IDS Best Practices
In network security, no other tool is as valuable as intrusion detection. The ability to locate and identify malicious activity on your network by examining network traffic in real time gives you visibility unrivaled by any other detective control.
First, be sure you are using the right tool for the right job. IDS is available in network and host forms. Host intrusion detection is installed as an agent on a machine you wish to protect and monitor. Network IDS examines the traffic between hosts, looking for patterns, or signatures, of nefarious behavior.
Let’s examine some best practices for Network IDS:
- Baselining or Profiling normal network behavior is a key process for IDS deployment. Every environment is different and determining what’s “normal” for your network allows you to focus better on anomalous and potentially malicious behavior. This saves time and brings real threats to the surface for remediation.
- Placement of the IDS device is an important consideration. Most often it is deployed behind the firewall on the edge of your network. This gives the highest visibility but it also excludes traffic that occurs between hosts. The right approach is determined by your available resources. Start with the highest point of visibility and work down into your network.
- Consider having multiple IDS installations to cover traffic between hosts.
- Properly size your IDS installation by examining the amount of data that is flowing in BOTH directions at the area you wish to tap or examine. Add overhead for future expansion.
- False positives occur when your IDS alerts you to activity that you know is innocuous.
- An improperly tuned IDS will generate an overwhelming number of False Positives. Establishing a policy that removes known False Positives will save time in future investigations and prevent unwarranted escalations.
- Asset inventory and information go hand in hand with IDS. Knowing the role, function, and vulnerabilities of an asset will add valuable context to your investigations.
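The false-positive policy and asset-context points above can be combined in one triage step. The sketch below is an added example, not code from AlienVault or USM: it drops alerts that match a narrowly scoped suppression rule and enriches the rest with asset role. The field names, signature IDs, addresses and the expiry field on each rule are assumptions, and all sample data is constructed.

```python
import ipaddress
from datetime import date

# Constructed asset inventory: IP -> role and criticality (assumed fields).
ASSETS = {
    "10.0.5.10": {"role": "vulnerability scanner", "critical": False},
    "10.0.1.20": {"role": "payroll database", "critical": True},
}

# Constructed suppression policy. Each rule is scoped to one signature and one
# source range, records why it exists, and expires so it gets re-reviewed.
SUPPRESSIONS = [
    {"sid": 2001, "src": "10.0.5.10/32", "reason": "authorized weekly scan",
     "expires": date(2030, 1, 1)},
    {"sid": 2002, "src": "10.0.9.0/24", "reason": "legacy backup job",
     "expires": date(2020, 1, 1)},
]

def is_suppressed(alert, rules, today):
    """True if an unexpired rule matches the alert's signature and source."""
    src = ipaddress.ip_address(alert["src"])
    return any(rule["sid"] == alert["sid"]
               and src in ipaddress.ip_network(rule["src"])
               and today <= rule["expires"] for rule in rules)

def triage(alerts, rules=SUPPRESSIONS, assets=ASSETS, today=None):
    """Drop known false positives, enrich the rest, critical assets first."""
    today = today or date.today()
    kept = []
    for alert in alerts:
        if is_suppressed(alert, rules, today):
            continue
        asset = assets.get(alert["dst"], {"role": "unknown", "critical": False})
        kept.append({**alert, "dst_role": asset["role"],
                     "dst_critical": asset["critical"]})
    return sorted(kept, key=lambda a: not a["dst_critical"])

# Constructed sample alerts.
SAMPLE_ALERTS = [
    {"sid": 2001, "src": "10.0.5.10", "dst": "10.0.1.20"},  # scanner: suppressed
    {"sid": 2001, "src": "10.0.7.77", "dst": "10.0.1.20"},  # other source: kept
    {"sid": 2002, "src": "10.0.9.4", "dst": "10.0.3.3"},    # rule expired: kept
]

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS, today=date(2025, 1, 1)))
```

Scoping each rule to a signature and a source keeps the same signature alerting when it fires from any other host.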
Best practices for Host IDS:
- The defaults are not enough.
- The defaults for HIDS usually only monitor changes to the basic operating system files. They may not have awareness of applications you have installed or proprietary data you wish to safeguard.
- Define what critical data resides on your assets and create policies to detect changes in that data.
- If your company uses custom applications, be sure to include the logs for them in your HIDS configuration.
- As with Network IDS, removing the occurrence of False Positives is critical.
Best practices for Wireless IDS (WIDS):
- Like physical network detection, placement of WIDS is also paramount.
- Placement should be within the range of existing wireless signals.
- Record and inventory existing Access Point names and whitelist them.
AlienVault Unified Security Management (USM) includes built-in network, host and wireless IDSs. In addition to IDS, USM also includes Security Information and Event Management (SIEM), vulnerability management, behavioral network monitoring, asset discovery and more. Please download USM here to see for yourself.