Stay Secure With These Intrusion Detection and Protection Techniques

by Sarah Harvey / March 5th, 2020

Does your organization have robust processes and procedures in place to identify and contain threats in your environment? Are you confident that these processes can prevent security incidents and data breaches caused by common attack methods like malware, ransomware, DoS attacks, phishing attacks, and more?

Establishing a strong intrusion detection and prevention system (IDPS) – although they are sometimes separately referred to as intrusion detection systems (IDS) and intrusion prevention systems (IPS) – is a core component to any cybersecurity strategy.

Why is that?

First, let’s take a look at what an intrusion detection and prevention system is, and then we’ll discuss what type of intrusion detection and prevention system your organization should consider using.

What is an Intrusion Detection and Prevention System?

An Intrusion Detection and Prevention System (IDPS) monitors network traffic for indications of an attack, alerting administrators to possible attacks. IDPS solutions monitor traffic for patterns that match with known attacks. Traditionally, they used signature-based or statistical anomaly detection methods, but IDPS increasingly leverages machine learning technologies to process vast amounts of data and identify threats that signature and anomaly detection would miss.

IDPS solutions are usually deployed behind an organization’s firewall to identify threats that pass through the network’s first line of defense. Typically, an intrusion detection and prevention system accomplishes this by using a device or software to gather, log, detect, and prevent suspicious activity.

What Type of Intrusion Detection and Prevention System Do You Need?

When determining which type of intrusion detection and prevention system your organization should use, you’ll need to consider factors like the characteristics of the network environment, the goals and objectives for using an IDPS, and current organization security policies. Ultimately, there are two types of IDS/IPS: network-based and host-based. A network-based IDPS runs on network segments, including wireless or any other network that is selected. A host-based IDPS, on the other hand, runs on servers. The four common types of IDPS, as defined by NIST, include the following:

Network-Based IDPS: This type of IDPS monitors network traffic for specific network segments and devices. It analyzes the network and application protocol activity to identify suspicious and abnormal activity.
Wireless IDPS: This IDPS is a sub-type of network-based IDPS. It monitors wireless network traffic and analyzes it to identify suspicious activity involving networking protocols.
Network Behavior Analysis (NBA) System: This IDPS is a sub-type of network-based IDPS. It is used to examine network traffic in order to identify threats that generate unusual traffic flows (i.e. malware, DDoS attacks, and policy violations).
Host-Based IDPS: This IDPS is used to monitor the characteristics of a single host and the events occurring within that host for suspicious activity.

Should You Use Multiple Types of IDPS Technologies?

Many businesses today have complex environments, making it a necessity to deploy more than one type of intrusion detection and prevention system. However, before implementing multiple types of IDPS technologies, it’s necessary to fully evaluate the needs of your organization. In theory, using multiple types of IDPS technologies can only lead to a more secure environment, but if they’re implemented incorrectly, there could be detrimental consequences.

What Type of Detection Should Your IDPS Use?

After you’ve determined which type of intrusion and detection system your organization should utilize, you’ll need to determine which detection method is right for you. Each type of intrusion detection and prevention system listed above, regardless if they’re network-based or host-based, has detection capabilities with one or more of the following:

Signature-based: The signature-based IDS is used to match the signatures of known attacks that have already been stored in your database to detect attacks on your network.
Anomaly-based: The anomaly-based IDS method identifies abnormal behavior in your organization’s network.
Protocol-based: The protocol-based IDS method monitors and analyzes protocols used by the computing system.

Regardless of which type of intrusion and detection system your organization uses, they are a vital component of your cybersecurity strategy. To mitigate the advancing threats all organizations are faced with, having a robust IDPS in place is a must. If you’re looking for advice on how you can better implement an intrusion detection and prevention system in your environment, let’s chat about how KirkpatrickPrice can partner with you to ensure the security of your business.