As new threats emerge every day, the risk companies face from not properly securing network data is growing more widespread and costly than ever. 15% of data breaches involve healthcare organizations, 10% the financial industry and 16% the public sector [1], with the banking industry incurring the highest cybercrime costs in 2018 at $18.3 million (average cost per company) [2].
Many industries face severe consequences as stricter legislation passes across the world enforcing compliance with data privacy regulations like HIPAA, ISO 27001, SOX and more. In 2018, HIPAA had 25,912 complaints and 431 data breach investigations, leading to $28.7 million in fines for just the top 10 companies breached [3].
When companies build their IT security strategies to combat these threats, two of the most important network security tools used to detect and actively block threats entering the network are the Intrusion Detection System (IDS) and the Intrusion Prevention System (IPS).
Previously we reviewed Out-of-Band vs Inline Network Security and which tools are associated with the two strategies. It is important for security teams to keep on top of the latest best practices for deploying and managing these critical tools as the security landscape evolves. So let’s dig a little deeper into these two bedrock solutions.
As SecOps teams face the ballooning threat of data breaches, compliance fines and policy enforcement, IDS/IPS technology has become the go-to tool in modern security stacks.
IDS/IPS are relatively hands-off and can be deployed with limited resources, providing high-level peace of mind that the network is protected from threats — which is attractive to both smaller networks and enterprises. Many companies also implement IDS and IPS solutions to fulfill certain compliance regulations by addressing a number of the CIS Security Controls and auditing data.
An Intrusion Detection System (IDS) is a network security tool that analyzes network traffic for malicious activity, vulnerability exploits or policy violations that are attempting to infiltrate or steal data from a network.
The IDS detects threats by comparing current network activity to a known threat database, looking at several key behaviors like security policy violations, malware, and port scanners. Any violation or intrusion activity is either reported to the administrator or collected using a security information and event management (SIEM) system. The SIEM can be used to distinguish malicious activity from false alarms.
The IDS and IPS both analyze network packets and compare the contents to a known threat database. The key high-level difference is that an IDS is a monitoring system, while IPS is a control system.
An IDS doesn’t alter packets; it is a passive, “listen-only” detection and monitoring solution that doesn’t take action on its own.
An IPS, by contrast, is a control system that accepts or rejects packets based on its ruleset, actively preventing packet delivery based on the contents, similar to a firewall blocking traffic by IP address.
IDS deployments do require admin staff or another system like a SIEM to analyze the results and take the appropriate action. The IDS cannot take automatic action against hackers capable of exploiting these vulnerabilities once they enter the network, leaving the IDS inadequate for threat prevention. An IDS is typically positioned as a post-mortem forensics tool for the SecOps or computer security incident response team (CSIRT) during security incident investigations.
The IPS, on the other hand, is designed to catch dangerous packets in the act and drop them before they reach their target. Because it acts on its own to make decisions, its database must be regularly updated with new threat data.
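To make the monitoring-versus-control distinction concrete, here is an added example (not code from the original article or from any vendor product) of one small detection engine run in both modes over a constructed packet stream. The rule names, the constructed "known threat database" and the port-scan threshold are assumptions for illustration; in IDS mode every packet is forwarded and only alerts are recorded, while in IPS mode the same matches also cause the packet to be dropped.

```python
from collections import defaultdict

# Constructed "known threat database": (rule name, predicate over a packet dict).
# These rules and the packet dicts below are constructed sample data, not real signatures.
RULES = [
    ("policy: cleartext telnet", lambda p: p["dport"] == 23),
    ("malware: known beacon string", lambda p: b"EVIL-BEACON" in p["payload"]),
]


class Sensor:
    """Shared engine: 'ids' mode only records alerts, 'ips' mode also drops matches."""

    def __init__(self, mode, scan_threshold=5):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.scan_threshold = scan_threshold
        self.ports_seen = defaultdict(set)  # src -> distinct dports (port-scan heuristic)
        self.alerts = []                    # (rule, src, dport) tuples, in order seen

    def matches(self, pkt):
        """Signature rules plus a simple behavioural check for port scanning."""
        hits = [name for name, fn in RULES if fn(pkt)]
        self.ports_seen[pkt["src"]].add(pkt["dport"])
        if len(self.ports_seen[pkt["src"]]) >= self.scan_threshold:
            hits.append("scan: many distinct ports from one source")
        return hits

    def process(self, stream):
        """Return the packets delivered downstream; alerts accumulate in self.alerts."""
        delivered = []
        for pkt in stream:
            hits = self.matches(pkt)
            for h in hits:
                self.alerts.append((h, pkt["src"], pkt["dport"]))
            if hits and self.mode == "ips":
                continue  # control system: the offending packet is not forwarded
            delivered.append(pkt)  # monitoring system: the stream passes untouched
        return delivered


def sample_stream():
    """Constructed traffic: one host touching five ports (incl. telnet), one beacon, one benign."""
    base = {"src": "10.0.0.5", "dst": "10.0.0.9", "payload": b""}
    pkts = [dict(base, dport=p) for p in (22, 23, 80, 443, 8080)]
    pkts.append({"src": "10.0.0.6", "dst": "10.0.0.9", "dport": 443, "payload": b"EVIL-BEACON"})
    pkts.append({"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 443, "payload": b"hello"})
    return pkts
```

Running the same stream through both modes shows three alerts either way, but only the IPS instance withholds the three matching packets from the destination.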
There are a few things to note about both IDS and IPS — they are only as effective as their threat databases, and need to be kept updated when new attacks break out.
So why are these two different tools? The IDS was originally developed as a listen-only monitoring tool because the analysis required could not keep pace with the direct communications traffic of the network infrastructure. And that is where it has stayed, as a forensic detection solution, while the IPS was developed to take it a step further and actively block.
Yes, there are vendors that provide both IDS and IPS functionality in one. There are also solutions that integrate IPS systems with firewalls, creating Unified Threat Management (UTM) technology. But both IDS and IPS have found their use as the go-to tools for modern security stacks.
With the IDS being a listen-only monitoring solution, it is placed out-of-band on the network infrastructure, meaning that it is not analyzing real-time traffic but is receiving a copy of the data.
The two ways an IDS tool accesses this data are through SPAN / mirror ports on the switch or through the industry best practice, network TAPs. SPAN is generally used for low-utilization applications and is known to drop or alter packets, possibly masking threats. The network TAP creates full-duplex traffic copies that pass physical errors and provides the flexibility to send this data to multiple destinations. If the IDS is processing many network segments, a network TAP and network packet broker are used to streamline the data and optimize security detection. If you are deploying a virtual IDS, the same concept would incorporate a virtual traffic mirror or cloud TAP like Garland Prisms.