
Intrusion Detection Systems

Updated: Sep 29, 2023




What are intrusion detection systems?


Tooling that gives security administrators visibility can matter as much as hiring SOC analysts or incident responders: without it, the people you hire have nothing to act on.


Intrusion detection systems (IDS) range from open-source software such as Snort, installed directly onto existing hardware as an operating-system component, to stand-alone hardware appliances, many of which are built on the same open-source detection engines.


There are two main variants of IDS: host-based (HIDS) and network-based (NIDS).


An IDS is a visibility tool: it watches network traffic or host activity and raises alerts, but it blocks nothing by itself. A HIDS uses a sensor called the HIDS agent, which runs on the monitored host's operating system and applies both signature-based and anomaly-based detection.


Signature-based detection compares what it sees (packets, files, log entries) against a database of known-malicious patterns and notifies the administrator on a match. It is precise for known attacks but cannot flag anything for which no signature exists yet.


Anomaly-based detection instead builds a baseline of normal system behaviour from event logs and traffic, then alerts on significant deviations from it. It can catch novel attacks, at the cost of more false positives, and an attacker who is already active during the learning period gets baked into the baseline as "normal".
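The two detection methods side by side, as an added example that is not part of the original post: a small Python script applies a signature list (a reduced Snort-style rule, destination port plus a content string; the rules and the traffic are constructed for the example) and an anomaly detector (connections per source compared with a baseline mean plus three standard deviations) to the same window of events. The signature catches a single known-bad request that volume never would; the anomaly detector catches a port sweep that matches no signature, and also flags a benign burst, which is the false-positive cost mentioned above.

```python
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    src: str        # source IP of the connection
    dst_port: int   # destination port
    payload: bytes  # first bytes of the request, empty for a bare connect


# Signature list: (destination port or None for any, content bytes, alert message).
# Constructed rules in the spirit of a Snort 'content:' match, not a real ruleset.
SIGNATURES = [
    (80, b"/etc/passwd", "Path traversal attempt for /etc/passwd"),
    (None, b"' OR '1'='1", "SQL injection tautology"),
]


def signature_alerts(events):
    """Signature-based detection: alert on any event whose payload contains a known-bad pattern."""
    alerts = []
    for ev in events:
        for port, content, msg in SIGNATURES:
            if (port is None or port == ev.dst_port) and content in ev.payload:
                alerts.append((ev.src, msg))
    return alerts


def baseline(events):
    """Learn 'normal': mean and population standard deviation of connections per source."""
    per_source = list(Counter(ev.src for ev in events).values())
    return statistics.mean(per_source), statistics.pstdev(per_source)


def anomaly_alerts(events, mean, stdev, k=3.0):
    """Anomaly-based detection: sources whose connection count exceeds mean + k * stdev."""
    threshold = mean + k * stdev
    return {src: n for src, n in Counter(ev.src for ev in events).items() if n > threshold}


def make_events(src, n, port=80, payload=b"GET /index.html HTTP/1.1"):
    return [Event(src, port, payload) for _ in range(n)]


# Constructed training window: five ordinary clients, a handful of requests each.
BASELINE_WINDOW = (make_events("10.0.0.1", 3) + make_events("10.0.0.2", 4)
                   + make_events("10.0.0.3", 5) + make_events("10.0.0.4", 4)
                   + make_events("10.0.0.5", 3))

# Constructed observation window.
OBSERVED_WINDOW = (
    make_events("10.0.0.1", 4) + make_events("10.0.0.2", 3)
    # one known-bad request: a signature match, but no volume anomaly
    + [Event("10.0.0.7", 80, b"GET /../../etc/passwd HTTP/1.1")]
    # a port sweep: 40 bare connects to ports 1-40, nothing for a signature to match
    + [Event("10.0.0.99", port, b"") for port in range(1, 41)]
    # a legitimate but unusually busy client: the anomaly detector flags it too (false positive)
    + make_events("10.0.0.5", 12)
)


def run():
    mean, stdev = baseline(BASELINE_WINDOW)
    return signature_alerts(OBSERVED_WINDOW), anomaly_alerts(OBSERVED_WINDOW, mean, stdev)


if __name__ == "__main__":
    sig, anom = run()
    print("signature alerts:", sig)   # only 10.0.0.7
    print("anomaly alerts:", anom)    # 10.0.0.99 (sweep) and 10.0.0.5 (false positive)
```

Neither method alone is enough: the sweep from 10.0.0.99 produces no signature hit, the traversal attempt from 10.0.0.7 is a single request that no volume threshold will notice, and the anomaly detector's hit on 10.0.0.5 is exactly the kind of alert an analyst has to triage rather than act on blindly.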


Inner workings of an IDS.

Why use it?


Maintaining security posture is critical both for customers and for the future of the company. Under the UK GDPR, a personal data breach must be reported to the ICO within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals; an organisation cannot report a breach it never detected.


The PCI Security Standards Council requires any company or vendor that accepts, stores, processes or transmits payment card data to comply with the PCI Data Security Standard (PCI DSS).


The UK has various rules which relate directly or indirectly to cybersecurity: public companies must adhere to the Companies Act 2006, the Disclosure Guidance and Transparency Rules, and the risk management and internal control provisions of the UK Corporate Governance Code.


An IDS supports these obligations by producing the record of what happened on the network and on hosts, which is what a breach notification, an audit or a risk assessment draws on.


On monitoring and logging, PCI DSS (Requirement 10) requires that access to system components and cardholder data be logged and that those logs be reviewed; correct logging is what gives a monitoring team anything to work from.


IDSs are widely used in e-commerce, including by companies that handle online payment details and other personal information that links directly back to a customer.


However, an IDS only detects; it cannot by itself prevent an attack, so it should be used in conjunction with other security controls and with staff trained to triage and respond to its alerts.

NIDS in a network.

A NIDS inspects live traffic at a network vantage point (a SPAN port or a network tap) in real time for signs of attack, but it sees only what crosses that point and cannot read inside encrypted sessions. A HIDS sees the other side: it monitors the host's files with integrity checking, watches commonly targeted processes and local logs, and observes data after the host has decrypted it.

HIDS in a network.

IDS alternatives

Firewalls


Although not a complete alternative, firewalls are often deployed on their own and alongside intrusion detection systems to filter traffic seeking entry into a network.


The stateful characteristic of a firewall means it analyses packets in context rather than in isolation: it tracks each TCP conversation through its stages (handshake, established, closing), records the flow in a connection table, and allows a packet only if it fits a flow it already knows, rather than matching every packet against a static rule. A firewall can also terminate VPN tunnels, which a passive IDS cannot, although neither a firewall nor an IDS sees inside encrypted traffic unless it is decrypted in front of them.
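A minimal connection-tracking filter, added here to illustrate the stateful behaviour described above; it is example code, not any firewall vendor's implementation, and the packet trace is constructed. Case (c) in the trace is the packet a stateless "allow established" rule, which only checks that the ACK flag is set, would let through.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters: "S" (SYN), "SA" (SYN/ACK), "A" (ACK), "F", "R"
    inbound: bool  # True when the packet arrives from the untrusted (outside) interface


class StatefulFirewall:
    """Policy: inside hosts may open TCP connections outward; nothing may be opened inward.
    Each packet is judged against the connection table, not against a per-packet rule."""

    def __init__(self):
        self.table = {}  # flow key -> handshake stage

    @staticmethod
    def flow_key(pkt):
        # Both directions of one connection map to the same (inside, outside) key.
        if pkt.inbound:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def process(self, pkt):
        key = self.flow_key(pkt)
        state = self.table.get(key)
        if state is None:
            # Only an outbound SYN may create a flow; anything else with no flow is dropped,
            # including inbound SYNs, forged ACKs and SYN/ACKs nobody asked for.
            if not pkt.inbound and pkt.flags == "S":
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            return "DROP"
        if state == "SYN_SENT" and pkt.inbound and pkt.flags == "SA":
            self.table[key] = "SYN_RECEIVED"
            return "ALLOW"
        if state == "SYN_RECEIVED" and not pkt.inbound and pkt.flags == "A":
            self.table[key] = "ESTABLISHED"
            return "ALLOW"
        if state == "ESTABLISHED":
            if "R" in pkt.flags or "F" in pkt.flags:
                del self.table[key]   # simplified teardown: one FIN or RST ends tracking
            return "ALLOW"
        return "DROP"   # packet does not fit the stage the flow is in


def demo():
    """Run a constructed packet trace through the filter and return the verdicts in order."""
    fw = StatefulFirewall()
    inside, outside = "192.168.1.10", "203.0.113.5"
    trace = [
        # (a) inside host opens a connection: three-way handshake, then return data
        Packet(inside, 51000, outside, 443, "S", inbound=False),
        Packet(outside, 443, inside, 51000, "SA", inbound=True),
        Packet(inside, 51000, outside, 443, "A", inbound=False),
        Packet(outside, 443, inside, 51000, "A", inbound=True),
        # (b) outside host tries to open a connection inward
        Packet(outside, 40000, inside, 22, "S", inbound=True),
        # (c) forged ACK with no flow: a stateless 'established' rule keys on the ACK bit and passes it
        Packet(outside, 40001, inside, 3389, "A", inbound=True),
        # (d) SYN/ACK for a connection the inside never initiated
        Packet(outside, 80, inside, 51001, "SA", inbound=True),
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    print(demo())   # ['ALLOW', 'ALLOW', 'ALLOW', 'ALLOW', 'DROP', 'DROP', 'DROP']
```

A production connection tracker also ages idle entries out of the table and validates sequence numbers; this version keeps only the stage of the handshake, which is enough to show why the decision for packet (c) cannot be made from the packet alone.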

Interaction between firewall and VPN service.

Next Generation Firewalls (NGFW)


On the other hand, next generation firewalls, as described by Cisco, offer the features of a traditional firewall and add application visibility and control (AVC), using application-layer data to identify the application rather than its port number, so that an application cannot evade policy simply by running on a non-standard port.
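Application identification from the first bytes of a flow, as an added example of what AVC-style classification does (example code, not Cisco's implementation; the flow samples and the policy are constructed). The same three flows are judged by a port-based rule and by a payload-based rule under the policy "block SSH": SSH sent to port 443 slips past the port rule and is caught by the payload rule.

```python
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def identify(payload):
    """Classify a flow from its first client bytes, ignoring the port entirely."""
    first_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x01..0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello)
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (1, 2, 3) and payload[5] == 0x01):
        return "tls"
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    return "unknown"


PORT_MAP = {22: "ssh", 80: "http", 443: "tls"}   # what a port-only rule believes
BLOCKED_APPS = {"ssh"}                            # constructed policy: no SSH across this boundary


def port_based(dport, payload):
    """Traditional firewall: the application is whatever the well-known port says."""
    app = PORT_MAP.get(dport, "unknown")
    return app, "deny" if app in BLOCKED_APPS else "allow"


def app_based(dport, payload):
    """NGFW-style AVC: the application comes from the payload; the port is irrelevant."""
    app = identify(payload)
    return app, "deny" if app in BLOCKED_APPS else "allow"


# Constructed flows: (destination port, first client bytes)
FLOWS = [
    # TLS ClientHello on 443: the first 11 bytes are a genuine record and handshake header,
    # the rest of the hello is padded with zeros for the example
    (443, bytes.fromhex("160301 00c4 01 0000c0 0303") + b"\x00" * 32),
    # HTTP on a non-standard port: invisible to a port rule, obvious from the request line
    (8080, b"GET /api/v1/users HTTP/1.1\r\nHost: internal\r\n\r\n"),
    # SSH client banner sent to port 443 to slip past a rule that only blocks port 22
    (443, b"SSH-2.0-OpenSSH_9.3\r\n"),
]


def compare():
    return [(dport, port_based(dport, p), app_based(dport, p)) for dport, p in FLOWS]


if __name__ == "__main__":
    for dport, port_verdict, app_verdict in compare():
        print(f"port {dport}: port rule says {port_verdict}, payload rule says {app_verdict}")
```

Real classifiers carry hundreds of such fingerprints and keep inspecting beyond the first packet; the limitation they share with this toy is that once a client wraps its protocol inside TLS, the payload is no longer visible and identification falls back to what the handshake itself reveals.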


NGFWs can also block file transfers that could deliver malware and keep copies of the malware for later analysis, which is valuable evidence when reporting a potential data breach under the GDPR 2016 and the Data Protection Act 2018.


These laws exist to give customers assurance that their personal information is stored and processed fairly and in accordance with the rules.


Additionally, NGFWs examine URLs, categorise them, and filter or rate-limit transfers to and from URLs in categories that look illegitimate.


A traditional firewall sees the ports and IP addresses used between two hosts; a NIDS goes further and inspects the packet payload, so its rules can match explicit content inside packets.


The advantage of this is uncovering exploitation attempts, or compromised endpoints that have been recruited into botnets, by the content of their traffic rather than just its addresses.

Next Generation Intrusion Prevention Systems (NGIPS)


Finally, another alternative that is becoming more popular, though at a higher price, is the Next Generation IPS (NGIPS).


The main advantage of a NGIPS is reputation-based filtering: it weighs threat scores and other intelligence sources with contextual awareness, and the scores are updated by feeds such as Cisco Talos. Unlike an IDS, an IPS sits inline and can drop traffic, so a false positive here blocks legitimate traffic rather than merely raising an alert.


A NGIPS can also assess the impact level of an event, giving professionals better awareness of its potential consequences and making it easier to produce the assessments required for certain events under, for example, the DPA 2018.

What's next?


See my blog on attacks that IDSs can and cannot stop, and on implementing one within a company.

