When it comes to IDS, there are various things to consider: Host IDS (HIDS) vs Network IDS (NIDS). There is also Signature Based vs Anomaly Based. And finally IDS vs IPS. How does one figure out what to use and when? Provide your views on the various IDS techniques and the best approach to working through them.
Shain R. Amzovski says
Host-based IDS is only placed on a single host system. “Currently, HIDS involves installing an agent on the local host that monitors and reports on the system configuration and application activity.” (https://www.sans.org/security-resources/idfaq/what-is-a-host-intrusion-detection-system/1/24). HIDS can perform log analysis, event correlation, integrity checking, policy enforcement, rootkit detection, and can alert security administrators of a possible threat. Initially, HIDS are set up in “monitor only” mode to allow administrators to tune the system after the administrator discovers what the HIDS considers to be normal activity. The reason for the “monitor only” mode is that HIDS prevents what it believes to be malicious activity and could block users from accessing programs, system changes or applications that are not malicious.
Network IDS specifically monitors network traffic, and attempts to identify anomalous behavior. A Network IDS collects packets using a network tap, span port, or hub. “Unlike an intrusion prevention system, an intrusion detection system does not actively block network traffic. The role of a network IDS is passive, only gathering, identifying, logging and alerting.” (https://www.sans.org/security-resources/idfaq/what-is-intrusion-detection/1/1).
IDS vs. IPS
IDS is used for detecting malicious or anomalous activity. With this information, an IDS can determine if an organization experienced an intrusion on either its network or on specific servers. IDS, like the Network IDS, does not actively block traffic and is only used for monitoring activity. Intrusion Prevention Systems, (IPS) actively drop packets or connections that contain unauthorized data. The two should be used in conjunction as a defense-in-depth strategy to actively monitor for threats, and block packets that are ruled as not authorized. “Using both technologies in harmony will provide the needed perimeter and core defenses to combat zero day and existing threats while also having the visibility into internal networks with the ability to provide forensic data and trend analysis.” (https://www.sans.org/reading-room/whitepapers/detection/understanding-ips-ids-ips-ids-defense-in-depth-1381).
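As an added illustration of the integrity-checking role and the “monitor only” tuning mode mentioned above (example code written for this thread, not from the post or any HIDS product; the directory layout, the file contents and the `monitor`/`enforce` mode names are assumptions), a toy Python file-integrity checker that baselines a directory tree, rescans it after tampering, and either alerts only or also flags findings for quarantine:

```python
import hashlib
import tempfile
from pathlib import Path

# Toy file-integrity checker in the HIDS "integrity checking" role, with the
# "monitor only" tuning mode described above and an enforce mode.
# Hypothetical illustration, not code from any HIDS product.


def sha256_file(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file below root (POSIX-style relative path) to its hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_integrity(root, baseline):
    """Compare the tree against the baseline and classify each difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def run_hids(root, baseline, mode="monitor"):
    """Return (kind, path, action) for every finding.
    mode="monitor": alert only; this is the tuning phase in which false alarms
    are reviewed and the baseline adjusted before any blocking is switched on.
    mode="enforce": alert and flag the file for quarantine (simulated here)."""
    action = "alert" if mode == "monitor" else "alert+quarantine"
    findings = check_integrity(root, baseline)
    return [(kind, rel, action) for kind, paths in findings.items() for rel in paths]


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, rescan in both modes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated tampering (constructed): an account line is appended,
        # a new file appears, and one file disappears.
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("svc:x:1001:1001::/var/svc:/bin/sh\n")
        (root / "etc" / "new.conf").write_text("debug=1\n")
        (root / "etc" / "hosts").unlink()

        return {
            "monitor": run_hids(root, baseline, "monitor"),
            "enforce": run_hids(root, baseline, "enforce"),
        }


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings)
```

The baseline is just a dictionary of path to hash, so it can be stored and re-checked on a schedule; what a real agent adds on top is tamper-resistant storage of that baseline and an exclusion list for files that legitimately change, which is exactly what the “monitor only” phase is used to discover.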
Ruslan Yakush says
Shain, I agree that a defense-in-depth strategy is an effective approach. Since there is no “single silver bullet” against all security threats, having multiple security controls and technologies in the environment would provide better visibility into communications behavior in all segments and provide multi-layered protection in case one layer of defense gets compromised. An example would be deploying IDS/IPS systems in a decentralized fashion rather than one centralized system, so that systems protect multiple segments and critical servers while providing redundancy and eliminating a single point of failure.
Zhengshu Wu says
Ruslan, I agree with decentralizing the risks of failure in detecting intrusions. That said, when selecting IDS/IPS, consideration can be given to systems from different vendors because they can complement one another in detective or preventive strategies and rules.
Julien Rossow-Greenberg says
HIDS – Host-based IDPS’ are installed on a specific host and analyze traffic in and out of that host
NIDS – Network-based IDPS’ monitor traffic at various points in a network using sensors
Signature Based – leverage signatures of known attacks
Anomaly Based – leverage learned profiles of usual network traffic and alert when there’s an anomaly
IDS – Analyzes traffic and logs when a possible threat is detected
IPS – Analyzes traffic and drops packets when a threat is detected
All of the types of IDPS systems have pros and cons. If you’re concerned about traffic coming to and from a critical system on your network, you may want to install a HIDS. For traffic coming in and out of a specific network segment, you may want to deploy a NIDS. If you’re concerned about known attacks only, you’ll want to install a signature based IDS. For attacks without a known signature, you’ll want to deploy an anomaly based IDS. If you’re looking for a passive system to log known bad packets, you’ll want an IDS. To drop instead of log that traffic you’ll want an IPS. Etc.
Every network is different so it’s important to know where your critical systems and data are and then implement these tools accordingly. Using a combination of these tools will assist you in achieving defense in depth.
Vaibhav Shukla says
Very well mentioned that all types of IDPS have pros and cons and one needs to concentrate on the requirements, cost and risk appetite of the company when selecting the appropriate IDS. IDS on one hand can only detect the incident but cannot prevent it, whereas IPS can prevent the unwanted activity; but IPS, on detecting any unwanted event, can result in a lock-down of the network for an undetermined period of time until a technical professional can be on-site to identify the problem and reset the detection system.
Josh Zenker says
Yes, as Vaibhav noted, you need to have a high degree of certainty before enabling an IPS. You want to be secure, but you do not want security to prevent the organization from carrying out its essential functions. I would recommend reserving an IPS for blocking only well-known and clearly defined threats. Otherwise you run the risk of blocking legitimate traffic.
Ruslan Yakush says
Great discussion, guys!
I would also add that prior to enabling the IPS function, it would be ideal to develop a baseline in order to determine legitimate traffic and distinguish between normal and abnormal network communications behavior. Once the baseline is set, the next step would be defining thresholds, alerting and actions for behavior-based detection and prevention.
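An added illustration of the definitions in Julien's list and of the baseline-then-threshold step Ruslan describes (example code written for this thread, not from either post or from any product; the request records, the signature patterns, the `k = 3` threshold and the `ids`/`ips` mode names are assumptions): a signature matcher and a learned request-rate baseline run over the same constructed traffic, with an IDS/IPS switch deciding whether a finding is alerted or dropped. The constructed window also shows the trade-off the thread keeps returning to: the legitimate monitoring host trips the anomaly rule (a false positive), while the novel login burst matches no signature and is caught by the rate baseline alone.

```python
import re
import statistics
from collections import Counter

# Two toy detectors over constructed HTTP request records (client_ip, method, path),
# plus an IDS/IPS switch that decides whether a finding is only alerted or dropped.
# Hypothetical illustration; not the code of any product mentioned in the thread.

# --- Signature-based: fixed patterns of known attack traffic (assumed set) ----
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+'?1'?\s*=\s*'?1"),
}


def signature_match(path):
    """Return the name of the first signature matching the request path, or None."""
    for name, regex in SIGNATURES.items():
        if regex.search(path):
            return name
    return None


# --- Anomaly-based: requests-per-client baseline learned from normal traffic --
class RateBaseline:
    """Flags a client whose request count exceeds mean + k * stddev of the training
    window; stddev is floored at 1 so a perfectly uniform baseline keeps some slack."""

    def __init__(self, k=3.0):
        self.k = k
        self.mean = 0.0
        self.std = 0.0

    def train(self, records):
        counts = Counter(ip for ip, _, _ in records)
        values = list(counts.values())
        self.mean = statistics.mean(values)
        self.std = statistics.pstdev(values)

    def threshold(self):
        return self.mean + self.k * max(self.std, 1.0)

    def is_anomalous(self, count):
        return count > self.threshold()


def analyze(records, baseline, mode="ids"):
    """Apply both detectors to a detection window.
    mode="ids": findings are alerted and the request still passes (passive).
    mode="ips": findings are dropped (in-line, active)."""
    per_client = Counter(ip for ip, _, _ in records)
    verdicts = []
    for ip, method, path in records:
        reasons = []
        sig = signature_match(path)
        if sig is not None:
            reasons.append("signature:" + sig)
        if baseline.is_anomalous(per_client[ip]):
            reasons.append("anomaly:request-rate")
        if not reasons:
            action = "pass"
        elif mode == "ips":
            action = "drop"
        else:
            action = "alert"
        verdicts.append((ip, method, path, action, reasons))
    return verdicts


def summarize(verdicts):
    """Count actions and reasons so the trade-offs are visible at a glance."""
    actions = Counter(v[3] for v in verdicts)
    reasons = Counter(r for v in verdicts for r in v[4])
    return dict(actions), dict(reasons)


def demo(mode="ids"):
    """Constructed scenario: train on a quiet window, then detect on a noisy one."""
    # Training window (constructed): ten clients, three ordinary requests each.
    training = [("10.0.0.%d" % i, "GET", "/index.html") for i in range(1, 11) for _ in range(3)]
    baseline = RateBaseline(k=3.0)
    baseline.train(training)

    # Detection window (constructed).
    window = [
        ("10.0.0.1", "GET", "/index.html"),
        ("10.0.0.1", "GET", "/files?name=../../etc/passwd"),  # known pattern: signature hit
    ]
    window += [("10.0.0.5", "GET", "/health")] * 20             # legitimate monitor: anomaly false positive
    window += [("10.0.0.9", "POST", "/login?user=u%d" % i) for i in range(50)]  # no signature, rate only
    return analyze(window, baseline, mode)


if __name__ == "__main__":
    print(summarize(demo("ids")))
    print(summarize(demo("ips")))
```

In IDS mode the twenty health checks are only alerted, so an analyst can add the monitoring host to the baseline and tune the rule; in IPS mode the same false positive would drop them, which is the reason the thread gives for building the baseline before turning prevention on.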
Julien Rossow-Greenberg says
Josh, good point. Also, I just wanted to add that standalone IPSs may be on the decline as next gen firewalls are now overlapping some IPS functionality. Though they’re not a true replacement for an IPS, NGFWs are now sometimes discussed as a preferred tool over standalone IPS.
Anthony Clayton Fecondo says
Great point about IPS requiring a higher degree of confidence to avoid rejecting legitimate traffic. This wasn’t really a factor that I thought of. I think this factor implies that signature based detection is better suited for IPSs. Because of the high rate of false positives associated with anomaly detection, you would want to reserve that for IDSs because of their less intrusive nature.
Loi Van Tran says
That makes sense Anthony. I believe signature based IPS would be a good start, but as we’ve noted in our coursework: attacks are evolving. An organization may be able to stop a lot of attempted attacks over its lifetime, but only one successful attack is needed to cripple the organization. As we know, signature-based IPS cannot identify and prevent new attacks. It may be burdensome to analyze all the rejected traffic from a behavior-based IPS, but in some cases this may prove to be a necessity.
Vaibhav Shukla says
Intrusion Detection System (IDS) is designed to monitor an entire network's activity and traffic and identify network and system attacks with only a few devices.
Classification based on device installation location
Host Intrusion Detection Systems (HIDS) are installed on the individual devices in the network. HIDS analyzes the incoming and outgoing packets from a particular device.
Network Intrusion Detection Systems (NIDS) monitor traffic at strategic points on the network. The IDS is used as a dedicated platform to analyze all the passing network traffic.
HIDS is better than Network IDS when it comes to detecting malicious activities on a particular device, but the cost factor makes NIDS better than HIDS, as installation of HIDS could be too costly if installed on individual devices.
Classification based on device processing
IDS signature detection works well with the threats that are already determined or known. It involves searching for a series of bytes or a sequence that is termed malicious.
Anomaly detection technique is a centralized process that works on the concept of a baseline for network behavior. This baseline is a description of accepted network behavior, which is learned or specified by the network administrators, or both.
One of the most profitable points is that IDS signatures are easy to apply and develop once you figure out the sort of network behavior to be found, but it has the drawback that it is unable to find zero-day or new attacks.
NIDS can detect new attacks but it raises a lot of false alarms.
https://www.slideshare.net/davidromm/five-major-types-of-intrusion-detection-system-ids
Zhengshu Wu says
Vaibhav, good to mention zero-day attack. Zero day exploits cannot be detected by conventional means, such as antimalware or IDS/IPS devices, because signatures have not yet been created. Without specific detection capabilities, security administrators have to rely on behavior-based detection methods.
Anthony Clayton Fecondo says
This question really loops back around to the concept of defense in depth. There isn’t one end-all-be-all best implementation of an IDS. In order to achieve a higher degree of security, an organization needs to layer NIDS and HIDS and utilize IPS as well. I’m going to assert that you should be using ALL of these technologies which means the issue is more about WHERE you use them. HIDS should be on all of your machines to detect any intrusion to a specific machine. A network IPS should be implemented just inside of your firewall so that it doesn’t waste its time analyzing traffic that the firewall would reject anyways. The next layer of defense should be a network IDS. The firewall will filter out traffic, the IPS will prevent any nefarious traffic that is within its capabilities, and the IDS will act as the last line of defense (before the traffic enters the network) to alert the proper personnel that something might be dangerous. This setup provides layers of security and also eliminates redundant work for each individual component.
In terms of Signature vs Anomaly based IDS, I think signature based IDS is essential, but implementation of anomaly based IDS is optional. Signature based IDS are guaranteed to alert you to known malicious activity with a very low false positive rate. However, an anomaly based IDS will require personnel to filter through a bunch of false positive alerts. It is important to keep in mind that anomaly based IDS can detect previously unknown activity that signature based IDS wouldn’t notice. For this reason, I would prefer both to be implemented. But if you had to choose between the two, I would pick signature based.
Josh Zenker says
I agree, Anthony. It’s a matter of choosing the right tool for the job. There’s no silver bullet to detect or prevent an intrusion. We have to understand the strengths and limitations of each of these systems.
Kevin Blankenship says
You hit exactly where I was going to Anthony. I agree that an effective IDS system requires defense in depth, and using each type of technology contextually. One specific piece doesn’t automatically make your network secure, it’s each piece working where it fits best to create as much coverage as possible.
Ruslan Yakush says
An Intrusion Detection System (IDS) is either a dedicated network device, or one of several tools in a server or firewall that scans data against a database of rules or attack signatures, looking for malicious traffic. The Intrusion Detection System does not take action when a match is detected so it does not prevent attacks from happening. IDS is usually placed offline, separate from regular network traffic, to avoid adding latency to the entire traffic flow.
An Intrusion Prevention System (IPS) has the ability to block or deny traffic based on a positive rule or signature match. IPS performs real-time traffic and port analysis, logging, content searching and matching, and can detect probes, attacks, and port scans. IPS is usually deployed in-line of the traffic flow in order to monitor all data in real-time and actually stop malicious traffic if detected.
Host-based systems are very useful when protecting critical servers that are considered to be highly exposed to cyber threats. Network based systems capture and analyze raw traffic packets while host-based systems read the host’s event logging components for any suspicious activities. The difference between the two is whether these systems look for attack signatures based on network traffic or logs on the hosts.
While a signature-based system would monitor traffic and detect malicious activity based on known threats’ signatures within its database, behavior-based security is a form of threat detection that does not rely on known malicious signatures, but instead uses informational context to detect anomalies in the network.
Anthony Clayton Fecondo says
Ruslan, I didn’t know that IDS are generally offline…that’s an interesting tidbit. I also didn’t know that host IDS search the logs. I assumed they monitored for signatures the same way that network IDS do. Thanks for the insights!
Mengqi He says
Based on where the detection takes place, IDS can be classified as Network IDS or Host IDS. NIDS run at several strategic points within the network to monitor traffic to and from all devices on the network in real time. It captures and analyzes all traffic passing through the network, then matches the traffic to the library of known attacks. Since NIDS monitors all traffic regardless of destination, one advantage of NIDS is that there’s no need to support every type of operating system used on the network. Therefore, NIDS is more portable, and organizations can have more options on types of operating systems on the network. NIDS also provide visibility into the security posture of the network by providing evidence of different classes of traffic. However, there are also some limitations on NIDS. One limitation is that it can only detect known attacks in its library, and that means new attacks may not be detected if the library is not updated. Even if the library is updated, it may still be one step behind the latest exploits. Another issue is that NIDS may slow down the speed of the network as a result of scanning every packet passing through the network. Even though this problem can be mitigated by placing more NIDS, it will increase costs. In addition, NIDS cannot scan packets from encrypted traffic.
Unlike NIDS, HIDS run on a particular single host or device on the network, monitoring inbound and outbound packets from it and collecting information about activities on it. HIDS monitors system processes and collects information from logs and audit trails to detect suspicious activities. One advantage of HIDS is that it can indicate who did what by tracing malicious or improper activities to a specific user ID, and figure out whether the attack was successful and where the attack or improper activity came from, inside or outside. However, HIDS cannot provide a complete network picture and cannot see network traffic. It cannot coordinate events happening across the entire network. Another limitation of HIDS is lack of portability and cross-platform support. Since it’s host-based, HIDS have to support multiple operating systems.
Based on the employed detection method, IDS can be classified as Signature-based IDS or Anomaly-based IDS. Signature-based IDS refers to the detection of attacks by searching for specific patterns, or signatures, for each intrusion event, and matching them to known signatures. It works in the same way as a virus scanner, and its capability highly depends on the extent of the signature database. It’s very efficient for sniffing out known attacks, but cannot detect new attacks with no available patterns. Anomaly-based IDS refers to the detection of anomalous activities by monitoring system activities and comparing them to normal activities classified in advance, and thus even unknown attacks can be detected. It works like a guard dog, and requires proper training and testing to increase accuracy, but false positives are still a problem.
IPS can be considered as an extension of IDS. IDS only detects attacks and sends alerts, while IPS does the same thing but also takes action to respond to the attack and stop its further access. IPS is more of a preventative and proactive technology, while IDS is a detective and after-the-fact technology.
I think all these types of IDS and IPS can work together to improve system and network security. Many of them are complementary and cannot be substituted for one another. For example, organizations can use NIDS on their network with several HIDS only on critical hosts or systems to ensure both network and host security in a cost-effective manner. In addition, an organization can use a combination of Signature-based IDS and Anomaly-based IDS to detect known and unknown attacks with fewer false positives.
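An added illustration of the “who did what” attribution and inside/outside tracing that the post credits to HIDS, and of the event correlation over host logs and audit trails mentioned earlier in the thread (example code written for this thread, not from the post or any product; the log lines, the internal address ranges and the failure threshold are constructed assumptions): a toy correlator that parses sshd-style authentication lines, attributes each event to a user and source, and reports a run of failed logins together with whether a later success followed.

```python
import ipaddress
import re
from collections import defaultdict

# Toy host-based detector over constructed sshd-style authentication log lines:
# attributes each event to a user and source address, decides whether the source
# is inside or outside the organization, and correlates a run of failed logins
# with a later success. Hypothetical illustration, not any product's code.

LOG_RX = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Address ranges treated as "inside" (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
2024-01-01T10:00:01 sshd[812]: Accepted password for alice from 10.1.2.3 port 51000 ssh2
2024-01-01T10:00:05 sshd[813]: Failed password for bob from 203.0.113.7 port 40001 ssh2
2024-01-01T10:00:06 sshd[813]: Failed password for bob from 203.0.113.7 port 40002 ssh2
2024-01-01T10:00:07 sshd[813]: Failed password for bob from 203.0.113.7 port 40003 ssh2
2024-01-01T10:00:08 sshd[813]: Failed password for bob from 203.0.113.7 port 40004 ssh2
2024-01-01T10:00:09 sshd[813]: Accepted password for bob from 203.0.113.7 port 40005 ssh2
2024-01-01T10:01:00 sshd[820]: Failed password for invalid user admin from 192.168.5.9 port 3333 ssh2
2024-01-01T10:01:01 sshd[820]: Failed password for invalid user admin from 192.168.5.9 port 3334 ssh2
2024-01-01T10:01:02 sshd[820]: Failed password for invalid user admin from 192.168.5.9 port 3335 ssh2
2024-01-01T10:01:03 sshd[820]: Failed password for invalid user admin from 192.168.5.9 port 3336 ssh2
2024-01-01T10:02:00 sshd[830]: Failed password for carol from 10.9.9.9 port 4000 ssh2
2024-01-01T10:02:01 sshd[830]: Accepted password for carol from 10.9.9.9 port 4001 ssh2
"""


def parse(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LOG_RX.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    addr = ipaddress.ip_address(ev["src"])
    ev["internal"] = any(addr in net for net in INTERNAL_NETS)
    return ev


def correlate(lines, max_failures=3):
    """Alert once per (user, source) when failures exceed max_failures; if that
    pair later logs in successfully, upgrade the alert from 'attempted' to
    'succeeded' so the analyst sees which attempts actually got in."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            if failures[key] == max_failures + 1:  # alert once, at the crossing
                alerts.append({
                    "user": ev["user"],
                    "src": ev["src"],
                    "origin": "inside" if ev["internal"] else "outside",
                    "outcome": "attempted",
                    "at": ev["ts"],
                })
        else:  # Accepted
            if failures[key] > max_failures:
                for alert in alerts:
                    if (alert["user"], alert["src"]) == key:
                        alert["outcome"] = "succeeded"
                        alert["at"] = ev["ts"]
            failures[key] = 0
    return alerts


def demo():
    """Run the correlator over the constructed sample."""
    return correlate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

A network sensor sees only that connections to port 22 occurred; the host log is what supplies the user name, the success/failure outcome and therefore the “was the attack successful, and from inside or outside” answer the post describes. One failure for carol stays under the threshold and produces nothing, which is the tuning knob that keeps this kind of rule from alarming on ordinary typos.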
Mengxue Ni says
Great post, Emily!
I totally agree with you that organizations can combine different types of IDS and IPS to improve the overall system and network security based on what they need. I think IPS and IDS are both important and should be used in every organization.
Loi Van Tran says
There are two main types of Intrusion Detection Systems:
Host-based IDS (HIDS) are used for analyzing activity within a computer system, typically critical systems. HIDS can look at the data packets within the higher level of the OSI stack for anomalous or inappropriate activity on individual servers and/or workstations.
Network-based IDS (NIDS) is used for monitoring network communications. NIDS cannot see the activity happening within the higher level of the OSI stack.
HIDS and NIDS can further be broken down into the following types:
Signature-based is basically pattern matching like anti-virus software. The signatures on these types of IDS must be continually updated to be effective. Signature based IDS cannot identify new attacks.
Anomaly-based a.k.a heuristic/behavior-based are able to learn from “normal activities” and can use baselines to find deviations from the norm. Because of this, it can detect new attacks unlike signature-based IDS.
Rule-based IDS uses artificial intelligence expert systems that process if-then rules to identify combinations of activities within the data packets. It cannot detect new attacks and may require more processing power based on the complexity of the rule.
IDS vs IPS – The main difference between IDS and IPS is the type of control it is. IDS is a detective control meanwhile IPS is a preventive control. IDS systems will detect that something bad is happening and will only send alerts to the admin. The admin will conduct research and respond to alert after the fact. IPS on the other hand will detect that something bad is happening and will stop the traffic from gaining access to the target. IPS can be host-based or network-based like IDS, but it can also be content-based. Content-based IPS can look deep into the packets and conduct protocol analysis or signature matching.
HIDS are typically installed on critical servers due to the administrative overhead. HIDS typically require more processing power since it is analyzing at the higher layers of the OSI stack. Deploying them everywhere would require more computing resources.
Zhengshu Wu says
IDS — A Passive Security Solution
An intrusion detection system (IDS) is designed to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. IDS is considered to be a passive-monitoring system, since the main function of an IDS product is to warn you of suspicious activity taking place, not to prevent it.
IPS — An Active Security Solution
IPS or intrusion prevention system, is definitely the next level of security technology with its capability to provide security at all system levels from the operating system kernel to network data packets. It provides policies and rules for network traffic along with an IDS for alerting system or network administrators to suspicious traffic, but allows the administrator to provide the action upon being alerted. Where IDS informs of a potential attack, an IPS makes attempts to stop it. Another huge leap over IDS, is that IPS has the capability of being able to prevent known intrusion signatures, but also some unknown attacks due to its database of generic attack behaviors. Thought of as a combination of IDS and an application layer firewall for protection, IPS is generally considered to be the “next generation” of IDS.
Network-based vs. Host-based IPS
Host-based intrusion prevention systems are used to protect both servers and workstations through software that runs between your system’s applications and OS kernel. The software is preconfigured to determine the protection rules based on intrusion and attack signatures. The HIPS will catch suspicious activity on the system and then, depending on the predefined rules, it will either block or allow the event to happen. HIPS monitors activities such as application or data requests, network connection attempts, and read or write attempts to name a few.
Network-based intrusion prevention systems (often called inline prevention systems) are a solution for network-based security. NIPS will intercept all network traffic and monitor it for suspicious activity and events, either blocking the requests or passing them along should they be deemed legitimate traffic. Network-based IPSs work in several ways. Usually package- or software-specific features determine how a specific NIPS solution works, but generally you can expect it to scan for intrusion signatures, search for protocol anomalies, detect commands not normally executed on the network and more.
IDS vs. IPS
While many in the security industry believe IPS is the way of the future and that IPS will take over IDS, it is somewhat of an apples and oranges comparison. The two solutions are different in that one is a passive detection monitoring system and the other is an active prevention system. The age-old debate of why you would want to be passive when you could be active comes into play. You can also evaluate the implementation of a more mature IDS technology, versus the younger, less established IPS solutions. The drawbacks mentioned regarding IDS can largely be overcome with proper training, management, and implementation. Plus, overall an IDS solution will be cheaper to implement. Many, however, look at the added benefits of the intuitive IPS systems and, believing that IPS is the next generation of IDS, choose to use the newer IPSs as opposed to the IDSs. Adding to the muddle, of course, will be your initial decision of choosing host-based or network-based systems for either IDS or IPS security solutions.
Much like choosing between standard security devices like routers and firewalls, it is important to remember that no single security device will stop all attacks all the time. IPS and IDS work best when integrated with additional and existing security solutions.
reference: http://www.webopedia.com/DidYouKnow/Computer_Science/intrusion_detection_prevention.asp
Mengxue Ni says
Great post, Zhengshu!
Nice explanation of these terms! It’s good that you mentioned many believe IPS is the way of the future and that IPS will take over IDS. I think IDS is still useful today. Most organizations still rely on IDS; they both have pros and cons. Organizations can choose whichever based on the business needs.
Mengxue Ni says
IDS tools aim to detect computer attacks and/or computer misuse, and to alert the proper individuals upon detection. An IDS installed on a network provides much the same purpose as a burglar alarm system installed in a house. Through various methods, both detect when an intruder/attacker/burglar is present, and both subsequently issue some type of warning or alert.
IDS vs. IPS
Intrusion detection (IDS) is a form of passive network monitoring, in which traffic is examined at a packet level and results of the analysis are logged. Intrusion prevention (IPS), on the other hand, is a more proactive approach, in which problematic patterns lead to direct action by the solution itself to fend off a breach.
Host-based vs network-based vs application based
Host-based intrusion detection techniques revolve around individual hosts by monitoring the hard drive and both inbound and outbound packets, and constantly comparing the results against a pre-created image of the host and the host’s expected packet flow.
Application-based intrusion detection techniques widen the scope to an application in an abstract sense — meaning, everything in the infrastructure that’s involved in the way that application functions, but only that application. These solutions are used for applications that perform particularly crucial functions for the organization, because the potential consequences of a breach are high.
Network-based intrusion detection techniques expand the scope of coverage still further to all devices on a network or subnetwork (sometimes, multiple instances of solutions collaborate to accomplish this, due to the volume of traffic). Because they are the most general, they sometimes miss problems the other two might detect.
Anomaly-based
Also called behavior-based, these solutions track activity within the specific looking for instances of malicious behavior — at least, as they define it, which is a difficult job, and sometimes leads to false positives. For instance, outbound URLs of Web activity might be considered, and sites involving certain domains or URL length/contents might automatically be blocked, even though it’s a human being trying to go there (not malware), and that user has a business-legitimate reason.
Signature-based
This approach, also known as knowledge-based, involves looking for specific signatures — byte combinations — that when they occur, almost invariably imply bad news. Read: malware itself, or packets sent by malware in the attempt to create or leverage a security breach. These solutions generate fewer false positives than anomaly solutions because the search criteria is so specific, but they also only cover signatures that are already in the search database (which means truly novel attacks have good odds of success).
https://www.alienvault.com/blogs/security-essentials/intrusion-detection-techniques-methods-best-practices
Kevin Blankenship says
IDS tools are useful for detecting and logging malicious behavior. IPS (Intrusion Prevention system) tools are helpful in removing and blocking malicious packets. Both can be placed anywhere in a network.
A host-IDS operates on a machine level, looking for suspicious behavior within a workstation or piece of hardware. A network-IDS sits somewhere within an organization’s network and watches for malicious behavior coming in or going out.
A signature based IDS looks for information based on a database of known malicious signatures and matches them to incoming/outgoing packets. This is very rule-based.
An anomaly-based IDS relies on statistical analysis to determine unexpected behavior within the network. It is good for catching outlying behavior, but can also lead to false positives if not trained properly.
Each of these IDS solutions has a place within an organization’s network. They all have strengths and weaknesses, but can complement or offset each other if deployed appropriately.
Sachin Shah says
Kevin great points about the drawbacks. I think you hit the nail on the head about anomaly based can lead to false positives if the baseline or configuration is not correct. Also the rule based would be extensive in the amount of rules that need to be accounted for.
Ryan P Boyce says
When it comes to determining what types of intrusion detection systems to use in an organization it is important to first determine what the organization's information systems are doing. In other words, it is crucial to determine the functionality of each piece of the information system. This can typically be done by identifying the most sensitive areas of the information system such as production databases or development environments where critical applications are being developed. A business impact analysis will help determine what parts of the system the organization can least afford to lose. From here, proper detection and prevention systems can be put in place based on cost and need. Perhaps the most critical piece to an organization is the database. Without proper database functionality, applications cannot run and sensitive data cannot be accessed. It may be in the company’s best interest, then, to monitor a database environment with both a host-based and a network-based intrusion detection system. They might want to be sure that a host is not making calls to the database that it shouldn’t, and a NIDS or IPS will do this. To prevent malicious code from executing on the DB host, a HIDS should be utilized. In a different scenario, the business impact analysis might dictate that several of the company’s sandbox environments are very low in terms of cost if they were to be lost. In the interest of cost and maintenance of the systems, the company might choose to place these environments behind a simple IPS. The nature of each part of the information system as dictated by a Business Impact Analysis will determine the best approach in selecting an IDS/IPS architecture.
Sachin Shah says
Host Based IDPS (HIDS) is a system that monitors a computer system on which it is installed to detect an intrusion and/or misuse, and responds by logging the activity and notifying the designated authority.
Network Based IDPS (NIDS) is a hardware appliance installed on the network and strategically positioned at various points on the network to monitor traffic going to and from network devices.
Signature based – monitors network traffic for suspicious patterns in data packets or signatures of known network intrusion patterns
Anomaly Based – uses a baseline of the system in a normal state and then tracks whether unusual or suspicious activity is present
IDS vs IPS – Intrusion Detection System and Intrusion Prevention System. IDS analyzes whole packets and when a known event is detected a log message is generated detailing the event. Whereas an IPS also analyzes whole packets, and when a known event is detected the packet is rejected.
I think the key difference between all the IDS is the structure and price of the network infrastructure. HIDS is on every computer on the network whereas a NIDS is more expensive and strategically placed. IPS vs IDS is whether you just want logging or proactive rejections. These are different flavors and each serves their own purpose. I also like the anomaly based as we learned last semester about baselines, etc.
https://www.upguard.com/articles/top-free-network-based-intrusion-detection-systems-ids-for-the-enterprise
Joseph Nguyen says
Great discussion above.
HostIDS can monitor anything within that host, anything from processes and events, like system logs, processes, file access/modification, system and application changes. An agent is installed and sends these monitored events to the central server via the SNMP protocol. The central server can monitor several hosts as well.
Hosts can be from different OSes like Windows, UNIX, Apple. Note that some specific compliance standards like PCI or HIPAA require agentless monitoring.
NetworkHostIDS is a HostIDS that can also monitor network protocols within that host, and it becomes NetworkHostIDS.
NetworkIDS concentrates mainly on application layer protocols like HTTP, DNS, FTP, SMTP but also on the network and transport layers like TCP/UDP ports. The optimal placement is where it can capture the most protocols in that traffic. Usually around firewalls or routers.
HostIDS and NetworkIDS can be Signature Based or Anomaly Based. The Anomaly-Based IDS is more proactive, based on heuristics or rules rather than signatures or patterns, useful for detecting unknown/unusual threats based on behavioral attributes using AI techniques.
IDS vs IPS:
An Intrusion Prevention System can do everything an IDS is capable of plus block attacks by modifying rules in real time.
Note that the future might be a device that has all of those features in one, ideally! Or it might be the technologies that are currently used by Google to protect its corporate perimeter without a firewall and maybe without the need for IDS/IPS. More on how Google did that (https://www.youtube.com/watch?v=d90Ov6QM1jE)
Marcus A. Wilson says
There are quite a few options when it comes to selecting an IDS to prevent unauthorized access to your systems. Network based IDS monitor raw packets to detect an attacker targeting the company network. There are host-based IDS that monitor event and security logs at the operating system level. If the IDS notices any matching patterns based on established rules it will send out an alert. At an even more granular level there are several different approaches to an IDS strategy such as statistical-based IDS and rule-based IDS.
To figure out what type of IDS product and strategy to use, an organization should conduct a risk assessment. This will provide a holistic view and full understanding of all the risks that may impact the organization. There are two types of risk assessments that an organization can use. Quantitative analysis is used to understand the probability an event will occur and the associated loss when the event occurs. Qualitative analysis is used to understand the estimated potential loss using known threats, vulnerabilities, and controls.
Another step in determining the best IDS approach is understanding the requirements of the organization. Implementing an IDS requires support from senior leadership and requires a commitment of resources to security. By securing the buy-in from management it frees up the resources to implement the system and controls needed.
The next step is understanding the organization’s IT environment. The organization needs to know where the critical network points are and the appropriate places to place sensors for the IDS. This is a good way to know exactly where key resources should be focused.
The final step is a cost/benefit analysis. Before making a final decision on an IDS the organization should make sure that they are not going to spend more on the implementation of an IDS than it would cost if they were to be compromised. If the cost of the compromise is less than the cost of the IDS system it would be a better option to just accept the risk.
https://www.sans.org/reading-room/whitepapers/detection/choosing-intrusion-detection-system-suits-organization-82