Intrusion Detection and Prevention

Host-based as well as network-based intrusion detection systems suffer from the following disadvantages:
§  IDSs typically yield a high volume of false positives triggered by legitimate traffic on your network and systems. Resources must be dedicated to research and tune your IDS on a regular basis to keep it functional. Parsing through the noise generated by these innocuous alerts to identify real security events proves to be a continual challenge for most organizations.
§  Active monitoring of IDS is a significant drain on resources. The promise of IDS is early detection of malicious activities. To do that, you have the option of staffing resources 24/7/365 (or outsourcing the function) to monitor network IDS, or of setting up an automated alerting (paging) mechanism. Otherwise, you fall back on reactive monitoring, which is to have one resource analyze IDS logs from the day before to spot suspicious events.
§  The cost factor for host-based IDS is high due to the per-seat pricing model typical in this arena. For every server, workstation, and laptop you want to protect, there is a host IDS cost associated with it.
Let us also evaluate the issues around intrusion prevention systems.
§  IPS is intrusive by nature and may disrupt business. Unless you have a stable network with minimal changes, deploying IPS could work against your resiliency and be the cause of business downtime.
§  IPS is high maintenance. You must constantly tune your IPS to adapt to the dynamic nature of your network and systems. You also must dedicate resources to identify and fix potential IPS-related issues. Basically, IPS will be in the line of fire every time there is an unaccountable outage on the network or system. If you deploy host-based IPS (H-IPS), you need to include it in the testing life cycle of every project because of its potential to flag legitimate system calls as incidents. You must dedicate resources to troubleshoot with developers or system engineers to rule H-IPS in or out as the cause of issues.
From a cost-versus-risk perspective, you need to ask the question of whether the protection offered by IDS and IPS is worth the price of deployment and ongoing maintenance. Here are some guidelines around pragmatic approaches to IDS and IPS:
§  Deal with the high count of false positives by looking into a correlation engine. There are different flavors of this technology from all the major vendors, but basically the idea is built around a central repository that takes in logs or events from various security devices (firewalls, IDS, system logs) and applies a layer of heuristics to the data to determine the validity of a security event. Some correlation engines will go as far as to incorporate a network scanning application to actively verify that the vulnerability actually exists. This is a worthwhile investment considering the significant cost savings that can be gleaned from the resource hours needed to do similar types of correlation manually, consistently, and constantly.
§  Calculate the cost of switching to a managed service provider (MSP) if you are currently operating your IDS in-house. Intrusion detection is one of the most viable candidates for MSP due to the sheer resource commitment needed to monitor events 24/7/365 and some clear advantages that you cannot obtain internally.
§  One key benefit of using an MSP for intrusion detection is that it monitors threats across the nation (maybe the world) and you may be able to benefit from early notification of developing issues before they hit your area.
§  Second, it has dedicated staff who specialize in monitoring and can more accurately weed out false positives and identify real events. You can make use of the staff as an extension of your security organization by leveraging their subject matter expertise.
§  Third, some MSPs offer guarantees to provide you with timely notification and acceptable service levels, and they will often share some of the risk with your company if an incident does occur.
§  Fourth, you have more flexibility in tailoring your intrusion-detection offerings if you need to scale appropriately or when you are not getting satisfactory results from your provider. MSPs are accommodating and are typically willing to work with you to put together a package that meets your needs. If you have IDS deployed, some of them are willing to monitor and manage your pre-existing IDS. If you do not have IDS, they can lease or include physical devices as part of your monthly fees.
§  A key thing to consider when selecting an intrusion-detection MSP is to ask for dedicated resources. Make sure that you have the same group of people watching your network rather than a rotating staff. Also, ask to have direct access to that dedicated group as opposed to going through several levels of support before talking to a skilled person. Choose an MSP that provides written guarantees and appealing service level agreements (SLAs).
§  Finally, negotiate an "out" clause in your contract so that when the MSP continually fails to meet expectations, you can select another provider without getting locked in for the entire term of the contract (MSPs usually want at least two or three years).
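To make the correlation idea concrete, here is a small correlation engine written as an added example; it is not code from the book or from any vendor product. It ingests constructed firewall, IDS, and host syslog lines (the timestamp plus key=value layout is an assumption), scores each IDS alert against corroborating evidence from the other sources, and uses a hypothetical SCAN_RESULTS table as a stand-in for the "network scanning application" step that verifies the targeted weakness really exists. The weights, thresholds, IP addresses, signature names, and PLACEHOLDER vulnerability identifiers are all made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines, not captured from any real device.
# The "timestamp key=value ..." layout is an assumption for this example.
RAW_LOGS = """\
2024-05-01T10:00:00 dev=firewall action=allow src=203.0.113.7 dst=10.0.0.5 dport=80
2024-05-01T10:00:02 dev=ids sig=WEB-RFI src=203.0.113.7 dst=10.0.0.5 dport=80 vuln=PLACEHOLDER-RFI
2024-05-01T10:00:03 dev=syslog host=10.0.0.5 msg="php: include failed for http://203.0.113.7/x.txt"
2024-05-01T10:05:00 dev=firewall action=deny src=198.51.100.9 dst=10.0.0.8 dport=445
2024-05-01T10:05:01 dev=ids sig=SMB-EXPLOIT src=198.51.100.9 dst=10.0.0.8 dport=445 vuln=PLACEHOLDER-SMB
2024-05-01T11:00:00 dev=firewall action=allow src=192.0.2.44 dst=10.0.0.9 dport=22
2024-05-01T11:00:01 dev=ids sig=SSH-SCAN src=192.0.2.44 dst=10.0.0.9 dport=22 vuln=PLACEHOLDER-SSH
"""

# Hypothetical stand-in for the scanner step: which weaknesses a scan actually
# confirmed on each host. A real engine would query the scanner's results.
SCAN_RESULTS = {
    "10.0.0.5": {"PLACEHOLDER-RFI"},
    "10.0.0.8": {"PLACEHOLDER-SMB"},
    "10.0.0.9": set(),
}

WINDOW = timedelta(seconds=60)  # how close in time supporting events must be
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, _, rest = line.partition(" ")
    event = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    event["ts"] = datetime.fromisoformat(ts)
    return event


def load_events(raw):
    return [parse_line(line) for line in raw.strip().splitlines()]


def correlate(events, scan_results=SCAN_RESULTS, window=WINDOW):
    """Score every IDS alert using evidence from the other sources.

    Heuristic weights (assumptions chosen for this example):
      firewall denied the same src->dst:dport flow  -> verdict "blocked", score 0
      +2 firewall allowed that flow within the window
      +2 a host log on the target mentions the attacking source
      +3 the scan inventory confirms the target has the targeted weakness
    """
    verdicts = []
    for alert in (e for e in events if e.get("dev") == "ids"):
        score, reasons = 1, ["ids signature fired"]
        near = [e for e in events
                if e is not alert and abs(e["ts"] - alert["ts"]) <= window]
        fw = [e for e in near if e.get("dev") == "firewall"
              and e.get("src") == alert["src"] and e.get("dst") == alert["dst"]
              and e.get("dport") == alert.get("dport")]
        if any(e["action"] == "deny" for e in fw):
            verdicts.append({"sig": alert["sig"], "dst": alert["dst"], "score": 0,
                             "verdict": "blocked", "reasons": ["firewall denied flow"]})
            continue
        if any(e["action"] == "allow" for e in fw):
            score += 2
            reasons.append("firewall allowed flow")
        if any(e.get("dev") == "syslog" and e.get("host") == alert["dst"]
               and alert["src"] in e.get("msg", "") for e in near):
            score += 2
            reasons.append("target host logged activity from source")
        if alert.get("vuln") in scan_results.get(alert["dst"], set()):
            score += 3
            reasons.append("scan confirms target is vulnerable")
        verdict = "confirmed" if score >= 6 else "probable" if score >= 4 else "low"
        verdicts.append({"sig": alert["sig"], "dst": alert["dst"], "score": score,
                         "verdict": verdict, "reasons": reasons})
    return verdicts


def triage(raw=RAW_LOGS):
    """Parse the sample logs and return one verdict per IDS alert."""
    return correlate(load_events(raw))


if __name__ == "__main__":
    for v in triage():
        print(f'{v["verdict"]:>9}  score={v["score"]}  {v["sig"]} -> {v["dst"]}')
        for r in v["reasons"]:
            print(f"           - {r}")
```

With the sample input, the RFI alert is rated "confirmed" (allowed by the firewall, echoed in the target's own log, and the scan says the host is vulnerable), the SMB alert is marked "blocked" because the firewall denied the flow, and the SSH scan lands as "low" because nothing beyond the signature corroborates it. That triage is exactly the work an analyst would otherwise do by hand for every alert; the scoring table is where a real deployment's tuning effort goes.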
If you do not have resources to procure a correlation engine or engage an intrusion-detection MSP, look into leveraging other parts of your company for 24/7/365 monitoring. Work through executive management to inculcate security roles into the jobs of network operations center (NOC) teams, system administrators, database administrators, and any personnel who have their eyes on the real-time status of your network, systems, or applications.
IPS is a case-by-case type of technology. If you have a stable network with minimal changes or a strict change control process, it may be a viable solution for you. If you have tuned your correlation engine to a point where the false-positive count is virtually zero, then by all means deploy IPS. We recommend selective deployment of IPS in strategic areas that are not in the core network route to avoid the potential of major disruptions. As a side note, there are some intrusion-protection MSPs that provide guarantees around 100 percent accuracy of their IPS devices, but we would advise you to read the abundant fine print attached to that claim.