bank. “The versatile solutions provide maximum protection against unknown threats and zero-day attacks. A full array of integrated security features allows the bank to tailor its security capabilities to its specific needs.”
Yiannis Kanonis, an information security officer at the bank, spoke of enhanced administrative efficiency. “Check Point offers centralized management to the administrators, giving them the ability to identify blocked traffic and investigate suspicious events. Its support for concurrent administration helps make our day-to-day work more efficient.”
Industry: Financial services
Use case: Helps employees access the workplace infrastructure remotely while maintaining the protection of sensitive financial information and streamlining the usage of the organization’s IT resources
Outcomes: Improved protection against advanced and zero-day cyberattacks, plus better administrative and managerial efficiency
4. The City of Bryan, Texas and Bryan Texas Utilities
Scott Smith is the chief information security officer for Bryan, Texas, as well as the city-owned Bryan Texas Utilities. For the past 10 years, he has used a Sentinel solution to keep them safe against cybersecurity threats.
“It is a wonderful fit for cities or businesses that don’t have the resources to manage a super-complex intrusion prevention system that requires a lot of care and feeding,” he said. “They do all of the security updates for you. You literally can set it and forget it.”
Smith also discussed a proprietary network-cloaking feature offered by Sentinel. It hides the city’s IP address from known threats. “If [hackers] are trying to do some sort of reconnaissance, Sentinel picks up on that and blocks them immediately. I can’t say that I know what the secret sauce is that makes network cloaking work, but what I know is that it does work.”
Smith uses one Sentinel device for the city’s network and another for the utility provider. From January to August 2018, the systems halted 2.1 million unwanted events. Moreover, Smith says the technology rarely blocks legitimate traffic, making false positives unlikely.
Industry: Local government/utilities
Use case: Managing cybersecurity needs for a local government and a city-owned utility provider, despite having limited personnel and financial resources
Outcomes: Keeping the entities well-protected on a modest budget with a user-friendly solution
5. Cisco Data Centers
One issue Cisco faced with its perimeter-based IPS was that most malicious events went undetected until they had already reached the wider world. Instead of being caught internally, these events were flagged by users or external agencies, which was not ideal. Cisco needed an IPS strategy that would let it detect and mitigate threats immediately.
“Network-based IPS enables us to detect and mitigate internal security events before users experience a secondary impact, such as a Cisco server attacking an outside server, service disruption, loss of intellectual property, or infection,” said Gavin Reid, manager of the Cisco computer security incident response team (CSIRT).
Jeff Bollinger, an IT security engineer at Cisco, also liked how the IPS allowed making adjustments to meet the network’s unique needs. He explained, “Cisco IPS is not something to set up and forget. Its value is proportionate to the time that we spend customizing it to our unique network environment. It is critical to dedicate a resource to tuning at least part time, to help ensure the data that the sensor provides is useful.”
Use case: Supplementing an existing perimeter-based IPS with a network-based one across the company’s data centers
Outcomes: Achieved visibility into security events happening inside data centers rather than just at their borders, which caused fewer service interruptions and enhanced the protection of critical information.