Intrusion detection plays an important role in cyber security by alerting organisations to potential malicious activity across networks and devices.
However, to achieve the full potential of this approach, they must first overcome a variety of challenges.
Read on to discover what intrusion detection is and how it has evolved, plus the four key challenges associated with it and how to address them.
What is an intrusion detection system (IDS)?
An IDS is a type of software or application that monitors a network to detect suspicious activity and generate immediate alerts if and when it is detected. These alerts are recorded centrally via a security information and event management (SIEM) system or reported to an administrator. They provide key insights to enable incident response specialists or security operations centre (SOC) analysts to investigate issues and take appropriate action. In the form of a network intrusion detection system (NIDS), an IDS can monitor for internal as well as external threats. NIDS are commonly used in conjunction with host-based intrusion detection systems (HIDS) and SIEM solutions, which aggregate and analyse security events from multiple sources.
How has intrusion detection changed?
The emergence of more sophisticated security solutions means that the market is moving away from the use of IDS. Approaches to network security have evolved to become more holistic, drawing in information from multiple sources and providing a broader overview.
One notable change, as mentioned, was the use of this type of technology in conjunction with SIEM, which draws on information from IDS, intrusion prevention systems (IPS), logs and firewalls to build a more comprehensive picture of network security and advance measures beyond simply screening hostile traffic.
However, SIEMs only analyse and categorise log data from different IT systems to search for security issues and alert engineers, meaning the investigation itself must be undertaken manually. In contrast, SOAR (Security Orchestration, Automation and Response) security technologies allow organisations to collect and aggregate vast amounts of security data and alerts from a multitude of sources, enabling businesses to significantly improve their ability to swiftly detect and respond to attacks.
Changes in threat actor behaviour meant that breaches increasingly posed a threat at endpoint level, with traditional endpoint solutions limited in their ability to detect or address known file-based or signature-based endpoint threats. This gave rise to endpoint detection and response (EDR), which is able to identify and contain potential threats at network perimeter level, as well as enabling security teams to uncover and mitigate emerging threats.
SOAR gathers alert data from a range of platforms, including SIEM, as well as EDR, extended detection and response (XDR), and threat intelligence platforms (TIP), enabling automated and adaptive incident response workflows. Although this evolution has made intrusion detection a much more sophisticated and effective element of cyber security, a number of issues continue to impact organisations.
The challenges of intrusion detection
1 – Ensuring an effective deployment
To attain a high level of threat visibility, organisations must ensure that their choice of intrusion detection solution is correctly installed and optimised. Budgetary and monitoring constraints mean that it may not be practical to integrate certain types of intrusion detection technology throughout an IT environment. With many organisations lacking a complete overview of their IT network however, deploying these types of solutions effectively can be tricky and if not done well may leave critical assets exposed.
2 – Managing the high volume of alerts
The vast quantity of alerts generated by intrusion detection solutions can be a significant burden for internal teams. Many system alerts are false positives, but organisations rarely have the time and resources to screen every alert, meaning that suspicious activity can often slip under the radar.
Most intrusion detection systems come loaded with a set of pre-defined alert signatures but for most organisations these are insufficient, with additional work needed to baseline behaviours specific to each environment.
3 – Understanding and investigating alerts
Investigating alerts detected by intrusion detection systems can be very time- and resource-intensive, requiring supplementary information from other systems to help determine whether an alarm is serious. Specialist skills are essential to interpret system outputs and many organisations lack the support of dedicated security experts capable of performing this crucial function.
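Challenges 2 and 3 above (alert volume that needs an environment-specific baseline, and alerts that need supplementary context before they can be judged) can be illustrated with a small triage routine. This is an added example, not code from the original article or from Kroll: the alert records, the asset inventory and the spike factor are all constructed here for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample alerts, not real telemetry. Each record is
# (day, signature, destination_ip). Days 1-7 are the baseline window;
# day 8 is the day being triaged.
ALERTS = (
    # A noisy probe signature that fires 20 times every day (benign baseline)
    [(d, "ET SCAN Generic Probe", "10.0.1.20") for d in range(1, 9) for _ in range(20)]
    # A signature that fires twice a day normally but spikes to 30 on day 8
    + [(d, "Policy: Outbound SSH", "10.0.2.40") for d in range(1, 8) for _ in range(2)]
    + [(8, "Policy: Outbound SSH", "10.0.2.40")] * 30
    # A signature never seen in the baseline window, hitting a critical asset
    + [(8, "Malware: Suspected C2 Beacon", "10.0.0.5")]
)

# Hypothetical asset inventory used to enrich alerts with context (constructed)
CRITICAL_ASSETS = {"10.0.0.5": "domain controller", "10.0.0.6": "finance db"}

BASELINE_DAYS = range(1, 8)
SPIKE_FACTOR = 5.0  # escalate when today's count exceeds 5x the baseline mean


def daily_baseline(alerts, days):
    """Mean daily alert count per signature over the baseline window."""
    per_day = defaultdict(Counter)
    for day, sig, _ in alerts:
        if day in days:
            per_day[sig][day] += 1
    # A signature that did not fire on a given day counts as 0 for that day
    return {sig: mean(c.get(d, 0) for d in days) for sig, c in per_day.items()}


def triage(alerts, day, days=BASELINE_DAYS, factor=SPIKE_FACTOR):
    """Return {signature: (decision, reason)} for one day's alerts."""
    baseline = daily_baseline(alerts, days)
    today = Counter(sig for d, sig, _ in alerts if d == day)
    crit = defaultdict(set)  # signatures seen against critical assets today
    for d, sig, dst in alerts:
        if d == day and dst in CRITICAL_ASSETS:
            crit[sig].add(CRITICAL_ASSETS[dst])
    result = {}
    for sig, n in today.items():
        if sig in crit:
            result[sig] = ("escalate", "targets critical asset: " + ", ".join(sorted(crit[sig])))
        elif sig not in baseline:
            result[sig] = ("escalate", "new signature not seen in baseline window")
        elif n > factor * baseline[sig]:
            result[sig] = ("escalate", f"{n} alerts vs baseline mean {baseline[sig]:.1f}/day")
        else:
            result[sig] = ("suppress", f"within baseline ({baseline[sig]:.1f}/day)")
    return result
```

Running `triage(ALERTS, 8)` suppresses the probe signature that matches its baseline, escalates the SSH policy alert because of the spike, and escalates the beacon alert because of the asset it targets; the same three decisions are what an analyst would otherwise have to reach by hand for every signature.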
4 – Knowing how to respond to threats
A common problem for organisations attempting to implement intrusion detection systems is that they lack an appropriate incident response capability. Identifying a problem is half the battle, while knowing how to respond appropriately and having the resources in place to do so is equally important.
Effective incident response requires skilled security personnel with the knowledge of how to swiftly remediate threats, as well as robust procedures to address issues without impacting day-to-day operations. In many organisations there is a big disconnect between the people charged with monitoring alerts and those managing infrastructure, meaning that swift remediation can be difficult to achieve.
To highlight the importance of having an appropriate incident response plan in place, the General Data Protection Regulation (GDPR) requires organisations that process any type of personal data to have appropriate controls in place to report breaches to a relevant authority within 72 hours, or risk a large fine.
How to address your intrusion detection challenges
Before deploying an intrusion detection solution, organisations should consider commissioning an independent risk assessment to better understand their environment, including the key assets requiring protection. Being armed with this knowledge will help to ensure that their chosen solution is properly scoped to offer the greatest value and benefits.
Given the challenges of ongoing system maintenance, monitoring and alert investigation, many organisations may wish to consider enlisting a managed service to perform all the heavy lifting. A managed intrusion detection service avoids the need to recruit dedicated security personnel, and if necessary, can also include all requisite technology, circumventing the need for upfront capital expenditure. Achieving this through a managed detection and response (MDR) service can help to overcome your security challenges by supplying experienced security experts to deploy, configure and monitor network and endpoint detection systems, delivering the security outcomes you need and allowing in-house teams to focus on other important tasks.
How Kroll can help
Kroll Responder, our award-winning managed detection and response service, provides the extensive capabilities your organisation needs to hunt for and eradicate threat actors across your on-premise, cloud and hybrid environments.
Working as an extension of your IT or security team, Kroll Responder combines world-class security expertise, leading network and endpoint detection technologies, and aggregated security intelligence to help hunt for threats and shut down breaches before they can damage and disrupt your business. Being vendor-agnostic, we can manage multiple SIEMs, both on-premise and on the cloud. We can also enrich alerts and contextualise them with telemetry from other cloud and endpoint sources.