An intrusion detection and prevention system (IDPS) is defined as a system that monitors a network and scans it for possible threats to alert the administrator and prevent potential attacks. This article explains an intrusion detection and prevention system and its techniques in detail and lists the best practices for 2022.
What Is an Intrusion Detection and Prevention System?

An intrusion detection and prevention system (IDPS) monitors a network for possible threats to alert the administrator, thereby preventing potential attacks.

How IDPS Functions

Today’s businesses rely on technology for everything, from hosting applications on servers to communication. As technology evolves, the attack surface that cybercriminals have access to also widens. A 2021 Check Point Research report found that there had been 50% more attacks per week on corporate networks in 2021 compared to 2020. As such, organizations of all industry verticals and sizes are ramping up their security posture, aiming to protect every layer of their digital infrastructure from cyberattacks.

A firewall is a go-to solution to prevent unwanted and suspicious traffic from flowing into a system. It is tempting to think that firewalls are 100% foolproof and that no malicious traffic can seep into the network. Cybercriminals, however, are constantly evolving their techniques to bypass security measures. This is where an intrusion detection and prevention system comes to the rescue. While a firewall regulates what gets in, the IDPS regulates what flows through the system. It often sits right behind the firewall, working in tandem with it.

An intrusion detection and prevention system is like the baggage and security check at an airport. A ticket or boarding pass is required to enter the airport, and once inside, passengers are not allowed to board their flights until the necessary security checks have been made. Similarly, an intrusion detection system (IDS) only monitors and alerts on bad traffic or policy violations. It is the predecessor of the intrusion prevention system (IPS), also known as an intrusion detection and prevention system. Besides monitoring and alerting, the IPS also works to prevent possible incidents with automated courses of action.
Basic Functions of an IDPS

An intrusion detection and prevention system offers the following features:

(Figure: Basic Functions of an IDPS)
An IDPS works by scanning processes for harmful patterns, comparing system files, and monitoring user behavior and system patterns. An IPS uses web application firewalls and traffic-filtering solutions to achieve incident prevention.

Types of IDPS

Organizations can consider implementing four types of intrusion detection and prevention systems, based on the kind of deployment they are looking for.

(Figure: IDPS Types)
The type of IDP system an organization requires depends on its existing infrastructure and how it plans to scale up in the future. The techniques used by intrusion detection and prevention solutions are also an important consideration. Let’s summarize the types of intrusion detection and prevention systems.
Intrusion Detection and Prevention System Techniques with Examples

IDP systems have two levels of broad functionality — detection and prevention. At each level, most solutions offer some basic approaches.

Detection-level functionalities of IDPS

1. Threshold monitoring

The first step of threshold monitoring consists of setting accepted levels associated with each user, application, and system behavior. Examples of metrics used during threshold monitoring include the number of failed login attempts, the number of downloads from a particular source, or even something slightly more complicated, such as the accepted time of access to a specific resource. The monitoring system alerts admins and sometimes triggers automated responses when a threshold is crossed.

Having only threshold monitoring instead of intrusion detection comes with its own set of problems. More often than not, the complex infrastructure underlying an organization’s operations and offerings cannot be filtered down to a few metrics. These threshold values also tend to vary as the company’s customer base and services grow. A very stringent implementation of threshold monitoring, in these cases, can cause a lot of false positives. A false positive, in the context of IDP solutions, is when benign activity is identified as suspicious.

2. Profiling

Intrusion detection and prevention systems offer two types of profiling: user profiling and resource profiling. User profiling involves monitoring whether a user with a particular role or in a particular user group only generates traffic that is allowed. For example, only a DevOps user can have access to the cloud server hosting applications, while a programmer can only access data in a sandbox server environment. Short-term user profile monitoring allows administrators to view recent work patterns, while long-term profiling provides an extended view of resource usage.
This comes in handy while creating a baseline for normal behavior and when creating a user role itself.

Resource profiling measures how each system, host, and application consumes and generates data. An application with a suddenly increased workload might indicate malicious behavior. Executable profiling tells administrators what kinds of programs are usually installed and run by individual users, applications, and systems. For example, a host can be running an application that accesses only certain files; any other file access or a rogue database request indicates foul play. This kind of profiling makes it easy to trace malware, ransomware, or a Trojan downloaded by mistake.

Sometimes, profiling may make it difficult to interpret overall network traffic and the bumps that come along with it. The sweet spot for profiling lies between profiles that are too broad, which let bad actors through, and those that are too narrow, which hinder productivity.

Prevention-level functionalities of IDPS

1. Stopping the attack

Otherwise known as ‘banishment vigilance’, intrusion prevention systems prevent incidents before they occur. This is done by blocking users or traffic originating from a particular IP address. It also involves terminating or resetting a network connection. For example, when a particular user is scanning data too frequently, it makes sense to revoke access until these requests have been investigated.

2. Security environment changes

This involves changing security configurations to prevent attacks. An example is the IPS reconfiguring the firewall settings to block a particular IP address.

3. Attack content modification

Malicious content can be introduced into a system in various forms. One way of making this content more benign is to remove the offending segments. A basic example is removing suspicious-looking attachments from emails. A more intricate example is repackaging incoming payloads into a common, pre-designed form, such as by removing unnecessary header information.
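As an added example that is not part of the original article, the following Python script applies the two detection-level functionalities described above, threshold monitoring and user profiling, to a small constructed event log. The usernames, the role mapping and the allowed-resource table are assumptions made for the illustration.

```python
# Added example (not from the article): threshold monitoring and user profiling
# applied to a small constructed event log. Names, roles and resources are assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, event type, resource)
EVENTS = [
    ("2022-03-01T09:00:01", "alice", "login_failed", "vpn"),
    ("2022-03-01T09:00:05", "alice", "login_failed", "vpn"),
    ("2022-03-01T09:00:09", "alice", "login_failed", "vpn"),
    ("2022-03-01T09:00:12", "alice", "login_failed", "vpn"),
    ("2022-03-01T09:00:15", "alice", "login_failed", "vpn"),
    ("2022-03-01T09:00:20", "alice", "login_failed", "vpn"),   # 6th failure in 19 s
    ("2022-03-01T09:30:00", "bob", "login_failed", "vpn"),     # bob: two typos an hour apart
    ("2022-03-01T10:30:00", "bob", "login_failed", "vpn"),
    ("2022-03-01T10:31:00", "bob", "login_ok", "vpn"),
    ("2022-03-01T10:32:00", "bob", "access", "cloud-server"),  # outside bob's role profile
    ("2022-03-01T10:33:00", "carol", "access", "sandbox"),
]

# User profiles (assumed): a role may only touch the resources listed for it,
# mirroring the article's DevOps-vs-programmer example.
ROLES = {"alice": "devops", "bob": "programmer", "carol": "programmer"}
ALLOWED = {"devops": {"vpn", "cloud-server", "sandbox"}, "programmer": {"vpn", "sandbox"}}


def threshold_alerts(events, limit=5, window_seconds=300):
    """Alert when one user exceeds `limit` failed logins inside a sliding window.
    The window keeps slow, legitimate typos (bob) from tripping the same
    threshold as a burst (alice); a bare running count would alert on both.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = []
    for ts, user, event, _ in events:
        if event != "login_failed":
            continue
        now = datetime.fromisoformat(ts)
        failures = recent[user]
        failures.append(now)
        while failures and now - failures[0] > window:  # expire old failures
            failures.popleft()
        if len(failures) > limit:
            alerts.append((user, ts, len(failures)))
    return alerts


def profile_violations(events):
    """Flag resource accesses that fall outside the user's role profile."""
    return [(user, ts, res) for ts, user, event, res in events
            if event == "access" and res not in ALLOWED[ROLES[user]]]


if __name__ == "__main__":
    print("threshold alerts:", threshold_alerts(EVENTS))
    print("profile violations:", profile_violations(EVENTS))
```

Widening the window or lowering the limit turns bob's spaced-out typos into alerts as well, which is the false-positive trade-off the section describes.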
Techniques of IDPS

1. Signature-based detection

A signature is a specific pattern in the payload. This pattern can be anything from a sequence of 1s and 0s to the number of bytes. Most malware and cyberattacks come with their own identifiable signature. Another example of a signature is something as simple as the name of the attachment in a malicious email. With signature-based detection, the IDP system maintains a database of known malware signatures. Each time new malware is encountered, this database is updated. The detection system works by checking the traffic payload against this database and alerting when there is a match.

Signature-based detection obviously cannot work if the malware isn’t previously known. It does not inspect the nature of the payload and cannot give administrators context such as the request that preceded a malicious response.

2. Anomaly-based detection

Anomaly detection builds on threshold monitoring and profiling. The ‘normal’ behavior of all users, hosts, systems, and applications is configured. Any deviation from this norm is considered an anomaly and raises an alert. For example, if an email ID generates hundreds of emails within a few hours, the chances of that email account being hacked are high. Anomaly detection is better than signature-based detection at catching new attacks that aren’t in the signature database. Creating these baseline profiles, however, takes a lot of time (the ‘training period’). Even then, the rate of false positives may be high, especially in dynamic environments.

3. Stateful protocol analysis

Anomaly detection uses host- or network-specific profiles to determine suspicious activity. Stateful protocol analysis goes one step further and uses the predefined standards of each protocol state to check for deviations. For example, the file transfer protocol (FTP) only allows logins while a session is unauthenticated. Once a session is authenticated, users can view, create, or modify files based on their permissions.
This information is part of the FTP protocol definition. The intrusion detection system checks whether these norms are met. This kind of stateful protocol analysis makes it easy to keep track of the authenticator in each session and the subsequent activity associated with that request. Stateful protocol analysis relies heavily on vendor-driven protocol definitions. Its granular nature also means that it is resource-intensive, taking up precious bandwidth while tracking simultaneous sessions.

Each of these techniques either ensures the prevention of incoming attacks or helps administrators spot security vulnerabilities in their systems. Most IDP solutions offer a combination of more than one approach.

Top 10 Best Practices of Intrusion Detection and Prevention Systems for 2022

To get the most out of an intrusion detection and prevention system, here are some best practices that organizations should follow:

(Figure: IDPS Best Practices)

1. Establish a baseline

The premise of an intrusion prevention system is normal behavior vs. unusual activity. So, what constitutes ‘normal’ needs to be discussed, documented, and configured. Establishing a baseline improves accuracy and usability; it can make or break the efficiency of the system. The baseline includes acceptable thresholds, profiles, report settings, and alert settings.

2. Define IDP requirements with all stakeholders

As with any other new system, the first step toward implementing an IDP system is to figure out the requirements and, ultimately, the final goals of the system.
These are some of the questions that must be answered before designing the IDP solution.

3. Integrate multiple IDP techniques

Each IDP technique has its benefits and drawbacks. Relying on just one to secure network traffic isn’t enough. A truly effective intrusion detection and prevention system uses a mix of these techniques. Based on the requirements, an organization may need a combination of network-based and host-based deployments. Each of these may further need to use a combination of signature-, anomaly-, and protocol-based detection techniques. This may require multiple IDPS solutions to be integrated. In such a scenario, the integration model also needs to be decided upon. Some IDP solutions directly feed information into other solutions, while others feed information into a central system such as a security information and event management (SIEM) solution.

4. Design a process to deal with false positives

No matter how much analysis goes into tuning the system, there is always room for false positives in a system like IDP. The solution must be configured so that false positives do not bring operations to a halt. The most effective mechanism is to alert the administrator of suspicious activity and wait for them to take appropriate action. This may end up becoming tedious for the admins. Prevention systems can be configured to switch to a different network or server until the problem is manually addressed.

5. Ensure optimal resource consumption

The intrusion detection and prevention system is an in-line security component. All resources consumed by the system reduce resource availability for the other operations-related components. While designing or choosing an IDP system, organizations must check the maximum volume of traffic, the number of packets monitored per second, the number of events per second, and the number of hosts that can be profiled. Remember, the more complex the solution, the more bandwidth it will require.
The IDP solution can be deployed in the same network while using a virtual management network with a virtual LAN. It can also be deployed on a separate network with additional management networks, servers, interfaces, and consoles. The trade-off between cost, efficiency, and resource consumption is a critical decision that must be made before implementing the system.

6. Run simulations regularly to fine-tune

Testing an intrusion detection and prevention system is difficult given its nature. This is why some third-party vendors offer a learning or simulation mode that allows admins to turn on the software’s detection and prevention layers. This allows them to change and fine-tune their existing settings and profiles. Regular fine-tuning drastically reduces false-positive rates.

7. Ensure up-to-date information

Signature detection relies on an updated and evolving database of known malware. Stateful protocol analysis relies on up-to-date standards from the corresponding vendor. Protocols are regularly revised and re-implemented by vendors. The protocol models and databases must be updated to reflect these changes. Patch management is also crucial in this context.

8. Create backups

A finely tuned IDP system is painstaking to achieve. This is why configuration settings must be backed up periodically. Settings and profiles also need to be backed up before applying updates to the system or making significant infrastructure changes.

9. Design a reliable and available system

Designing an intrusion prevention system isn’t just about deciding where to place the components. It is also about identifying which network segments are critical and creating a fail-proof IDP implementation there. For example, multiple sensors can be used to monitor the same activity, or even multiple management servers with backed-up configurations can be used. Usability, redundancy, and load balancing need to be considered.
Since the IDPS usually resides within the network, critical components of the system may go down along with the network. This is where deployment options need to be considered.

10. Secure all IDP components

Cybercriminals often attack IDPS components themselves, since they house configurations and known vulnerabilities. The security of these components must be part of the overall security agenda. All components must be kept up to date, with a patch management system running. IDP system users and administrators need separate accounts. Network and access restrictions must be placed on each component, and vulnerability assessments need to be scheduled.

Takeaway

MarketsandMarkets’ 2021 global forecast says that the global IDPS market size is projected to grow from $4.7 billion in 2019 to $7.1 billion by 2024, at a CAGR of 8.3%. This high market growth comes as no surprise, since an IDPS is the first step toward a fully secure digital infrastructure. It is important to consider the cost of acquisition, maintenance, and personnel while deciding on an intrusion detection and prevention system. Costs may seem steep, especially if the organization is building a security system from scratch. However, as detailed above, the benefits of a robust IDP system enormously outweigh these costs.
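The stateful protocol analysis technique described in the techniques section above (FTP permits a login only while the session is unauthenticated, and file operations only afterward) as an added example that is not part of the original article: a minimal per-session state machine over a constructed FTP control-channel log. The session ids, commands and reply lines are constructed for the illustration; the rule set follows the article's description rather than the full FTP specification.

```python
# Added example (not the article's code): a minimal stateful protocol analyzer
# for FTP control sessions. Session ids, commands and replies are constructed.

# Constructed control-channel lines: (session id, direction, text), where the
# direction is "C" for a client command and "S" for a server reply.
SESSION_LOG = [
    ("s1", "C", "USER alice"),
    ("s1", "S", "331 Password required"),
    ("s1", "C", "PASS secret"),
    ("s1", "S", "230 Login successful"),
    ("s1", "C", "LIST"),
    ("s1", "S", "150 Here comes the directory listing"),
    ("s1", "C", "USER bob"),           # a login inside an authenticated session
    ("s2", "C", "RETR report.pdf"),    # a file transfer before authenticating
    ("s2", "S", "530 Not logged in"),
    ("s3", "C", "PASS x"),             # PASS with no preceding USER
]

NEED_USER, NEED_PASS, AUTHENTICATED = "need_user", "need_pass", "authenticated"
FILE_COMMANDS = {"LIST", "NLST", "RETR", "STOR", "APPE", "DELE", "MKD", "RMD",
                 "RNFR", "RNTO", "CWD"}


def analyze_ftp(lines):
    """Return (session, state, text) for each client command that is not
    permitted in the session's current protocol state.
    The state machine advances only on the server's reply codes (331, 230,
    530), never on what the client claims, so a client cannot talk its way
    into AUTHENTICATED by sending USER/PASS alone. Multi-line replies
    ("331-...") are not handled in this small example.
    """
    state = {}
    deviations = []
    for sess, direction, text in lines:
        current = state.get(sess, NEED_USER)
        verb = text.split(" ", 1)[0].upper()
        if direction == "C":
            if verb == "USER" and current == AUTHENTICATED:
                deviations.append((sess, current, text))   # login only when unauthenticated
            elif verb == "PASS" and current != NEED_PASS:
                deviations.append((sess, current, text))   # password out of sequence
            elif verb in FILE_COMMANDS and current != AUTHENTICATED:
                deviations.append((sess, current, text))   # file access before login
        else:
            code = verb[:3]
            if code == "331" and current == NEED_USER:
                state[sess] = NEED_PASS
            elif code == "230":
                state[sess] = AUTHENTICATED
            elif code == "530":
                state[sess] = NEED_USER
    return deviations
```

Each deviation records the state the session was in, which is the context a signature match alone cannot supply; tracking that state for every concurrent session is also where the resource cost the section mentions comes from.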
What is the role of intrusion detection and intrusion prevention in the area of network security?

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) constantly watch your network, identifying possible incidents and logging information about them, stopping the incidents, and reporting them to security administrators.
Who is an intrusion detection system analyst?

An intrusion detection system (IDS) is a monitoring system that detects suspicious activities and generates alerts when they are detected. Based upon these alerts, a security operations center (SOC) analyst or incident responder can investigate the issue and take the appropriate actions to remediate the threat.
What is the role of the intrusion prevention system?

An intrusion prevention system (IPS) is a network security tool (which can be a hardware device or software) that continuously monitors a network for malicious activity and takes action to prevent it, including reporting, blocking, or dropping it, when it does occur.
Who is responsible for detecting the intrusion?

Each of these IDSs consists of two components: a detection component and a correlation manager. The detection component is responsible for inspecting the system's behavior and sending the collected data, after representing it in a standard format, to the correlation manager.