Description: An Intrusion is a blatant violation of business security policies involving unauthorized access to network resources. Intrusions are what most people think of when they think of “hacking”. Intrusion attempts can have many different objectives, ranging from unauthorized data access to denial-of-service attempts on critical network infrastructure.
One of the most vital pieces of cybersecurity infrastructure for addressing such intrusions is the Intrusion Detection and Prevention System (IDPS). IDPS is an umbrella term covering two related yet different systems. An Intrusion Detection System (IDS) monitors network activity and generates alerts when it concludes that an intrusion is taking place or is about to take place. The IDS will alert a network administrator about the incident. An Intrusion Prevention System (IPS) has the same features as an IDS, but it can also stop the intrusion in progress. This can be done by any number of means, ranging from terminating the network connection in question to actively changing firewall rules to address the specific method of attack.
It is up to a business to decide the specifics of its intrusion detection and prevention strategy. Some businesses may decide that detection alone is sufficient, and that Incident Response staff can perform the tasks of eliminating the intrusion. On the other hand, some businesses may decide they need more automated help with preventing cyber-attacks and that a combined detection and prevention system is desired.
There are also several different types of IDPS systems, each guarding a different type of asset. The four common IDPS technologies are:
- Network-Based: Monitors entire network segments and performs its operations on all traffic involving the segment in question.
- Host-Based: Resides on individual hosts and addresses intrusion attempts on the single host in question. These systems are often deployed on all business devices and are managed by a central console on a management server.
- Wireless: Monitors wireless networks specifically, alerting on intrusion attempts involving wireless access. These systems can be useful in weeding out attacks such as Rogue Access Points.
- Network Behavior Analysis (NBA): Proactively monitors and profiles baseline behavior of the network at large and alerts on deviations from baseline activity that may indicate an intrusion.
All four of these specific technologies can be implemented separately, but many products today provide all four as part of a larger system. If you are considering implementing an IDPS for your business, it is up to you to do your due diligence and thoroughly research the specifics of potential products.
IDPS systems can use several different methodologies for detecting intrusions. These methodologies align with those used by many other security technologies, such as anti-malware software and endpoint detection and response (EDR) tools. The three main methodologies are:
- Signature-based: The system keeps a database of known threat behaviors in signature format, and studies traffic for occurrences of the signatures. This is great for addressing known threats, but it usually falls short when addressing new and innovative threats.
- Anomaly-based: The system profiles baseline behavior and alerts on activity that significantly deviates from that baseline. This is a good strategy for addressing new threats, as well as more covert threats that try to obfuscate as much of their behavior as possible. However, many administrators find it frustrating to fine-tune baselines, and both false positives and false negatives must be addressed with anomaly-based detection.
- Stateful Protocol Analysis: Similar to Anomaly-based detection, Stateful Protocol Analysis uses pre-determined profiles of baseline behavior to compare network traffic against. However, these systems address specific protocols rather than the entire network, and profiles are created by the vendors themselves. Stateful protocol analysis systems are able to track the entire history of specific protocol interactions and alert on behaviors that are not typical of the protocol in question.
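To make the three methodologies concrete, the following added example (not part of the original article, and not any vendor's product code) runs a miniature version of each over a constructed set of traffic records. The signatures, the toy "TOYP" protocol and its state machine, the hostnames and IP addresses are all invented for this illustration. The anomaly detector learns a per-source byte-volume baseline from a training window and flags sources whose observed volume lies more than `z_threshold` standard deviations above it; lowering or raising that threshold is the false-positive/false-negative trade-off the text describes.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One constructed traffic record (not a real capture)."""
    src: str
    dst: str
    proto: str      # protocol name, e.g. "HTTP" or the toy "TOYP"
    msg: str        # protocol message type for TOYP: HELLO/AUTH/DATA/BYE
    size: int       # bytes transferred
    payload: str = ""


# --- 1. Signature-based: known-bad patterns (constructed for this example) ---
SIGNATURES = {
    "SIG-001 known scanner user-agent": re.compile(r"User-Agent: EvilScanner/"),
    "SIG-002 contact to known C2 domain": re.compile(r"Host: c2\.example\.invalid"),
}


def signature_alerts(events):
    """Return (signature name, source) for every payload matching a signature."""
    return [(name, e.src) for e in events
            for name, pattern in SIGNATURES.items() if pattern.search(e.payload)]


# --- 2. Anomaly-based: per-source byte volume compared with a learned baseline ---
def build_baseline(training_events):
    """Learn mean and standard deviation of bytes-per-source from a clean window."""
    per_src = defaultdict(int)
    for e in training_events:
        per_src[e.src] += e.size
    volumes = list(per_src.values())
    # pstdev of a flat baseline would be 0; fall back to 1.0 to avoid a divide-by-zero
    return statistics.mean(volumes), statistics.pstdev(volumes) or 1.0


def anomaly_alerts(events, baseline, z_threshold=3.0):
    """Return (source, z-score) for sources whose volume exceeds the threshold."""
    mean, stdev = baseline
    per_src = defaultdict(int)
    for e in events:
        per_src[e.src] += e.size
    return [(src, round((vol - mean) / stdev, 2))
            for src, vol in per_src.items() if (vol - mean) / stdev > z_threshold]


# --- 3. Stateful protocol analysis: a vendor-style state machine for a toy protocol ---
VALID_TRANSITIONS = {
    None: {"HELLO"},            # a session must open with HELLO
    "HELLO": {"AUTH"},
    "AUTH": {"DATA", "BYE"},
    "DATA": {"DATA", "BYE"},
    "BYE": set(),
}


def protocol_alerts(events, proto="TOYP"):
    """Track each (src, dst) session and flag messages the protocol does not allow here."""
    state, alerts = {}, []
    for e in events:
        if e.proto != proto:
            continue
        key = (e.src, e.dst)
        current = state.get(key)
        if e.msg not in VALID_TRANSITIONS[current]:
            alerts.append((key, current, e.msg))
        state[key] = e.msg
    return alerts


# Constructed training window: five sources with similar, benign volumes.
TRAINING = [Event(f"10.0.0.{i}", "10.0.0.50", "HTTP", "", size)
            for i, size in enumerate([1000, 1100, 900, 1050, 950], start=1)]

# Constructed observation window: one benign host, one C2 beacon, one noisy scanner,
# one well-formed TOYP session and one that sends DATA without a handshake.
OBSERVED = [
    Event("10.0.0.1", "10.0.0.50", "HTTP", "", 1100, "GET /index.html HTTP/1.1\r\nHost: www.example.com"),
    Event("10.0.0.3", "10.0.0.50", "HTTP", "", 600, "GET /beacon HTTP/1.1\r\nHost: c2.example.invalid"),
    Event("10.0.0.9", "10.0.0.50", "HTTP", "", 5000, "GET / HTTP/1.1\r\nUser-Agent: EvilScanner/2.1"),
    Event("10.0.0.4", "10.0.0.51", "TOYP", "HELLO", 20),
    Event("10.0.0.4", "10.0.0.51", "TOYP", "AUTH", 40),
    Event("10.0.0.4", "10.0.0.51", "TOYP", "DATA", 300),
    Event("10.0.0.4", "10.0.0.51", "TOYP", "BYE", 10),
    Event("10.0.0.9", "10.0.0.51", "TOYP", "DATA", 300),
    Event("10.0.0.9", "10.0.0.51", "TOYP", "BYE", 10),
]


def run_all(z_threshold=3.0):
    """Run all three detectors over the constructed data and return their alerts."""
    return {
        "signature": signature_alerts(OBSERVED),
        "anomaly": anomaly_alerts(OBSERVED, build_baseline(TRAINING), z_threshold),
        "protocol": protocol_alerts(OBSERVED),
    }


if __name__ == "__main__":
    for method, alerts in run_all().items():
        print(f"{method}: {alerts}")
```

Note how the three detectors disagree: the signature engine sees the beacon and the scanner user-agent but would miss either if the string changed; the anomaly engine sees only the scanner's volume (and would also fire on a legitimate backup job unless the baseline or `z_threshold` is tuned); the protocol engine catches the handshake-less TOYP session regardless of payload or volume. A production IDPS layers all three for exactly this reason.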
IDPS systems are usually deployed in one of two modes. Inline Mode involves the system being placed on a network link between an outside network and the destination. For example, an IDPS could be placed in front of a VPN Concentrator to gather and study all traffic destined for the VPN before it actually reaches it. An IDPS could be placed in front of the firewall guarding a whole network segment to weed out malicious traffic before it even reaches the firewall checkpoint. Passive Mode involves an IDPS being connected to a network and configured in passive mode, similar to a traffic sniffer. This allows it to observe all traffic flows on the network and analyze them.
IDPS can be an important aspect of a good information security program and should be strongly considered for use. You, your senior, and IT management must discuss different use cases and implementation strategies. In particular, IDPS are useful for protecting network segments hosting assets that have low security capabilities, such as legacy system networks and IoT networks. IDPS are also very useful in defending publicly accessible servers, such as Demilitarized Zones (DMZ) hosting web and database servers. At a minimum, you should strive to implement IDPS on these network segments.
Configuring and fine-tuning an IDPS to fit your specific business case is a long process that can involve significant trial and error. If improperly implemented, severe consequences can arise from the lack of proper monitoring. If you decide to implement IDPS capabilities in your digital infrastructure, ensure that the System Development Lifecycle (SDLC) is followed for as smooth an implementation process as possible. If possible, it is recommended to run the IDPS in a simulation test network to help fine-tune its capabilities and observe potential issues before full implementation.
