Evaluating intrusion detection and prevention systems and vendors
Intrusion detection and prevention system offerings are effective at stopping many of today's attacks, both at the network perimeter and on internal network segments. These extra sets of eyes lead to a reduction in data loss and related collateral damage to the organization, both in money and in reputation.
However, these sensors are only effective if there is sufficient staffing and training to act on what they report. For organizations that lack those resources, managed security services can provide trained analysts able to recognize network-based attacks. Organizations should realize that some level of intrusion detection and prevention system (IDS/IPS) training is required to interpret and act on reported events.
The business benefits of using IDS/IPS technologies fall in several categories, such as identifying the number and type of security incidents; preventing security events from becoming security incidents; protecting vulnerable assets; improving the ability to identify network devices, their operating systems and software; and using acquired information to meet various regulatory requirements.
Let's explore each category in depth.
Identifying security incidents
While the logs from a firewall show you the IP addresses and ports used between two hosts, IDS/IPS technologies not only show those, but also can be tuned to specific content in network packets. For instance, they can identify compromised endpoint devices as they report to botnet controllers and can identify distributed denial-of-service attacks. Modern IDS/IPS sensors can help you quantify the number and types of attacks your organization is facing and thus help it alter existing security controls or employ new ones, address host and network device configuration problems and identify software bugs. The metrics gained can be used in ongoing risk assessments.
Security incident prevention
IDS/IPS technology can both report on security incidents and prevent them from occurring by disrupting communication between attackers and targets. Modern sensors are able to take the data provided in network packets and examine it within the context of the supported protocol. For instance, HTTP protocol attacks such as cross-site scripting can be detected and blocked, as can SQL injection attacks. Additionally, IDS/IPS sensors can look for anomalous behavior -- such as unexpected outbound traffic -- and block it.
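The two sections above describe content-based detection and protocol-aware inspection. The following added example (not from the original article or any vendor's product) shows both over a constructed set of connection records: the HTTP request target is percent-decoded before signature matching, which is why a protocol-aware sensor catches encoded payloads that a raw byte match misses, and internal hosts talking outward on unexpected ports are flagged as anomalous outbound traffic. The record format, the internal address range, the two signatures and the allowed-port set are all assumptions made for the example.

```python
"""Content- and protocol-aware inspection over constructed IDS connection
records: decodes HTTP before matching (so encoded payloads do not slip past a
raw byte match) and flags unexpected outbound traffic from internal hosts."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus, urlsplit

# Constructed sample records, shaped like a sensor's normalized connection
# log; "http" holds the request line when the flow was HTTP, else None.
RECORDS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "http": None},
    {"src": "198.51.100.7", "dst": "10.0.0.20", "dport": 80,
     "http": "GET /login?user=a%27%20OR%20%271%27%3D%271 HTTP/1.1"},
    {"src": "198.51.100.8", "dst": "10.0.0.20", "dport": 80,
     "http": "GET /comment?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1"},
    {"src": "10.0.0.9", "dst": "192.0.2.44", "dport": 6667, "http": None},
    {"src": "10.0.0.9", "dst": "192.0.2.44", "dport": 6667, "http": None},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 80,
     "http": "GET /search?q=running+shoes HTTP/1.1"},
]

# Assumed internal address space for the example.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed content signatures; a real rule set is far larger and tuned.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "xss-script-tag": re.compile(r"<\s*/?\s*script\b", re.I),
}


def decode_request_target(request_line):
    """Return the percent-decoded path and query of an HTTP request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    target = urlsplit(parts[1])
    decoded = unquote_plus(target.path)
    if target.query:
        decoded += "?" + unquote_plus(target.query)
    return decoded


def match_signatures(text):
    """Names of all signatures that fire on the given text, sorted."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def inspect_records(records, protocol_aware=True):
    """Content alerts over HTTP flows. With protocol_aware=False the raw
    request line is matched as the bytes on the wire would be, which lets
    percent-encoded payloads through."""
    alerts = []
    for rec in records:
        if not rec["http"]:
            continue
        text = decode_request_target(rec["http"]) if protocol_aware else rec["http"]
        for name in match_signatures(text):
            alerts.append({"rule": name, "src": rec["src"], "dst": rec["dst"]})
    return alerts


def unexpected_outbound(records, allowed_ports=frozenset({53, 80, 443})):
    """Flag internal hosts talking to external hosts on ports outside the
    expected set; repeated hits to one destination are counted together."""
    hits = {}
    for rec in records:
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src in INTERNAL and dst not in INTERNAL and rec["dport"] not in allowed_ports:
            key = (rec["src"], rec["dst"], rec["dport"])
            hits[key] = hits.get(key, 0) + 1
    return [{"src": s, "dst": d, "dport": p, "count": n}
            for (s, d, p), n in sorted(hits.items())]


if __name__ == "__main__":
    print("raw byte match:", inspect_records(RECORDS, protocol_aware=False))
    print("protocol-aware:", inspect_records(RECORDS))
    print("unexpected outbound:", unexpected_outbound(RECORDS))
```

Run as a script, the raw match produces no alerts while the protocol-aware pass produces one SQL injection and one cross-site scripting alert for the same records; the outbound check reports the two connections from 10.0.0.9 to port 6667 as a single finding with a count, which is the shape an analyst wants when deciding whether to block.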
Protecting vulnerable assets
IDS/IPS vendors have touted the ability of their products to act as "virtual patches" for known software vulnerabilities. This allows organizations to block attacks against unpatched software until patches can be fielded, without disrupting business processes or incurring the cost of replacing systems and software. The ability to identify patch levels can also be used for automated vulnerability assessments and for gauging patch deployments.
Identifying network devices and hosts
IDS/IPS sensors can be used passively to detect the presence of network devices and hosts. Based on the data within the network packets, they can in real time -- and with a good degree of certainty -- identify operating systems and services offered by a host or network device. This helps eliminate a good deal of manual work in determining how many systems are available and their current configurations. In addition to helping automate hardware inventories, IDS/IPS sensors can be used to identify rogue devices, such as unauthorized hosts, rogue wireless access points and hot spots.
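As an added illustration of the passive inventory described above (example code written for this page, not part of the original article or any sensor product), the block below derives a host and service inventory from constructed packet observations and checks it against an authorized asset list. The operating-system guess is a deliberately small TTL-based heuristic standing in for a real fingerprint database, and the observation records, banner rules and authorized list are all constructed assumptions.

```python
"""Passive host and service inventory from constructed packet observations,
with a rogue-device check against an authorized asset list. The OS guess is
a small TTL heuristic, not a real fingerprint database."""

# Constructed observations: a sensor's view of the IP TTL seen on a flow and
# any service banner captured on it.
OBSERVATIONS = [
    {"ip": "10.0.0.20", "ttl": 63, "port": 22, "banner": "SSH-2.0-OpenSSH_8.9"},
    {"ip": "10.0.0.20", "ttl": 63, "port": 80, "banner": "Server: nginx/1.22"},
    {"ip": "10.0.0.31", "ttl": 127, "port": 445, "banner": ""},
    {"ip": "10.0.0.77", "ttl": 62, "port": 80, "banner": "Server: lighttpd"},
    {"ip": "10.0.0.200", "ttl": 254, "port": 23, "banner": ""},
]

# Constructed authorized inventory; 10.0.0.200 is recorded as Windows but the
# traffic will say otherwise, and 10.0.0.77 is not recorded at all.
AUTHORIZED = {
    "10.0.0.20": {"os": "linux/unix"},
    "10.0.0.31": {"os": "windows"},
    "10.0.0.200": {"os": "windows"},
}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    for init in (64, 128, 255):
        if observed <= init:
            return init
    return 255


def guess_os(ttl):
    """Coarse OS family from the initial TTL (heuristic only)."""
    init = initial_ttl(ttl)
    if init == 64:
        return "linux/unix"
    if init == 128:
        return "windows"
    return "network device"


def service_from_banner(port, banner):
    """Name the service from its banner, falling back to well-known ports."""
    b = banner.lower()
    if b.startswith("ssh-"):
        return "ssh"
    if b.startswith("server:"):
        return "http"
    return {23: "telnet", 445: "smb"}.get(port, f"tcp/{port}")


def build_inventory(observations):
    """ip -> {os, hops, services}; hops is the TTL decrement from the
    assumed initial value, a hint of routers or NAT between sensor and host."""
    inventory = {}
    for obs in observations:
        host = inventory.setdefault(obs["ip"], {
            "os": guess_os(obs["ttl"]),
            "hops": initial_ttl(obs["ttl"]) - obs["ttl"],
            "services": set(),
        })
        host["services"].add(service_from_banner(obs["port"], obs["banner"]))
    return inventory


def find_rogues(inventory, authorized):
    """Hosts absent from the authorized list, or whose observed OS family
    contradicts the record, as (ip, reason) pairs."""
    findings = []
    for ip, host in sorted(inventory.items()):
        if ip not in authorized:
            findings.append((ip, "not in authorized inventory"))
        elif authorized[ip]["os"] != host["os"]:
            findings.append((ip, f"OS mismatch: inventory says {authorized[ip]['os']}, "
                                 f"traffic looks like {host['os']}"))
    return findings


if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    for ip, host in sorted(inv.items()):
        print(ip, host["os"], host["hops"], sorted(host["services"]))
    for ip, reason in find_rogues(inv, AUTHORIZED):
        print("ROGUE?", ip, reason)
```

The hop count is worth keeping in the report: on a flat segment where every authorized host is one hop from the sensor, a host that shows up two hops away (10.0.0.77 here) is one sign of a device sitting behind an unapproved router or hot spot, which is exactly the rogue-device case the text mentions.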
Leveraging information gained to meet regulatory requirements
Since IDS/IPS technologies give an organization greater insight into its network and connected resources, you can more easily meet regulatory mandates. For instance, PCI DSS 1.1.6 "documentation and business justification for use of all services, protocols, and ports allowed" can be researched using reports gleaned from IDS/IPS logs.
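To make the PCI DSS 1.1.6 point concrete, the added example below (written for this page, not from the original article) turns constructed IDS connection log lines into a per-host list of observed services, protocols and ports and reconciles it with a documented-justification table: entries with a justification, entries observed but undocumented, and documented entries never seen in traffic. The key=value log format, the sample lines and the justification table are assumptions; only the parser would need adapting to a real sensor's output.

```python
"""Build a services/protocols/ports report from constructed IDS connection
log lines and reconcile it against a documented-justification table, in the
spirit of PCI DSS 1.1.6 (documentation and business justification for all
allowed services, protocols and ports)."""
import re
from collections import defaultdict

# Constructed log lines in a key=value format; real sensors differ.
LOG_LINES = """\
2024-05-01T09:12:03Z proto=tcp src=198.51.100.7 dst=10.0.0.20 dport=443 action=allow
2024-05-01T09:12:09Z proto=tcp src=198.51.100.9 dst=10.0.0.20 dport=443 action=allow
2024-05-01T09:13:41Z proto=tcp src=10.0.0.5 dst=10.0.0.20 dport=22 action=allow
2024-05-01T09:15:02Z proto=udp src=10.0.0.5 dst=10.0.0.53 dport=53 action=allow
2024-05-01T09:16:27Z proto=tcp src=203.0.113.4 dst=10.0.0.20 dport=8080 action=allow
2024-05-01T09:17:55Z proto=tcp src=203.0.113.4 dst=10.0.0.20 dport=3389 action=drop
this line is malformed and should be skipped
""".splitlines()

# Constructed justification table: (host, proto, port) -> business reason.
JUSTIFIED = {
    ("10.0.0.20", "tcp", 443): "public web front end",
    ("10.0.0.20", "tcp", 22): "admin SSH from management subnet",
    ("10.0.0.53", "udp", 53): "internal DNS resolver",
    ("10.0.0.20", "tcp", 8443): "documented but never observed",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def observed_services(lines):
    """(dst, proto, port) -> number of allowed flows. Dropped flows are left
    out because only allowed services need a business justification."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "allow":
            counts[(rec["dst"], rec["proto"], rec["dport"])] += 1
    return dict(counts)


def reconcile(observed, justified):
    """Split observed services into justified and undocumented, and list
    documented services that never appeared in traffic (stale entries)."""
    report = {"justified": [], "undocumented": [], "stale": []}
    for key, n in sorted(observed.items()):
        if key in justified:
            report["justified"].append((key, n, justified[key]))
        else:
            report["undocumented"].append((key, n))
    for key in sorted(justified):
        if key not in observed:
            report["stale"].append(key)
    return report


if __name__ == "__main__":
    rep = reconcile(observed_services(LOG_LINES), JUSTIFIED)
    for (host, proto, port), n, why in rep["justified"]:
        print(f"OK   {host} {proto}/{port} flows={n} ({why})")
    for (host, proto, port), n in rep["undocumented"]:
        print(f"???  {host} {proto}/{port} flows={n} needs justification or blocking")
    for host, proto, port in rep["stale"]:
        print(f"STALE {host} {proto}/{port} documented but not observed")
```

The undocumented list is the one an assessor will ask about; the stale list is the quieter win, since a justification for a port nobody uses is a candidate for removal from both the document and the firewall policy.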
Some improved efficiencies and attendant lower labor costs have been identified above. In addition, an organization, using its latest risk assessment, can also determine how much of a return on investment (ROI) IDS/IPS may provide if that system reduces or eliminates either (a) a denial or degradation of Internet service and/or internal network service (including the associated business ramifications of network, application or service downtime), or (b) a security breach involving the direct loss of sensitive customer data or intellectual property.
About the author:
Bill Hayes is a former oceanography student and military veteran, and a journalism school graduate. After flirting with computer game design in the 1980s, Hayes pursued a full-time career in IT support and currently works as a cybersecurity analyst for a Midwestern utility company as well as a freelance expert consultant and writer.