How HP Implemented the TippingPoint Intrusion Prevention System Across its Security Infrastructure
1. How HP Implemented the TippingPoint Intrusion
Prevention System Across its Security Infrastructure
Transcript of a BriefingsDirect podcast on how the strategy of dealing with malware is shifting
from reaction to prevention.
Listen to the podcast. Find it on iTunes. Sponsor: HP
Dana Gardner: Hello, and welcome to the next edition of the HP Discover Podcast Series. I’m
Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this
ongoing discussion of IT innovation and how it’s making an impact on people’s
lives.
Once again, we’re focusing on how IT leaders are improving the security and
availability of services to deliver better experiences and payoffs for businesses
and end users alike.
We have a fascinating show today. We’re going to be exploring the ins and outs of improving
enterprise intrusion-prevention systems (IPSs), and we will see how HP and its global cyber
security partners have made the HP Global Network more resilient and safe. We’ll will hear how
a vision for security has been effectively translated into actual implementation.
To learn more about how HP itself has created well-based and granular access control benefits
amid real-time, yet intelligent, intrusion protection, please join me in welcoming our guest.
We’re here with Jim O'Shea, Network Security Architect for HP Cyber Security Strategy and
Infrastructure Engagement. Welcome to the show, Jim.
Jim O’Shea: Hello, Dana. Thank you.
Gardner: Before we get into the nitty-gritty, what do you think are some of the major trends that
are driving the need for better intrusion prevention systems nowadays?
O’Shea: If you look at the past, it was about detection, and you had reaction technologies. We
had firewalls that blocked and looked at the port level. Then, we evolved to trying to detect
things that were malicious with intent by using intrusion detection systems (IDSs). But that was a
reactionary type thing. It was a nice approach, but we were reacting. Something happened, you
reacted, but if you knew it was bad, why did we let it in in the first place?
The evolution was the IPS, the prevention. If you know it's bad, why do you even want to see it?
Why do you want to try to react to it? Just block it. That’s the trend that we’ve been following.
2. Gardner: But we can’t just have a black-and-white situation. It’s much more gray. There are
sorts of intrusion, I suppose, that we want. We want access control, rather than just a firewall. So
is there a new thinking, a new vision, that’s been developed over the past several years about
these networks and what should or shouldn't be allowed through them?
O’Shea: You’re talking about letting the good in. Those are the evolutions and
the trends that we are all trying to strive for. Get the good traffic in. Get who you
are in. Maybe look at what you have. You can explore the health of your device.
Those are all trends that we’re all striving for now.
Gardner: I recall Jim, that there was a Ponemon Institute report about a year or so ago that
really outlined some of the issues here. Do you recall that? Were there any issues in there that
illustrate this trend towards a different type of network and a different approach to protection?
Number of attacks
O’Shea: I don’t recall the details, but the Ponemon was illustrating the vast number of attacks
and the trend toward the costs for intrusion. It was highlighting those type of trends, all of which
we’re trying to head off. But yes, those type of reports are guiding factors in taking a more
proactive, automated-type response.
Gardner: Yeah. I suppose what’s also different nowadays is that we’re not only concerned with
outside issues in terms of risk, but insider attacks. It’s being able to detect behaviors and things
that occur that data can detect. The analysis can then provide perhaps a heads-up across the
network, regardless of whether they have access or not. What are the risk issues now when we
think about insider attacks, rather than just outside penetration?
O’Shea: You’re exactly right. Are you hiring the right people? That’s a big issue. Are they being
influenced? Those are all huge issues. Big data can handle some of that and pull that in. Our
approach on intrusion prevention wasn’t to just look at what’s coming from the outside, but it
was also look at data traversing the network.
When we deployed the TippingPoint, we didn’t change our policies or profiles that we were
deploying based on whether it’s starting on the inside or is it starting on the outside. It was an
equal deployment.
An insider attack could also be somebody who walks into a facility, gains physical access, and
connects to your network. You have a whole rogue wireless-type approach in which people can
gain access and can they probe and poke around. And if it’s mal traffic from our perspective,
with the IPS, we took the approach, inside or outside, doesn’t matter, if we can detect it, if we
can be in the path, it’s a block.
Gardner: For those of our listeners who might not be familiar with the term “intrusion
prevention systems,” maybe you could illustrate and flesh that out a bit. What do we mean? What
3. are we talking about? Are these technologies? Are these processes, methodologies, or all of the
above?
