There is a vogue in cybersecurity that says one should accept that the perimeter is no longer an impermeable castle wall, and that users should accept you can’t keep the bad guys out.
That would make intrusion detection systems even more important.
In the old days a malware attack would breach the perimeter and immediately set about spreading a virus, or searching for data and trying to steal it.
Today there is much emphasis on bad actors who place sleeping malware onto systems which will simply rest there until activated by some trigger or some action.
Palo Alto Networks describes an intrusion detection system thus: An Intrusion Detection System (IDS) is a network security technology originally built for detecting vulnerability exploits against a target application or computer.
Some intrusion detection systems look for known attack signatures. Others compare observed activity against libraries of known patterns. Host-based detection systems can take an image (a baseline snapshot) of an entire system.
A recent study from Tripwire evaluated the confidence of IT professionals regarding the efficacy of seven key security controls, which must be in place to quickly detect a cyber attack in progress. Study respondents included 763 IT professionals from various industries, including 134 participants from financial services.
According to the Identity Theft Resource Center’s 2015 Breach List report, the number of data breaches within the banking, credit and financial sectors nearly doubled between 2014 and 2015. Despite this increase, the majority of IT professionals in financial services displayed high levels of confidence in their ability to detect a data breach, even though they were unsure how long it would take for their security tools to discover key indicators of compromise. While sixty percent of financial respondents either did not know or only had a general idea of how long it would take to isolate or remove an unauthorized device from their organizations’ networks, eighty-seven percent believed they could perform this task within minutes or hours.
Additional financial services findings include:
– Only thirty-seven percent said their automated tools were able to identify locations, department and other critical details of network devices with unauthorized configuration changes.
– Eighty-two percent believe they could detect configuration changes to a network device on their organizations’ networks within minutes or hours. However, fifty-nine percent acknowledged they did not know exactly how long it would take to do this.
– Ninety-two percent believe vulnerability scanning systems would generate an alert within minutes or hours if an unauthorized device was discovered on their network. However, seventy-seven percent say they automatically discover eighty percent or less of the devices on their networks.
– Twenty-nine percent do not detect all attempts to access files or network-accessible file shares without the appropriate privileges.
– Forty percent said less than eighty percent of patches are successfully fixed in a typical patch cycle.
"Compliance and security are not the same thing," said Tim Erlin, director of IT security and risk strategy for Tripwire. "While many of these best practices are mandated by compliance standards, they are often implemented in a ‘check-the-box’ fashion. Addressing compliance alone may keep the auditor at bay, but it can also leave gaps that can allow criminals to gain a foothold in an organization."
Tripwire’s study is based on seven key security controls required by a wide variety of compliance regulations, including PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53, CIS 20 Critical Controls and IRS 1075. These controls also align with the United States Computer Emergency Readiness Team (US-CERT) recommendations and international security guidance such as the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions.
The recommendations and guidance include:
– Accurate hardware inventory
– Accurate software inventory
– Continuous configuration management and hardening
– Comprehensive vulnerability management
– Patch management
– Log management
– Identity and access management
A good intrusion detection system should alert an administrator as soon as a breach is made.
And it should be able to scale. Companies such as HP and IBM report that they are attacked literally millions of times each day.