
Using intrusion detection systems for incident prevention, improving ROI

Security expert Bill Hayes discusses the top benefits of intrusion detection systems, including identifying and preventing security incidents, protecting vulnerable assets, improving ROI and more.

Intrusion detection and prevention system offerings are effective at stopping many of today's attacks, both at the network perimeter and on internal network segments. These extra sets of eyes lead to a reduction in data loss and related collateral damage to the organization, both in money and in reputation.

However, this new light in dark places is only effective if there is sufficient staffing and training. For organizations that lack those resources, managed security services can provide trained analysts able to recognize network-based attacks. Organizations should realize that some level of intrusion detection and prevention system (IDS/IPS) training is required to interpret and act on reported events.

The business benefits of using IDS/IPS technologies fall into several categories: identifying the number and type of security incidents; preventing security events from becoming security incidents; protecting vulnerable assets; improving the ability to identify network devices, their operating systems and software; and using the acquired information to meet various regulatory requirements.

Let's explore each category in depth.

Identifying security incidents

While the logs from a firewall show you only the IP addresses and ports used between two hosts, IDS/IPS technologies show those too and can also be tuned to specific content in network packets. For instance, they can identify compromised endpoint devices as they report to botnet controllers, and they can identify distributed denial-of-service attacks. Modern IDS/IPS sensors can help you quantify the number and types of attacks your organization is facing, and thus help it adjust existing security controls or deploy new ones, address host and network device configuration problems, and identify software bugs. The metrics gained can be used in ongoing risk assessments.

Security incident prevention

IDS/IPS technology can both report on security incidents and prevent them from occurring by disrupting communication between attackers and targets. Modern sensors take the data carried in network packets and examine it within the context of the protocol in use. For instance, HTTP attacks such as cross-site scripting can be detected and blocked, as can SQL injection attacks. Additionally, IDS/IPS sensors can look for anomalous behavior -- such as unexpected outbound traffic -- and block it.
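The protocol-context point above, as an added example that is not code from the article: a minimal inspection routine (the signatures, function names and sample requests are all constructed here) decodes an HTTP request's query string before matching, next to a naive wire-level byte match that misses the same URL-encoded payloads.

```python
"""Protocol-aware inspection of an HTTP request line.

Added example; not code from the article. The signatures and sample requests
are constructed, and real sensors ship far richer rule sets.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures are applied to decoded parameter values, not to raw wire bytes.
SIGNATURES = {
    "xss": re.compile(r"<\s*script\b|javascript:|\bon(load|error|click|mouseover)\s*=",
                      re.IGNORECASE),
    "sqli": re.compile(r"\bunion\b.+\bselect\b|'\s*or\s+1\s*=\s*1|;\s*drop\s+table",
                       re.IGNORECASE),
}


def decode_http_params(request_line: str) -> dict:
    """Parse 'GET /path?a=b HTTP/1.1' into decoded query parameters.
    parse_qsl applies HTTP form decoding: %XX escapes and '+' become text."""
    _method, target, _version = request_line.split(" ", 2)
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def inspect_request(request_line: str) -> dict:
    """Protocol-aware check: decode first, then match each parameter value.
    Returns a verdict and the (parameter, signature) pairs that fired."""
    matches = []
    for name, value in decode_http_params(request_line).items():
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(value):
                matches.append((name, sig_name))
    return {"verdict": "block" if matches else "allow", "matches": matches}


def raw_bytes_match(request_line: str) -> bool:
    """Naive wire-level check with no decoding, for contrast: the same
    signatures run over the raw request line and miss encoded payloads."""
    return any(p.search(request_line) for p in SIGNATURES.values())


if __name__ == "__main__":
    encoded_xss = "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1"
    print(inspect_request(encoded_xss))  # -> verdict 'block', q matched xss
    print(raw_bytes_match(encoded_xss))  # -> False: raw bytes never contain '<'
```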

Protecting vulnerable assets

IDS/IPS vendors have touted the ability of their products to act as "virtual patches" for known software vulnerabilities. This lets an organization block attacks against a known vulnerability until a patch can be fielded, without disrupting business processes or incurring the cost of replacing systems and software in the meantime. The ability to identify patch levels can also be used for automated vulnerability assessments and for gauging patch deployments.

Identifying network devices and hosts

IDS/IPS sensors can be used passively to detect the presence of network devices and hosts. Based on the data within network packets, they can identify, in real time and with a good degree of certainty, the operating systems and services offered by a host or network device. This eliminates a good deal of the manual work in determining how many systems are present and how they are currently configured. In addition to helping automate hardware inventories, IDS/IPS sensors can be used to identify rogue devices, such as unauthorized hosts, rogue wireless access points and hot spots.

Leveraging information gained to meet regulatory requirements

Since IDS/IPS technologies give an organization greater insight into its network and connected resources, it can more easily meet regulatory mandates. For instance, PCI DSS requirement 1.1.6, "documentation and business justification for use of all services, protocols, and ports allowed," can be researched using reports gleaned from IDS/IPS logs.
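The two uses of IDS/IPS logs described in this article, quantifying the number and types of attacks for the risk assessment and researching the services and ports in use for PCI DSS 1.1.6, as one added example that is not code from the article; the CSV log format, the records and the justification table are all constructed here.

```python
"""IDS/IPS log records turned into attack metrics and a service inventory.

Added example; not code from the article. The CSV format, the records and the
justification table are constructed; classification "none" marks a plain
connection record that raised no alert.
"""
import csv
import io
from collections import Counter

SAMPLE_LOG = """\
timestamp,classification,proto,src,sport,dst,dport
2015-02-01T08:00:01,trojan-activity,tcp,10.1.4.22,51022,203.0.113.9,6667
2015-02-01T08:00:05,web-application-attack,tcp,198.51.100.7,44012,10.1.2.10,443
2015-02-01T08:00:09,none,tcp,10.1.4.30,50120,10.1.2.10,443
2015-02-01T08:00:12,attempted-dos,udp,198.51.100.88,40001,10.1.2.11,53
2015-02-01T08:00:15,none,tcp,10.1.4.31,50200,10.1.2.12,3389
2015-02-01T08:00:20,web-application-attack,tcp,198.51.100.7,44013,10.1.2.10,443
"""

# Services documented per PCI DSS 1.1.6: (proto, port) -> business justification.
JUSTIFIED_SERVICES = {
    ("tcp", 443): "customer web portal",
    ("udp", 53): "DNS for internal resolvers",
}

def parse_log(text: str) -> list:
    """Parse CSV records; ports become ints so they compare as numbers."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["sport"], row["dport"] = int(row["sport"]), int(row["dport"])
    return rows

def attack_metrics(records: list) -> dict:
    """Alerts per attack class: the number and types of attacks the
    organization faces, as input to the ongoing risk assessment."""
    return dict(Counter(r["classification"] for r in records
                        if r["classification"] != "none"))

def service_inventory(records: list, justified=JUSTIFIED_SERVICES) -> dict:
    """Every (proto, destination port) seen, with its justification or None."""
    seen = Counter((r["proto"], r["dport"]) for r in records)
    return {svc: {"events": n, "justification": justified.get(svc)}
            for svc, n in seen.items()}

def unjustified_services(records: list, justified=JUSTIFIED_SERVICES) -> list:
    """Services with observed traffic but no business justification on file."""
    inventory = service_inventory(records, justified)
    return sorted(s for s, info in inventory.items() if info["justification"] is None)
```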

Improve ROI

Some improved efficiencies and the attendant lower labor costs have been identified above. In addition, an organization can use its latest risk assessment to determine how much of a return on investment (ROI) IDS/IPS may provide if the system reduces or eliminates either (a) a denial or degradation of Internet service and/or internal network service (including the associated business ramifications of network, application or service downtime), or (b) a security breach involving the direct loss of sensitive customer data or intellectual property.

About the author:
Bill Hayes is a former oceanography student and military veteran, and a journalism school graduate. After flirting with computer game design in the 1980s, Hayes pursued a full-time career in IT support and currently works as a cybersecurity analyst for a Midwestern utility company as well as a freelance expert consultant and writer.

This was last published in February 2015