
Final five considerations when evaluating intrusion detection tools

Before making an investment in an intrusion detection and prevention system, be sure to read this list of five final considerations to keep in mind during intrusion detection system evaluation.

To protect your enterprise's network, it is critical to select the intrusion detection and prevention system (IDS/IPS) offerings that effectively block attacks and complement your existing security controls.

Below are five final considerations your organization should keep in mind when it's getting ready to seal the final deal on its IDS/IPS purchase.

1. Have you done your homework?

There can be a significant learning curve in assessing existing intrusion detection tools. Consequently, make use of regional value-added resellers (VARs) to help connect you with their subject matter experts as well as manufacturers' representatives and independent consultants. The best VARs are willing to spend the time with an organization, knowing that it will pay off for them in the long run. They do not want to sell you technology that is a bad fit, and they want some form of return business for other projects. They can help you form the questions you need to ask vendors based on your organization's needs.

Additionally, a risk assessment coupled with your industry's compliance regulations helps identify what resources need to be protected and to what degree. Ensure you have a good understanding of the perceived risks and attendant metrics to help you in your project planning.

When selection time comes, make your decision based on the desired features that address your organization's risks. Use a feature matrix to compare competing products; this can be built simply in a word-processing table or spreadsheet. Depending on your selection process, the feature matrix will have simple check boxes (go/no go) for mandatory features and a weighted numerical range according to desirability for optional features.
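The feature matrix described above can also be kept as a small script instead of a spreadsheet. The following is an added example, not part of the original article; every product name, feature, weight and score in it is constructed for illustration.

```python
# Added example: product names, features, weights and scores are all constructed.
MANDATORY = ["inline_blocking", "syslog_export", "tap_or_span_input"]
# Optional features with a desirability weight (1 = nice to have, 5 = highly desired).
OPTIONAL_WEIGHTS = {"wireless_ids": 3, "siem_connector": 5,
                    "custom_rules": 4, "central_console": 2}
MAX_SCORE = 5  # each optional feature is scored 0..5 by the evaluation team

PRODUCTS = {
    "Product A": {"mandatory": {"inline_blocking": True, "syslog_export": True,
                                "tap_or_span_input": True},
                  "optional": {"wireless_ids": 2, "siem_connector": 5,
                               "custom_rules": 4, "central_console": 1}},
    "Product B": {"mandatory": {"inline_blocking": True, "syslog_export": False,
                                "tap_or_span_input": True},
                  "optional": {"wireless_ids": 5, "siem_connector": 5,
                               "custom_rules": 5, "central_console": 5}},
    "Product C": {"mandatory": {"inline_blocking": True, "syslog_export": True,
                                "tap_or_span_input": True},
                  "optional": {"wireless_ids": 4, "siem_connector": 3,
                               "custom_rules": 3}},  # central_console not scored
}

def evaluate(products, mandatory=MANDATORY, weights=OPTIONAL_WEIGHTS):
    """Return one row per product, go candidates first, best weighted score first."""
    best = MAX_SCORE * sum(weights.values())
    rows = []
    for name, sheet in products.items():
        # Go/no go: an unanswered mandatory feature counts as missing.
        missing = [f for f in mandatory if not sheet["mandatory"].get(f, False)]
        # Weighted sum; unscored optional features count as 0, scores are clamped.
        score = sum(w * min(max(sheet["optional"].get(f, 0), 0), MAX_SCORE)
                    for f, w in weights.items())
        rows.append({"product": name, "go": not missing, "missing": missing,
                     "score": score, "percent": round(100 * score / best, 1)})
    rows.sort(key=lambda r: (not r["go"], -r["score"]))
    return rows

if __name__ == "__main__":
    for r in evaluate(PRODUCTS):
        verdict = "GO" if r["go"] else "NO GO (missing: " + ", ".join(r["missing"]) + ")"
        print(f'{r["product"]:<10} {r["score"]:>3} pts {r["percent"]:>5}%  {verdict}')
```

Product B has the highest optional score but fails a mandatory check, so it ranks below both candidates that pass.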

2. Do you have the support of your organization's networking group?

The IDS/IPS technology is best deployed with the active participation of an organization's networking staff. A good many tasks -- such as configuring network switch span ports or installing a network tap -- should be done by networking specialists. Since IDS/IPS technology is disruptive in nature, the network staff has to understand how this technology works.

By working with the networking staff to identify monitoring points, both the security and networking teams can get a better idea of what kind of traffic needs to be detected. The networking staff can help determine if specialized equipment -- such as load balancers or network aggregators -- is needed to help detect network attacks while maintaining high network availability.

3. Does your project plan consider cost-based alternatives?

Network speeds will also affect how many IDS/IPS sensors can be deployed. Generally speaking, the faster the network segment, the more costly the sensor. In today's market, a 10 GB sensor is three to four times more expensive than a 1 GB sensor.

To address this issue, organizations can adopt several approaches. The first is to adopt a phased deployment and spread out the capital expense over several years. Another approach is to use network aggregation technology to allow a single IDS sensor to monitor multiple network segments. Still another would be to use the IPS feature in already-deployed unified threat management (UTM) firewalls to monitor some network segments. Finally, if the organization has good open source skills, Snort IDS sensors could be deployed using existing hardware to cover lower-risk areas the commercial IDS/IPS product does not address.

4. Does your project address the wireless threat?

The networking and security teams will also need to determine if separate wireless IDS/IPS sensors are required or if the proposed systems can address wireless security issues. Some wireless access-point controllers have built-in IDS/IPS features, so it may simply be a matter of enabling them in existing equipment.

The two technologies are complementary, as wireless IDS/IPS sensors primarily look for spoofed MAC addresses and rogue access points while conventional IDS/IPS technology addresses many other forms of network-based attacks. This can be especially useful in detecting malicious activity through privately owned mobile devices riding an organization's access points.

5. Does your project address how security events will be managed?

Organizations must realize that IDS/IPS sensors do require specialized training to operate. Sensors must be properly tuned to eliminate false positives and alerting has to be pertinent to the actual threat. Security staff must be trained to be able to interpret and act on the reported events.

The large volume of detected events -- even on properly tuned sensors -- means that some method must be used to correlate and consolidate multiple IDS/IPS events. Many IDS/IPS products offer some kind of management server and console, but these events may also be best interpreted using a security incident and event management (SIEM) platform. A SIEM is especially useful when correlating IDS/IPS events and events from separate security technologies such as UTM, endpoint host-based IDS and endpoint antimalware software.
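The consolidation and cross-technology correlation described above can be sketched in a few lines. This is an added example, not code from the article or from any SIEM product; the events, hosts, signature labels, the 10-minute window and the two-technology escalation threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, reporting technology, host, signature.
EVENTS = [
    ("2024-05-01T10:00:05", "ids", "10.0.5.23", "SIG-1001 outbound beacon"),
    ("2024-05-01T10:00:07", "ids", "10.0.5.23", "SIG-1001 outbound beacon"),
    ("2024-05-01T10:00:09", "ids", "10.0.5.23", "SIG-1001 outbound beacon"),
    ("2024-05-01T10:01:00", "ids", "10.0.7.40", "SIG-2002 port sweep"),
    ("2024-05-01T10:01:02", "ids", "10.0.7.40", "SIG-2002 port sweep"),
    ("2024-05-01T10:02:30", "utm", "10.0.5.23", "blocked outbound connection"),
    ("2024-05-01T10:04:10", "antimalware", "10.0.5.23", "quarantined file"),
    ("2024-05-01T11:30:00", "ids", "10.0.5.23", "SIG-1001 outbound beacon"),
]

def correlate(events, window=timedelta(minutes=10), min_sources=2):
    """Consolidate repeated events per host and flag multi-technology clusters."""
    by_host = {}
    for ts, source, host, sig in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        clusters = by_host.setdefault(host, [])
        # Join the host's open cluster if this event falls within the window
        # of its most recent event; otherwise start a new cluster.
        if clusters and t - clusters[-1]["last"] <= window:
            c = clusters[-1]
        else:
            c = {"host": host, "first": t, "last": t, "counts": {}}
            clusters.append(c)
        c["last"] = t
        # Consolidation: identical (technology, signature) pairs become one counter.
        c["counts"][(source, sig)] = c["counts"].get((source, sig), 0) + 1
    incidents = []
    for clusters in by_host.values():
        for c in clusters:
            c["sources"] = sorted({s for s, _ in c["counts"]})
            c["events"] = sum(c["counts"].values())
            # Correlation: independent technologies agreeing on a host is a stronger signal.
            c["escalate"] = len(c["sources"]) >= min_sources
            incidents.append(c)
    incidents.sort(key=lambda c: (not c["escalate"], c["first"]))
    return incidents

if __name__ == "__main__":
    for c in correlate(EVENTS):
        flag = "ESCALATE" if c["escalate"] else "review"
        print(f'{flag:<8} {c["host"]:<10} {c["events"]} events from {", ".join(c["sources"])}')
```

Eight raw events collapse into three entries, and only the host reported by the IDS, the UTM firewall and the antimalware agent within the same window is escalated.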

In addition to training costs and the cost of a SIEM system, the continual nature of automated network-based attacks means that organizations are subject to attacks at any time, so staffing issues should be addressed during project planning. A managed security service provider (MSSP) can offer an alternative to 24/7 staffing. The scope and expected duties of an MSSP should be understood before engagement. Another factor to consider is that an MSSP can provide basic incident identification while an organization's in-house experts can handle incident investigation and remediation, thus extending the capabilities of your organization's security staff.

Shortcomings of an MSSP can include the reliance on canned reporting that doesn't meet the needs of the organization and a superficial understanding of the organization's infrastructure and IT services. Organizations can avoid this by ensuring that MSSPs provide pertinent reports and that the organization's network and services are adequately understood within the scope of the engagement.

Conclusion

In-house experts and the willingness of the organization's leadership to make the investment in capital and labor ultimately determine the best fit for an organization. This requires a thorough knowledge of the risks the organization is trying to address as well as a thorough knowledge of the organization's network and existing security controls.

Successful project planning and implementation will need the support of key players both in business units and IT staff. The result will illuminate your network as never before, providing insight into further understanding the effectiveness of security controls and helping to identify and remediate previously unknown security issues.

Properly fielded intrusion detection and prevention system technology truly shines light into dark places.

About the author:
Bill Hayes is a former oceanography student and military veteran, and a journalism school graduate. After flirting with computer game design in the 1980s, Hayes pursued a full-time career in IT support and currently works as a cybersecurity analyst for a Midwestern utility company as well as a freelance expert consultant and writer.
