Who Keeps Your IPS Up To Date?

August 21, 2012 - 1 Comment

The realm of network security encompasses many perspectives and interests, as is evident from the wealth of articles across the media and the range of proactive protection measures available. One technology recognized as integral to securing a network is the Intrusion Prevention System (IPS), which is used to detect and prevent suspected malicious network traffic or behavior. However, an IPS is not a ‘set-it-and-forget-it’ type of solution. This is because it depends on current Cisco IPS signatures, which are the lifeblood of the IPS and are essential for it to identify and block attacks against specific vulnerabilities or certain types of threats. Because new threats and vulnerabilities are constantly being discovered, the IPS signature database on an IPS-capable device needs to be kept current to maximize the level of protection that it can provide.

If you already use Cisco IPS technology, then you might already be familiar with how crucial it is to use the most current IPS signatures; otherwise, the IPS solution cannot provide optimal protection against new threats and attacks. Cisco IPS owners with a Cisco IPS Services License understand this and can receive signature updates as they become available. Signature updates can be installed manually, or downloaded and installed automatically using native Cisco IPS capabilities or management tools such as Cisco Security Manager. For those inclined to write their own signatures, Cisco has published documentation on how to write custom signatures for the IPS.

And while the signatures are the “lifeblood” of the IPS and keeping them current is paramount, it is just as important to keep the underlying operating system on the sensor up to date. The underlying operating system and engines decompose and analyze the traffic as it passes through the device; protocol decoding, features, and evasion resistance are all handled here. The engines run without a signature set, but they cannot alert, because the signatures provide the matching framework that causes an alert to fire. Conversely, the signatures do nothing without the engines. Each requires the other to function, so keeping both current is important.

So who at Cisco is responsible for developing the IPS signatures that you update your IPS with? Security Intelligence Operations has a full-time, highly trained team of IPS Signature Developers dedicated to this work. For Cisco IPS signature service customers, it is like having their own virtual cyber threat defense team. This team investigates new threats as they are discovered, creates signatures for them, and publishes those signatures, thereby maximizing the efficacy of the IPS. To give you an idea of the effort involved in creating an IPS signature, the signature development lifecycle follows these steps:

  • Research the vulnerability
  • Develop the signature
  • Test the signature
  • Package and release the signature

It might be easy to take for granted a service whose delivery standards are this high, but you might find it interesting to get to know the role of the Cisco Signature Developer team and gain a deeper appreciation of how they operate at Cisco. As a continuation of my previous series of ‘day in the life’ blog articles on security roles at Cisco, the following section is taken from an interview that I conducted with the goal of providing a closer look into a day in the life of a Cisco IPS Signature Developer, and of helping those of you considering this type of career in the information security field.

What range of background does an IPS Signature Developer role have?

In general, most people have a computer science degree or programming background, since you need to understand how software works. That background is needed 100% of the time in order to be successful. In addition, being able to understand from a holistic perspective and relating to how the data travels and ends up at its destination is essential as an IPS Signature Developer needs the aptitude to analyze a problem and figure out its solution.

What does an IPS Signature Developer do to come up to speed?

You must have a strong grasp of the technologies we have and use, understanding the strengths and limitations of what you can and cannot do with the software, hardware and internal development tools. You are normally paired up with a senior developer to come up to speed. A good deal of ramping up activities in this role are on-the-job experience and training. This activity covers learning how to recognize and catch an attempted exploit of a vulnerability that can be made more pervasive over a network and being able to take the next step of consistently detecting that type of malicious activity.

What do you like most about your role? (i.e. Why would you want to do this)?

The responsibilities that come with this role are very challenging. There are a variety of areas we cover (i.e. operating systems, protocols, applications, etc.) and it is always changing which tends to keep you on your toes. Therefore, you get the opportunity to gain a deeper understanding of a broad range of associated technologies (web, e-mail, telephony etc.).

Can you share some insights on what your day-to-day core activities involve?

There is a lot of reading and scouring of the news lists such as MITRE’s CVE feeds and other publicly disclosed vulnerabilities (similar to those provided by the IntelliShield Security Analysts). Then after digesting all of this information, you get to go try to break stuff (i.e. an application). Sometimes a proof of concept exists and works. Sometimes they kind of work and need fixing. Other times you write your own proof of concept code to exploit the vulnerability.

How does your day usually begin?

We review and research intelligence feeds (i.e. Internet Storm Center). As appropriate, we continue projects from the previous day. You need to be self-driven and self-directed to do that on your own (from research to solution and ultimately on to testing and integration). In other words, you have to learn and want to learn and dig up information in order to perform your job.

What is a key aspect (i.e. qualitative or quantitative) of being successful?

You need to be able to do multiple things at the same time, jump back to correct things, desire to do things outside of your comfort zone, be hungry to learn new things (curiosity) and have initiative. You should also be comfortable working in non-structured situations, being autonomous and taking responsibility to own a problem end-to-end.

Are there any other aspects of your job that are especially essential as you work with your team members or others that depend on your work?

Everyone has their own style of carrying out their responsibilities. You need to understand how they work, including both their strengths and weaknesses. For example, you need to ensure that you have done your due diligence, which enables you to structure your interactions with peers and creatively collaborate with a diverse group of experts.

What else can you recommend to others regarding optimizing their practices based on your experience?

Do not be afraid to tell people you do not know something and ask questions. You absolutely cannot keep yourself isolated. You have to be willing to put the time in and do due diligence so you can ask better questions to interact with your peers. Do not expect people to do your work for you and at least be considerate of people’s time by doing your research in advance before asking for help. You really need to self-motivate yourself and put in the legwork. You will be more respected for it.

What do you like to do for fun when you are not a practicing IPS Signature Developer?

I take a break from anything to do with the job or technology. I enjoy photography as well as anything else removed from the security rat race, such as running, shooting and spending time with family. This allows me to cut the cord and detach from the office.

Meanwhile, I encourage you to check out the wealth of information and resources available at SIO, as well as the related security blog articles covering several other behind-the-scenes roles dedicated to delivering early-warning intelligence, threat and vulnerability analysis, and proven Cisco mitigation solutions to help protect networks. I welcome your questions, suggestions and comments on this or any other product security role at Cisco.

  1. It’s very important to harden and properly patch the OS, as well as keeping the IPS signatures current.