Cygilant Blog

Making Sense of Information Security Technologies: IDS/IPS, UTM, and SIEM

Posted by Trevan Marden on Mar 25, 2018


If you’ve been looking into ways to improve your organization’s information security posture, you may be left wondering what is the difference between technologies such as IDS/IPS, UTM, and SIEM. Let’s look at some of the basic differences in approaches between the technologies.


Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS)

Intrusion Detection and Prevention Systems both work by actively monitoring your network traffic for unusual patterns or suspicious behavior. For example, an unusually high volume of data being sent to an external IP address—perhaps one in a country your organization does not do business in—might trigger an IDS or IPS alert. The main difference between the two is that an IDS is a passive system: it alerts on unusual traffic but does not prevent or stop the activity. An IPS, by contrast, typically integrates firewall-like functions so that it can actively block the flow of suspicious data and deny the traffic as quickly as possible. Both technologies are largely signature-based: they identify traffic patterns that resemble known attack methods. This means they may be ineffective against the latest threats when no signature has yet been written for the attack.
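To make the three points above concrete, here is an added example (not code from the original post or from any product it mentions) of a toy signature-based detector. It applies a small set of content signatures to constructed flow records, adds a simple outbound-volume rule like the one described in the paragraph, and switches between an IDS mode that only alerts and an IPS mode that also blocks. All flows, signature patterns and the 50 MB threshold are constructed for illustration; the last sample flow matches no signature and is the blind spot the text warns about.

```python
"""Toy signature-based IDS/IPS (added illustration, not the post's own code).

Shows signature matching against known patterns, the IDS vs IPS
distinction (alert-only vs alert-and-block), and the gap for traffic
that matches no known signature. Every value below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    bytes_out: int      # bytes sent in this flow
    payload: bytes      # first bytes of application data


@dataclass
class Signature:
    name: str
    pattern: bytes      # regex applied to the payload, like a content match


# Constructed signature set: only attack methods that someone has already
# written a pattern for are represented here.
SIGNATURES = [
    Signature("HTTP directory traversal", rb"\.\./\.\./"),
    Signature("SQL injection tautology", rb"(?i)'\s*or\s+1\s*=\s*1"),
]
EXFIL_THRESHOLD = 50_000_000   # bytes to one destination; constructed value


@dataclass
class Verdict:
    reasons: List[str]  # empty list means the flow passed unnoticed
    blocked: bool       # True only when an IPS dropped the flow


class IntrusionSystem:
    """mode='ids': detect and alert only. mode='ips': also drop the flow."""

    def __init__(self, mode: str, signatures=SIGNATURES,
                 exfil_threshold: int = EXFIL_THRESHOLD):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.signatures = signatures
        self.exfil_threshold = exfil_threshold
        self.alerts: List[Verdict] = []

    def inspect(self, flow: Flow) -> Verdict:
        # Signature stage: compare payload with every known pattern.
        reasons = [f"signature: {s.name}" for s in self.signatures
                   if re.search(s.pattern, flow.payload)]
        # Volume stage: large transfer to a single destination, as in the text.
        if flow.bytes_out >= self.exfil_threshold:
            reasons.append(
                f"volume: {flow.bytes_out} bytes to {flow.dst}:{flow.dst_port}")
        # An IDS stops at alerting; an IPS also denies the traffic.
        blocked = bool(reasons) and self.mode == "ips"
        verdict = Verdict(reasons, blocked)
        if reasons:
            self.alerts.append(verdict)
        return verdict


# Constructed sample traffic (RFC 5737 documentation addresses).
FLOWS: Dict[str, Flow] = {
    "traversal": Flow("198.51.100.4", "10.0.0.5", 80, 512,
                      b"GET /../../etc/passwd HTTP/1.1"),
    "sqli": Flow("198.51.100.4", "10.0.0.5", 80, 640,
                 b"GET /login?user=admin' OR 1=1-- HTTP/1.1"),
    "exfil": Flow("10.0.0.7", "203.0.113.9", 443, 120_000_000,
                  b"\x17\x03\x03\x00\x40"),          # opaque TLS record bytes
    "novel": Flow("198.51.100.4", "10.0.0.5", 80, 700,
                  b"GET /api?q=%e2%98%83 HTTP/1.1"),  # no signature exists for this
}


def run(mode: str) -> Dict[str, Verdict]:
    """Inspect every sample flow with a fresh system in the given mode."""
    system = IntrusionSystem(mode)
    return {name: system.inspect(flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        for name, verdict in run(mode).items():
            print(f"{mode} {name:10} blocked={verdict.blocked} {verdict.reasons}")
```

Running it shows the same flows producing the same reasons in both modes; only the `blocked` flag differs, and the `novel` flow passes both systems untouched because nothing in the signature set describes it.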


Unified Threat Management (UTM)

UTM devices typically integrate a range of security functions, such as firewalls, gateway anti-virus, and IDS/IPS, into a single device or platform. Consolidating these functions can simplify management tasks and training requirements. On the flip side, however, as Tom’s IT Pro points out, it can create a single point of failure and may not offer a best-of-breed solution for each of its components.


Security Information and Event Management (SIEM)

SIEM works differently. Rather than replacing firewalls, antivirus, or intrusion detection/prevention systems, SIEM works alongside these devices to collect and correlate information from all of these, as well as the log and event data produced by servers and applications on your network.

SIEM technologies make it easier to review log data (a requirement of many compliance mandates) and intelligently correlate information from disparate systems to build a fuller picture of the organization's true security posture. While individual devices or point products each provide bits and pieces of information, SIEM assembles the puzzle and can identify security risks that the individual products miss.
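The following is an added example (not code from the original post or from any SIEM product) of what "collect and correlate" looks like in miniature. Records from two different products in two different formats, a constructed SSH authentication log and a constructed firewall connection log, are normalized into one event schema and then run through a single correlation rule: several failed logins from an external address, then a successful login from that same address to the same host, then a large outbound transfer from that host back to the same address, all within one time window. Neither log on its own trips the rule; only the combined view does. The log formats, asset inventory, addresses and thresholds are all constructed.

```python
"""Minimal SIEM-style collection and correlation (added illustration).

Two constructed log sources in different formats are normalized into
one Event type, then a cross-source rule looks for a chain of events
that no single source shows by itself. Not the post's or any vendor's code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: datetime
    source: str        # product that produced the record
    kind: str          # normalized type: auth_failed, auth_success, fw_allow
    host: str          # internal asset involved
    ext_ip: str        # external address involved
    bytes_out: int = 0


# Constructed sample records. Addresses come from RFC 5737 ranges.
AUTH_LOG = [
    "2018-03-25T02:14:01 web01 sshd[4411]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "2018-03-25T02:14:03 web01 sshd[4411]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "2018-03-25T02:14:05 web01 sshd[4411]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "2018-03-25T02:14:09 web01 sshd[4412]: Accepted password for root from 203.0.113.7 port 51130 ssh2",
    "2018-03-25T02:30:00 web02 sshd[9001]: Failed password for alice from 198.51.100.9 port 40000 ssh2",
]
FIREWALL_LOG = [
    "2018-03-25T02:16:40 fw01 ALLOW TCP 10.0.0.5:44210 -> 203.0.113.7:443 bytes=812345678",
    "2018-03-25T02:17:00 fw01 ALLOW TCP 10.0.0.8:33000 -> 198.51.100.20:443 bytes=1024",
]
# Constructed asset inventory: the firewall only knows IPs, the host log only names.
HOST_BY_IP = {"10.0.0.5": "web01", "10.0.0.6": "web02"}

AUTH_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for \S+ from (\S+) port \d+")
FW_RE = re.compile(
    r"^(\S+) \S+ (ALLOW|DENY) TCP (\S+):\d+ -> (\S+):\d+ bytes=(\d+)$")


def parse_auth(line: str) -> Optional[Event]:
    """Normalize an sshd record into an Event; None if the line is not one."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts, host, result, ip = m.groups()
    kind = "auth_failed" if result == "Failed" else "auth_success"
    return Event(datetime.fromisoformat(ts), "sshd", kind, host, ip)


def parse_firewall(line: str) -> Optional[Event]:
    """Normalize an allowed firewall connection, mapping the internal IP to an asset name."""
    m = FW_RE.match(line)
    if not m or m.group(2) != "ALLOW":
        return None
    ts, _action, src, dst, nbytes = m.groups()
    host = HOST_BY_IP.get(src, src)   # fall back to the raw IP if not in inventory
    return Event(datetime.fromisoformat(ts), "firewall", "fw_allow", host, dst, int(nbytes))


def collect(auth_lines=AUTH_LOG, fw_lines=FIREWALL_LOG) -> List[Event]:
    """Collection stage: parse every source into the shared schema, ordered by time."""
    events = [parse_auth(l) for l in auth_lines] + [parse_firewall(l) for l in fw_lines]
    return sorted((e for e in events if e is not None), key=lambda e: e.ts)


FAILED_THRESHOLD = 3                # constructed tuning values
WINDOW = timedelta(minutes=15)
LARGE_TRANSFER = 100_000_000        # bytes


def correlate(events: List[Event]) -> List[Dict[str, str]]:
    """Correlation stage: failures -> success -> large outbound transfer,
    same host and same external address, each step within WINDOW of the last."""
    findings = []
    groups: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in events:
        groups[(e.host, e.ext_ip)].append(e)
    for (host, ext_ip), evs in groups.items():
        failures = [e for e in evs if e.kind == "auth_failed"]
        if len(failures) < FAILED_THRESHOLD:
            continue
        start = failures[0].ts
        success = next((e for e in evs if e.kind == "auth_success"
                        and start <= e.ts <= start + WINDOW), None)
        if success is None:
            continue
        transfer = next((e for e in evs if e.kind == "fw_allow"
                         and e.bytes_out >= LARGE_TRANSFER
                         and success.ts <= e.ts <= success.ts + WINDOW), None)
        if transfer is None:
            continue
        findings.append({
            "host": host, "ext_ip": ext_ip, "severity": "high",
            "summary": (f"{len(failures)} failed logins then a successful login from "
                        f"{ext_ip} on {host}, followed by {transfer.bytes_out} bytes "
                        f"outbound from {host} to {ext_ip}"),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(collect()):
        print(finding["severity"].upper(), finding["summary"])
```

Feeding the rule only the authentication log or only the firewall log returns no findings; the same rule over the merged stream returns one high-severity finding for `web01`. That difference is the value the paragraph describes, and the parsing and inventory-lookup code is where most of the real-world deployment effort goes.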

Because SIEM is a complex technology, it can be difficult for smaller organizations that lack the resources, people, and time needed to deploy it, tune it, and get value from it.

As the world's first Cybersecurity Agency, we help our customers with best-of-breed solutions for SIEM and vulnerability scanning. Our Security Analysts triage and investigate potential security incidents to give you rapid, actionable recommendations.

We’re not about magical AI or a silver-bullet platform. We believe it’s about combining best-of-breed technologies with the experts who help you navigate them.