O’Shea: TippingPoint technology is an appliance-based technology. It’s an inline device. We
deploy it inline. It sits in the network, and the traffic is flowing through it. It’s looking for
characteristics or reputation on the type of traffic, and reputation is a more real-time change in
the system. This network, IP address, or URL is known for malware, etc. That’s a dynamic
update, but the static updates are signature-type, and the detection of vulnerability or a specific
exploit aimed at an operating system.
So intrusion prevention is the detection of that and blocking and preventing that from completing
its communication to the end node.
Gardner: And these work in conjunction with other approaches, such as security information,
event management, and network-based anomaly detection. Is that correct? How do they work
together?
Bigger picture
O’Shea: All the events get logged into HP ArcSight to create the bigger picture. Are you
seeing these type of events occurring other places? So you have the bigger picture correlation.
Network-based anomaly detection is the ability to detect something that is occurring in the
network and it's based on an IP address or it’s based on a flow. Taking advantage of reputation
we can insert those IP addresses, detected based on flow, that are doing something anomalous.
It could be that they’re beaconing out, spreading a worm. If they look like they’re causing
concerns with a high degree of accuracy, then we can put that into the reputation and take
advantage of moving blocks.
So reputation is a self-deploying feature. You insert an IP address into it and it can self-update.
We haven’t taken the automated step yet, although that’s in the plan. Today, it’s a manual process
for us, but ideally, through application programming interfaces (APIs), we can automate all that.
It works in a lab, but we haven’t deployed it on our production that way.
Gardner: Clearly HP is a good example of a large enterprise, one of the largest in the world,
with global presence, with a lot of technology, a lot of intellectual property, and a lot to protect.
Let’s look at how you approached protecting the HP network.
What’s the vision, if you will, for HP's Global Cyber Security, when it comes to these newer
approaches? Do you have an overarching vision that then you can implement? How do we begin
to think about chunking out the problem in order to then solve it effectively?
4. O’Shea: You want to be able to detect, block, and prevent as an overarching strategy. We also
wanted to take advantage of inserting a giant filter inline on all data that’s going into the data
center. We wanted to prevent mal traffic, mal-formed traffic, malware -- any traffic with the mal
intent of reaching the data center.
So why make that an application decision to block and rely on host-level defenses, when we
have the opportunity to do it at the network? So it made the network more hygienically clean,
blocking traffic that you don’t want to see.
We wrapped it around the data center, so all traffic going into our data centers goes through that
type of filter.
Gardner: You’ve mentioned a few HP products: TippingPoint and ArcSight, for example, but
this is a larger ecosystem approach and play. Tell us a little bit about partnerships, other
technologies, and even the partnerships for implementation, not just the technology, but the
process and methodologies as well.
Key to deployment
O’Shea: That was key to our deployment, because it is an inline technology and you are going
inline in the network. You’re changing flows, where it could be mal traffic, but yet maybe a
researcher is trying to do something. So we need to have the ability to have that level of
partnership with the network team. They have to see it. They have to understand what it is. It has
to be manageable.
When we deployed it, we looked at what could go wrong and we designed around that. What
could go wrong? A device failed. So we have an N+1 type installation. If a single device fails,
we’re not down, we are not blocking traffic. We have the ability to handle the capacity of our
network, which grows, and we are growing, and so it has to be built for the now and the future. It
has to be manageable.
It has to be able to be understood by “first responders,” the people that get called first. Everybody
blames the network first, and then it's the application afterwards. So the network team gets pulled
in on many calls, at all types of hours, and they have to be able to get that view.
That was key to get them broad-based training, so that the technology was there. Get a process
integrated into how you’re going to handle updates and how you’re going to add beyond what
TippingPoint recommended. TippingPoint makes a recommendation on profiles and new
settings. If we take that, do we want to add other things? So we have to have a global cybersecurity view and a global cyber-security input and have that all vetted.
The application team had to be onboard and aware, so that everybody understands. Finally,
because we were going into a very large installed network that was handling a lot of different
types of traffic, we brought in TippingPoint Professional Services and had everything looked at,
5. relooked at, and signed off on, so that what we’re doing is a best practice. We looked at it from
multiple angles and took a lot of things into consideration.
Gardner: Now, we have different groups of people that need to work in concert to a larger
degree than in the past. We have application folks, network folks, outside service providers, and
network providers. It seems that we are asking for a complete view of security, which means
people need to be coordinated and cooperative in ways that they hadn’t had to be before.
