Monitoring technologies, a key element in cyber security

Cristina del Carmen Arroyo Siruela    4 November, 2021

IDS (Intrusion Detection System), IPS (Intrusion Prevention System) and SIEM solutions are fundamental elements in event monitoring and cybersecurity.

IDSs and IPSs are intrusion detection and prevention systems that employ a set of methods and techniques to reveal suspected malicious activity on one or more computer resources, and in the case of IPSs, take action when such potential malicious activity is detected.

IDSs respond to malicious activity by generating alarms. The malicious activity is detected mostly by signature pattern matching, although the exact method depends on the class of IDS. IPSs analyse network traffic in real time and prevent attacks by taking actions according to their configuration and technology.

Unlike firewalls, IDSs and IPSs analyse data packets comprehensively, both headers and payload, looking for known events.

SIEMs are hybrid solutions comprising a SIM (Security Information Management) part and a SEM (Security Event Manager) part. This technology provides the capacity to analyse, in real time, the (previously configured) security alerts about what is happening in the network or systems.

IDS, detecting intruders

These systems aim to detect and monitor events occurring in the network. This helps to understand attacks, improve protection and estimate the impact of attacks.

To detect intrusions in a system, IDSs use 3 types of information: an event history, the current system configuration and, finally, active system processes or rules.

These elements perform 2 main functions:

  • Prevention, by means of sensors or probes installed in equipment or information elements that allow network traffic to be “listened” to.
  • Generation and notification of alarms, in the event of what it identifies as a pattern of intrusive behaviour or malicious activity on the network.

There are different types and typologies, depending on several factors such as the approach, the origin of the data, the structure of the IDS itself or the behaviour of the IDS.

According to their approach, 3 categories are established:

  • Anomaly detection, which uses knowledge-based techniques and statistical methods, as well as machine learning systems.
  • Misuse or signature detection, which focuses on monitoring network activity and comparing it against its own database of attack signatures.
  • Hybrids, considered the most reliable, combine the two previous typologies, i.e., both anomaly detection and signature detection.
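The three approaches above, as an added example that is not code from the original article: a toy signature (misuse) detector, a toy statistical anomaly detector trained on a baseline of benign payload sizes, and a hybrid that reports which of the two fired. The packets, the baseline sizes and the two signatures are all constructed for the illustration, not taken from any real ruleset.

```python
import re
import statistics
from typing import Iterable

# --- Signature (misuse) detection ----------------------------------------
# Constructed signature database: name -> pattern searched in the payload.
# Illustrative only; these are not rules from any real IDS ruleset.
SIGNATURES = {
    "http-path-traversal": re.compile(rb"\.\./"),
    "http-sqli-tautology": re.compile(rb"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
}


def signature_matches(payload: bytes) -> list:
    """Return the names of all signatures whose pattern appears in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]


# --- Anomaly detection ----------------------------------------------------
class SizeAnomalyDetector:
    """Statistical detector: learn mean and standard deviation of payload size
    from benign traffic, then flag payloads more than k standard deviations
    above the mean. A constructed toy model, not a production algorithm."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.mean = 0.0
        self.stdev = 0.0

    def train(self, benign_sizes: Iterable[int]) -> None:
        sizes = list(benign_sizes)
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.stdev(sizes) if len(sizes) > 1 else 0.0

    def threshold(self) -> float:
        return self.mean + self.k * self.stdev

    def is_anomalous(self, size: int) -> bool:
        return size > self.threshold()


# --- Hybrid ---------------------------------------------------------------
def inspect(packet: tuple, detector: SizeAnomalyDetector) -> dict:
    """Combine both methods. The alarm carries the reasons so an analyst can
    see whether a known signature fired, the statistical model fired, or both."""
    src, dport, payload = packet
    reasons = signature_matches(payload)
    if detector.is_anomalous(len(payload)):
        reasons.append(f"size-anomaly:{len(payload)}>{detector.threshold():.1f}")
    return {"src": src, "dport": dport, "alarm": bool(reasons), "reasons": reasons}


# Constructed baseline: payload sizes of benign HTTP requests seen during training.
BENIGN_SIZES = [48, 62, 55, 70, 51, 64]

# Constructed sample traffic: (src_ip, dst_port, payload). Not real captures.
SAMPLE_PACKETS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("10.0.0.7", 80, b"GET /login?u=admin' OR '1'='1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("10.0.0.9", 80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("10.0.0.11", 80, b"POST /upload HTTP/1.1\r\nHost: shop.example\r\n\r\n" + b"A" * 400),
]


def run_demo() -> list:
    """Train on the benign baseline, then inspect every sample packet."""
    detector = SizeAnomalyDetector(k=3.0)
    detector.train(BENIGN_SIZES)
    return [inspect(p, detector) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The fourth packet shows why the hybrid is considered the most reliable: it carries no known signature, so the signature engine stays silent, while its size is far outside the learned baseline and the statistical engine raises the alarm. Conversely, the traversal request is a normal size and is caught only by its signature.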

According to the data source, the following classes are established:

  • HIDS (Host-based Intrusion Detection Systems), based on the monitoring of data and events generated by users, in most cases via syslog, and identifying threats at host level.
  • NIDS (Network Intrusion Detection Systems), installed on devices in promiscuous mode and dedicated to passively listening and monitoring what happens on the network, acting as a sniffer, but with the capacity to generate alarms.
  • Hybrids, which are a combination of HIDS and NIDS, taking the best of each type. They allow local detection of malicious activity on systems, sensors on each network segment and take advantage of both architectures.

On the other hand, according to the structure of the IDS, they can be centralised, with sensors that send the information to a central system, or distributed. The latter are based on the installation of distributed systems using nodes that collect events and then communicate them to a central node.

IPS: the best defence is an attack

The behaviour of IPSs is often associated with the behaviour of firewalls, but their level of complexity and completeness is higher.

These elements analyse the entire contents of the packets, both header and payload, for malicious activity and when detected, proceed according to the configuration of the element, either generating an alarm, discarding packets or disconnecting connections.

Its main features are:

  • Automated reaction to incidents through real-time analysis.
  • Application of filters as attacks in progress are detected.
  • Automatic blocking of attacks carried out in real time.
  • Reduction of false alarms of network attacks.
  • Ability to detect applications and implement network security policies at the application layer.

There are several classes according to the technology:

  • HIPS (Host Intrusion Prevention System) are those aimed at protecting hosts from possible attacks via IP addresses.
  • NIPS (Network Intrusion Prevention System) focus on monitoring the network for suspicious traffic.

On the other hand, and in a more particular way, WIPS (Wireless Intrusion Prevention System) are dedicated to wireless networks, with the same functions as a NIPS but for a wireless environment. NBA (Network Behaviour Analysis) systems are based on network behaviour and analyse unusual traffic.

Differences between IDS, IPS and Next Generation Firewalls (NGFW)

IDSs and IPSs have in common that they analyse packets in their entirety, not just the headers. This is not the case for firewalls, which analyse only the packet headers.

The response of a firewall is based on the application of a set of configured rules, always depending on source and destination addresses and ports. Firewalls can deny any traffic that does not meet specific criteria, even if it is legitimate and non-malicious traffic.

On the other hand, when an IPS detects malicious activity after packet analysis, it can raise an alarm, discard packets or disconnect connections, depending on the action configured for that event. When IDSs detect malicious activity, they generate an alarm or notification.
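The difference described in the three paragraphs above, as an added example (not code from the original article): a header-only firewall rule engine and a payload-inspecting IPS whose fired signatures map to a configured action (alert, drop or reset). The rules, signatures and packets are constructed for the illustration; the address ranges are documentation addresses, not real hosts.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


# --- Firewall: decision on header fields only ----------------------------
@dataclass
class FirewallRule:
    action: str                 # "allow" or "deny"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    proto: str = "any"

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto == "any" or self.proto == p.proto))


def firewall_decide(rules: List[FirewallRule], p: Packet, default: str = "deny") -> str:
    """First-match evaluation over header fields; the payload is never read."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# --- IPS: payload inspection plus a configured action per signature --------
class Action(Enum):
    ALERT = "alert"   # raise an alarm but let the packet through
    DROP = "drop"     # discard the packet
    RESET = "reset"   # tear down the connection

# Severity ordering used when several signatures fire on one packet.
SEVERITY = {Action.ALERT: 0, Action.DROP: 1, Action.RESET: 2}

# Constructed signature table: name -> (payload pattern, configured action).
IPS_RULES = {
    "http-path-traversal": (re.compile(rb"\.\./"), Action.DROP),
    "http-sqli-tautology": (re.compile(rb"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE), Action.RESET),
    "http-options-method": (re.compile(rb"^OPTIONS \* HTTP"), Action.ALERT),
}


def ips_decide(p: Packet) -> Tuple[str, List[str]]:
    """Inspect the payload; return (verdict, fired rule names).
    The most severe configured action among the fired rules wins."""
    fired = [name for name, (pat, _) in IPS_RULES.items() if pat.search(p.payload)]
    if not fired:
        return "pass", fired
    worst = max((IPS_RULES[n][1] for n in fired), key=lambda a: SEVERITY[a])
    return worst.value, fired


def compare(rules: List[FirewallRule], p: Packet) -> dict:
    """Run one packet through both engines so the difference is visible."""
    return {"firewall": firewall_decide(rules, p), "ips": ips_decide(p)[0]}


# Constructed policy: allow HTTP to one web server, deny everything else.
FW_RULES = [
    FirewallRule("allow", dst="192.0.2.10", dport=80, proto="tcp"),
    FirewallRule("deny"),
]

if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.10", 80, "tcp", b"GET / HTTP/1.1\r\n"),
        Packet("198.51.100.7", "192.0.2.10", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1\r\n"),
        Packet("198.51.100.7", "192.0.2.10", 23, "tcp", b"\xff\xfd\x18"),
    ]
    for pkt in samples:
        print(pkt.dport, pkt.payload[:24], compare(FW_RULES, pkt))
```

The second sample is the case the article is making: its header matches the allow rule, so the firewall passes it, while the IPS reads the payload and drops it. The third sample shows the complement: the firewall denies a port the policy never opened, and the IPS, which has no signature for that payload, would have let it pass. The two controls answer different questions and are deployed together.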

Next generation firewalls (NGFWs) are solutions with superior capabilities to traditional firewalls.

While traditional firewalls detect suspicious traffic and block access to the network according to a predefined blacklist or according to rules they have established, NGFWs include additional functions such as intrusion prevention and deep packet inspection, as well as application blocking or management.

SIEMs, monitoring solutions

These solutions have multiple capabilities for collecting, analysing and presenting the information they gather, mainly from security devices (firewalls, sensors, IDS, IPS, etc.) and network traffic (servers, databases, etc.).

They are often the main tool used in SOCs (Security Operations Centres) for incident detection and response. The main capabilities of a SIEM are:

  • Correlation and alerting: processing of incoming data to transform the data into information, as well as analysis after correlation, generating security alerts.
  • Integration of multiple sources and data types: allows information received from heterogeneous sources to be ingested and managed.
  • Dashboards: They have environments that allow the generation of dashboards with the information represented in tables and graphs.
  • Storage and retention: Some have long-term data storage capacity, essential for forensic analysis.
  • Scalability: They can be configured by means of hierarchies that allow increasing or decreasing resources and elements according to the needs of the moment.
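The first two capabilities above (source integration and correlation with alerting), as an added example that is not code from the original article: two heterogeneous log formats (an OpenSSH-style authentication log and a firewall deny log) are normalised into a common event schema, and one correlation rule raises an alert when at least three failed logins from one address within 60 seconds are followed by a successful login from the same address. The log lines, host names, addresses and the rule thresholds are constructed for the illustration; the missing year in the syslog timestamps is assumed to be 2021.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample log lines (not real captures) from two different sources.
RAW_LOGS = [
    "Nov 04 09:00:01 bastion sshd[2201]: Failed password for admin from 203.0.113.5 port 50110 ssh2",
    "Nov 04 09:00:04 bastion sshd[2201]: Failed password for admin from 203.0.113.5 port 50111 ssh2",
    "Nov 04 09:00:05 fw01 kernel: FW-DENY IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3389",
    "Nov 04 09:00:09 bastion sshd[2201]: Failed password for admin from 203.0.113.5 port 50112 ssh2",
    "Nov 04 09:00:20 bastion sshd[2201]: Accepted password for admin from 203.0.113.5 port 50113 ssh2",
    "Nov 04 09:05:00 bastion sshd[2310]: Failed password for bob from 198.51.100.9 port 40001 ssh2",
    "Nov 04 09:05:30 bastion sshd[2310]: Accepted password for bob from 198.51.100.9 port 40002 ssh2",
]


@dataclass
class Event:
    """Common schema every source is normalised into."""
    ts: datetime
    source: str      # device that produced the line
    kind: str        # normalised event type: auth_fail, auth_success, fw_deny
    src_ip: str
    user: str = ""


SSH_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
FW_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) kernel: FW-DENY .*SRC=(\S+) .*DPT=(\d+)")


def parse_ts(s: str) -> datetime:
    # Syslog timestamps carry no year; 2021 is assumed for this constructed data.
    return datetime.strptime(f"2021 {s}", "%Y %b %d %H:%M:%S")


def normalise(line: str) -> Optional[Event]:
    """Map a raw line from either source onto the Event schema, or None if unknown."""
    m = SSH_RE.match(line)
    if m:
        kind = "auth_fail" if m.group(3) == "Failed" else "auth_success"
        return Event(parse_ts(m.group(1)), m.group(2), kind, m.group(5), m.group(4))
    m = FW_RE.match(line)
    if m:
        return Event(parse_ts(m.group(1)), m.group(2), "fw_deny", m.group(3))
    return None  # unparsed line: a real SIEM would count and surface these


def correlate(events: List[Event], fails_required: int = 3,
              window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """Rule: >= fails_required auth_fail from one IP inside `window`, then an
    auth_success from the same IP -> alert. Works on a sliding window per IP."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.src_ip]
        while q and ev.ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev.kind == "auth_fail":
            q.append(ev.ts)
        elif ev.kind == "auth_success":
            if len(q) >= fails_required:
                alerts.append({"rule": "brute-force-then-success", "src_ip": ev.src_ip,
                               "user": ev.user, "failures": len(q), "at": ev.ts.isoformat()})
            q.clear()   # a success ends the sequence either way
    return alerts


def run(lines: List[str] = RAW_LOGS) -> Tuple[List[Event], List[dict]]:
    events = [e for e in map(normalise, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    evs, found = run()
    print(f"{len(evs)} events normalised")
    for a in found:
        print(a)
```

The value of the correlation step is visible in the data: each failed login on its own is routine noise, and the successful login on its own looks legitimate; only the sequence, stitched together across events from one source and enriched by the firewall deny from the same address, becomes an alert worth an analyst's time. The second user, with a single failure before success, correctly produces nothing.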

The main advantages of having a SIEM in place include:

  • Early detection of incidents, due to the fact that the analyses are carried out in real time, providing information at all times and allowing rapid action to be taken to avoid a greater impact.
  • Forensic analysis capacity, making it possible to identify the origin of an incident, how it happened and to take actions to improve and prevent incidents.
  • It allows the centralisation of information, in such a way that it facilitates the management of the elements integrated in the SIEM.
  • Allows for the identification of anomalous events, operational problems or events that could trigger an incident.
