Intrusion Detection and Prevention Systems (IDPs) work especially well when they feed into a Security Information and Event Management (SIEM) system or a Security Operations Centre (SOC), where their alerts can be correlated into patterns of behaviour. Current IDPs are much more advanced than early models, which were simple pattern-matching engines that inspected individual packets. The simplicity of those early generations resulted in low performance, false alarms, and difficulty making use of the local security intelligence the IDP generated.
Modern IDPs act more like virtual patching systems. When configured correctly, they understand the vulnerabilities of the services they protect and selectively block the malicious traffic that targets them. Some modern IDPs can also ingest real-time global threat intelligence, so that organisations benefit from a worldwide network of intrusion detection sensors and can block known attacker IPs before those attackers even start scanning.
IDPs can generate a rich feed of local threat intelligence for use in a SIEM or a SOC. Attackers follow a predictable ‘Cyber Kill Chain’ of identifying assets, scanning for vulnerabilities and then attempting to exploit them. This early warning can tell us a lot about an attacker and what they’re interested in. Once a high level of confidence has been reached that the traffic is not legitimate, the IDP, the SIEM, or a SOC operator can automatically or manually adjust firewall rules to block the attacker.
IDPs can also be an effective security control against internal attacks by disgruntled staff or by attackers who have internal access through compromised credentials or remotely controlled end-user devices – see diagram below. Monitoring inter-VLAN traffic internally can give early warning of, and the ability to block, stealthy attacks and self-propagating malware such as WannaCry and Petya.
To get the most out of your IDP, it needs to be integrated into a security strategy. You need to understand which risk scenarios you want to respond to, or you will face an overwhelming volume of alerts. You also need to determine how local and global threat intelligence can be used to aid decision-making – to confirm an attack or dismiss it as a false alarm. Once an intrusion attack has been confirmed, the IDP plays a critical role in deciding how to respond, whether that response is scripted via API or carried out by a security operator.
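The correlation step described above (IDP alerts grouped by kill-chain stage, a confidence threshold, and a block, watch or dismiss decision) as an added example, not code from the original page or from Content Security. The alert format, stage weights, threshold, allow-list of authorised scanners and iptables enforcement are all assumptions; the alerts are constructed.

```python
from collections import defaultdict

# Constructed IDP alerts; categories follow the recon -> scan -> exploit chain.
SAMPLE_ALERTS = [
    {"src": "203.0.113.10", "category": "recon", "sig": "ICMP sweep"},
    {"src": "203.0.113.10", "category": "scan", "sig": "TCP SYN scan"},
    {"src": "203.0.113.10", "category": "exploit", "sig": "SMB exploit attempt"},
    {"src": "198.51.100.7", "category": "scan", "sig": "HTTP dir enumeration"},
    {"src": "10.0.5.20", "category": "scan", "sig": "TCP SYN scan"},
    {"src": "10.0.5.20", "category": "exploit", "sig": "SMB exploit attempt"},
]

STAGE_WEIGHT = {"recon": 1, "scan": 2, "exploit": 4}  # assumed weights
BLOCK_THRESHOLD = 6  # assumed confidence needed before automated blocking
AUTHORISED_SCANNERS = {"10.0.5.20"}  # assumed: the org's own vuln scanner


def score_sources(alerts):
    """Return {src: (score, set_of_stages)} from a list of IDP alerts."""
    scores, stages = defaultdict(int), defaultdict(set)
    for a in alerts:
        # Each distinct kill-chain stage counts once per source, so a full
        # recon->scan->exploit progression scores 7 and a lone scan only 2.
        if a["category"] not in stages[a["src"]]:
            stages[a["src"]].add(a["category"])
            scores[a["src"]] += STAGE_WEIGHT.get(a["category"], 0)
    return {s: (scores[s], stages[s]) for s in scores}


def decide(alerts):
    """Map each source to 'block', 'watch' or 'dismiss' (false alarm)."""
    decisions = {}
    for src, (score, stages) in score_sources(alerts).items():
        if src in AUTHORISED_SCANNERS:
            decisions[src] = "dismiss"  # local context says this is expected
        elif score >= BLOCK_THRESHOLD and "exploit" in stages:
            decisions[src] = "block"  # high confidence: exploit after recon/scan
        else:
            decisions[src] = "watch"  # early warning only; keep correlating
    return decisions


def firewall_rules(decisions):
    """Render block decisions as iptables drop rules (assumed enforcement)."""
    return [f"iptables -I INPUT -s {src} -j DROP"
            for src, d in sorted(decisions.items()) if d == "block"]


if __name__ == "__main__":
    print(decide(SAMPLE_ALERTS), firewall_rules(decide(SAMPLE_ALERTS)))
```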
Content Security can help you design an IDP that integrates with your existing infrastructure, or uplift your existing capability. Whether you currently don’t have an IDP, have one that is just there to tick compliance boxes, or are struggling to maintain it, Content Security can help you simplify the process and get optimal value from it.
Our team are seasoned, experienced and business-minded security consultants with an average of 10 years’ experience across state and local government, health, finance, education, nonprofit organisations and more.