Apr 20 2020

Intrusion Detection Systems: What Are They, and How Do They Work?

Intrusion detection and prevention systems enable federal agencies to identify and block malicious threats.

With hundreds of thousands of federal workers engaged in telework, securing federal IT systems is more important than ever. And critical components of such cybersecurity measures are intrusion detection and prevention systems.

This month, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released interim guidance on telework for Trusted Internet Connections 3.0 to help agencies enhance network security. The guidance covers not just intrusion detection but also security recommendations for files, email, networking, resiliency, Domain Name System and enterprise security.

Telework environments have different requirements than traditional on-premises IT environments, the CISA guidelines note.

“With access to services primarily coming from external parties, agencies retain much less control over end-user devices, especially in being able to perform post-incident forensics,” the guidelines say. “With less visibility and control in users’ devices, it may be prudent to assume they may end up compromised and to design the intrusion detection and prevention infrastructure accordingly.”

Agencies may need to modify intrusion detection and prevention systems to “tailor access control to services or data based on the visibility and control over the end user’s device, or look for anomalies in accessing data or use of services to detect malicious activity from the server side,” CISA notes.

Understanding how intrusion detection and intrusion prevention systems work is critical to keeping federal workers, data and devices safe in the current telework environment.

What Is an Intrusion Detection System?

Nirav Shah, senior director of products and solutions at Fortinet, notes that intrusion detection systems “monitor network traffic searching for suspicious activity and known threats, sending up alerts when it finds such items.” As a longtime corporate cybersecurity staple, intrusion detection as a function “remains critical in the modern enterprise, but maybe not as a stand-alone solution,” Shaha says.

Intrusion detection and prevention systems “play an extremely important role in the defense of networks against hackers and other security threats,” says Mike Chapple, associate teaching professor of IT, analytics and operations at the University of Notre Dame (and a FedTech contributor).

Intrusion detection systems might notice any of the following behaviors, Chapple says:

  • A request bound for a web server contains a SQL injection attack.
  • A malformed packet is attempting to create a denial of service.
  • A user’s login attempt seems unusual based upon the time of day and past patterns.
  • A system on the internal network is attempting to contact a botnet command and control server.

“All of these situations are examples of security issues that administrators would obviously want to know about,” Chapple says. “Intrusion detection systems identify this type of situation and then alert administrators to the issue for further investigation.”

READ MORE: Discover how to best protect VPNs from major vulnerabilities.

Intrusion Detection Systems vs. Intrusion Prevention Systems

Intrusion prevention systems are related to but different from intrusion detection systems. An intrusion prevention system does everything an intrusion detection system does, says Karen Scarfone, the principal consultant for Scarfone Cybersecurity (also a FedTech contributor).

However, an intrusion prevention system, or IPS, “can also act to try to stop attacks,” Scarfone says.

“Once an intrusion prevention system detects a possible attack, it can do things like block the network connection containing the attack or disable a user account that’s been compromised and is being misused to perform the attack,” she says.

In many cases, IT or security administrators are “not available to immediately review alerts and take action or are simply overwhelmed by the sheer volume of alerts generated by an intrusion detection system,” Chapple says.

An IPS can help in that situation, because it can “take immediate corrective action in response to a detected threat,” Chapple says, which in most cases “means blocking the potentially malicious traffic from entering the network.”

Find out how automation tools can enhance cybersecurity and intrusion detection.

For agencies, an IPS is a “critical component of every network’s core security capabilities,” Shah says. 

“It protects against known threats and zero-day attacks, including malware and underlying vulnerabilities,” he adds. “Deployed inline as a bump in the wire, many IPS solutions perform deep packet inspection of traffic at wire speed, requiring high throughput and low latency.”

An intrusion prevention system is “considered an improvement on the existing intrusion detection system, as it is designed to not only monitor and detect but more importantly respond to attacks by either limiting the attacker’s ability to succeed in the attack or providing threat containment,” says Vic Jayaswal, senior manager of government consulting at FireEye Mandiant.

“An example response that is performed by many intrusion prevention systems is the ability to actively block hostile traffic and also isolate and restrict access to specific machines that are deemed to be compromised,” he says.

Such automated, real-time defensive response can be extremely useful for agencies, but “heavy tuning and monitoring is required to ensure critical communication and systems are not inadvertently stopped,” Jayaswal says.

For example, one FireEye customer was using an IPS to protect key portions of its network but did not configure the policies correctly, Jayaswal says. That configurational error not only caused the IPS to block critical communications between key high-value systems but also disabled several key machines.

MORE FROM FEDTECH: Find out how SIEM tools enhance federal cybersecurity.

What Are Different Types of Intrusion Detection Systems?

At the highest level, there are two types of intrusion detection systems: network-based and host-based.

“Network-based intrusion detection systems monitor activity within network traffic for one or more networks, while host-based intrusion detection systems monitor activity within a single host, like a server,” Scarfone says. A host-based IDS sits on an endpoint machine, analyzing the network traffic coming into the machine and monitoring for files being accessed and modified, Jayaswal says.

Network-based intrusion detection system types include wired, wireless and network behavior analysis, which looks mainly at the network traffic flows and not at the activity within those traffic flows, Scarfone says.

Both network- and host-based intrusion systems can use detection methods ranging from signature- to anomaly-based detection, Jayaswal says. 

“Signature-based detection is based on detecting specific data patterns that are known to be malicious,” he says. “Anomaly-based detection is designed to detect unknown attacks leveraging machine learning and artificial intelligence.”

Signature-based IDS is the most common and effective IDS approach, Chapple says, and is similar to anti-virus software. It uses very large databases containing patterns of data (or signatures) known to be associated with malicious activity, he says.

Anomaly detection “does have the potential to notice new attack types, but it has a high false positive error rate and is not widely used by security administrators,” he says.

READ MORE: Find out how file integrity monitoring can help feds improve cybersecurity.

How Intrusion Detection and Prevention Systems Help Government IT

As agencies move toward more decentralized environments, Shah says, their employees and contractors need to access information that originates outside the traditional federal perimeters.

“Government agency stakeholders need to connect information from various points within the federal system — from employees, contractors and constituents,” he says. “The more potential for this information to be exposed to outside entities, the greater the opportunity for malicious content to infiltrate these systems or for pertinent data to be leaked, intentionally or accidentally.”

Network- and host-based intrusion prevention systems are “an essential part of layered security for organizations and should be leveraged as part of a layered approach to an organization’s overall security posture,” Jayaswal says. 

“When both systems are leveraged together, an organization can gain a much larger and more holistic view of the activities being performed,” he says. “Additionally, organizations should spend an adequate amount of time tuning these devices to ensure the right responses are performed when violations occur.”

IDS and IPS can help agencies “identify suspicious and potentially malicious activity more quickly, which can allow attacks to be stopped sooner,” Scarfone says.

“That will prevent some attacks from being completed and succeeding, while other attacks that still succeed may have less of a negative impact on the organization,” she says. “Intrusion detection and intrusion prevention technologies are an important component of attack detection and incident response for an agency.”

solarseven/Getty Images