As we continue to peel back the layers of cybersecurity protections, intrusion detection is a pivotal part of that plan. Intrusion detection is an application that monitors a network or system for malicious activity. It analyzes and then reports the data to an administrator or event management system. With this type of information, a security operations center (SOC) or other cybersecurity engineer can investigate the activity and execute remediation tactics.
You might be wondering how this differs from a firewall and why both services are recommended as part of your security strategy. A firewall is centered on a standard set of policies that determine what action to apply to traffic passing through it. Firewalls do not detect or stop malicious traffic on their own unless they include security services such as intrusion prevention services (IPS) and intrusion detection services (IDS). Intrusion detection adds a layer of analysis to any identified intrusion or malicious activity, based on network traffic (NIDS) or system usage (HIDS). By notifying the administrator with specifics of what is going on, it lets the detected intrusion be directly combated and provides an opportunity to prevent another attack.
What are the most common types?
Intrusion detection systems are designed to be leveraged in different situations. The two most common types are:
- NIDS stands for Network Intrusion Detection Services and is a service that works to identify intrusions that occur within a network. By reviewing and analyzing network traffic patterns, this service matches the traffic it observes against the patterns of known attacks. It can then alert the administrator to the issue.
- HIDS stands for Host Intrusion Detection Services. This service works to monitor the inbound and outbound activity from the host and alerts the security team when malicious activity is detected.
How do they work?
Both NIDS and HIDS work to add a layer of protection for your business. By incorporating these intrusion detection systems, you increase your ability to detect and react, making it much more difficult for a hacker to access your network. There are a few components that help differentiate these systems, and they are also what make the systems so successful in their approach.
- A pattern of known threats – By understanding what a threat looks like, the system can recognize that pattern immediately. Think of when your body encounters a virus. It develops a response to target and beat back that vicious attack. Afterwards, it remembers the sequence from the first attack and is better prepared in case it ever happens again. This type of detection is known as signature detection: it relies on generating a signature for an attack and storing that information so that a repeat encounter is recognized and prevented.
- Normal versus not normal – This type of detection, anomaly-based, works from an understanding of what ‘normal’ looks like. This baseline enables the system to notice if anything is unusual or suspicious. Consider how your body would respond if you had 3 cups of coffee every morning for a year and then suddenly stopped. Your system would alert you (unfortunately in a miserable way…can we say caffeine headache?) to this abnormal activity and bring attention to something being ‘off’.
- Hybrid – The hybrid model simply uses both of the above methods in its approach to strengthen the response.
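As an added illustration of the three approaches above (this is example code, not from the original post), here is a toy detector in Python that runs signature matching and baseline-based anomaly checks over a handful of constructed connection records and combines the two in the hybrid model. The hosts, ports, payloads, signatures and the volume threshold are all made-up assumptions for the demo.

```python
import re
from collections import Counter
# Constructed sample records, not from the original post: (source host, dest port, payload).
BASELINE_WINDOW = [  # traffic from a period known to be normal
    ("10.0.0.5", 443, "GET /index.html"),
    ("10.0.0.5", 443, "GET /about.html"),
    ("10.0.0.7", 443, "GET /login"),
]
OBSERVED_WINDOW = [  # the traffic being inspected now
    ("10.0.0.5", 443, "GET /search?q=1' UNION SELECT * FROM users--"),
    ("10.0.0.7", 443, "GET /login"),
    ("10.0.0.7", 3389, "rdp-connect"),
    ("10.0.0.9", 22, "ssh-2.0-client"),
    ("10.0.0.9", 445, "smb-negotiate"),
    ("10.0.0.9", 3389, "rdp-connect"),
    ("10.0.0.9", 8080, "GET /"),
]
# Signature detection: stored patterns of attacks seen before (assumed examples).
SIGNATURES = {"sql-injection": re.compile(r"union\s+select", re.I),
              "path-traversal": re.compile(r"\.\./")}

def signature_alerts(events):
    # Flag every event whose payload matches a known attack signature.
    return [(host, name) for host, _, payload in events
            for name, pat in SIGNATURES.items() if pat.search(payload)]

def build_baseline(events):
    # Learn "normal": which ports each host uses and the busiest host's connection count.
    ports, counts = {}, Counter()
    for host, port, _ in events:
        ports.setdefault(host, set()).add(port)
        counts[host] += 1
    return {"ports": ports, "max_conns": max(counts.values())}

def anomaly_alerts(events, baseline):
    # Flag hosts, ports, or volumes that fall outside the learned baseline.
    alerts = set()
    for host, port, _ in events:
        known = baseline["ports"].get(host)
        if known is None:
            alerts.add((host, "unknown-host"))
        elif port not in known:
            alerts.add((host, f"unseen-port:{port}"))
    for host, n in Counter(h for h, _, _ in events).items():
        if n >= 2 * baseline["max_conns"]:  # crude volume threshold for the demo
            alerts.add((host, f"connection-burst:{n}"))
    return sorted(alerts)

def hybrid_alerts(events, baseline):
    # Hybrid model: the union of signature hits and anomaly hits.
    return sorted(set(signature_alerts(events)) | set(anomaly_alerts(events, baseline)))
```

Note that the injection attempt from 10.0.0.5 is caught only by the signature check (its host and port look normal), while the never-seen host 10.0.0.9 is caught only by the baseline, which is the reason the post recommends the hybrid model.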
Where should they be installed?
There are some key takeaways when it comes to the installation of either a NIDS or HIDS system. As with all solutions, the initial configuration is important and should be customized to fit within your infrastructure.
- NIDS should be deployed in a manner that enables you to see all network traffic, both east-west and north-south as well as inter-network or inter-VLAN. Many deployments that are configured only at the perimeter do not provide the visibility needed for inside threats or host-to-host communications inside the network.
- HIDS should be deployed on all hosts/endpoints. It provides visibility into the host and the processes, applications, and services that are running. By establishing a baseline of a system, it can provide immediate detection of unauthorized usage or anomalies.
Why are they important?
Intrusion detection is an important piece of the security strategy your business needs to ensure all of your assets, team, and data are protected. By correctly leveraging NIDS and HIDS, you provide additional security measures and give your team access to important information. This comprehensive approach can be refined and enhanced as your business model changes without increasing your vulnerabilities.
Advanticom’s cybersecurity team is here to help with all of your layers of cybersecurity, including intrusion detection. Our approach to cybersecurity is to implement solutions that continually improve IT utilization while simultaneously increasing your security posture. Our solutions for intrusion detection include installation, configuration, review, optimization, and testing. Contact us today at email@example.com or check out our website for more information.