IDS/IPS: What determines the effectiveness of intrusion detection and prevention systems

Father

IDS is an intrusion detection system. It allows you to detect attacks or other malicious activities at an early stage, when the attacker first interacts with the company's infrastructure.

A more advanced class of such solutions can be called IPS systems. They not only detect violations, but also "respond" to them automatically, or immediately offer the operator certain actions in response to the threat.

In this article, we will discuss the principles of intrusion detection and prevention systems, their specifics and strengths.

Importance of rules for IDS systems

The most important element of IDS is rules and signatures. Based on them, the system identifies certain actions as a threat to the infrastructure.

At the same time, "customization" is important for intrusion detection systems, that is, the use of specific rules determined by the company's infrastructure and its own practice of protecting against cyber incidents.

Igor Grachev
Head of Information Security Department at BRR Bank

First of all, you need to understand what IDS/IPS (sometimes just IDS) is: a complex of intrusion detection and prevention systems. There are several types of IDS/IPS systems: network-based (NIDS), protocol-based (PIDS), application-based (APIDS), host-based (HIDS), and hybrid IDS/IPS.

The most common option is the IDS/IPS network type. The complex is installed in strategically important locations of the organization's network, and, in this case, the complex operates at the network level, "looking" at each network packet from the data link layer to the application layer (in the OSI network model).

The option most similar to a classic antivirus is host IDS/IPS. Such a system is installed on a host (computer) inside the network and protects only that host, following the same principles as the network version: it inspects and filters incoming and outgoing traffic packet by packet.

The effectiveness of such systems largely depends on the relevance of signatures and the rules by which the system operates. New threats appear virtually every day, and here the question of the relevance of the formed protection rules comes to the fore.

The effectiveness of the system also depends on the choice of its installation location, which in turn depends on what is being protected with IDS/IPS. Allocating sufficient resources for the operation of the system plays an important role. Specialized software and hardware complexes, whose hardware architecture is "tailored" to working with network traffic, have proven themselves best.

There is another approach: anomaly-based intrusion detection. In this case, the system goes through an "introductory" period of operation, during which it examines and remembers the current state of the infrastructure. What is learned becomes a reference point against which the system evaluates behaviour in the future.

If we talk about IPS, then not only the identification rules are important here, but also the response models that are prescribed to the system for when an event occurs.

Despite the variety of approaches to both infrastructure segments and their analysis, IDS systems are not without drawbacks. The main drawback of IDS is the eternal struggle to minimize the number of false positives without losing effectiveness.
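The two detection models the expert contrasts, signature rules and an anomaly baseline learned during an "introductory" period, as an added Python example (not code from the article; the rules, hosts and packet sizes are constructed for illustration):

```python
"""Minimal IDS engine: signature rules plus a learned per-host baseline."""
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    size: int
    payload: str


# Constructed sample signatures (name, destination port, payload regex).
# A real deployment would load vendor rules plus the company's own custom rules.
SIGNATURES = [
    ("sqli-union-select", 80, re.compile(r"union\s+select", re.I)),
    ("web-shell-cmd", 80, re.compile(r"[?&]cmd=", re.I)),
]


def match_signatures(pkt):
    """Return the names of all rules whose port and payload pattern match."""
    return [name for name, port, rx in SIGNATURES
            if (port is None or port == pkt.dst_port) and rx.search(pkt.payload)]


class AnomalyDetector:
    """Learns mean/stdev of packet size per source host while training, then
    flags packets deviating by more than k standard deviations (k is assumed)."""

    def __init__(self, k=3.0):
        self.k, self.training, self.samples, self.baseline = k, True, {}, {}

    def observe(self, pkt):
        if self.training:
            self.samples.setdefault(pkt.src, []).append(pkt.size)
            return False
        mean, stdev = self.baseline.get(pkt.src, (None, None))
        if mean is None:
            return True  # host never seen in the learning period: deviates from baseline
        return abs(pkt.size - mean) > self.k * max(stdev, 1.0)

    def finish_training(self):
        self.training = False
        for src, sizes in self.samples.items():
            self.baseline[src] = (statistics.fmean(sizes), statistics.pstdev(sizes))


def analyze(pkts, detector):
    """Run both models over packets; return (source, [reasons]) for each alert."""
    alerts = []
    for p in pkts:
        hits = match_signatures(p)
        if detector.observe(p):
            hits.append("anomaly")
        if hits:
            alerts.append((p.src, hits))
    return alerts
```

A host that never appeared in the learning period is flagged even when its traffic is benign, which is exactly the false-positive trade-off the expert describes.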

What determines the effectiveness of the IPS System

The biggest risk when working with IPS and IDS is system overload. It can occur for two reasons:
  • incorrect configuration;
  • external influence.

The "safety margin" of any system is largely determined by its settings. In particular, the server capacity allocated for the system plays an important role. Excessive generation of system triggers creates a queue that includes both significant information security events and conditionally "random" events that do not have a big impact on the system's operation.

Igor Landyrev
Penetration Testing Specialist, Awillix

If we talk about the enterprise, then the frequency of updates, the speed of packet (traffic) processing and the capacity provisioned for the server are the important questions. Creating specific rules in commercial solutions may be the vendor's area of responsibility. Open source solutions add the qualifications of the system administrators who configure them and create "custom" rules, as well as the server power that processes the input streams and the speed of traffic processing.

All IDSs generate false positives. There is the following paradigm: if the traffic entering the IDS exceeds its processing speed, then queues appear, which lead to three possible problems:
  1. Increased time to create events.
  2. Incorrect event handling.
  3. Blocking of traffic due to insufficient server power.

In the case of IPS, the situation can be even more critical, since the system spends resources not only on detecting, but also on preventing threats. Protocols for ranking and prioritizing incidents are very important for automatic response.

In the current conditions of the forced trend towards import substitution, the issue of updating signatures is particularly acute for those companies that have worked with foreign vendors. For example, the solutions of Cisco, which currently stopped supporting its products in Russia, were popular on the market.
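The overload effect described above (arrival rate above processing rate producing a queue, growing event latency and, for an inline sensor, dropped or blocked traffic), as an added Python model that is not from the article; the tick-based FIFO, rates and queue limit are assumed for illustration:

```python
"""Discrete-time model of an IDS/IPS sensor with a bounded inspection queue."""
from collections import deque


def simulate(arrivals_per_tick, capacity_per_tick, queue_limit, ticks):
    """Each tick, `arrivals_per_tick` packets enter a FIFO holding at most
    `queue_limit`; the engine inspects at most `capacity_per_tick` of them.
    Returns how many packets were inspected, how many were rejected at the
    full queue (for an inline IPS, that is blocked traffic), the worst
    inspection delay in ticks (event creation latency) and the final backlog."""
    queue = deque()          # arrival tick of each waiting packet
    delays = []
    dropped = 0
    for t in range(ticks):
        for _ in range(arrivals_per_tick):
            if len(queue) >= queue_limit:
                dropped += 1
            else:
                queue.append(t)
        for _ in range(min(capacity_per_tick, len(queue))):
            delays.append(t - queue.popleft())
    return {
        "inspected": len(delays),
        "dropped": dropped,
        "max_delay": max(delays) if delays else 0,
        "backlog": len(queue),
    }


def capacity_check(arrivals_per_tick, capacity_per_tick):
    """Defender's sizing rule: a sensor that cannot inspect at line rate will
    build a queue that only a traffic lull can drain."""
    return capacity_per_tick >= arrivals_per_tick


if __name__ == "__main__":
    print("well sized:", simulate(8, 10, 40, 30))
    print("overloaded:", simulate(15, 10, 40, 30))
```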

Conclusion

IDS and IPS can remove some of the incident detection and response tasks from the information security specialist. At the same time, this class of solutions does not remove responsibility from the person: the final decision remains with the specialist.

Keeping the signature database up-to-date, i.e., the frequency of updates, is the priority in the long run. In this regard, proprietary solutions look more reliable, because they are backed by the vendor's reputation.

The integration of such a system into the company's defense greatly complicates the life of attackers: to conduct an attack, you need not only to find vulnerabilities, but also to disguise their exploitation as a legitimate action, which requires much more resources than in a classic attack.