Stephen Hawking once said, “We are all now connected by the Internet, like neurons in a giant brain.” When it comes to explaining how certain technology works, organs of the body make for great metaphors. They are equally complex, if not more so, than current technology, yet common enough (we all have them!) for most people to relate to. To me, information security is much like the immune system. More specifically, it is like the largest part of your immune system and the one we influence the most: the digestive system. Now, before I lose you on this (probably due to hunger), try to imagine what happens to your immune system when you stop getting your necessary vitamins and minerals. Parts of the body fail, infections from airborne pathogens begin to take over the rest of your organs, and before long your body shuts down for good. And no matter how much Vitamin C you have been getting every day from the most wonderful super-orange in the world, it is not enough to make up for lapses in other areas of your diet. The same goes for the security solutions your company has in place to protect its data. Trying to pit one particular solution against another to crown the outright champion of cyber protection shows a bit of ignorance. Security is all about layering, and if your network isn’t getting all of its necessary vitamins, it’s going to be exposed to outside attacks. With that said, and for the sake of learning more about how Intrusion Prevention Systems and Intrusion Detection Systems are both a necessity to the well-being of your infrastructure, let’s start comparing apples to oranges.
An Intrusion Detection System (IDS) is defined by Techopedia.com as “a type of security software designed to automatically alert administrators when someone or something is trying to compromise the information system through malicious activities or through security policy violations.” An IDS recognizes such activities by reviewing network traffic as it becomes available. To keep from slowing down the traffic, it uses a network TAP to make copies of the traffic and reviews those copies rather than the live stream. The system can also be used to keep track of the threats currently attempting to compromise your network, simply by placing it outside of your firewall. This can be extremely beneficial for gathering intelligence on who is targeting your company. Although it is actively searching for violations and sending alerts, it is considered a passive system, because it cannot stop the network traffic once a violation has been discovered. All remediation must be handled by the system administrator, so the effectiveness of the system is directly tied to the effectiveness of whoever manages it. This also leaves the IDS susceptible to “Zero-Day” or otherwise unknown malware, since signatures for that malware have yet to be added to the system.
As an extension of the IDS, the Intrusion Prevention System (IPS) was developed to take a more active approach to the same type of network monitoring. What makes the IPS different is that it is placed directly inline with your network traffic, giving it the ability to stop communication altogether when a violation has been discovered. This gives the system administrator time to find out exactly what is going on, without allowing the suspicious traffic to continue. A fail-safe pass-through can be used where the IPS is monitoring traffic that would interfere with business if halted, while still keeping logs of that activity. Similar to the IDS, detection is based on a database of known malware signatures. This can leave the IPS vulnerable to the same Zero-Day attacks; however, the IPS can incorporate geographic IP address blocking, which refuses traffic originating in many parts of the world whether or not a signature exists for it. (If you don’t do business in Russia, why allow communication there at all?) The IPS can also sample network traffic levels at random, searching for statistical anomalies, which gives it the ability to find and stop threats that might otherwise have gone unnoticed.
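To make the difference between the two systems concrete, here is an added example (not code from the original post or from Alias Forensics) that simulates both modes over constructed traffic. The hypothetical Sensor uses a tiny constructed signature set, a placeholder blocked-region list, and the random-sample anomaly check described above; in IDS mode it only records an alert, while in IPS mode it drops the offending packet.

```python
import statistics
from dataclasses import dataclass, field

# Constructed sample signature database; a real sensor loads thousands from a vendor feed.
SIGNATURES = {b"/etc/passwd": "path-traversal attempt", b"' OR 1=1": "sql-injection attempt"}
BLOCKED_REGIONS = {"RU"}  # placeholder region code for the geographic blocking the post mentions

@dataclass
class Packet:
    src_region: str  # placeholder: country code derived from the source IP
    payload: bytes
    size: int  # traffic level for this observation, used for the anomaly check

@dataclass
class Sensor:
    mode: str  # "ids": inspects a TAP copy, alerts only; "ips": inline, may drop
    samples: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop'. IDS mode always forwards: it only saw a copy."""
        reasons = []
        if pkt.src_region in BLOCKED_REGIONS:
            reasons.append(f"geo-block {pkt.src_region}")
        for sig, name in SIGNATURES.items():  # known-bad signatures (misses zero-days)
            if sig in pkt.payload:
                reasons.append(name)
        if len(self.samples) >= 5:  # statistical anomaly against the sampled baseline
            mean = statistics.mean(self.samples)
            sd = statistics.pstdev(self.samples) or 1.0  # avoid division by zero
            if (pkt.size - mean) / sd > 3:
                reasons.append("traffic-level anomaly")
        self.samples.append(pkt.size)
        if not reasons:
            return "forward"
        self.alerts.append((pkt.src_region, reasons))  # both modes keep a log entry
        return "drop" if self.mode == "ips" else "forward"

def run(mode: str, packets: list) -> tuple:
    """Feed constructed packets through one sensor; return (verdicts, alerts)."""
    sensor = Sensor(mode)
    return [sensor.inspect(p) for p in packets], sensor.alerts

# Constructed traffic: a benign baseline with some variance, then three suspicious observations.
SAMPLE = [Packet("US", b"GET /index.html", s) for s in (480, 500, 520, 490, 510)] + [
    Packet("US", b"GET /../../etc/passwd", 520),
    Packet("RU", b"GET /index.html", 510),
    Packet("US", b"GET /index.html", 5000),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, run(mode, SAMPLE))
```

Running it shows the same three alerts logged in both modes, but only the IPS run returns "drop" for them, which is exactly the passive-versus-inline distinction the two paragraphs describe.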
These advancements in intrusion detection and prevention are typically tremendous additions to the security systems that many companies already have in place. They not only provide much more thorough layers of protection, but they also keep a record of all network activity in case a review of that information becomes necessary. Much as video evidence does for a burglary, kept network logs often allow computer forensics experts to bring perpetrators to justice for their cyber crimes. That makes each of these systems a vital piece in ensuring that your business is safe, no matter which way the criminals attempt to get in. No security system is going to work 100% of the time, so having yourself covered and prepared for when such a time does come will make all the difference in your recovery.
If you would like to know more, Alias Forensics has created a product called BlackBox, a combined IDS/IPS that is fully monitored and managed by our Security Operations Team. Our security team working for you, at a fraction of the cost!