Because of regulatory and compliance requirements from laws and standards such as Sarbanes-Oxley, PCI, GLBA, FISMA and HIPAA, companies need to deploy an Intrusion Detection and Prevention System (IDS/IPS, or IDPS) and demonstrate to federal auditors that company data security is monitored and that breaches are detected and acted upon. The importance of IDS and IPS has been highlighted by some well-known incidents, such as the 2005-2006 Wal-Mart intrusion and, more recently, the Comcast DNS hijacking and the DDoS attacks on Google, Twitter and Facebook.
Deployment and operation of an IDPS differ from other enterprise security products such as firewalls in that they involve a data analysis phase both before and after deployment, and the effectiveness (or ROI) of the IDPS depends heavily on interactive alert tuning and data analysis techniques.
To achieve the best ROI from deploying an IDPS, the following needs to be considered.
1. Choose between IDS and IPS.
IDS products typically operate in passive monitoring mode and do not interfere with production traffic, though they require manual action to analyze and stop an intrusion. An IPS typically installs inline at a network choke point and can automatically detect and block intrusions. However, because of the high false positive rate, caution needs to be taken when deploying an IPS on critical networks. Some vendors, such as Sourcefire and TippingPoint, offer appliances that can operate in both IDS and IPS mode.
2. Choose between NIDS and HIDS.
A Network Intrusion Detection System (NIDS) monitors aggregated network traffic, whereas a Host Intrusion Detection System (HIDS) is installed on individual hosts as part of endpoint security. It is best to deploy both, to have visibility into both network data and host data for correlation. Needless to say, for a large enterprise, deploying and supporting a large number of HIDS agents is quite a challenge and costly, so deploying them on just some critical hosts is recommended. Small companies can go with just HIDS.
3. Choose where to deploy NIDS.
A NIDS is an important perimeter security device. One critical decision for NIDS deployment is whether to deploy it outside or inside the firewall. This affects not only the scope of intrusion data collected but also NIDS management. If deployed outside the perimeter firewall, the NIDS can monitor all outside traffic, but in the meantime it potentially introduces more false positive events. It is like hanging an alarm outside the door: anyone walking by could trigger a false alarm. Also, managing the IDS will require rules configured on the firewall behind it. Deploying inside the firewall has the benefit of monitoring only the traffic that passes through the firewall, potentially cutting down significantly on the noisy data for intrusion analysis. It also avoids the hassle of firewall rule maintenance. Deploying inside the firewall focuses on catching whoever breaks through the door; the downside is that you will not always know who is knocking on the door, if you care.
4. Implement effective data capture and analysis techniques.
The ROI of an IDPS depends heavily on effective data capture and analysis. Most often, an IDPS captures too much noisy data (false positives), with real intrusions lost in the noise. Without effective data capture and analysis techniques, analysts waste time filtering false positives and potentially miss the true intrusion, or fail to catch it in time. It is also tedious for an analyst to eyeball massive amounts of IDS data. It is important to configure IDS signatures to capture data related to the network environment and the important business traffic. OLTP databases such as Oracle have good utilities that can be used to manage and mine those data sets and convert data into meaningful information. Critical intrusion events typically require a bottom-up analysis technique, but for general analysis of large data sets a top-down mining tool will be helpful.
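As an added example that is not part of the original article, the following Python script applies both analysis styles described above to a handful of constructed alert lines in a Snort-style "fast" alert format: a per-site tuning list suppresses a signature known to fire on legitimate internal traffic, a top-down pass counts which signatures and sources dominate the data set, and a bottom-up pass starts from a priority-1 alert and pivots to every other alert that touches the same hosts. All SIDs, messages and addresses are constructed placeholders, not real signatures or captures.

```python
import re
from collections import Counter

# Regex for a Snort-style "fast" alert line (assumption: one alert per line, optional ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (not real captures); SIDs, messages and IPs are placeholders.
SAMPLE_ALERTS = """\
03/15-10:22:01.000001  [**] [1:9000001:1] TEST ICMP echo sweep [**] [Priority: 3] {ICMP} 203.0.113.10 -> 192.0.2.20
03/15-10:22:02.000002  [**] [1:9000001:1] TEST ICMP echo sweep [**] [Priority: 3] {ICMP} 203.0.113.10 -> 192.0.2.21
03/15-10:22:03.000003  [**] [1:9000002:1] TEST SNMP public community [**] [Priority: 3] {UDP} 192.0.2.5:40000 -> 192.0.2.9:161
03/15-10:22:04.000004  [**] [1:9000003:2] TEST web login brute force [**] [Priority: 2] {TCP} 203.0.113.10:51000 -> 192.0.2.30:443
03/15-10:22:05.000005  [**] [1:9000004:1] TEST shell response from server [**] [Priority: 1] {TCP} 192.0.2.30:443 -> 203.0.113.10:51000
03/15-10:22:06.000006  [**] [1:9000002:1] TEST SNMP public community [**] [Priority: 3] {UDP} 192.0.2.5:40000 -> 192.0.2.10:161
"""

# Site tuning list (assumed): SIDs that fire on known-legitimate internal monitoring traffic.
SUPPRESSED_SIDS = {"9000002"}

def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts

def tune(alerts, suppressed=SUPPRESSED_SIDS):
    """Drop alerts from signatures the site has tuned out as noise."""
    return [a for a in alerts if a["sid"] not in suppressed]

def top_down(alerts, n=3):
    """Top-down view: which signatures and source hosts dominate the data set."""
    return {
        "by_signature": Counter(a["msg"] for a in alerts).most_common(n),
        "by_source": Counter(a["src"] for a in alerts).most_common(n),
    }

def bottom_up(alerts, max_prio=1):
    """Bottom-up view: for each critical alert, collect every other alert on the same hosts."""
    critical = [a for a in alerts if a["prio"] <= max_prio]
    return [(c, [a for a in alerts if a is not c and {c["src"], c["dst"]} & {a["src"], a["dst"]}])
            for c in critical]

if __name__ == "__main__":
    tuned = tune(parse_alerts(SAMPLE_ALERTS))
    print(top_down(tuned))
    for crit, related in bottom_up(tuned):
        print(crit["msg"], "->", [a["msg"] for a in related])
```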
In summary, deploying an IDPS should be part of the enterprise defense-in-depth strategy. The company's internal and perimeter networks and its external threats need to be evaluated to test and choose the right IDS/IPS vendor product (Enterasys, Sourcefire and TippingPoint, to name a few). Based on company policy requirements, choose whether to deploy the IDPS inside or outside the perimeter firewalls. Based on the IDPS product features and the nature of the environment's network traffic, implement effective signatures or baselines for data capture, intrusion alerting and data analysis. Data mining techniques and OLTP database tools are highly recommended to assist in identifying true intrusion patterns in massive network traffic data.