Intrusion Detection System: the importance of continuous monitoring

Protecting corporate systems and infrastructure from intrusions is one of the crucial elements in an organization's IT security process.
Having an Intrusion Detection System (IDS) allows the organization to be alerted to attempted digital break-ins by identifying in advance what may pose a danger. 

Attackers can creep into an organization's network silently and then launch the attack explicitly at a later time. The induction of network overloads, the presence of network vulnerabilities, and the inoculation of malicious code are the threats that an Intrusion Detection System can detect, but it is important to clarify that an IDS remains a passive tool designed to identify an attack, but not prevent it from compromising the system.

However, this system can be useful in providing information to more advanced detection & response systems, such as a Cross Layered platform, which we will discuss in the final chapter.

If the network is breached by a malicious attacker, losses can occur to that organization, with progressively severe damage-from temporary downtime, data breaches, and even irreparable loss of customer trust. Damages that an IDS alone cannot counteract, in part because of limited visibility to the network context alone.

Let us proceed in order and first see what an IDS system is.

 
IDS definition: what is it? 

An Intrusion Detection System is a software and/or hardware device depending on whether it consists of only one component or both. It can be implemented as a stand-alone, pre-installed, and pre-configured system. 

The attacks which it can identify are unauthorized access to computers or local networks. The intrusions detected can be those produced by experienced cybercriminals, automated tools, or inexperienced users with semi-automated programs. 

The network where an Intrusion Detection System is installed is monitored continuously, until the moment the system notices indications of an initial or overt digital break-in and notifies what has happened.

The goal of an Intrusion Detection System is to detect attacks with a low false-positive rate and a low false-negative rate (Researchgate). Where rates of both types are high, however, an Intrusion Detection System could raise unwarranted alarms.

 
Types of continuous monitoring

If a firewall and identification, authentication, and authorization systems are placed on the network frontier, like a reinforced house door that prevents unauthorized access, an Intrusion Detection System can be thought of as an alarm system for the house itself. Thus, an IDS must be able to conduct continuous, real-time monitoring of the entire potential attack surface consisting of the corporate network, every system that rests on the network, and every device, including mobile devices, that temporarily or permanently connects to the corporate network.

For this reason, there are different types of Intrusion Detection System:

1. Network Intrusion Detection System (NIDS).
2. Network Node Intrusion Detection System (NNIDS).
3. Host Intrusion Detection System (HIDS).

NIDS and NNIDS examine network traffic, while HIDS examine actions and files on host devices. In the first two cases, continuous monitoring requires the examination of a large amount of traffic, as opposed to HIDS in which less traffic is examined, but in greater depth. 

A NIDS is implemented in a distributed manner i.e., placed at strategic points throughout the network or enterprise subnets to cover those portions of the network where traffic is most likely to be vulnerable to attack; in contrast, in the case of network node analysis, the Network Node Intrusion Detection system is applied to only one node at a time.

In the third case, HIDS continuously monitors network devices with Internet access and, compared with NIDS, has some advantages: looking more closely at internal traffic, it is able to detect more refined clues and thus, functions as a second line of defense against malicious network packets.

 
Types of Intrusion Detection System  

Intrusion detection can follow two main approaches: Intrusion Detection System signature-based and anomaly-based.

In the first type, the tool monitors and compares the collected evidence with the set of known threat patterns (signatures) to know how to recognize malicious conditions to be notified. An IDS of this kind needs regular updates on signatures or identities to ensure that its knowledge of malicious resources is up to date. Such updates should occur continuously to enable always adequate performance in threat recognition. It is a fact, that signature-based IDSs are efficient and effective only in relation to how up-to-date the database is at any given time. Attackers know this, and in order not to be detected they change small elements in the malware (variants) so that the "signature" is not recognized. Also, the progressively increasing DB size implies an increasing load for processing due to the analysis of each connection and verification time against the database.

The second type of Intrusion Detection System, based on anomaly, assumes a network trend that is always predictable or has small known deviations, such that after an initial learning period, the IDS system knows how to distinguish between "good" and "malicious" traffic. Of course, if during the learning phase the network is already compromised, the ability to recognize an anomaly is thwarted at the outset. For this reason, at the startup of the Intrusion Detection System, the learning period is supported with analysts manually examining the condition of the network and helping to clarify and understand doubtful elements.

A Managed Detection and Response service brings a greater layer of protection

As we mentioned at the beginning of this article, the IDS tool can work in synergy with more advanced platforms; in fact, it detects suspicious activity or an abnormal security event, after which the event logs can be received and understood by a Cross Layered platform and handled in a Managed Detection and Response (MDR) logic.

Two things happen at this point:

1. The tool, through Artificial Intelligence algorithms, is able to make an initial skimming of the multitude of information that the Intrusion Detection System generates, to categorize and exclude so-called "false positive" alerts.
2. Information security professionals analyze the data notified by the Cross Layered Analysis System to determine if it is a threat to the client's reality.

The conclusion drawn is that only an MDR solution featuring an additional layer of Cross Layered protection and a team of Specialists can enable the company to take preventive action against cyber attacks, whereas an IDS only detects and reports events.