Is there something about TippingPoint and ArcSight that provides data, views, and analytics in
such a way that it's easier for these groups to work together in ways that they hadn’t before? We
know that they have to work together, but is there something about the technology that helps
them work together, or gives them common views or inputs that grease the skids to
collaboration?
O’Shea: One of the nice things about the way the TippingPoint events occur is that you have a
choice. You can send them from an individual IPS units themselves or you can proxy them from
the management console. Again, the ability to manage was critical to us, so we chose to do it
from the console.
We proxy the events. That gives us the ability to have multiple ArcSight instances and also to
evolve. ArcSight evolves. When they’re changing, evolving, and growing, and they want to bring
up a new collector, we’re able to send very rapidly to the new collector.
ArcSight pulls in firewall logs. You can get proxy events and events from antivirus. You can pull
in that whole view and get a bigger picture at the ArcSight console. The TippingPoint view is of
what’s happening from the inline TippingPoint and what's traversing it. Then, the ArcSight view
adds a lot of depth to that.
Very flexible
So it gives a very broad picture, but from the TippingPoint view, we’re very flexible and able to
add and stay in step with ArcSight growth quickly. It's kind of a concert. That includes sending
events on different ports. You’re not restricted to one port. If you want to create a secure port or a
unique port for your events to go on to ArcSight, you have that ability.
Gardner: We’ve heard, of course, how important real-time reaction is, and even gaining insights
to be able to anticipate and be proactive. What is it that you learned through this process that
allowed you to make that latency reduced or eliminated so that the amount of time that things go
on is cut. I’ve heard that a lot of times you can't prevent intrusion, but you can prevent the
damage of intrusion. So how does it work in terms of this low latency time element?
O’Shea: With TippingPoint, you get to see when an exploit is triggered, TippingPoint has a
concept of Zero Days and it has a concept of Reputation. Reputation is an ongoing change, and
6. Zero Day is a deployment of a profile. Think of Reputation as a constant updating of signatures
as sites change and how the industry is recognizing them. So that gives you an ability to have a
view of a site that people frequented and may now be compromised. You have that ability to see
that because the Reputation of the site changed.
With TippingPoint being a block technology, you have the low latency. The latency is being
detected and blocked, but now, when you pull it back into ArcSight, you have the ability to see a
holistic view. We’re seeing these events or something that looks similar. The network-based
anomaly detection is reporting some strange things happening, or you have some antivirus things
that are reporting.
That’s a different type of reaction. You can react and deploy and say that you want to take action
against whatever it is you are seeing. Maybe you need to put up a new firewall block to alleviate
something.
Or on the other hand, if TippingPoint is not seeing it, maybe you have the opportunity to activate
this new signature more rapidly and deploy new profile. This is something new, and you can take
action right away.
Gardner: Jim, let's talk a bit about what you get when you do this correctly. So using HP’s
example, what were some of the paybacks, both in technical terms, maybe metrics of success
technically, but then also business results? What happens when you can deploy these systems,
develop those partnerships, and get cooperation? How can we measure what we have done here?
O’Shea: One of the things that we did wrong in our deployment is that we didn’t have a baseline
of what is mal or what is bad. So, as it was a moving deployment, we don’t have hard and fast
metrics of a before and after view. But again, you don’t know what's bad until you start trying to
detect it. It might not have been for us to even take that type of view.
We deployed TippingPoint. After the deployment we’ve had some DoS attacks against us, and
they have been blocked and deflected. We’ve had some other events that we have been able to
block and defend rapidly.
If you think back historically of how we dealt with them, those were kind of a Whac-A-Moletype of defenses. Something happened, and you reacted. So I guess the metric would be that
we’re not as reactionary, but do we have hard metrics to prove that? I don’t have those.
How much volume?
Gardner: We can appreciate the scale of what the systems are capable of. Do we have a
number of events detected or that sort of thing, blocks per month, any sense of how much
volume we can handle?
7. O’Shea: We took a month’s sample. I’m trying to recall the exact number, but it was 100 million
events in one month that were detected as mal events. That’s including Internet-facing events.
That’s why the volume is high, but it was 100 million events that were automatically blocked and
that were flagged as mal events.
Gardner: How do you now take this out to the market? Is there a cyber-security platform? Do
you have a services component? You’ve done this internally, but how do you take this out to the
market, combining the products, the services, and the methodologies?
