In this guide, we cover the industry’s leading Intrusion Detection and Prevention Systems (IDPS), along with a summary of key features to look for as you evaluate solutions.
Top Intrusion Detection and Prevention Systems
The McAfee Network Security Platform (NSP) is a next-generation intrusion detection and prevention solution that protects systems and data wherever they reside, across data centers, the cloud and hybrid enterprise environments. It offers intelligent bot analytics, improved endpoint application monitoring, flow data analysis, self-learning DoS profiles and an analytics function for identifying potentially malicious hosts.
Trend Micro TippingPoint identifies and blocks malicious traffic, prevents lateral movement of malware, ensures network availability and resiliency and enhances network performance. Digital Vaccine threat intelligence security filters cover the entire vulnerability footprint, not just specific exploits. Its in-depth analysis of traffic ensures high accuracy of threat detection and provides contextual awareness to give security teams a better understanding of how to remediate a threat.
The Darktrace Enterprise Immune System is machine learning and artificial intelligence (AI) technology for cyber defense. It iteratively learns a unique “pattern of life” for every device and user on a network, and correlates these insights to spot emerging threats that would otherwise go unnoticed. Darktrace’s award-winning threat visualizer provides holistic visibility into the network security infrastructure and complete oversight of the AI’s alerts and actions.
Cisco’s Next-Generation Intrusion Prevention System comes in software and physical and virtual appliances for small branch offices up to large enterprises. NGIPS offers URL-based security intelligence, AMP Threat Grid integration, and is backed by the company’s Talos security research team. The Firepower Management Center provides contextual data on threats to help teams identify what kind of threat they are facing and helps find the root cause of the issue.
AT&T Cybersecurity Unified Security Management (USM) – formerly AlienVault – delivers threat detection, incident response, and compliance management in one unified platform. Continually updated threat intelligence from both AlienVault Labs and the AlienVault Open Threat Exchange keeps the system up-to-date on malicious actors, threats, tools and methods. It also delivers context on the latest alarms and vulnerabilities to save teams the time of doing the research themselves.
Palo Alto Networks is likely most famous for its powerful next-generation firewalls. The Palo Alto Networks Threat Prevention product was developed to accelerate the capabilities of their NGFW through intelligent scanning and prevention. Threat Prevention can inspect all traffic with full user context, automatically preventing known threats, regardless of port, protocol or SSL encryption. Its threat intelligence is automatically updated every day.
The NSFocus Next-Generation Intrusion Prevention System (NGIPS) provides threat protection that blocks intrusions, prevents breaches and safeguards assets. It uses a multi-layer approach to identify and address known, zero-day and advanced persistent threats to protect from malware, worms, spyware, backdoor trojans, data leakage, brute force cracking, protocol attacks, scanning/probing and web threats.
Blumira Automated Detection & Response platform enables teams to more efficiently defend against cybersecurity threats in near real-time. It is designed to cut through the noise of false positive alerts and only focus attention on true malicious behavior to ease the burden of alert fatigue. Beyond identifying threats, Blumira’s automated threat response works in near-real-time to stop insider and external threats. The system also includes step-by-step playbooks to guide remediation efforts.
Primary Intrusion Detection and Prevention System Functions
Intrusion Detection and Prevention Systems (IDPS) operate by monitoring network traffic, analyzing it and providing remediation tactics when malicious behavior is detected. They look for matching behavior or characteristics that would indicate malicious traffic, send out alerts and block attacks.
Having both detection and prevention capabilities is vital to an effective security infrastructure. Detection only identifies malicious behavior; it won’t take action to block or prevent an attack when one is detected, and will solely log and alert. Prevention systems can adjust firewall rules on the fly to block or drop malicious traffic when it is detected, but they do not have the robust identification capabilities of detection systems.
IDPS tools can detect malware, socially engineered attacks and other web-based threats, including DDoS attacks. They can also provide preemptive intrusion prevention capabilities for internal threats and potentially compromised systems.
The primary functions of IDPS solutions can be broken down into four main categories:
- Monitoring: IDPS monitors IT systems using either signature-based or anomaly-based intrusion detection to identify abnormal behavior and signatures of malicious activity.
- Alerts: After identifying potential threats, IDPS software will log and send out alert notifications to inform administrators of abnormal activity.
- Remediation: IDPS tools provide blocking mechanisms for malicious threats, giving administrators time to take action. In some cases, IT teams may not be required to take action at all after an attack is blocked.
- Maintenance: Besides monitoring for abnormal behavior, IDPS tools can also monitor the performance of IT hardware and security components with health checks. This ensures a security infrastructure is operating properly at all times.
Intrusion detection systems (IDS) vs. Intrusion prevention systems (IPS)
As previously mentioned, a truly holistic IDPS tool requires both detection and prevention capabilities. When browsing for solutions, you will likely come across both intrusion detection systems (IDS) and intrusion prevention systems (IPS). These are standalone products and should not be confused with IDPS; understanding the difference will help you avoid large holes in your security infrastructure.
IDS tools are only designed to detect malicious activity and log and send out alerts. They are not capable of preventing an attack. The alerts they raise always require human intervention.
IPS, on the other hand, responds to traffic that matches predetermined attack criteria by blocking traffic and dropping malicious processes. Unfortunately, IPS tools lead to more false positives, as they have inferior detection capabilities compared to IDS.
IDPS solutions incorporate the strengths of both systems into one product or suite of products.
Types of IDPS
The types of IDPS can be classified according to what they are designed to protect. They generally fall under two types: host-based and network-based.
Host-based IDPS is software deployed on the host that solely monitors traffic to and from that host. It typically only protects a single, specific endpoint. In some cases, it may also monitor system files stored on the host for unauthorized changes, as well as processes running on the system.
Network-based IDPS, also sometimes called network intrusion detection systems (NIDS), are deployed where they can monitor traffic for an entire network segment or subnet. Their functionality somewhat resembles that of firewalls, which are only able to prevent intrusions coming from outside the network and enforce access control lists (ACLs) between networks.
NIDS are designed to detect and alert on potentially malicious internal traffic moving laterally throughout a network, which makes them a great tool for a zero trust security framework. The traffic is analyzed for signs of malicious behavior based on the profiles of common types of attacks.
Intrusion detection methodologies
These systems identify potential threats based on built-in rules and profiles. The most common are signature-based and anomaly-based detection methodologies.
Signature-based intrusion detection
Signature-based intrusion detection looks for instances of known attacks. When malicious content is identified, it is analyzed for unique features to create a fingerprint, or signature, for that specific attack. This signature could be in the form of a known identity or pattern of behavior. Signature-based systems then compare this fingerprint to a database of pre-existing signatures to identify the specific type of attack. The downside to these systems is that they must be updated regularly to be able to recognize new and evolving types of attacks.
Anomaly-based intrusion detection
Anomaly-based intrusion detection builds an initial model of “normal” behavior for a specific system rather than creating fingerprints. The system will then compare all real-time behavior against the previously created normal model to identify behavioral anomalies. These instances of abnormal behavior are used to identify potential attacks and trigger alerts.
Contrasting signature-based vs. anomaly-based IDPS
There are issues with both of these approaches individually. Signature-based detection has low false positives but can only detect known attacks. This leaves such systems vulnerable to new, evolving attack methods.
Anomaly-based detection can lead to high false positives as it alerts on all anomalous behavior. But it has the potential to catch zero-day threats. Fortunately, many IDPS products combine both methodologies to complement their strengths and weaknesses.
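To make the contrast concrete, here is a small added example, not code from the article or from any vendor it lists, that runs both methodologies over one minute of constructed web-request records and then applies the IDS-versus-IPS response distinction from the earlier section. The IP addresses, request paths, signature rules and per-source baseline counts are all made up for illustration; the z-score threshold and the "block only on signature hits" policy are design choices of this example, not a product's behaviour.

```python
import re
import statistics
from collections import Counter

# --- Signature-based detection ---------------------------------------------
# Illustrative rules only (constructed; not any vendor's signature set): each is
# a name and a regex describing a known malicious request pattern.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-tautology", re.compile(r"(?i)'\s*or\s*'?1'?\s*=\s*'?1")),
]


def signature_scan(events):
    """Return (source, path, rule) for every request matching a known signature.

    Only attacks that already have a rule can be found here; a pattern nobody
    has written a signature for produces no hit at all.
    """
    hits = []
    for src, path in events:
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                hits.append((src, path, name))
    return hits


# --- Anomaly-based detection -----------------------------------------------
# Constructed baseline: requests per one-minute window that each source made
# during a learning period. This is the model of "normal" behaviour.
BASELINE = {
    "10.0.0.5": [4, 5, 3, 4, 5, 4],
    "10.0.0.7": [2, 3, 2, 2, 3, 2],
    "10.0.0.9": [6, 7, 6, 5, 6, 7],
}


def anomaly_scan(events, baseline, z_threshold=3.0):
    """Return (source, count, reason) for sources whose request rate deviates
    from their own baseline, or that have no baseline at all."""
    counts = Counter(src for src, _ in events)
    alerts = []
    for src, n in counts.items():
        history = baseline.get(src)
        if history is None:
            # A device never seen during learning is anomalous by definition,
            # even if it is just a new laptop: this is where false positives come from.
            alerts.append((src, n, "unseen-source"))
            continue
        mean = statistics.mean(history)
        stdev = statistics.pstdev(history) or 1.0  # guard against a perfectly flat history
        z = (n - mean) / stdev
        if z > z_threshold:
            alerts.append((src, n, f"rate z={z:.1f}"))
    return alerts


# --- Response: IDS (alert only) vs IPS (block) ------------------------------
def respond(hits, alerts, prevent):
    """Map detections to actions.

    With prevent=False the system behaves as a pure IDS: everything is logged
    for a human. With prevent=True, high-confidence signature hits are blocked,
    while anomaly alerts, which are prone to false positives, are still only raised.
    """
    actions = []
    for src, path, rule in hits:
        actions.append(("block" if prevent else "alert", src, rule))
    for src, n, reason in alerts:
        actions.append(("alert", src, reason))
    return actions


# Constructed one-minute window of live traffic (source IP, request path).
LIVE_WINDOW = (
    [("10.0.0.5", p) for p in ("/index.html", "/about", "/news", "/contact")]
    + [("10.0.0.7", "/login"), ("10.0.0.7", "/files?name=../../etc/passwd")]  # known pattern
    + [("10.0.0.9", f"/page{i}") for i in range(40)]  # probing burst: no signature matches it
    + [("10.0.0.42", p) for p in ("/index.html", "/about", "/news")]  # new, benign device
)

if __name__ == "__main__":
    hits = signature_scan(LIVE_WINDOW)
    alerts = anomaly_scan(LIVE_WINDOW, BASELINE)
    for action in respond(hits, alerts, prevent=True):
        print(action)
```

Run as written, the signature scanner finds only the traversal request from 10.0.0.7 and says nothing about 10.0.0.9, whose 40-request burst has no matching rule; the anomaly scanner flags 10.0.0.9 on rate and also flags the brand-new 10.0.0.42, a benign host, which is exactly the false-positive cost the text describes. Blocking only on signature hits while routing anomaly alerts to an analyst is one common way of combining the two so that each covers the other's weakness.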
Challenges when managing IDPS
You may experience some challenges when it comes to IDPS software tools. Here are a few to keep top-of-mind:
- False positives: You will almost surely run into the problem of false-positive alerts, which can waste time and resources. Be vigilant when you’re notified of potentially malicious behavior, but also be aware that it’s not a guarantee of an attack.
- Staffing: Cybersecurity is so essential to modern organizations that there is currently a shortage of available security professionals. Before implementing an IDPS system, ensure you’ve put together a team that has the capabilities to effectively manage it.
- Genuine risks: Beyond just managing an IDPS, there will be cases where administrator intervention is required. An IDPS can block many attacks but not all. Make sure teams keep their knowledge up to date on new types of attacks so they’re not blindsided when one is identified.
| Features | McAfee NSP | Trend Micro TippingPoint | Darktrace Enterprise Immune System | Cisco Firepower NGIPS | AT&T USM | Palo Alto Networks Threat Prevention | Blumira Automated Detection & Response | NSFocus NGIPS |
|---|---|---|---|---|---|---|---|---|
| Signature based | Yes | No | No (Pattern of Life) | Yes | Yes | Yes | No | Yes |
| Anomaly based | Yes | Yes | No (Pattern of Life) | Yes | Yes | No | Yes | Yes |
| Price | Starts from $10,995 | Starts at $6,000 | Darktrace offers a 30-day trial that is valued at between $10,000 and $20,000. Contact the vendor directly for a quote. | Firepower 4120 tested by NSS Labs sells for around $100,000 | Starts at $5,595 | Contact vendor for quote | Starts at $1,200/mo | Contact vendor for quote |