What is an intrusion detection system (IDS)? A valued capability with serious management challenges
- 19 February, 2018 22:00
An intrusion detection system, or IDS, monitors traffic moving on networks and through systems to search for suspicious activity and known threats, sending up alerts when it finds such items.
Enterprise IT departments deploy intrusion detection systems to gain visibility into potentially malicious activities happening within their technology environments.
“The overall purpose of an IDS is to inform IT personnel that a network intrusion may be taking place. Alerting information will generally include information about the source address of the intrusion, the target/victim address, and type of attack that is suspected,” said Brian Rexroad, vice president of security platforms for AT&T.
Each IDS is programmed to analyze traffic and identify patterns in that traffic that may indicate a cyberattack of various sorts.
An IDS can identify “traffic that could be considered universally malicious or noteworthy,” explained Judy Novak, a senior instructor with the cybersecurity training institute SANS and author of SANS SEC503: Intrusion Detection In-Depth, such as a phishing attack link that downloads malicious software. Additionally, an IDS can detect traffic that’s problematic to specific software; so it would alert IT if it detects a known attack against the Firefox browsers in use at a company (but should not alert if the company uses a different browser).
Types of IDSs
Intrusion detection systems can be broken into two broad categories: host-based IDSs and network-based IDSs; those two categories speak to where sensors for the intrusion detection software are placed (a host/endpoint or a network).
Some experts segment the market even further, also listing perimeter IDSs, VM-based IDSs, stack-based IDSs, signature-based IDSs and anomaly-based IDSs (with similar abbreviations corresponding to the IDS’ descriptive prefixes).
Whatever the type, analysts said the technology generally works the same, with the system designed to detect intrusions at the points where the sensors are place and to alert security analysts to its finding.
How does an IDS work?
Intrusion detection is a passive technology; it detects and acknowledges a problem but interrupt the flow of network traffic, Novak said. “As mentioned, the purpose is to find and alert on noteworthy traffic. An alert informs the IDS analyst that some interesting traffic has been observed. But it is after-the-fact because the traffic is not blocked or stopped in any way from reaching its destination.”
Compare that to firewalls that block out known malware and intrusion prevention system (IPS) technology, which as the name describes, also blocks malicious traffic.
IDS in the modern enterprise
Although an IDS doesn’t stop malware, cybersecurity experts said the technology still has a place in the modern enterprise.
“The functionality of what it does is still critically important,” said Eric Hanselman, chief analyst with 451 Research. “The IDS piece itself is still relevant because at its core it’s detecting an active attack.”
However, cybersecurity experts said organizations usually don’t buy and implement IDS as a standalone solution as they once did. Rather, they buy a suite of security capabilities or a security platform that has intrusion detection as one of many built-in capabilities.
Rob Clyde, board of directors vice chair ISACA, an association for IT governance professionals, and executive chair for the board at White Cloud Security Inc., agreed that intrusion detection is still a critical capability. But he said companies need to understand that an intrusion detection system requires maintenance and consider whether, and how, they’ll support an IDS if they opt for it.
“Once you’ve gone down the path to say we’re going to keep track of what’s going on in our environment, you need someone to respond to alerts and incidents. Otherwise, why bother?” he said.
Given the work an intrusion detection system takes, he said smaller-size companies should have the capability but only as part of a larger suite of functions so they’re not managing the IDS in addition to other standalone solutions. They should also consider working with a managed security service provider for their overall security requirements, as the provider due to scale can more efficiently respond to alerts. “They’ll use machine learning or maybe AI and human effort to alert your staff to an incident or intrusion you truly have to worry about,” he said.
“And at mid-size and larger companies, where you really need to know if someone is inside the network, you do want to have the additional layer, or additional layers, than just what’s built into your firewall,” he said.
3 challenges of managing an IDS
IDSs do have several recognized management challenges that may be more work than an organization is willing or able to take on.
False positives (i.e., generating alerts when there is no real problem). “IDSs are notorious for generating false positives,” Rexroad said, adding that alerts are generally are sent to a secondary analysis platform to help contend with this challenge.
This challenge also puts pressure on IT teams to continually update their IDSs with the right information to detect legitimate threats and to distinguish those real threats from allowable traffic.
It’s no small task, experts said.
“IDS systems must be tuned by IT administrators to analyze the proper context and reduce false-positives. For example, there is little benefit to analyzing and providing alerts on internet activity for a server that is protected against known attacks. This would generate thousands of irrelevant alarms at the expense of raising meaningful alarms. Similarly, there are circumstances where perfectly valid activities may generate false alarms simply as a matter of probability,” Rexroad said, noting that organizations often opt for a secondary analysis platform, such as a Security Incident & Event Management (SIEM) platform, to help with investigating alerts.
Staffing. Given the requirement for understanding context, an enterprise has to be ready to make any IDS fit its own unique needs, experts advised.
“What this means is that an IDS cannot be a one-size-fits all configuration to operate accurately and effectively. And, this requires a savvy IDS analyst to tailor the IDS for the interests and needs of a given site. And, knowledgeable trained system analysts are scarce,” Novak added.
- Missing a legitimate risk. “The trick with IDS is that you have to know what the attack is to be able to identify it. The IDS has always had the patient zero problem: You have to have found someone who got sick and died before you can identify it,” Hanselman said.
IDS technology can also have trouble detecting malware with encrypted traffic, experts said. Additionally, the speed and distributed nature of incoming traffic can limit the effectiveness of an intrusion detection system in an enterprise.
“You might have an IDS that can handle 100 megabits of traffic but you might have 200 megabits coming at it or traffic gets distributed, so your IDS only sees one out of every three or four packets,” Hanselman said.
The future of intrusion detection
Hanselman said those limitations still don’t invalidate the value of an IDS as a function.
“No security tool is perfect. Different products have different blind spots, so the challenge is knowing those blind spots,” he explained. “I continue to think that IDS will be with us for a long time to come. There’s still that basic value in being able to identify specific hostile traffic on the wire.”
However, experts said this has some organizations rethinking the need for an IDS – even though today implementing the technology remains a security best practice.
“This tuning and analysis requires a significant amount of effort based on the number of alerts received. An organization may not have the resources to manage all devices in this capacity. Other organizations may conduct a more comprehensive threat assessment and decide not to implement IDS devices,” Rexroad said, adding that the high number of false alerts from IDSs have some organizations opting against implementing IPSs as well for fear of blocking legitimate business transactions.
He said other organizations may decide to focus on more advanced protections at the internet gateway or use flow analysis from network devices in conjunction with log analysis from systems and applications to identify suspect events instead of using IDSs.
Likewise, Scott Simkin, director of threat intelligence at Palo Alto Networks, said he does not believe IDS as a solution has a role in most modern enterprises.
But, he said, he said he does think IDS retains a place as a function in a broader cybersecurity portfolio.
“The capability is absolutely critical and foundational to every single security team,” he said, adding that the automation and intelligence being built into modern security platforms have pushed IDS as a function deeper into the solution.
“IDSs [as systems] been superseded by IPSs and next-generation firewalls that take the concept of IDS and then layer something on top of it. And those should exist alongside behavioral analytics, web filtering, application identity management and other controls,” he said. “But you don’t really buy IDSs anymore.”