An intrusion detection and prevention system (IDPS) is a network monitoring strategy that works by both passively monitoring traffic and actively blocking suspicious or malicious behavior once it is flagged.
In its detection role, an IDPS is a visibility tool. It consists of a management console and sensors: the sensors sit out of band (on a SPAN port or network tap) watching a copy of the traffic, and when a sensor encounters activity matching a previously recorded attack signature it reports that activity to the console. To block traffic as well as report it, the sensor must be deployed inline, in the path of the traffic, so that it can drop or reset a connection before it reaches its destination.
That reliance on known attack signatures is the key difference between an IDPS and a managed detection and response (MDR) program, two strategies that can look similar on the surface. An IDPS detects known attack signatures and can quickly match current activity against a past attack. One of the primary functions of an MDR program is to detect new or unknown types of attacks and respond with countermeasures to those novel threats.
In terms of scope, an IDPS watches traffic across whole networks of linked endpoints and systems. It takes a macro view, which suits enterprise-wide intrusions carried out by organized threat groups. Antivirus works at the file level: it checks each file on a host against known malware, verifying that the file should be there at all, and quarantines it if not.
IDPS systems can look and act differently in subtle ways, depending on the end use of the telemetry gathered. Here is how the National Institute of Standards and Technology (Special Publication 800-94, Guide to Intrusion Detection and Prevention Systems) describes the four main classes of IDPS:
A network-based IDPS monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious events. It can identify many different types of events, and is most commonly deployed at a boundary between networks, near key devices such as firewalls, routers, or remote access servers.
A host-based IDPS monitors characteristics of a single host, and the events occurring within that host, for suspicious activity. This includes monitoring the host's network traffic, system logs, running processes, application activity, file access and modification, and system and application configuration changes. Host-based IDPSs are most commonly deployed on critical hosts, such as publicly accessible servers and servers holding sensitive data.
A wireless IDPS monitors wireless network traffic and analyzes the wireless networking protocols themselves to identify suspicious activity. It cannot identify suspicious activity in the application or higher-layer network protocols (such as TCP or UDP) that the wireless traffic carries. It is most commonly deployed within range of an organization's wireless network, but can also be placed where unauthorized wireless networking might be occurring.
A network behavior analysis (NBA) system examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations. NBA systems are most often deployed to monitor flows on an organization's internal networks, and can also monitor flows between the organization's network and external networks.
What are the inner workings of an IDPS? The list below is not exhaustive, but it covers the main detection techniques an IDPS can apply when it sees suspicious activity.
Heuristic detection identifies malicious code by the behavior it exhibits rather than by exact byte patterns in the code. It watches how the code runs and judges it dangerous against a richer set of rules than a single signature can express, which lets it catch variants that a pattern match would miss.
Statistical anomaly detection builds a baseline of normal activity from logs and traffic (request rates, connection counts, bytes transferred, active hours) and flags events that deviate from it by more than a chosen threshold. Because the baseline describes what "normal" looks like rather than what a specific attack looks like, anomalous events can be detected sooner and response plans put into action faster.
Stateful protocol analysis is at the core of the third technique: the IDPS compares observed activity against a profile of how each application-layer protocol (HTTP, SMTP, FTP and so on) is supposed to behave, tracking the state of every session so that malformed, out-of-order, or oversized commands stand out. The goal is to catch protocol anomalies and deny the offending session.
User behavior analytics applies context to network events with the goal of detecting compromised credentials, lateral movement, and other malicious behavior. It focuses on how users and accounts behave on the network (which hosts they log in to, from where, and when) rather than on static threat indicators.
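The following is an added example, not code from the original page or from any Rapid7 product: a miniature IDPS engine that applies four of the techniques described above (signature matching, stateful protocol analysis, statistical anomaly detection, and user behavior analytics) to constructed telemetry and returns alerts with a prevention action. The events, signatures, baselines and thresholds are all made up for illustration. Note that the flood of requests from 203.0.113.9 carries a payload no signature knows about, so the signature pass never sees it; only the rate baseline does, which is the blind spot the best-practice advice on updating signatures is about.

```python
# Added illustrative example; not from the original page or any product.
import statistics
from collections import Counter, defaultdict

# Constructed sample telemetry (not real traffic). 203.0.113.9 is the attacker.
HTTP_REQUESTS = (
    [{"src": "10.0.0.5", "path": "/index.html"}] * 12
    + [{"src": "10.0.0.6", "path": "/about.html"}] * 9
    + [{"src": "10.0.0.7", "path": "/search?q=printers"}] * 11
    + [{"src": "203.0.113.9", "path": "/cgi-bin/../../etc/passwd"}]
    + [{"src": "203.0.113.9", "path": "/api/v1/items?id=1' OR 1=1--"}]
    # 80 requests with a payload that matches no signature below
    + [{"src": "203.0.113.9", "path": "/api/v1/export?fmt=%7B%7Bnew%7D%7D"}] * 80
)
SMTP_COMMANDS = ["EHLO mail.example", "MAIL FROM:<a@example>",
                 "DATA", "RCPT TO:<b@example>"]   # DATA before RCPT is illegal
LOGINS = [("alice", "ws-01"), ("alice", "ws-01"), ("bob", "ws-02"),
          ("alice", "srv-db01"), ("alice", "srv-dc01"), ("alice", "srv-fs01")]
# Constructed baselines that would normally be learned from known-good traffic.
BASELINE_RATE = {"mean": 10.0, "stdev": 3.0}     # requests per source per window
BASELINE_HOSTS = {"alice": {"ws-01"}, "bob": {"ws-02"}}

# 1. Signature-based detection: exact known patterns only.
SIGNATURES = {"directory-traversal": "../", "sqli-tautology": "' OR 1=1"}

def signature_alerts(requests):
    alerts = []
    for r in requests:
        for name, pattern in SIGNATURES.items():
            if pattern in r["path"]:
                alerts.append({"technique": "signature", "name": name,
                               "subject": r["src"], "action": "block_source"})
    return alerts

# 2. Stateful protocol analysis: a legal SMTP session is
#    EHLO/HELO -> MAIL -> RCPT (one or more) -> DATA. Track the session
#    state and flag the first command that is not allowed from that state.
SMTP_ALLOWED = {"init": {"EHLO", "HELO"}, "greeted": {"MAIL"},
                "mail": {"RCPT"}, "rcpt": {"RCPT", "DATA"}}
SMTP_NEXT = {"EHLO": "greeted", "HELO": "greeted", "MAIL": "mail",
             "RCPT": "rcpt", "DATA": "data"}

def protocol_alerts(commands, src):
    state, alerts = "init", []
    for line in commands:
        verb = line.split()[0].upper()
        if verb not in SMTP_ALLOWED.get(state, set()):
            alerts.append({"technique": "stateful-protocol",
                           "name": f"{verb} not valid in state {state}",
                           "subject": src, "action": "terminate_session"})
            break
        state = SMTP_NEXT[verb]
    return alerts

# 3. Statistical anomaly detection: z-score of each source's request count
#    against the learned per-source baseline; flag anything beyond threshold.
def rate_anomalies(requests, baseline, z_threshold=3.0):
    counts = Counter(r["src"] for r in requests)
    alerts = []
    for src, n in counts.items():
        z = (n - baseline["mean"]) / baseline["stdev"]
        if z > z_threshold:
            alerts.append({"technique": "statistical-anomaly",
                           "name": f"request rate z={z:.1f}",
                           "subject": src, "action": "rate_limit_source"})
    return alerts

# 4. User behavior analytics: an account touching several hosts it has never
#    used before is a lateral-movement indicator, whatever the traffic looks like.
def behavior_alerts(logins, baseline, new_host_limit=2):
    seen = defaultdict(set)
    for user, host in logins:
        seen[user].add(host)
    alerts = []
    for user, hosts in seen.items():
        new_hosts = sorted(hosts - baseline.get(user, set()))
        if len(new_hosts) >= new_host_limit:
            alerts.append({"technique": "user-behavior",
                           "name": "possible lateral movement",
                           "subject": user, "action": "require_mfa_and_alert",
                           "detail": new_hosts})
    return alerts

def run_engine():
    """Run all four techniques over the constructed telemetry."""
    return (signature_alerts(HTTP_REQUESTS)
            + protocol_alerts(SMTP_COMMANDS, "192.0.2.44")
            + rate_anomalies(HTTP_REQUESTS, BASELINE_RATE)
            + behavior_alerts(LOGINS, BASELINE_HOSTS))

if __name__ == "__main__":
    for a in run_engine():
        print(a)
```

Each function returns alerts rather than acting on them, so the same engine can run in detection-only mode (log to the console) or prevention mode (hand the action to an inline sensor or firewall). The statistics module is used only for consistency with a real implementation that would fit the baseline from history; here the baseline is supplied directly.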
Detection and response methodologies are clearly required to stop ever-evolving threats and breaches. However, prevention can cut off what would otherwise become a much bigger problem for a security organization. Prevention techniques fall into three groups: stopping an in-progress attack (terminating the session, or blocking the offending user account or IP address), changing the security environment (for example, reconfiguring a firewall or router to block the source), and altering the content of the attack itself (such as stripping a malicious attachment from an email or normalizing a malformed request) so that it cannot have its intended effect.
To run an IDPS cleanly, it is a good idea to follow some established best practices when standing up an intrusion detection and prevention system.
Start with a network and vulnerability assessment. This allows security teams to manage and patch the vulnerabilities that pose real risk to the network, reducing the chance of a breach. The assessment also defines what a vulnerability looks like on this particular network and gives visibility into its overall structure, so analysts can define what "good" looks like before tuning the IDPS against it.
Signature-based detection only knows what it has been told: it compares observed activity against patterns of attacks that have already been seen, so it is poor at detecting unknown attacks. That makes it important to update signatures regularly, and to review the rules that encode each of the organization's network security objectives, so that the detection set keeps pace with the threats it is meant to catch.
Firewalls and IDPS sensors generate much of the data that a security information and event management (SIEM) system analyzes. This data comes in the form of logs, network traffic, and alerts. Correlating it in the SIEM helps build a picture of what healthy network behavior looks like, which in turn improves the baselines the IDPS relies on.
Remaining in compliance with both internal and external policies (for example, government-mandated requirements) is critical to network health. Scheduling regular network assessments and audits helps ensure compliance with secure configurations, password policies, and access control requirements. Assessing network security against internally constructed benchmarks also helps mitigate threats.