Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) have been touted as the cure-all for security and compliance woes. The most common type of system sits on the network and inspects all inbound packets to see whether they are part of a malicious attack, then drops or alerts on the packets that are. But like most technologies, IDS/IPS has numerous limitations and pitfalls that vendors of these systems don’t want you to know. When considering how best to protect your organization’s network and an IDS/IPS is in the running, you should weigh the following five key limitations.
- Detect or Prevent Numerous Common Attack Techniques
Even with an IDS/IPS installed and continuously monitoring your inbound network traffic, there are many common attack types and methods that will evade detection. Most IDS/IPS technologies use rule- or signature-based packet evaluation, attempting to match packets against known malicious patterns. The problem with this methodology is that the IDS/IPS must be kept constantly up to date to catch the latest known attacks. Just a few calculated changes to an attack will stop it from matching the system’s known attack signature, and often the system cannot inspect encrypted packets, which lets malicious packets slip past the IDS/IPS.
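To make the signature-matching point concrete, here is an added example (not code from the original post or from any IDS product) with constructed signature strings and sample requests. It shows why a rule that matches raw bytes misses trivially rewritten traffic and why an IDS has to normalize protocol data (decode, fold case) before matching; the `normalize` step is a simplified stand-in for the per-protocol preprocessing real engines do.

```python
import re
from urllib.parse import unquote

# Constructed, illustrative signatures (not real vendor rules): the kind of
# content patterns a rule-based IDS carries.
SIGNATURES = {
    "scanner-ua": "User-Agent: EvilScanner/1.0",
    "traversal": "/../../etc/passwd",
}

def match_raw(payload: str) -> set:
    """Naive matching: exact substring search on the payload as it arrived."""
    return {name for name, pat in SIGNATURES.items() if pat in payload}

def normalize(payload: str) -> str:
    """Canonicalise before matching: percent-decode (twice, to undo double
    encoding), fold case and collapse repeated slashes. Simplified stand-in
    for the HTTP normalisation a real IDS performs."""
    decoded = unquote(unquote(payload)).lower()
    return re.sub(r"/+", "/", decoded)

def match_normalized(payload: str) -> set:
    """Matching after normalising both the payload and the rule text."""
    norm = normalize(payload)
    return {name for name, pat in SIGNATURES.items() if normalize(pat) in norm}

# Constructed sample requests. "plain" is the form the signatures were written
# for; the other two carry the same content with small encoding/case changes.
SAMPLES = {
    "plain": "GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nUser-Agent: EvilScanner/1.0\r\n",
    "encoded": "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nUser-Agent: Mozilla\r\n",
    "cased": "GET /index.html HTTP/1.1\r\nUser-Agent: evilscanner/1.0\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:8s} raw={sorted(match_raw(payload))} "
              f"normalized={sorted(match_normalized(payload))}")
```

Encrypted payloads are the case neither matcher helps with: without TLS termination in front of the sensor there is no cleartext to normalize at all.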
In addition to the fundamental limitations in how an IDS/IPS detects attacks, it also cannot detect attacks that prey on weak authentication. The IDS/IPS can’t detect a malicious actor “legitimately” logging in to a critical system because the admin user’s password was password123. An IDS/IPS is better at catching inbound attacks if its alerts are reviewed in combination with logs and alerts from other devices, hosts, and applications running within the network.
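The weak-authentication case is exactly what host and application logs reveal and packet signatures do not. As an added example (not from the original post), the following reads constructed sshd-style log lines and flags a login that succeeded shortly after a run of failures from the same source for the same account; the year, threshold and window are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style log lines (not from any real system). The guessing
# sequence from 203.0.113.7 contains no packet a signature would match; it is
# only visible when the auth log is read as a sequence of events.
AUTH_LOG = """\
Mar 10 08:01:12 web01 sshd[2131]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Mar 10 08:01:15 web01 sshd[2133]: Failed password for admin from 203.0.113.7 port 51004 ssh2
Mar 10 08:01:19 web01 sshd[2135]: Failed password for admin from 203.0.113.7 port 51006 ssh2
Mar 10 08:01:24 web01 sshd[2137]: Failed password for admin from 203.0.113.7 port 51008 ssh2
Mar 10 08:01:30 web01 sshd[2140]: Accepted password for admin from 203.0.113.7 port 51010 ssh2
Mar 10 08:05:02 web01 sshd[2150]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 08:05:09 web01 sshd[2152]: Accepted publickey for alice from 198.51.100.4 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse(log: str):
    """Yield (timestamp, result, user, source_ip) for each recognised line.
    Syslog lines carry no year; 2024 is an assumed value for the sample."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def successful_after_failures(log: str, threshold: int = 3, window_s: int = 300):
    """Return (src, user) pairs where a login succeeded after at least
    `threshold` failures within the preceding `window_s` seconds."""
    failures = defaultdict(list)  # (src, user) -> failure timestamps
    findings = []
    for ts, result, user, src in parse(log):
        key = (src, user)
        if result == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            findings.append({"src": src, "user": user, "failures": len(recent), "at": ts})
    return findings

if __name__ == "__main__":
    for f in successful_after_failures(AUTH_LOG):
        print(f"{f['at']} {f['user']}@{f['src']}: success after {f['failures']} failures")
```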
- Prevent Itself from Being Attacked
An IDS/IPS is susceptible to many of the same network protocol attacks as the hosts it is trying to protect. Most frequently, these attacks are used to try to crash the IDS/IPS. If successful, hackers can mount further attacks freed of the IDS/IPS hassling them.
- Tune Itself to Reduce the Number of False Alarms
When an IDS/IPS detects traffic that it deems suspicious, it sends off an alert. Depending on the IDS/IPS, this may take the form of a log entry or notification, usually sent to a central log management or SIEM system. An IDS/IPS will send a lot of false alerts if not tuned correctly. Tuning takes a lot of time, effort, and domain knowledge of the specific environment to get right, and it is usually an ongoing process as the environment changes over time. Even “smarter” IDS/IPS software advertised as having learning capabilities can only do very basic forms of self-tuning, which take a long time, during which false alarms will be raised frequently.
- Help Guide Responses to Incidents
The most perfectly tuned IDS/IPS with a low false alarm rate still cannot help in one critical area: providing guidance on how to respond to intrusions or intrusion attempts. Knowing how to respond to an intrusion is as critical as knowing that an intrusion occurred. Even if the system is an IPS and drops the attack packets, response measures may still need to be taken to ensure the attacker cannot come back and make another, successful intrusion attempt.
- Replace a Human Monitoring Your Network 24x7
The machines haven’t won yet; the best threat detection and prevention system is still a human monitoring your network logs and alerts around the clock, including those from an IDS/IPS. An IDS/IPS is little more than a slightly advanced firewall without a human reviewing the alerts coming from it. A human must be involved all day every day to assess the IDS/IPS alerts in context with other activity on your network, so that appropriate action can be taken against real threats.
These five limitations are critical to understand when evaluating whether to implement an IDS/IPS, but these security systems are worthwhile when set up in combination with a robust security log and event monitoring program. There are several good open-source, low-cost IDS/IPS options out there, like Snort, Bro, or Suricata, just to name a few. Having an IDS/IPS protecting your network is a good idea, but it needs to be combined with additional security controls and monitoring to overcome the limitations of IDS/IPS.
Nothing will boost your security posture more than having your network monitored around the clock with a SIEM/log management tool and a SOC team. Security professionals are scarce and expensive, however, and at least 4 full-time people are needed to realistically monitor a business network all day every day. Security monitoring services that offer a 24x7 SOC team to monitor security alerts, do most of the legwork on incident investigations, and provide tailored incident response guidance are truly valuable and should be prioritized on your security maturity roadmap.
Cygilant offers a SOC-as-a-Service at a fraction of the cost of hiring 24x7 in-house security professionals and additionally buying and maintaining a SIEM tool set for them. And Cygilant’s SOC team has an unparalleled depth and breadth of expertise handling many different incidents in a variety of network environments, benefiting you when the day comes that you need this expertise, without the cost of constantly training an in-house security team.