05 Dec 4 Considerations for Evaluating an Intrusion Detection System
by Kent Wilson
The cybersecurity landscape is cluttered with tools, many of which are difficult to understand. This conjures up the question: do we really need that?
Usually, there is no right answer because it depends on a range of factors – the vertical market, tolerance for risk, the culture, and of course, available resources.
Today, I engage with a lot of customers and prospects in the process of evaluating cybersecurity technology. In the past decade of working with security leaders and decision makers I find three key questions help put things in focus:
- What am I really trying to protect?
- What questions am I trying to answer about the security of my environment?
- What data do I need to provide those answers?
As we work through these layered cyber defense strategies and the conversation moves to network monitoring and intrusion detection systems (IDS) there is a tendency to view these tools as part of a legacy play book. This makes sense, the IDS is one of the most mature tools in the arsenal; that said, it remains a critical building block to a defense in depth and a modern approach to IDS technology can bring more value than ever before.
There are many considerations in choosing an IDS and I thought it would be helpful to list several of the most applicable to the broader community. Here are four important considerations for evaluating IDS:
1) Standalone IDS versus embedded system.
Many firewalls and routers ship with some form of IDS out of the box with a software license that can be activated. For organizations with limited technical expertise, this could be a sufficient solution that offers added protection.
However, blending these edge devices puts the resource burden of these multiple functions on a single piece of hardware, which may not scale as efficiently as purpose built devices. Additionally, IDS systems embedded in a firewall are part of the quintessential hard-shell with a soft gooey center strategy. If malware slips by in a phishing email or flash drive, the IDS on a perimeter is no longer much help.
Once an adversary has made their way beyond the firewall, we cannot count on outbound command and control traffic to give away their position. Contemporary ransomware threats, don’t need help propagating themselves throughout the network and it is critical to maintain ‘eyes on’ the traffic between those systems that matter most.
A standalone IDS can sit on the internal network as part of a layered defense, providing visibility within the enterprise around priority assets, where the fight is now likely to occur. It can be configured with a greater degree of sophistication and granularity. With compartmentalized networks, prevention or blocking can be enabled to protect sensitive data without interfering with legitimate network traffic.
2) Open source vs. proprietary
Both open source and proprietary software have strengths and weaknesses. Proprietary software tends to be well resourced and those vendors are incented to get updates published in a timely manner. This typically comes at a significant budgetary cost but ensures enterprise level support and someone to turn if things go south.
The traditional case for open source software is a lower cost since it doesn’t have licensing fees. Contrary to popular opinion, these tools are also well supported. For example, it took just over a week to publish Suricata rules in response to Wannacry and a just over a day to publish Snort rules to the Apache Struts vulnerability at the center of the Equifax controversy. As my colleague Druce Macfarlane wrote for CSO, this is much faster than the change management process enterprises have to publish a patch.
The challenge in many cases with open source ‘science projects’ is that they can become difficult to scale, as there is often little built-in support for enterprise level deployments; difficult to manage when policies change from one part of the organization to another; and impossible to maintain when the open source developer leaves to pursue other interests.
There are also hybrid approaches to these two models. Proprietary solutions built leveraging open source projects and communities. These hybrid entities seek to bring together the best of both worlds – well resourced, scalable, and supportable products, backed by an entire open source community of users and developers. When successful, these hybrid solutions can bring immense value at a great reduction in cost.
3) Enhancing value through integration
Too many enterprises have lots of tools that don’t talk to each other. For example, an industry analyst survey found most financial services companies have 25 or more while some have more than 100.
The key considerations when thinking about IDS integration are these:
- What role will this integration play?
- Will it be helping to answer questions or providing data?
- Where will the work be performed?
- Will it be performed locally on the native IDS interface and support threat hunting?
- Or will the IDS data be pushed to some centralized analytics tool, a data lake, or some other massive big data repository?
A next generation IDS should easily integrate with existing tools in the security portfolio to support the specific workflows that organization needs.
Integration alone isn’t enough, just because a tool can push data doesn’t make that data valuable. For instance, pushing IDS alerts, along with every other log generating device in the network, to a security information and event management tool (SIEM) and hoping it magically spits out insight is a flawed approach. If the data doesn’t support any of the questions being asked by the security program, then it is just creating noise and overhead for those who must sift through it.
4) Beyond just signatures
Traditionally the IDS is signature based, and while effective at identifying previously observed threats, does little to alert on those threats previously unseen. To combat this gap, there have been some great strides made by the security industry in developing behavioral and big data analytics techniques to detect anomalous and potentially malicious network activity, and to alert defenders to threats before they taken root, or widely-propagated themselves across an environment.
A modern approach to IDS will leverage these improved analytics engines to provide context to the logs and alerts generated by the solution. In the event of an attack, this context is critical to taking action quickly and giving network defenders the tools they need to quickly contain and remediate threats. In the hands of seasoned threat hunters and incident responders this can mean the difference between a well contained incident or an out of control breach.
* * *
As the world continues to adapt to the physics of the cyber domain, and the illusion of security is routinely dispelled by the noise of high profile breaches, the role cybersecurity is now to help organizations quickly detect, contain and remediate threats and attacks rather than prevent them outright. This means reducing risk and eliminating malicious disruptions to the business at best possible value. And in that, perhaps we have the ultimate consideration for cybersecurity procurement.
If you enjoyed this post, you might also like:
Panel Discussion: How to Buy Cybersecurity