Intrusion Detections and Prevention Systems (IDP) can be a very effective way of blocking inbound hacking, especially when they feed into a Security Information and Event Management (SIEM) or Security Operations Centre (SOC), to provide patterns of behavior. Current IDPs are much more advanced than early models, which were simple, pattern-matching engines against packets. The simplicity of the early generations resulted in low performance, false alarms, and difficulty using the local security intelligence generated by the IDP.
Block IPs of Hackers Before They Start Scanning
Modern IDPs act more like virtual patching systems. When configured correctly, they are able to understand the vulnerability of the services they are protecting, and selectively apply blocking to malicious traffic. Some modern IDPs can also ingest real time global threat intelligence, so that organizations can benefit from a worldwide network of intrusion detection sensors, allowing organizations to block the IPs of hackers before they even start scanning.
IDPs can generate a rich feed of local threat intelligence for use in a SIEM or a SOC. Attackers follow a predictable ‘Cyber Kill Chain of identifying assets before scanning for vulnerabilities and attempting to exploit them. This early warning can tell us a lot about an attacker and what they’re interested in. When a high level of confidence that the traffic is not legitimate has been reached, the IDP, the SIEM, or a SOC operator can automatically or manually adjust firewall rules to block the attacker.
IDPs Provide Effective Security Controls
IDPs can also be an effective security control against internal attacks by disgruntled staff or attackers who have internal access through compromised credentials or remote-controlled end user devices – see diagram below. Monitoring inter-VLAN traffic internally can give early warnings and ability to block stealthy attacks and self-propagating malware such as WannaCry and Petya.
Integrate IDP Into Your Security Strategy
To get the most out of your IDP, it needs to be integrated into a security strategy. You need to understand the risk scenarios to respond to or face an overwhelming volume of alerts. You also need to determine how local and threat intelligence can be used to aid decision-making – to confirm an attack or dismiss it as a false alarm. Once an intrusion attack has been confirmed, the IDP plays a critical role in deciding how to respond, whether this is scripted by API or by a security operator.
SpearHead Networks can help you design an IDP that integrates with your existing infrastructure, or uplift of your capability. Whether you currently don’t have an IDP, or you have one but it’s just there to tick compliance boxes, or even if you are struggling to maintain it, SpearHead Networks can help you simplify the process and get optimal value from it.