Tomorrow evening I will be moving an IPS 4240 appliance to the new version 7.0.1. Global Correlation seems like a huge benefit as long as it does not produce a swarm of false positives.
Will there still be a need to implement signature updates on the IPS once we are on the new 7.0.1?
Global Correlation is not a replacement for traditional signature analysis, and is instead just an enhancement to it.
There are 2 aspects to Global Correlation.
The first is what we internally refer to as Reputation. IP Addresses known to be origins of attacks receive a negative Reputation Score.
When a signature is triggered, the source of the signature is compared against the Reputation database. If that source address has a negative reputation score then the Risk Rating for that alert is increased. With the increased Risk the sensor may make a decision to go ahead and Deny that traffic.
BUT because it is all based on that initial triggering of the signature, this means that you still need to keep your signatures up to date.
The second part of Global Correlation is the Reputation Filter.
With the Reputation Filter the worst offending IP Addresses from the Internet are placed into a special list.
The worst offending IP Addresses are automatically filtered at the sensor without the need for a signature to ever be triggered. These packets are Denied by the sensor during early processing, and this works in a similar manner to the Deny Attacker Inline event action.
So the Reputation Filter does Not need signatures in order to work properly and Deny traffic. However, the Reputation Filter is only for the worst known IP Addresses, and only a small subset of attackers wind up in the Reputation Filter list.
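To make the two stages concrete, here is an added toy model (not Cisco's code) of the pipeline the answer describes: the Reputation Filter denies the worst offenders before any signature runs, while a negative Reputation score only raises the Risk Rating of an alert that a signature has already produced, so a bad-reputation host that trips no signature is never acted on. The IP addresses, reputation scores, the risk boost (3 points per negative reputation point) and the deny threshold of 90 are constructed assumptions.

```python
"""Simplified model of the two Global Correlation mechanisms (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed reputation database: source IP -> score (negative = known attacker).
REPUTATION_DB = {
    "198.51.100.7": -7.5,   # known attack origin, but NOT in the filter list
    "203.0.113.9": -9.8,    # worst offender, also in the Reputation Filter
}
# Constructed Reputation Filter list: only the very worst offenders.
REPUTATION_FILTER = {"203.0.113.9"}

DENY_THRESHOLD = 90   # assumed: Risk Rating at/above this is denied
RISK_PER_POINT = 3    # assumed boost per negative reputation point


@dataclass
class Packet:
    src: str
    signature_hit: Optional[str] = None   # signature ID if one fired, else None
    base_risk: int = 0                    # Risk Rating the signature assigned


def reputation_filter(pkt: Packet) -> Optional[str]:
    """Stage 1: deny the worst offenders during early processing,
    before any signature is evaluated (like Deny Attacker Inline)."""
    return "deny" if pkt.src in REPUTATION_FILTER else None


def correlate(pkt: Packet) -> str:
    """Stage 2: reputation is consulted only for a triggered signature."""
    if pkt.signature_hit is None:
        return "allow"                     # no signature, no reputation lookup
    risk = pkt.base_risk
    score = REPUTATION_DB.get(pkt.src, 0.0)
    if score < 0:
        risk += int(-score * RISK_PER_POINT)   # negative reputation raises Risk
    return "deny" if risk >= DENY_THRESHOLD else "alert"


def process(pkt: Packet) -> str:
    """Run a packet through both stages; the filter short-circuits."""
    return reputation_filter(pkt) or correlate(pkt)


if __name__ == "__main__":
    print(process(Packet("203.0.113.9")))                    # deny (filter list)
    print(process(Packet("198.51.100.7")))                   # allow (no signature)
    print(process(Packet("198.51.100.7", "sig-1234", 70)))   # deny (70 + 22 >= 90)
    print(process(Packet("192.0.2.1", "sig-1234", 70)))      # alert (no reputation)
```

The third and fourth cases use the same signature and base risk; only the source's reputation turns an alert into a deny, which is why the signature set must stay current for Reputation to add anything.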