
When is a breach detection system better than an IDS or NGFW?

Breach detection systems are gaining steam, but when would they be more appropriate to use than an IDS or NGFW? Expert Kevin Beaver explains.

How would you describe the difference between a breach-detection system and a traditional intrusion detection/prevention system or next-generation firewall, particularly from the perspective of how each type of device interacts with network traffic? In which enterprise settings would a breach-detection system be more appropriate to leverage?

There's definitely a difference between traditional network security controls such as intrusion prevention systems or next-generation firewalls and actual breach detection. The former can provide information and insight (oftentimes too much) into what's taking place on the network, such as network scans, denial-of-service attacks and blocked intrusions. Breach detection systems go a step further and attempt to confirm that a breach has actually occurred, using techniques such as heuristics, traffic analysis and predefined security policies to correlate individual events into evidence of a compromised host rather than simply counting attempts.

The interesting thing I have found over the years is that many network admins and even executives who are privy to what's happening on the network are quick to quote how many times their network is attacked or "hacked" every single day. It's usually a number in the thousands or tens of thousands. However, this does not paint an accurate picture of actual information risk. In the end, what matters most is the actual detection and confirmation of security breaches and, of course, the prevention of such incidents.
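To make the distinction concrete, here is an added example (not code from the original article or from any breach-detection product) that contrasts the two numbers the preceding paragraphs talk about. It feeds constructed IPS events and flow records through two functions: one simply counts events the way an "attacks per day" dashboard does, and the other applies a breach-confirmation heuristic of the kind described above: an alert the IPS did not block, followed within a time window by regular beaconing to an external host or by a policy-violating volume of outbound data. All hosts, signatures, thresholds and the allowlist are assumptions for illustration.

```python
"""Added example: raw IPS alert counts versus a breach-confirmation heuristic.

All event data below is constructed for illustration; the field names,
signature names, thresholds and allowlist are assumptions, not any vendor's.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2015, 5, 1, 9, 0, 0)

# Predefined policy (assumed): approved external destinations and limits.
ALLOWED_EXTERNAL = {"192.0.2.10"}      # e.g. a sanctioned SaaS provider
EXFIL_BYTES = 100 * 1024 * 1024        # outbound bytes to one host that trip a finding
BEACON_MIN_FLOWS = 4                   # connections needed to judge regularity
BEACON_MAX_JITTER = 0.2                # stdev/mean of inter-connection gaps


def _ips_events():
    """Constructed IPS/NGFW log: thousands of noisy blocked events plus two that matter."""
    events = []
    # 4,000 blocked port-scan events from assorted Internet hosts: loud but harmless.
    for i in range(4000):
        events.append({"ts": T0 + timedelta(seconds=i), "src": f"198.51.100.{i % 200 + 1}",
                       "dst": f"10.0.0.{i % 50 + 1}", "sig": "PORT_SCAN", "action": "blocked"})
    # An exploit attempt the IPS blocked: it counts as an "attack" but carries little risk.
    events.append({"ts": T0 + timedelta(minutes=70), "src": "203.0.113.50",
                   "dst": "10.0.0.30", "sig": "HTTP_RCE_ATTEMPT", "action": "blocked"})
    # The same exploit against 10.0.0.25, only logged (signature in detect mode).
    events.append({"ts": T0 + timedelta(minutes=75), "src": "203.0.113.50",
                   "dst": "10.0.0.25", "sig": "HTTP_RCE_ATTEMPT", "action": "alert"})
    return events


def _flows():
    """Constructed outbound flow records for the internal hosts."""
    flows = []
    t_alert = T0 + timedelta(minutes=75)
    # 10.0.0.25 connects to the same external host every 60 s after the alert.
    for k in range(1, 7):
        flows.append({"ts": t_alert + timedelta(seconds=60 * k), "src": "10.0.0.25",
                      "dst": "203.0.113.7", "bytes_out": 900})
    # ...and then pushes 300 MiB to an address outside the allowlist.
    flows.append({"ts": t_alert + timedelta(minutes=20), "src": "10.0.0.25",
                  "dst": "203.0.113.9", "bytes_out": 300 * 1024 * 1024})
    # 10.0.0.30 (attack blocked) only talks to an approved host, at irregular intervals.
    for secs in (30, 400, 950, 2200):
        flows.append({"ts": T0 + timedelta(minutes=70, seconds=secs), "src": "10.0.0.30",
                      "dst": "192.0.2.10", "bytes_out": 5000})
    return flows


IPS_EVENTS = _ips_events()
FLOWS = _flows()


def attack_count(events):
    """The number a dashboard quotes: every event, blocked or not."""
    return len(events)


def _is_beaconing(flows):
    """Regularly spaced connections to one destination suggest C2 check-ins."""
    if len(flows) < BEACON_MIN_FLOWS:
        return False
    ts = sorted(f["ts"] for f in flows)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= BEACON_MAX_JITTER


def confirm_breaches(events, flows, window=timedelta(hours=1)):
    """Breach-confirmation heuristic: an unblocked alert against an internal host,
    followed within `window` by beaconing or a policy-violating transfer from it.
    Returns (victim, external_host, reason) tuples; blocked attacks never qualify."""
    findings = []
    by_host = defaultdict(list)
    for f in flows:
        by_host[f["src"]].append(f)
    for e in (e for e in events if e["action"] != "blocked"):
        victim = e["dst"]
        after = [f for f in by_host[victim] if e["ts"] <= f["ts"] <= e["ts"] + window]
        per_dst = defaultdict(list)
        for f in after:
            per_dst[f["dst"]].append(f)
        for dst, fs in per_dst.items():
            if dst in ALLOWED_EXTERNAL:
                continue
            if _is_beaconing(fs):
                findings.append((victim, dst, "beaconing after %s" % e["sig"]))
            total = sum(f["bytes_out"] for f in fs)
            if total >= EXFIL_BYTES:
                findings.append((victim, dst, "exfil %.0f MiB after %s" % (total / 2**20, e["sig"])))
    return findings


if __name__ == "__main__":
    print("attacks counted by the IPS:", attack_count(IPS_EVENTS))
    for victim, dst, why in confirm_breaches(IPS_EVENTS, FLOWS):
        print("confirmed breach:", victim, "->", dst, "(%s)" % why)
```

Run as-is, the IPS side reports 4,002 "attacks" while the heuristic yields two findings, both for 10.0.0.25, which is the only host that was hit by an unblocked exploit and then behaved differently afterwards. The blocked attempt against 10.0.0.30 and the four thousand scans contribute nothing to the breach picture, which is the point of the paragraphs above.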

It seems that breach detection is the new "cybersecurity" -- yet another vendor-born rebranding to stir up interest in the market. There's no doubting the validity of the "response is the new prevention" approach to breach detection. I'm just not convinced it's another technology we must layer on to fix our security woes, especially given how much we're overlooking the simple stuff.

When it comes to deciding where a breach detection system may be appropriate to deploy (likely in conjunction with an IPS or NGFW), I suggest:

  1. Complex IT environments, namely large enterprise businesses and government agencies; and
  2. Small and medium-sized environments where little to no security technology is in place to detect such security incidents.

In the end, the enterprise that blocks all attacks is not the one that wins, because that's an impossible feat. Instead, the enterprise that wins is the one whose technical and operational environment facilitates prompt response to security breaches and so minimizes the impact to the organization.


This was last published in May 2015
