Cyber security is a moving target: attack methods and their level of sophistication keep changing, and a manufacturer could suffer an intrusion and not know it for months, if not years.
To combat that, the National Institute of Standards and Technology (NIST) has issued new guidance on using enterprise tools for intrusion detection and prevention on government IT systems.
Intrusion detection and prevention systems (IDPSs) “have become a necessary addition to the security infrastructure of nearly every organization,” according to the draft revision of Special Publication 800-94.
These systems identify possible security incidents and log information about them, as well as respond by alerting managers and attempting to stop the incidents according to established policies. They also can help identify holes in security policies, document threats, and help enforce security policy by recognizing and sending alerts about violations.
Originally published in 2007, the guidance has been updated to reflect changes in the threat landscape. The past five years have seen the evolution of stealthier, targeted threats that spread more slowly but are more difficult to detect and can operate within a compromised system for a longer period of time. IDPS technology has also evolved to use a wider variety of techniques for detecting and responding to incidents.
The new publication provides practical guidance on designing, implementing, configuring, securing, monitoring and maintaining the basic types of IDPS technologies.
The technologies consist of:
• Network-based, which monitors network traffic and analyzes the network and application protocol activity to identify suspicious activity.
• Wireless, which monitors and analyzes wireless network traffic to identify suspicious activity in the wireless networking protocols.
• Network behavior analysis, which examines network traffic to identify threats that generate unusual traffic flows, such as denial of service attacks, certain forms of malware, and policy violations.
• Host-based, which monitors a single host for suspicious activity.
The publication offers five recommendations for selecting and using IDPS:
1. Because attackers target intrusion prevention and detection systems seeking to avoid discovery, a user should secure the IDPS itself. Administrators should maintain security on an ongoing basis, verifying the components are functioning as desired, monitoring them for security issues, performing regular vulnerability assessments, responding appropriately to vulnerabilities, and testing and deploying IDPS updates.
2. Organizations should consider using multiple IDPS technologies to provide more complete and accurate coverage. Each type of IDPS performs a specific function, and using more than one will monitor and protect an enterprise more effectively.
3. When using multiple products, consider whether you should integrate them. Integrating products from a single vendor can help enable information sharing between devices. Security Information and Event Management (SIEM) software can also take advantage of IDPS data.
4. Define requirements before evaluating products. Evaluators should have clear goals and objectives for the tools, and should review security policies to create specifications for them.
5. When evaluating IDPS products, consult multiple sources for information in addition to the vendor, including real-world experience and third-party product testing.