Intrusion detection technology presents a confusing array of acronyms, abstract concepts, and hazy deliverables. This exacerbates the difficult situation for executives who are asked to pay for these security goodies.
In a nutshell here are the questions and answers about everything an executive may want to know about IDS:
• What business benefits does IDS deliver?
• What is the difference between all these technologies and buzzwords?
• How do they pay for themselves?
• Why bother in the first place?
IDS is one of many complementary layers of IT security technology. Several security layers exist because no one layer can provide all the security measures itself. IDS does several things that basic firewalls, for instance, cannot do:
• Identify anomalous packet content or patterns of traffic that are different from normal for any particular company’s network.
• Identify patterns, called signatures, of malicious content within packets coming into or leaving a company’s network.
• Identify changes in the security health or “state” of corporate servers.
The business benefit IDS provides is reducing the chance of missing security threats which could compromise confidentiality, integrity, privacy, or availability of mission critical assets and processes. The return on investment calculation for IDS is predicated upon executives and asset owners identifying mission critical elements, the estimated financial loss associated with a security risk developing into a real life security event, and then comparing the lifecycle cost of IDS against the estimated financial loss associated with a breach.
An important consideration in lifecycle cost is managing and tuning out false positives generated by IDS. These activities are onerous and in my experience most network managers would rather outsource these tasks to experts.
The next issue becomes selection of the appropriate IDS technology, which basically come in two flavours: network intrusion detection (NIDS or IDS) and host intrusion detection (HIDS). These two technologies are very different. They are not redundant in what they do. They are deployed completely differently. They are complementary and cannot be substituted for one another.
Network IDS sits on the network telecommunications media such as an Ethernet network or a wireless network, and passively monitors the contents of packets of information flowing in all directions. IDS looks for types of content, types of services, volumes of services, and source and destination of traffic that shouldn’t be present and alerts upon suspicious activity. IDS does not typically examine changes over time, but alerts on suspicious events which it sees at any one point in time.
For the most effective deployment network IDS should have data collection points both on the Internet side of the corporate firewall and on the corporate network side of the corporate firewall. This allows the IDS to see traffic coming from both directions which may be blocked by yet not reported as dropped by the corporate firewall.
Host IDS is an entirely different ballgame. It has agents which reside on servers. It monitors several types of changes over time on servers which may indicate security problems. HIDS monitors the dynamic behavior and the state of a computer system and compares what it expects to see with what it actually sees. Examples of what HIDS monitors are:
• What resources each program typically accesses.
• Changes to the authentication database.
• Changes to specific regions of memory have not been modified, such as the system call table for Linux, and various vtable structures in Microsoft Windows.
• The state of a system, such as state information stored in RAM, .dll files, and in log files.
HIDS accomplishes all this by creating a database of attributes (permissions, size, modifications dates) of whatever subjects (elements) it is monitoring and does regular comparisons for changes.
Intrusion Prevention or IPS is intrusion detection plus the additional capability to actively restrict / deny access in response to a perceived security threat. This is a good feature for networks that do not change and have a very steady state of operation. Otherwise IPS can and does incorrectly interpret some bone fide business traffic as threatening and then it unnecessarily denies access to a process(es).
Why Bother?
In my opinion implementing IDS is worth investigating if business drivers merit a first look. It’s also my opinion that it’s worth doing a trial period with IDS to quantify: the numbers of high, medium, and low threats during the trial period; what subsequent mitigation steps were implemented by the company; and the potential cost of losses that may have been averted by the mitigation steps.
If the dollars show a positive ROI for IDS, then by all means it was worth the bother.
Have a secure week. Ron Lepofsky CISSP, CISM, B.A.SC. www.ere-security.ca