Network and host-based intrusion detection systems play an important role in cyber security by alerting organisations to potential malicious activity across networks and devices. To realise the full power of this technology, however, organisations must first overcome a variety of challenges.
What is an intrusion detection system (IDS)?
An IDS is a type of software or application that monitors network traffic or host activity to detect suspicious behaviour and generate immediate alerts when it is detected. These alerts are recorded centrally via a security information and event management (SIEM) system or reported to an administrator. They provide key insights that enable incident response specialists or security operations centre (SOC) analysts to investigate issues and take appropriate action. An IDS can monitor for internal as well as external threats.
Challenges of IDS
1 – Ensuring an effective deployment
To attain a high level of threat visibility, organisations must ensure that intrusion detection technology is correctly installed and optimised. Due to budgetary and monitoring constraints it may not be practical to place network-based (NIDS) and host-based (HIDS) sensors throughout an IT environment. With many organisations lacking a complete overview of their IT network, however, deploying IDS effectively can be tricky, and if not done well it may leave critical assets exposed.
2 – Managing the high volume of alerts
HIDS and NIDS typically utilise a combination of signature-based and anomaly-based detection techniques. This means alerts are generated when a sensor either detects activity that matches a known attack pattern, or flags traffic that falls outside an established baseline of normal behaviour. Anomalous activity could include unusually high bandwidth consumption and irregular web or DNS traffic.
The vast quantity of alerts generated by intrusion detection can be a significant burden for internal teams. Many alerts are false positives, but organisations rarely have the time and resources to screen every one, meaning that genuinely suspicious activity can often slip under the radar.
Most intrusion detection systems come loaded with a set of pre-defined alert signatures but for most organisations these are insufficient, with additional work needed to baseline behaviours specific to each environment.
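To make the two techniques concrete, the following added example (not code from the original article or from Redscan) runs a signature check and a per-host DNS volume anomaly check over constructed events. The signatures, hostnames, the "c2.example.invalid" domain and the baseline counts are all hypothetical; the unbaselined host shows why the environment-specific baselining described above matters.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Hypothetical signatures; patterns and the "bad" domain are constructed for illustration.
SIGNATURES = {
    "http-path-traversal": re.compile(r"/\.\./"),
    "dns-known-bad-domain": re.compile(r"(^|\.)c2\.example\.invalid$"),
}

# Constructed benign history: per-host DNS query counts over five past intervals.
BASELINE_HISTORY = {"ws01": [12, 15, 11, 14, 13], "ws02": [40, 45, 38, 42, 44]}

# Constructed events for the current interval: (host, kind, payload).
EVENTS = (
    [("ws01", "dns", f"host{i}.example.net") for i in range(30)]
    + [("ws02", "dns", f"cdn{i}.example.org") for i in range(45)]
    + [("ws03", "dns", "time.example.net")] * 3
    + [("ws03", "dns", "c2.example.invalid")]
    + [("ws01", "http", "/index.html"), ("ws02", "http", "/images/../../etc/passwd")]
)

def signature_alerts(events):
    """Signature-based detection: alert on any payload matching a known pattern."""
    return [(host, name, payload)
            for host, _kind, payload in events
            for name, pattern in SIGNATURES.items() if pattern.search(payload)]

def build_baseline(history):
    """Learn each host's normal DNS volume (mean, std dev) from benign history."""
    return {host: (mean(counts), pstdev(counts)) for host, counts in history.items()}

def anomaly_alerts(events, baseline, k=3.0, floor=5):
    """Anomaly-based detection: alert when a host's DNS query count exceeds
    mean + k*stddev of its baseline; a host with no baseline is reported separately."""
    counts = Counter(host for host, kind, _ in events if kind == "dns")
    alerts = []
    for host, n in counts.items():
        if host not in baseline:
            alerts.append((host, "dns-volume-unbaselined", n))
            continue
        mu, sigma = baseline[host]
        if n > max(mu + k * sigma, floor):   # floor avoids noise on very quiet hosts
            alerts.append((host, "dns-volume-anomaly", n))
    return alerts

def detect(events, history):
    """Run both techniques, as a combined sensor would, and return all alerts."""
    return signature_alerts(events) + anomaly_alerts(events, build_baseline(history))
```

Running detect(EVENTS, BASELINE_HISTORY) yields two signature hits, one volume anomaly for ws01 and an "unbaselined" notice for ws03, which an analyst would still have to triage by hand.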
3 – Understanding and investigating alerts
IDS alerts consist of base-level security information which, when viewed in isolation, may mean very little. Upon being presented with an alert, it is often not immediately obvious what caused it, or what actions are required to establish whether or not it poses a genuine threat.
Investigating IDS alerts can be very time- and resource-intensive, requiring supplementary information from other systems to help determine whether an alarm is serious. Specialist skills are essential to interpret system outputs, and many organisations lack the dedicated security experts capable of performing this crucial function.
4 – Knowing how to respond to threats
A common problem for organisations that implement IDS is that they lack an appropriate incident response capability. Identifying a problem is half the battle; knowing how to respond appropriately, and having the resources in place to do so, is equally important.
Effective incident response requires skilled security personnel who know how to swiftly remediate threats, as well as robust procedures to address issues without impacting day-to-day operations. In many organisations there is a big disconnect between the people charged with monitoring alerts and those managing infrastructure, meaning that swift remediation can be difficult to achieve.
To highlight the importance of having an appropriate incident response plan in place, the General Data Protection Regulation (GDPR) requires organisations that process any type of personal data to have appropriate controls in place to report breaches to a relevant authority within 72 hours, or risk a large fine.
How to address your IDS challenges
Before deploying an intrusion detection system, organisations should consider commissioning an independent risk assessment to better understand their environment, including the key assets requiring protection. Being armed with this knowledge will help to ensure that an IDS is properly scoped so that it offers the greatest value and benefits.
Given the challenges of ongoing system maintenance, monitoring and alert investigation, many organisations may wish to consider enlisting a managed service to perform all the heavy lifting. A managed IDS service avoids the need to recruit dedicated security personnel, and if necessary, can also include all requisite technology, circumventing the need for upfront capital expenditure.
ThreatDetect is Redscan’s flagship and award-winning managed detection and response (MDR) service. Offering advanced security capabilities for a cost-effective monthly subscription, ThreatDetect includes cutting-edge intrusion detection technology as well as a range of complementary security tools needed to further enhance threat detection. These include SIEM, vulnerability scanning and endpoint analytics.
Understanding the way that cybercriminals operate, our certified CSOC team are experienced at monitoring systems and hunting for threats and can assist with system maintenance and optimisation, such as baselining your chosen IDS system.
Through CyberOps, the real-time threat notification and analytics platform included as part of ThreatDetect, we provide detailed incident information and remediation advice direct to your security and IT teams through one central workflow – thereby ensuring threats can be successfully managed from detection to remediation.