An intrusion detection system, or an IDS, is any kind of device or application that monitors your network for malicious activity that could be the sign of a cyberattack, or for policy violations which could point towards a data or compliance breach.
If you’re new to the idea of intrusion detection systems, let this guide be your… guide! We’ll cover how an intrusion detection system can help your business, what different options you have for this technology, and how you can use the data your IDS gathers to boost your network security overall. Hold on tight!
Understanding how an intrusion detection system supports your business
There are two main types of detection methods that an intrusion detection system will use. These are either a signature-based approach, or an anomaly-based approach. These are common categories that you might have seen with other antivirus or cybersecurity efforts.
With a signature-based approach, your IDS will look for known malicious patterns in the way that traffic is behaving, often called signatures. The problem with this approach is that if a new attack variety arises, it’s difficult for intrusion detection systems to spot it, as it is not a “known” intrusion. It can also take some time for a signature database to catch up with newly discovered attack patterns, which can leave you with a dangerous gap.
In contrast, a newer focus is an anomaly-based approach, which uses statistics, with or without machine learning, to build a model of usual traffic and communications. This kind of software or device looks for (and alerts on) anything unusual that doesn’t fit the pattern of regular traffic. This means you need a baseline for what constitutes “regular behavior”, and you’ll then be alerted to anything that falls outside of that pattern.
You can learn more about the techniques of the latest intrusion detection systems, including how statistics and modelling are used, here.
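As an added illustration (not code from the original post), here is a small Python sketch of the two detection methods above run over a constructed access log: a signature matcher with a tiny fixed pattern database, and an anomaly detector that learns a per-source request rate from a training window and flags a burst for which no signature exists. The log lines, IP addresses and signature names are all constructed for the example.

```python
import re
import statistics
from collections import Counter

# Constructed sample logs (not real traffic). Format: "minute src_ip method path status".
# Training window: host .h makes h requests per minute, so per-source rates vary from 1 to 4.
BASELINE_LOG = [f"{m} 10.0.0.{h} GET /home 200"
                for m in range(10) for h in range(1, 5) for _ in range(h)]
# Live window: one low-volume request matching a known pattern, plus an
# unseen burst of failed logins from one host that no signature describes.
LIVE_LOG = (["11 10.0.0.2 GET /home 200",
             "11 10.0.0.3 GET /images/../../etc/passwd 404"]
            + ["11 10.0.0.9 POST /login 401"] * 40)

# Signature-based: a small "database" of known malicious patterns.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"(?i)union\s+select"),
}

def signature_alerts(log):
    """Return (signature_name, line) for every line matching a known pattern."""
    return [(name, line) for line in log
            for name, pat in SIGNATURES.items() if pat.search(line)]

def requests_per_source_minute(log):
    """Count requests keyed by (src_ip, minute); columns are split positionally."""
    return Counter((line.split()[1], line.split()[0]) for line in log)

def build_baseline(log):
    """Anomaly-based: learn the mean and spread of the per-source request rate."""
    counts = list(requests_per_source_minute(log).values())
    return statistics.mean(counts), statistics.pstdev(counts)

def anomaly_alerts(log, mean, stdev, k=3.0):
    """Flag any (src_ip, minute, count) more than k standard deviations above the mean."""
    threshold = mean + k * stdev
    return [(src, minute, n) for (src, minute), n in
            requests_per_source_minute(log).items() if n > threshold]

def run_ids():
    """Run both detectors over the live window; each catches what the other misses."""
    mean, stdev = build_baseline(BASELINE_LOG)
    return {"signature": signature_alerts(LIVE_LOG),
            "anomaly": anomaly_alerts(LIVE_LOG, mean, stdev)}

if __name__ == "__main__":
    for method, alerts in run_ids().items():
        print(method, alerts)  # traversal seen only by signatures; login burst only by anomaly
```

The single traversal request never exceeds the rate baseline, and the login burst matches no signature, which is why the post recommends treating the two methods as complementary rather than as alternatives.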
Intrusion detection vs firewalls
One common question we hear a lot is: are IDS the same as firewalls? The answer is a firm no! While a firewall will block access to stop malicious attacks from making it into your environment (or, in the case of next-gen firewalls, to stop an attack moving from one part of your data center to another), an IDS will provide information about a suspected intrusion that has already occurred. In this way, a firewall is more of an intrusion prevention system, turning away malicious traffic, than an intrusion detection system.
The different kinds of intrusion detection systems
There are a few main kinds of intrusion detection systems, and you’ll need to think hard about which ones will work best for your business requirements, or for your own clients. Let’s run through some examples:
NIDS: This stands for Network Intrusion Detection System, and you can set this up in a specific place within the network. It will observe all the traffic that travels on the subnet, and scan for abnormal behavior using the techniques described above. You could place the NIDS where the firewalls are, and see if there is a brute force attack occurring.
HIDS: In contrast, a Host Intrusion Detection System will run on an independent host or on a device, monitoring what comes in and out of the device itself. This is usually reserved for machinery or assets which perform a specific task or type of communication, and where you want administrators to get an alert if something out of the norm occurs, or the communication changes.
PIDS: This acronym stands for Protocol-based Intrusion Detection System, and it will monitor the HTTPS protocol between the server and the users or devices that are communicating with it. The web server is protected by this ongoing monitoring and validation of the protocol.
VMIDS: A Virtual Machine-based Intrusion Detection System is not deployed on-premises, but rather remotely via a virtual machine. This is a newer kind of intrusion detection system, and great for MSPs, as they don’t have to physically go to client offices in order to implement the IDS. Of course, if your internet connection fails, this could cause a problem.
Using the data from intrusion detection systems to improve network security
When using the data that you get from an IDS to improve your network security, it’s important to consider a few shortcomings. For example, this technology has been shown to have a high false alarm rate, so you want to ensure you have a process in place to limit alert fatigue, such as a traffic light system for administrators or security teams. If you use a signature-based detection strategy, remember that new threats might not be caught, and signature databases could be out of date.
It’s also essential to recognize that IDS is a detection system, not an intrusion prevention system. An IPS will offer controls to keep malicious attackers out and away from your crown jewel applications and assets, while an IDS will usually only alert you to a problem that is taking place already.
It’s therefore very important to use an IDS as part of a multi-layered security strategy, not as your first and last point of defense. For example, make sure your network protocols are strong, and that you have tight identity and authorization management policies in place, and a killer antivirus suite. You’ll also need another solution for encrypted packets, which IDS usually can’t process. Finally – you’ll want a strong security team or IT stakeholder who can look at the results of an intrusion detection system, and make quick and smart decisions on next steps.
Looking for a full suite of security solutions that can protect your clients from malware, malicious intent, and the risk of non-compliance? Check out the awesome integrations Atera partners with as standard.