O’Shea: I’m not on the product marketing side, but TippingPoint has learned from us and we’ve
partnered with them. We’re constantly sharing back with them. So the give-back to TippingPoint,
as a product division, is that they can see real traffic, in a real high-volume network, and they can
pretest their signatures.
There are active lighthouse-type installs, lighthouse meaning that they’re not actively blocking.
They’re just observing, and they are testing their next iteration of software and the next group of
profiles. They’re able to do that for themselves, and it's a give back that has worked. What we
receive is a better product, and what everybody else receives is a better product.
The Professional Services teams have been able to deploy in a very large network and have
worked with the requirements that a large enterprise has. That includes standard deployment,
how things are connected and what the drawings are going to look like, as well as how are you
going to cable it up.
A large enterprise has different standards than a small business would have, and that was a give
back to the Professional Services to be able to deploy it in a large enterprise. It has been a good
relationship, and there is always opportunity for improvement, but it certainly has helped.
Current trends
Gardner: Jim, looking to the future a little bit, we know that there’s going to be more and
more cloud and hybrid-cloud types of activities. We’re certainly seeing already a huge uptick in
mobile device and tablet use on corporate networks. This is also part of the bring-your-owndevice (BYOD) trend that we’re seeing.
So should we expect a higher degree of risk and more variables and complication, and what does
that portend for the use of these types of technologies going forward? How much gain do you get
by getting on the IPS bandwagon sooner rather than later?
O’Shea: BYOD is a new twist on things and it means something different to everybody, because
it's an acronym term, but let's take the view of you bringing in a product you buy.
We’re coming up to Christmas. Somebody is going to get a new device, they are going to bring
in it, they are going to try it out, and they are going to connect it to the corporate network, if they
8. can. And because they are coming from a different environment and they’re not necessarily to
corporate standards, they may bring unwanted guests into the network, in terms of malware.
Now, we have the opportunity, because we are inline, to detect and block that right away.
Because we are an integrated ecosystem, they will show up as anomalous events. ArcSight and
our cyber defense center will be able to see those events. So you get a bigger picture.
Those events can be then translated into removing that node from the network. We have that
opportunity to do that. BYOD not only brings your own device, but it also brings things you
don’t know that are going to happen, and the only way to block that is prevention and anomalous
type detection, and then try to bring it altogether in a bigger picture.
Gardner: Well, great. I’m afraid we will have to leave it there. We’ve been learning about the
modern ins and outs of improving enterprise intrusion prevention systems, and we’ve heard
about how HP itself has created more of a granular access control benefit amid real-time, yet
intelligent, intrusion protection.
I’d like to thank the supporter for this series, HP Software, and remind our audience to carry on
the dialogue through the Discover Group on LinkedIn. And of course, a big thank you to our
guest, Jim O'Shea, Network Security Architect for HP Cyber Security Strategy and Infrastructure
Engagement. Thanks so much, Jim.
O’Shea: Thank you.
Gardner: And lastly, our appreciation goes out to our global audience for joining us once again
for this HP Discover Podcast discussion.
I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of
HP Sponsored Business Success Stories. Thanks again for listening, and come back next time.
Listen to the podcast. Find it on iTunes. Sponsor: HP
Transcript of a BriefingsDirect podcast on how the strategy of dealing with malware is shifting
from reaction to prevention. Copyright Interarbor Solutions, LLC, 2005-2014. All rights
reserved.
You may also be interested in:
•
•
•
•
Healthcare Turns to Big Data Analytics Platform to Gain Insight and Awareness for
Improved Patient Outcomes
In remaking itself, HP delivers the IT means for struggling enterprises to remake
themselves
Service virtualization solves bottlenecks amid complex billing process for German telco
Cardlytics on HP Vertica Powers Millions of Swiftly Tailored Marketing Offers to Bank
Card Consumers
9. •
•
•
•
•
•
•
Efficient big data capabilities help Cerner drive needed improvements into healthcare
outcomes
Learn how Visible Measures tracks an expanding universe of video and viewer use big
data
Using Vertica, Empirix delivers complex carrier network performance data
With big data, the DNC turns politics into political science
Need for quality and speed powers Sentara's applications modernization journey
Big data changes the customer analysis game for Yammer, Spil Games, Jobrapido
Application development efficiencies drive Agile payoffs for healthcare tech provider
TriZetto