What Is an Intrusion Detection System?
Nirav Shah, senior director of products and solutions at Fortinet, notes that intrusion detection systems “monitor network traffic searching for suspicious activity and known threats, sending up alerts when it finds such items.” As a longtime corporate cybersecurity staple, intrusion detection as a function “remains critical in the modern enterprise, but maybe not as a stand-alone solution,” Shah says.
Intrusion detection and prevention systems “play an extremely important role in the defense of networks against hackers and other security threats,” says Mike Chapple, associate teaching professor of IT, analytics and operations at the University of Notre Dame (and a FedTech contributor).
Intrusion detection systems might notice any of the following behaviors, Chapple says:
- A request bound for a web server contains a SQL injection attack.
- A malformed packet is attempting to create a denial of service.
- A user’s login attempt seems unusual based upon the time of day and past patterns.
- A system on the internal network is attempting to contact a botnet command and control server.
“All of these situations are examples of security issues that administrators would obviously want to know about,” Chapple says. “Intrusion detection systems identify this type of situation and then alert administrators to the issue for further investigation.”
Intrusion Detection Systems vs. Intrusion Prevention Systems
Intrusion prevention systems are related to but different from intrusion detection systems. An intrusion prevention system does everything an intrusion detection system does, says Karen Scarfone, the principal consultant for Scarfone Cybersecurity (also a FedTech contributor).
However, an intrusion prevention system, or IPS, “can also act to try to stop attacks,” Scarfone says.
“Once an intrusion prevention system detects a possible attack, it can do things like block the network connection containing the attack or disable a user account that’s been compromised and is being misused to perform the attack,” she says.
In many cases, IT or security administrators are “not available to immediately review alerts and take action or are simply overwhelmed by the sheer volume of alerts generated by an intrusion detection system,” Chapple says.
An IPS can help in that situation, because it can “take immediate corrective action in response to a detected threat,” Chapple says, which in most cases “means blocking the potentially malicious traffic from entering the network.”
For agencies, an IPS is a “critical component of every network’s core security capabilities,” Shah says.
“It protects against known threats and zero-day attacks, including malware and underlying vulnerabilities,” he adds. “Deployed inline as a bump in the wire, many IPS solutions perform deep packet inspection of traffic at wire speed, requiring high throughput and low latency.”
An intrusion prevention system is “considered an improvement on the existing intrusion detection system, as it is designed to not only monitor and detect but more importantly respond to attacks by either limiting the attacker’s ability to succeed in the attack or providing threat containment,” says Vic Jayaswal, senior manager of government consulting at FireEye Mandiant.
“An example response that is performed by many intrusion prevention systems is the ability to actively block hostile traffic and also isolate and restrict access to specific machines that are deemed to be compromised,” he says.
Such automated, real-time defensive response can be extremely useful for agencies, but “heavy tuning and monitoring is required to ensure critical communication and systems are not inadvertently stopped,” Jayaswal says.
For example, one FireEye customer was using an IPS to protect key portions of its network but did not configure the policies correctly, Jayaswal says. That configuration error not only caused the IPS to block critical communications between key high-value systems but also disabled several key machines.
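To make the IDS/IPS distinction and the tuning caveat above concrete, here is an added example (not code from the article or from any vendor mentioned in it) of the response-policy logic an IPS might apply to detections. It assumes a hypothetical detection record with src, dst, signature and severity fields, and a constructed batch of detections in which one high-severity hit is a false positive on replication traffic between two critical database servers. In IDS mode every decision is alert-only; an untuned IPS blocks the replication flow; a tuned IPS with that flow listed as protected downgrades it to an alert for analyst review while still blocking and then isolating a host that keeps triggering high-severity rules.

```python
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical detection record as an IDS/IPS engine might emit it after
# matching traffic (constructed for this example; field names are assumptions).
@dataclass(frozen=True)
class Detection:
    src: str        # source host
    dst: str        # destination host
    signature: str  # name of the rule that matched
    severity: str   # "low", "medium" or "high"

@dataclass
class Policy:
    mode: str                         # "ids": alert only; "ips": alert and act
    block_min_severity: str = "high"  # IPS blocks connections at or above this level
    isolate_after: int = 3            # IPS isolates a host after this many blockable hits
    # Tuning: (src, dst) flows between critical systems that must never be auto-blocked.
    protected_flows: set = field(default_factory=set)

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

def respond(detections, policy):
    """Return one decision per detection (alert text plus action) and the set of isolated hosts.

    In "ids" mode every decision is alert-only. In "ips" mode a detection at or
    above block_min_severity is blocked, the source host is isolated once it has
    accumulated isolate_after blockable detections, and flows listed in
    protected_flows are downgraded to alert-only regardless of severity.
    """
    decisions, strikes, isolated = [], Counter(), set()
    for d in detections:
        alert = f"{d.signature}: {d.src} -> {d.dst} [{d.severity}]"
        action = "alert-only"
        blockable = SEVERITY_RANK[d.severity] >= SEVERITY_RANK[policy.block_min_severity]
        if policy.mode == "ips" and blockable:
            if (d.src, d.dst) in policy.protected_flows:
                action = "alert-only (protected flow, needs analyst review)"
            elif d.src in isolated:
                action = "drop (host already isolated)"
            else:
                strikes[d.src] += 1
                if strikes[d.src] >= policy.isolate_after:
                    isolated.add(d.src)
                    action = "block-connection + isolate-host"
                else:
                    action = "block-connection"
        decisions.append({"alert": alert, "action": action})
    return decisions, isolated

# Constructed sample detections. The first is a false positive: a noisy rule
# fires on legitimate replication traffic between two critical database servers.
DETECTIONS = [
    Detection("db-primary", "db-replica", "sql-keyword-in-stream", "high"),
    Detection("10.0.0.23", "web-01", "sqli-union-select", "high"),
    Detection("10.0.0.23", "web-01", "sqli-boolean-blind", "high"),
    Detection("10.0.0.23", "web-02", "sqli-union-select", "high"),
    Detection("10.0.0.23", "web-03", "sqli-union-select", "high"),
    Detection("10.0.0.41", "web-01", "suspicious-user-agent", "low"),
]

IDS_ONLY = Policy(mode="ids")
UNTUNED_IPS = Policy(mode="ips")
TUNED_IPS = Policy(mode="ips", protected_flows={("db-primary", "db-replica")})

if __name__ == "__main__":
    for name, pol in [("IDS", IDS_ONLY), ("untuned IPS", UNTUNED_IPS), ("tuned IPS", TUNED_IPS)]:
        decisions, isolated = respond(DETECTIONS, pol)
        print(f"== {name} ==")
        for dec in decisions:
            print(f"  {dec['alert']:<58} -> {dec['action']}")
        print(f"  isolated hosts: {sorted(isolated) or 'none'}")
```

The protected-flow list is the tuning step Jayaswal describes: without it, the same false positive that merely produces a ticket under an IDS takes down replication under an IPS. The design choice to downgrade rather than silently suppress keeps the alert visible, so a genuinely compromised critical system still reaches an analyst.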
What Are Different Types of Intrusion Detection Systems?
At the highest level, there are two types of intrusion detection systems: network-based and host-based.
“Network-based intrusion detection systems monitor activity within network traffic for one or more networks, while host-based intrusion detection systems monitor activity within a single host, like a server,” Scarfone says. A host-based IDS sits on an endpoint machine, analyzing the network traffic coming into the machine and monitoring for files being accessed and modified, Jayaswal says.
Network-based intrusion detection system types include wired, wireless and network behavior analysis, which looks mainly at the network traffic flows and not at the activity within those traffic flows, Scarfone says.
Both network- and host-based intrusion detection systems can use detection methods ranging from signature- to anomaly-based detection, Jayaswal says.
“Signature-based detection is based on detecting specific data patterns that are known to be malicious,” he says. “Anomaly-based detection is designed to detect unknown attacks leveraging machine learning and artificial intelligence.”
Signature-based IDS is the most common and effective IDS approach, Chapple says, and is similar to anti-virus software. It uses very large databases containing patterns of data (or signatures) known to be associated with malicious activity, he says.
Anomaly detection “does have the potential to notice new attack types, but it has a high false positive error rate and is not widely used by security administrators,” he says.
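As an added example (not code from the article), the following runs both detection methods from this section over constructed sample events, covering the behaviors Chapple lists earlier: a signature-based pass that matches a SQL injection pattern in a web request and a connection to a known command-and-control address, and an anomaly-based pass that compares each login's hour of day against a constructed per-user baseline. The rules, the placeholder C2 address from the TEST-NET-3 documentation range, and the baseline are all assumptions made for the illustration. The 06:05 login is a legitimate early shift that the anomaly detector still flags, which is the false-positive problem Chapple describes; a user with no history yet is skipped rather than guessed at.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (not real traffic). Each record is one observed
# action: an HTTP request, a user login, or an outbound connection.
EVENTS = [
    {"ts": "2024-03-04T09:12:00", "kind": "http",  "src": "10.0.0.5", "detail": "/search?q=laptops"},
    {"ts": "2024-03-04T09:13:10", "kind": "http",  "src": "10.0.0.8", "detail": "/login?user=a' OR '1'='1"},
    {"ts": "2024-03-04T09:15:00", "kind": "login", "src": "10.0.0.5", "detail": "alice"},
    {"ts": "2024-03-04T03:02:00", "kind": "login", "src": "10.0.0.5", "detail": "alice"},
    {"ts": "2024-03-04T06:05:00", "kind": "login", "src": "10.0.0.5", "detail": "alice"},  # legitimate early shift
    {"ts": "2024-03-04T09:20:00", "kind": "conn",  "src": "10.0.0.9", "detail": "203.0.113.7:443"},
    {"ts": "2024-03-04T09:21:00", "kind": "conn",  "src": "10.0.0.9", "detail": "198.51.100.2:80"},
    {"ts": "2024-03-04T09:30:00", "kind": "login", "src": "10.0.0.6", "detail": "bob"},  # no baseline yet
]

# --- Signature-based detection: match known-bad patterns ---------------------
# Hypothetical rule set, kept tiny for the example; real engines ship thousands.
HTTP_SIGNATURES = [
    ("sqli-boolean", re.compile(r"(?i)\bor\b\s*'1'\s*=\s*'1")),
    ("sqli-union",   re.compile(r"(?i)\bunion\b\s+\bselect\b")),
]
# Constructed placeholder from the TEST-NET-3 documentation range, not a real indicator.
KNOWN_C2_SERVERS = {"203.0.113.7"}

def signature_alerts(events):
    """Return (timestamp, source, rule) for every event matching a known-bad pattern."""
    alerts = []
    for e in events:
        if e["kind"] == "http":
            for rule, pattern in HTTP_SIGNATURES:
                if pattern.search(e["detail"]):
                    alerts.append((e["ts"], e["src"], rule))
        elif e["kind"] == "conn":
            dst_ip = e["detail"].rsplit(":", 1)[0]
            if dst_ip in KNOWN_C2_SERVERS:
                alerts.append((e["ts"], e["src"], "c2-contact"))
    return alerts

# --- Anomaly-based detection: compare against a learned baseline --------------
# Constructed per-user history of login hours (the "learned" profile).
LOGIN_HOUR_HISTORY = {"alice": [8, 9, 9, 10, 9, 8, 10, 9]}

def anomaly_alerts(events, history=LOGIN_HOUR_HISTORY, z_threshold=3.0):
    """Flag logins whose hour of day is more than z_threshold standard deviations
    from the user's historical mean. Users without a baseline are skipped."""
    alerts = []
    for e in events:
        if e["kind"] != "login":
            continue
        hours = history.get(e["detail"])
        if not hours or len(hours) < 2:
            continue  # nothing to compare against yet
        mu, sigma = mean(hours), pstdev(hours)
        hour = datetime.fromisoformat(e["ts"]).hour
        # A flat baseline (sigma == 0) means any other hour is unusual.
        unusual = hour != mu if sigma == 0 else abs(hour - mu) / sigma > z_threshold
        if unusual:
            alerts.append((e["ts"], e["detail"], "unusual-login-time"))
    return alerts

if __name__ == "__main__":
    for a in signature_alerts(EVENTS):
        print("SIGNATURE", *a)
    for a in anomaly_alerts(EVENTS):
        print("ANOMALY  ", *a)
```

The two passes show the trade-off in the quotes above: the signature pass only fires on patterns someone has already written a rule for, so a novel attack sails through, while the anomaly pass catches the 03:02 login with no rule at all but also flags the 06:05 login that an administrator would have to triage and dismiss. Raising z_threshold suppresses that false positive at the cost of missing milder deviations, which is exactly the tuning decision operators face.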
How Intrusion Detection and Prevention Systems Help Government IT
As agencies move toward more decentralized environments, Shah says, their employees and contractors need to access information that originates outside the traditional federal perimeters.
“Government agency stakeholders need to connect information from various points within the federal system — from employees, contractors and constituents,” he says. “The more potential for this information to be exposed to outside entities, the greater the opportunity for malicious content to infiltrate these systems or for pertinent data to be leaked, intentionally or accidentally.”
Network- and host-based intrusion prevention systems are “an essential part of layered security for organizations and should be leveraged as part of a layered approach to an organization’s overall security posture,” Jayaswal says.
“When both systems are leveraged together, an organization can gain a much larger and more holistic view of the activities being performed,” he says. “Additionally, organizations should spend an adequate amount of time tuning these devices to ensure the right responses are performed when violations occur.”
IDS and IPS can help agencies “identify suspicious and potentially malicious activity more quickly, which can allow attacks to be stopped sooner,” Scarfone says.
“That will prevent some attacks from being completed and succeeding, while other attacks that still succeed may have less of a negative impact on the organization,” she says. “Intrusion detection and intrusion prevention technologies are an important component of attack detection and incident response for an agency.”