A Guide to Intrusion Detection and Prevention Systems (IDS/IPS)


An intrusion detection system (IDS) watches network or host activity for signs of an attack and raises an alert; an intrusion prevention system (IPS) sits inline in the traffic path and can also block what it flags. Together they form one of the earlier layers of defense against an attack, and detection and prevention each play a distinct role in that defense.

Defining Intrusion Detection and Prevention

Intrusion detection systems and intrusion prevention systems are usually abbreviated IDS and IPS. Both monitor events on your network or hosts and analyze them for indications of an imminent threat, an incident, or a violation of your security policy. An IPS builds on an IDS by acting on what the IDS detects: because it sits inline, it can drop packets, reset connections, or block the offending source rather than only alerting.

Why Do IDS and IPS Matter?

Before getting into best practices, it helps to understand why these systems matter, because that understanding is what motivates the precautions below. Most business networks expose both public and private entry points to other networks. Those entry points have to stay open for customers and partners while remaining secure, and firewalls and encryption alone are not enough: a firewall passes whatever its rules allow, and encryption protects data in transit without saying anything about whether the traffic inside it is malicious.

IDS and IPS fill that gap by watching the network continuously for possible incidents. Between them, the systems record details of each incident, stop it where they can, and report it. You can also use their alerts to find weaknesses in your security policies and to enforce those policies.

Choose a Manageable System

When selecting your IDS and IPS systems, opt for ones that provide you with the management tools you need. This includes security policies and configurations that you can leverage across various applications and user groups. By choosing systems with this ability, you will be able to reduce the time spent and cost associated with installing as well as maintaining larger security deployments.

Choose a Scalable System

Another factor to consider when choosing your intrusion prevention and detection systems is scalability. You need to be aware of the current and future size of your company and ensure that the solution you select can scale up to work for the entire network. Scalable systems will support a higher number of protected servers as well as significant event traffic.

Set Up the System and Access Correctly

Setting up your IDS and IPS correctly is crucial to how well they work. Create a separate account for every user and administrator who needs access to the system, so that actions are attributable and access can be revoked individually. Restrict network access to the IDS components, ideally to a dedicated management network reachable by only a few administrators. Make sure all IDS management traffic is encrypted or otherwise protected, and, where the platform supports it, give the sensors' monitoring interfaces no IP address of their own so they cannot be addressed from the traffic they watch.

In addition to applying the right configuration, back up those configuration settings periodically, and always before applying an update. That is the surest way not to lose existing settings, and it gives you something to roll back to if the update misbehaves.

Have a Patch Management Policy

As with every other part of your security program, complement your IDS and IPS policies with patch management, and include the IDS/IPS platform itself in it. Patch management is hard because attackers can exploit a vulnerability in the window between the vendor publishing a patch (which often reveals the flaw) and you deploying it. Minimize that window by installing patches as soon as they are available and tested, and account for patch latency in your policies, for example by enabling an IPS signature for the vulnerability as a stopgap until the patch is in place.

Have a Signature Update Policy

Before you deploy your intrusion detection and prevention systems, have a signature update policy in place, and know how you will test new signatures as they arrive. Never apply a signature update untested, since a bad signature causes false positives, and on an inline IPS a false positive blocks legitimate traffic. Likewise, choose a manageable subset of signatures for blocking. Enable a signature in block mode only after thorough testing, and prefer the ones that have a low false-positive rate and indicate the most dangerous attacks; leave the rest in alert-only mode.

Ideally, use a hybrid approach that combines behavioral (anomaly) rules with attack-specific signatures. Signatures catch known attacks precisely; behavioral rules, such as rate or baseline-deviation thresholds, can catch unknown attacks but need a baseline of normal traffic and usually produce more false positives, so they are typically run in alert mode first.
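The two preceding paragraphs describe a workflow rather than a product: measure each new signature against known-good traffic, promote only clean, high-severity signatures to block mode, and run a behavioral rule beside the signatures. The following is an added example of that workflow, not code from the original page or from any IDS vendor. It models signatures as simple content matches (real engines such as Snort or Suricata have their own rule language), and the signature IDs, severity scale, baseline requests, thresholds and IP addresses are all constructed for the demonstration.

```python
"""Staged signature rollout with a false-positive check, plus one behavioral rule.

Added example; not the page's code. Signatures, traffic, thresholds and the
severity scale are hypothetical. Content matches stand in for a real rule language.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int             # hypothetical signature id
    name: str
    pattern: re.Pattern  # content match applied to the request line
    severity: int        # hypothetical scale: 1 (informational) .. 5 (critical)


# Hypothetical signature feed. 1003 is deliberately noisy.
SIGNATURES = [
    Signature(1001, "SQLi UNION SELECT", re.compile(r"union\s+select", re.I), 5),
    Signature(1002, "Directory traversal", re.compile(r"\.\./"), 4),
    Signature(1003, "SQL keyword SELECT", re.compile(r"select", re.I), 2),
    Signature(1004, "sqlmap user agent", re.compile(r"sqlmap", re.I), 3),
]

# Constructed benign baseline: request lines captured from known-good traffic.
# A real baseline would be a pcap or web-log sample from the protected network.
BENIGN_BASELINE = [
    "GET /products?category=books HTTP/1.1",
    "GET /search?q=selected+works HTTP/1.1",
    "POST /cart/select-shipping HTTP/1.1",
    "GET /img/logo.png HTTP/1.1",
    "GET /docs/guide.html HTTP/1.1",
]


def false_positive_rate(sig, baseline):
    """Fraction of benign requests the signature matches."""
    hits = sum(1 for req in baseline if sig.pattern.search(req))
    return hits / len(baseline)


def plan_rollout(signatures, baseline, max_fp=0.0, min_severity=4):
    """Decide per signature: 'drop' (block inline), 'alert' (detect only),
    or 'disable' (noisy and low severity, not worth the alert volume)."""
    plan = {}
    for sig in signatures:
        fp = false_positive_rate(sig, baseline)
        if fp > max_fp and sig.severity < 3:
            plan[sig.sid] = "disable"
        elif fp <= max_fp and sig.severity >= min_severity:
            plan[sig.sid] = "drop"
        else:
            plan[sig.sid] = "alert"
    return plan


def inspect(request, signatures, plan):
    """Return the strongest action for one request: 'drop', 'alert' or 'pass'."""
    action = "pass"
    for sig in signatures:
        mode = plan.get(sig.sid, "alert")
        if mode == "disable" or not sig.pattern.search(request):
            continue
        if mode == "drop":
            return "drop"
        action = "alert"
    return action


def rate_anomalies(events, window_seconds=10, threshold=20):
    """Behavioral rule with no signature: flag sources that send more than
    `threshold` requests inside any sliding window of `window_seconds`.
    events: iterable of (timestamp_seconds, source_ip)."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    plan = plan_rollout(SIGNATURES, BENIGN_BASELINE)
    print(plan)  # 1003 is disabled: it fires on 'selected' and 'select-shipping'
    print(inspect("GET /item?id=1 UNION SELECT password FROM users HTTP/1.1", SIGNATURES, plan))
    # Constructed burst: 30 requests in 3 seconds from one source, a slow trickle from another.
    events = [(i * 0.1, "203.0.113.9") for i in range(30)] + [(i * 5.0, "198.51.100.4") for i in range(10)]
    print(rate_anomalies(events))
```

The point of the baseline check is the third signature: a keyword match on `select` looks harmless until it is run against real traffic, where it fires on ordinary URLs, and in block mode it would have cut off legitimate users. The rate rule needs no signature at all, which is why it can flag an unknown tool, but the threshold is only meaningful relative to a baseline of normal request rates for your own network.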

Fine-Tune Incident Management and Response Procedures

Simply installing an intrusion detection system and an accompanying intrusion prevention system is not enough without the right procedures around them. Make sure alerts from both are monitored and addressed promptly, with a response that is just as quick. That kind of procedure requires a robust management infrastructure: a defined triage process, escalation paths, and someone on call to act on the alerts.

As you set up those procedures, monitor the IPS alert feed continuously so that you can respond appropriately. This is not a system you set up and leave to run on its own. If that is too much of an undertaking for your company, a managed detection and response service is an option.

Consider a Host-Based IDS

Depending on your business, you may also want to consider a host-based IDS (HIDS). A HIDS complements a network-based IDS (NIDS), whether you run that yourself or a provider runs it for you, by adding detection the network sensor cannot do: it has access to the local operating system and file system, and it still sees activity inside encrypted connections because it inspects it on the host after decryption. You get this extra detection by installing an agent on each monitored system, with the agents controlled from a central management server.

Overall, HIDS enhances detection with file-level checks (file access attempts, file attribute checking, and file integrity checking) and with code analysis (library and application inventories and system call monitoring). Depending on the agent, HIDS can also detect configuration changes. Its trade-off is that it consumes resources on every host, and an attacker with administrative rights on the host can tamper with the agent or its baseline, so store the baseline and send reports off-host. While HIDS is not for everyone, it provides valuable additional coverage in specific situations.
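To make the file integrity and file attribute checks concrete, here is an added example of the core of such a check, written for this page rather than taken from it or from any HIDS product. It records a baseline of content hash, permission bits, owner and size for every regular file under a directory, compares a later scan against it, and reports what was added, removed or modified. The directory tree, file names and tampering in the demo are constructed in a temporary directory; a real agent would store the baseline off-host or signed, as discussed above, since this one keeps it in memory.

```python
"""Minimal host-based file integrity check: baseline, rescan, diff.

Added example; not the page's code and not any HIDS product's baseline format.
The demo tree and the tampering applied to it are constructed in a temp dir.
"""
import hashlib
import os
import stat
import tempfile


def _fingerprint(path):
    """Hash plus the attributes a HIDS typically tracks for one file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only (setuid/world-writable show up here)
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root):
    """Map of path relative to root -> fingerprint, for every regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks are not followed here; a real agent records them separately
            baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline


def compare(baseline, current):
    """Findings as (relative_path, kind, changed_fields); kind is added/removed/modified."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings.append((rel, "added", ""))
        elif rel not in current:
            findings.append((rel, "removed", ""))
        else:
            changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if changed:
                findings.append((rel, "modified", ",".join(changed)))
    return findings


def demo():
    """Build a tiny tree, baseline it, tamper with it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"original binary")
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0\n")
        os.chmod(os.path.join(root, "passwd"), 0o644)
        base = build_baseline(root)

        # Constructed tampering: same-size content swap (size alone would miss it),
        # a permission change, and a new file dropped next to system binaries.
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"trojaned binary")
        os.chmod(os.path.join(root, "passwd"), 0o666)
        with open(os.path.join(bin_dir, "backdoor"), "wb") as f:
            f.write(b"x")
        return compare(base, build_baseline(root))


if __name__ == "__main__":
    for rel, kind, fields in demo():
        print(f"{kind:9} {rel} {fields}")
```

Two details matter in practice. Hashing the content catches the same-size replacement that a size or timestamp check would miss, and comparing permission bits separately lets a change such as a file becoming world-writable or setuid stand out even when its content is untouched. The comparison is only as trustworthy as the baseline, which is why the page's advice about protecting the agent and its data applies here too.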