Intrusion Detection Systems (IDS) explained
What is an IDS?
An intrusion detection system (IDS) is a software application or device that monitors network traffic for anomalous patterns. These patterns indicate potentially suspicious activity. An IDS also monitors for violations of established network policy (like the transmission of unusually large amounts of data). Upon detecting anomalies or violations, the IDS has two possible responses.
1. Send alerts – Passive IDS solutions respond by raising alerts through email or text. They may also notify a security information and event management (SIEM) system. A SIEM will correlate the event with other security events to help determine if this is an issue or not.
2. Defensive action – An active IDS, also known as an intrusion prevention system (IPS), not only sends alerts but also has extra security features. These features give active IDS solutions the ability to (1) modify access control lists on firewalls to block the suspicious traffic, (2) kill processes on the internal system involved in the communications, or (3) redirect traffic to a honeypot to further assess the threat.
Types of intrusion detection system solutions
Network intrusion detection system (NIDS) – Sensors are deployed at strategic points within the network (such as within the DMZ or at a network’s perimeter). The sensors can monitor individual packets of inbound and outbound traffic to and from all the devices on the network, analyzing them for malicious activity. Depending on the network architecture and amount of traffic involved, multiple instances of NIDS may be necessary.
Host intrusion detection systems (HIDS) – An agent runs on all servers, endpoints, and devices in the network that have access to both the internet and the internal network. Intrusions are identified by analyzing operating-system-specific activities (like modification of the file system, registry, or access control lists) and by monitoring system and application logs. HIDS augment NIDS by detecting anomalous traffic that originates within the organization or from the host being monitored. For example, a host infected with malware that is attempting to spread to other internal hosts is an issue that a NIDS could fail to detect.
Cloud-based intrusion detection system (CBIDS) – Because of the internet-facing nature of the cloud, on-premises IDS solutions are not necessarily optimized for monitoring the cloud. For example, NIDS sensors need to be deployed within the cloud – at an environment’s network perimeter – and yet a cloud service provider (CSP) may not have a way to facilitate this. CBIDS use purpose-built cloud sensors that rely on the CSP’s application programming interfaces (APIs) to get as much visibility as possible into your cloud environment.
Methods of intrusion detection
Signature-based detection – Similar to signature-based antivirus, all packets sent across the network are analyzed for known patterns and compared against a database of malicious signatures.
Anomaly-based detection – Network traffic is first baselined to establish what is considered normal behavior for the network. Bandwidth consumed, protocols and ports used, and IP addresses normally communicating with each other are all part of the baseline model. Current network traffic is compared against the baseline to detect deviations. In some cases, deviations are rule-based, but more IDS vendors are turning to machine learning-based methods of detection.
Reputation-based detection – Communications with internet-based hosts are monitored. The external host’s IP address and DNS name are compared against a reputation database of potentially malicious hosts. External hosts with low reputation scores can be blocked from connecting with your network.
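The three methods above, as a small added example that is not part of the original article or of any IDS product. The flow records, the signature database and the reputation list are constructed inline; the anomaly rule (a z-score on bytes sent per host) is one simple instance of the rule-based deviation check the text mentions.

```python
"""Minimal demonstration of the three detection methods described above.
Added example: it is not code from the article or from any IDS product.
Flow records, signatures and the reputation list are all constructed here."""
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Flow:
    src: str        # internal host
    dst: str        # external peer
    nbytes: int     # bytes sent by src in this flow
    payload: bytes  # leading bytes of the application payload

# Constructed signature database: rule name -> byte pattern from known-bad traffic.
SIGNATURES = {"sqli-probe": b"' OR 1=1", "path-traversal": b"../../etc/passwd"}
# Constructed reputation database: external IP -> score (0 = worst, 100 = clean).
REPUTATION = {"203.0.113.9": 5, "198.51.100.7": 95}
REPUTATION_THRESHOLD = 20

def signature_alerts(flow: Flow) -> list[str]:
    """Signature-based: compare the payload against every known pattern."""
    return [name for name, pat in SIGNATURES.items() if pat in flow.payload]

def build_baseline(history: list[Flow]) -> dict[str, tuple[float, float]]:
    """Anomaly-based, step 1: per-host mean and standard deviation of bytes sent."""
    per_host: dict[str, list[int]] = {}
    for f in history:
        per_host.setdefault(f.src, []).append(f.nbytes)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}

def anomaly_alert(flow: Flow, baseline: dict, z_threshold: float = 3.0) -> bool:
    """Anomaly-based, step 2: flag a flow whose size deviates more than z_threshold
    standard deviations from its host's baseline; an unseen host is itself a deviation."""
    if flow.src not in baseline:
        return True
    mu, sigma = baseline[flow.src]
    return abs(flow.nbytes - mu) > z_threshold * max(sigma, 1.0)

def reputation_alert(flow: Flow) -> bool:
    """Reputation-based: alert (or block) when the peer scores below the threshold."""
    return REPUTATION.get(flow.dst, 100) < REPUTATION_THRESHOLD

def inspect(flow: Flow, baseline: dict) -> dict:
    """Run all three methods on one flow and return the verdicts."""
    return {"signature": signature_alerts(flow),
            "anomaly": anomaly_alert(flow, baseline),
            "reputation": reputation_alert(flow)}
```

A real sensor would feed `build_baseline` from days of traffic and tune the threshold per segment; a baseline this small is only there to make the deviation visible.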
Capabilities of intrusion detection systems
Security teams use one or more of the following IDS capabilities to detect potential intrusion:
Deep packet inspection – Network traffic is inspected in detail and is used in conjunction with signature-based detection. This level of inspection requires encrypted network traffic to be decrypted first.
File integrity monitoring – Data files on critical endpoints and servers are monitored for changes, which may indicate malware is being installed or security configurations are being modified.
System call monitoring – Applications, processes, and system libraries can be monitored to determine if activity is sanctioned or not.
Configuration monitoring – Agents can be used to monitor the configuration of specific systems, watching for changes that may alter the networking or security state of the system.
User-friendly data parsing – The details about the state of the network traffic and system are almost always compiled in a format that’s difficult to decipher. IDS solutions parse this data to provide IT and security teams with intelligible information that can be easily understood.
Data visualization – Transforming data into visual elements in an intuitive user interface helps both experienced IT professionals and those without expertise to manage system security and make intelligent decisions.
Signature database – Many vendors offer an extensive signature database of malware and other attacks that can be used by the IDS solution to find threatening activity.
Notifications – Email, text, and event log-based alerts go to IT and security teams, informing them of potential, attempted, or in-progress malware infections, cyberattacks, and data breaches.
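File integrity monitoring as described above, as an added example that is not the article's or any product's code: it snapshots SHA-256 digests of a directory tree and reports added, removed and modified files. The file names and the simulated tampering are constructed inline.

```python
"""File integrity monitoring of the kind the HIDS capability above describes.
Added example, not code from the article or any product: it snapshots SHA-256
digests of a directory tree and reports added, removed and modified files."""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def snapshot(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root) to its SHA-256 hex digest."""
    digests: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Classify every change. A changed digest means the content changed even if
    size and mtime were preserved, so the comparison never relies on timestamps."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny config tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "conf").mkdir()
        (root / "conf" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "conf" / "hosts").write_text("127.0.0.1 localhost\n")
        before = snapshot(root)
        # Simulated tampering: a setting weakened, a file removed, a file planted.
        (root / "conf" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "conf" / "hosts").unlink()
        (root / "conf" / "extra.conf").write_text("unexpected content\n")
        return diff_snapshots(before, snapshot(root))
```

In a deployed agent the baseline would be stored outside the monitored host (or signed), since an attacker with write access to the files can also rewrite a locally kept digest list.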
Introducing threat detection and response solutions
Managed Threat Detection and Response is built on an award-winning unified security management (USM) platform, which combines the essential security capabilities needed for effective threat detection and response in a single pane of glass. Key capabilities include asset discovery, vulnerability assessment, network intrusion detection (NIDS), endpoint detection and response (EDR), and SIEM event correlation and log management.
Our USM platform, which can either be managed in-house or by our team, is fueled with continuously updated threat intelligence from LevelBlue Labs, ensuring that your defenses are able to detect emerging and evolving threats. LevelBlue Labs, our threat intelligence unit, produces timely threat intelligence that is integrated directly into the USM platform in the form of correlation rules and other higher-order detections to automate threat detection.