Intrusion Detection and Prevention System

What is IDS?

An intrusion detection system is a passive monitoring solution for detecting cybersecurity threats to an organization. If a potential intrusion is detected, the IDS generates an alert that notifies security personnel to investigate the incident and take remediative action.

An IDS solution can be classified in a couple of ways. One of these is its deployment location. An IDS can be deployed on a particular host, enabling it to monitor the host’s network traffic, running processes, logs, etc., or at the network level, allowing it to identify threats to the entire network. The choice between a host-based intrusion detection system (HIDS) and a network-based IDS (NIDS) is a tradeoff between depth of visibility and the breadth and context that a system receives.

IDS solutions can also be classified based upon how they identify potential threats. A signature-based IDS uses a library of signatures of known threats to identify them. An anomaly-based IDS builds a model of “normal” behavior of the protected system and reports on any deviations.

"IDS types vary based on where they’re monitoring threats and how they’re detecting them."

Types of IDPS

Organizations can consider implementing four types of intrusion detection and prevention systems based on the kind of deployment they’re looking for.

1. Network intrusion detection systems (NIDS)

A network intrusion detection system will monitor traffic through various sensors — placed either via hardware or software — on the network itself. The system will then monitor all traffic going through devices across the multiple sensor points.

2. Host intrusion detection systems (HIDS)

A HIDS is placed directly on devices to monitor traffic, giving network administrators a bit more control and flexibility. However, this can become burdensome depending on the organization’s size. If an organization is only leveraging HIDS, the company would have to account for every new device added within the organization, leaving room for error while also taking up a lot of time.

3. Protocol-based intrusion detection systems (PIDS)

A protocol-based IDS is typically placed in front of a server and monitors the protocol traffic flowing between that server and the devices communicating with it. This is commonly used to protect users browsing the internet.

4. Application protocol-based intrusion detection systems (APIDS)

An APIDS is similar to a protocol-based system but monitors traffic across a group of servers. This is often leveraged on specific application protocols to specifically monitor activity, helping network administrators better segment and classify their network monitoring activities.

5. Hybrid intrusion detection systems

Hybrid IDS solutions provide a combination of the above types of intrusion detection. Some vendors' offerings cross multiple categories of IDS to cover multiple systems in one interface.

What is IPS?

An intrusion prevention system (IPS) is an active protection system. Like the IDS, it attempts to identify potential threats based upon monitoring features of a protected host or network and can use signature, anomaly, or hybrid detection methods. Unlike an IDS, an IPS takes action to block or remediate an identified threat. While an IPS may raise an alert, it also helps to prevent the intrusion from occurring.

In contrast to signature-based IPS, anomaly-based IPS detects abnormal activity by creating a baseline of normal network behavior and comparing live traffic against it in real time. While this method is more effective at detecting unknown threats than signature-based IPS, it produces both false positives and false negatives. Cutting-edge IPS are infused with artificial intelligence (AI) and machine learning (ML) to improve their anomaly-based monitoring capabilities and reduce false alerts.

Finally, policy-based IPS relies on security policies set by the enterprise to detect and block violations. This type of IPS is less common than signature-based and anomaly-based measures as it requires security teams to create and set up relevant policies manually.

IDS and IPS tools:

  • Splunk
  • AIDE
  • BluVector Cortex
  • Check Point Quantum IPS
  • Cisco NGIPS
  • Fail2Ban
  • Fidelis Network
  • Hillstone Networks
  • Kismet
  • NSFOCUS
  • OpenWIPS-NG
  • OSSEC
  • Palo Alto Networks
  • Sagan
  • Samhain
  • Security Onion 
  • Semperis 
  • Snort
  • SolarWinds Security Event Manager (SEM) IDS/IPS
  • Suricata
  • Trellix (McAfee + FireEye)
  • Trend Micro
  • Vectra Cognito
  • Zeek (AKA: Bro)
  • Zscaler Cloud IPS

Both systems can:

  • Monitor. After setup, these programs can look over traffic within parameters you specify, and they will work until you turn them off.
  • Alert. Both programs will send a notification to those you specify when a problem has been spotted.
  • Learn. Both can use machine learning to understand patterns and emerging threats.
  • Log. Both will keep records of attacks and responses, so you can adjust your protections accordingly. 

But they differ due to:

  • Response. An IDS is passive, while an IPS is an active control system. You must take action after an IDS alerts you, as your system is still under attack.
  • Protection. Arguably, an IDS offers less help when you're under threat. You must figure out what to do, when to do it, and how to clean up the mess. An IPS does all of this for you.
  • False positives. If an IDS gives you an alert about something that isn't troublesome at all, you're the only one inconvenienced. If an IPS shuts down traffic, many people could be impacted. 

Scan through these lists, and you may immediately understand which system is best for you. If your company can't handle a disruption due to a technical error, for example, an IDS may be best. But if you can't endure even a second of an attack without losing trade secrets or your reputation, an IPS may be better.
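The detection methods and the IDS/IPS response difference described above, as an added toy example that is not from the original article or any product listed: one engine evaluates a signature, a policy rule and an anomaly baseline, and returns either an alert (IDS mode) or a block (IPS mode). All signatures, thresholds and sample events are constructed for illustration.

```python
"""Toy IDS/IPS engine: signature, policy and anomaly checks with an alert-only
(IDS) or blocking (IPS) response. Added example with constructed data."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events: (source IP, destination port, request line).
SAMPLE_EVENTS = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, "GET /login?user=admin'%20OR%201=1-- HTTP/1.1"),  # signature hit
    ("10.0.0.9", 23, "USER root"),                                     # policy violation
] + [("10.0.0.7", 80, "GET /search?q=%d HTTP/1.1" % i) for i in range(40)]  # burst

# Signature-based: a library of patterns for known bad input (toy rule).
SIGNATURES = {"sqli-or-1=1": re.compile(r"'(%20|\s)*or(%20|\s)+1=1", re.I)}
# Policy-based: rules the enterprise sets by hand (here: no telnet anywhere).
BLOCKED_PORTS = {23}
# Anomaly-based: a learned baseline of requests per source and a deviation factor.
BASELINE_PER_SOURCE, ANOMALY_FACTOR = 10, 3

@dataclass
class Engine:
    mode: str = "ids"                       # "ids" = alert only, "ips" = alert and block
    counts: dict = field(default_factory=lambda: defaultdict(int))
    blocked: set = field(default_factory=set)

    def inspect(self, src, port, request):
        """Return (verdict, reason); verdict is 'allow', 'alert' or 'block'."""
        if src in self.blocked:             # IPS keeps dropping a blocked source
            return "block", "source already blocked"
        self.counts[src] += 1
        reason = None
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                reason = f"signature:{name}"
        if reason is None and port in BLOCKED_PORTS:
            reason = f"policy:port {port} not permitted"
        if reason is None and self.counts[src] > BASELINE_PER_SOURCE * ANOMALY_FACTOR:
            reason = f"anomaly:{self.counts[src]} requests exceeds baseline"
        if reason is None:
            return "allow", ""
        if self.mode == "ips":
            self.blocked.add(src)           # active response: this and later traffic dropped
            return "block", reason
        return "alert", reason               # passive: an analyst must act on the alert

def summarize(mode):
    """Run all sample events through a fresh engine and count verdicts per kind."""
    eng, totals = Engine(mode), defaultdict(int)
    for src, port, req in SAMPLE_EVENTS:
        totals[eng.inspect(src, port, req)[0]] += 1
    return dict(totals)
```

Note that a false positive in the anomaly check (a legitimately busy source) only raises alerts in IDS mode, whereas in IPS mode the same source is cut off entirely, which is the disruption trade-off the comparison above describes.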

Splunk is a powerful software platform used for searching, monitoring, and analyzing machine-generated data. It is particularly valuable in cybersecurity, helping companies detect and prevent unauthorized or suspicious activities within their networks.

G2 is leveraging Splunk to enhance its cybersecurity posture. By using Splunk, G2 has achieved more precise monitoring of its network activities and can quickly respond to any potential threats. This capability not only protects G2’s data but also helps maintain the trust of its customers.

Given its numerous advantages and flexibility, Splunk is recognized as a comprehensive and effective solution in the fields of cybersecurity and data analytics.