If you’re like most organizations, you probably deploy a baseline security of firewalls to catch attacks at the perimeter. And, you probably use an antivirus to counter attacks that make it through to endpoints.
Maybe you even add email security to help catch potential phishing attacks, or even upgrade firewalls and endpoint protection to the newest, latest editions.
But are you taking the next important step: protecting and monitoring your network traffic?
It’s a weakness attackers know all too well.
Recent vulnerabilities and publicized attacks prove that your network is a critical component of your IT environment, one that requires protection and monitoring.
Let’s take a look at one of the most well-established methods for the job: using intrusion detection systems (IDS) or intrusion prevention systems (IPS).
What are IDS and IPS?
IDS options focus on detecting specific events or changes.
Once detected, the IDS solution sends an alert to your security team with details of the event. Just like their name implies: they detect intruders.
IPS solutions also perform detection. But, for specifically defined events, an IPS can also take a pre-defined action.
For example, an IPS might add an external IP address to a firewall blacklist, intercept packets containing malware, or isolate a device from the network – all automatically.
Either way, both technologies can incorporate an antivirus-style signature-based technology to block known attacks.
Taking it a step further, more advanced solutions use anomaly detection to catch unusual behavior on your network – often enhanced using Artificial Intelligence (AI) or Machine Learning (ML).
Both IDS and IPS solutions can also be deployed as either network-based or host-based solutions.
But, since host-based solutions overlap heavily with endpoint protection, we’ll focus on network-based solutions from here.
IDS & IPS Deployment
Deploying an intrusion detection system can be very simple, since the IDS only needs to receive a copy of the network traffic.
Intrusion prevention systems, by contrast, must sit in-line and receive all network traffic in order to intercept malicious packets.
Though historically, IDS and IPS solutions have been sold as physical appliances, software solutions and virtual appliances have become more popular in recent years.
In today’s environment, the most common deployment involves adding IDS or IPS functions to Next Generation Firewalls (NGFWs), or to advanced networking equipment.
Level Up IDS or IPS
IDS and IPS solutions both provide valuable information to your security team when monitoring an environment.
But what if you could take that confidence to the next level?
Alerts from these systems become even more valuable when they feed into a Security Information and Event Management (SIEM) platform or a Security Operations Center (SOC).
SOCs and SIEMs place IDS/IPS alerts into context with other alerts from endpoints, firewalls, servers, and cloud resources, in order to create a more comprehensive picture of your organization’s security status.
Using these clues, security teams can analyze alerts more quickly, trace events more thoroughly, and catch attackers faster.
Limitations, Cautions, and Work-arounds
While powerful, IDS and IPS solutions do have limitations. For example, if the traffic doesn’t flow through an IPS, it can’t protect that traffic.
But, there are other circumstances as well.
Many IT architectures establish a firewall enhanced with IDS or IPS as a strong perimeter defense.
But, during the pandemic, many companies adopted cloud-based SaaS tools such as Zoom, Dropbox, Office 365, or Google Docs that can be accessed directly. Unfortunately, traffic to those services bypasses the robust perimeter protection businesses wanted in the first place.
Some companies try to maintain control by routing network traffic through congested and vulnerable VPNs. But, many employees bypass these in search of simplicity or a faster connection.
A more efficient solution may be to adopt a cloud-based IDS/IPS or Gateway solution that captures all user traffic – regardless of origin or destination.
Another limitation is encryption: if the traffic cannot be analyzed, the IDS or IPS will not recognize events that should trigger alerts.
Many older firewalls can’t inspect encrypted traffic. But websites now use encrypted TLS/SSL connections, companies use encrypted email, and even some malware uses encryption to hide its activities.
To help with this, you’ll want to consider upgrading to next-generation firewalls that can decrypt traffic for analysis.
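The following is an added example, not code from the article or from any IDS/IPS vendor. It illustrates two points from this post: the IDS-versus-IPS distinction from the "What are IDS and IPS?" section (the same sensor either only alerts or also blocks the source), and the encryption limitation just described (the sensor misses the same signature once the payload is encrypted, unless it can decrypt like an NGFW). The signature, the packets and the XOR "encryption" are all constructed for the demo.

```python
# Added example, not from the article or any vendor: a toy signature sensor that
# runs as an IDS (alert only) or an IPS (alert and block the source), and shows
# why a sensor that cannot decrypt TLS misses the same signature in encrypted traffic.
from dataclasses import dataclass, field

SIGNATURES = {  # constructed: byte patterns a network sensor might match on
    "scanner-user-agent": b"User-Agent: Nikto",
}

def toy_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    """XOR stand-in for TLS; symmetric, so it also serves as the decrypt step."""
    return bytes(b ^ key for b in data)

@dataclass
class Packet:
    src: str
    payload: bytes
    tls: bool = False           # True: payload is ciphertext

@dataclass
class Sensor:
    mode: str = "ids"           # "ids": alert only; "ips": alert and block the source
    decrypt: object = None      # an NGFW-style sensor supplies a TLS decrypt function
    alerts: list = field(default_factory=list)
    blocklist: set = field(default_factory=set)

    def inspect(self, pkt: Packet) -> str:
        """Verdict for one packet: 'forward', 'alert' or 'drop'."""
        if pkt.src in self.blocklist:                # IPS: an earlier block still applies
            return "drop"
        data = self.decrypt(pkt.payload) if pkt.tls and self.decrypt else pkt.payload
        for name, pattern in SIGNATURES.items():
            if pattern in data:
                self.alerts.append((name, pkt.src))
                if self.mode == "ips":
                    self.blocklist.add(pkt.src)
                    return "drop"
                return "alert"                       # IDS saw only a copy; packet already passed
        return "forward"

def run_stream(mode: str, decrypt=None):
    """Feed a constructed packet stream through one sensor; report what it did."""
    probe = b"GET /admin HTTP/1.1\r\nUser-Agent: Nikto\r\n"
    stream = [
        Packet("10.0.0.5", b"GET / HTTP/1.1\r\nHost: intranet\r\n"),       # benign
        Packet("198.51.100.7", probe),                                   # plaintext scan
        Packet("198.51.100.7", b"GET /login HTTP/1.1\r\n"),              # same source, benign
        Packet("198.51.100.9", toy_encrypt(probe), tls=True),            # same scan over TLS
    ]
    sensor = Sensor(mode=mode, decrypt=decrypt)
    verdicts = [sensor.inspect(p) for p in stream]
    return verdicts, [a[0] for a in sensor.alerts], sorted(sensor.blocklist)
```

Running `run_stream("ids")`, `run_stream("ips")` and `run_stream("ips", decrypt=toy_encrypt)` shows the IDS alerting but passing everything, the IPS dropping the scanner and its later packets, and only the decrypting sensor catching the scan inside the encrypted session.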
Most critically, if your security team is overwhelmed, more alerts simply don’t help.
Attempts to strengthen security using IDS or IPS tools need to account for the bandwidth and capabilities of your monitoring security team.
In a prime example, Ireland’s Health Service Executive received alerts detecting the use of hacking tools over a month before the Conti ransomware was triggered, and yet it made no difference: the security team simply couldn’t respond to the alerts in time.
The Takeaways
It’s hard staying on top of every flaw and vulnerability.
But, IDS and IPS solutions are a great way to stay alert to attacks, sometimes even stopping them before they start.
It’s all about balancing the bandwidth of your team against the alerts and abilities of IDS and IPS.
Outsourcing can address these limitations, while freeing up teams for additional tasks.
Engaging outside experts can also help to rapidly assess technology options and enable quick installations.
For help in investigating options for upgrading security, contact Blue Bastion at 412-349-6680 or fill out the form below. Our experts will provide a no-obligation consultation regarding technology, cybersecurity monitoring, and more.