Although IDSs have their problems, they can still offer value to an organisation or law enforcement agency under the right circumstances. For example, if your network is under attack and there has been a large loss of valuable assets such as credit card numbers, or if money has illegally been transferred to the wrong accounts, using an IDS is a smart way to try to catch the perpetrator. Of course, if you install an IDS after a malicious cybercrime has been committed, you may have missed capturing the network traffic you need to solve the crime. However, if the attack is still taking place, installing an IDS may help you quickly solve the mystery surrounding the attack. Because IDSs need to collect a large array of traffic to understand anomalous patterns, they typically require a lot of massaging by a security engineer or network administrator to tune them, interpret the information, and identify false positives. In fact, monitoring IDSs can be a full-time job. We have seen instances where a hacker has actually exploited an IDS, causing it to create a denial of service attack against the organisation it is in place to protect.

Bottom line
So what can we take away from all of this? There is still a need for IDSs, but IT decision makers should understand how to use these types of systems in a smarter way. A lot of thought and planning must go into whether an organisation truly needs an IDS, an IPS, or both. It's important to figure out your IT goals before making procurement decisions. If you work for a financial institution, you should probably deploy both an IDS and an IPS. If your systems contain medical records that include detailed patient information that doctors use to make treatment decisions, you should probably deploy an IDS and an IPS. I am making these recommendations based on the assumption that the loss of large amounts of money or the loss of life has high-risk implications that require the utmost safeguards. However, if losing your data would, at worst, create a big inconvenience while your operations team secured the perimeter and the hosts and restored the data, it might be more worthwhile for your organisation to install only an IPS. Certainly, if there are no staff resources dedicated to tuning an IDS or providing the ongoing expert analysis required to get the value out of it, there is no point in installing one. In implementing either an intrusion detection or intrusion prevention system, the risks being analysed or prevented should always align with business risks -- an important point that many IT decision makers fail to address. The following are some of the important points to remember:
- IDSs are installed on network segments.
- IPSs are installed on servers and desktops.
- IDSs require expert tuning to be truly useful.
- IDSs require more administrative overhead.
- IDSs can't parse encrypted traffic.
- IDSs and IPSs should both have a central management console.
- IDSs have more potential for identifying hackers.
- IPSs can better protect applications.
- Intrusion prevention products are ideal for blocking Web defacement.
- Neither an IDS nor an IPS is a replacement for firewalls.