An intrusion detection system (IDS) is a solution that watches and analyzes network events to find security problems and threats that are about to happen. An intrusion prevention system (IPS) is a solution that finds intrusions and then takes the next step to stop any threats that were found.
People sometimes mix up the terms IPS and IDS, which is understandable since most security products support both and IPS is basically an extension of IDS. The main difference between an IPS and an IDS is that an IPS tries to stop threats before they happen, while an IDS just looks for them.
For many, IDS and IPS are considered key components of any secure network, but one issue organizations face is the sheer number of alerts generated by such large volumes of network traffic data: humans cannot keep up with them in time, which lets bad actors take their time.
IDS and IPS should be able to detect and protect against all abnormal or anomalous behavior and patterns by monitoring, detecting, and responding to unauthorized activity within a system or network. But in reality, there are still gaps in IDS/IPS coverage.
How should organizations look at the larger picture and the products as part of a larger equation of cybersecurity strengthening?
In this article, we’ll address five critical considerations to take into account when dealing with IDS and IPS cybersecurity solutions. Before diving in, here’s a short roundup of some common terminology that will be used throughout the article:
- IDS/IPS: cyber security products for detecting and protecting against threats in network traffic.
- FP (false positive) occurs when an IDS/IPS generates an alert with an attack label on completely normal traffic; in other words, the alert is wrong.
- FN (false negative) occurs when an IDS/IPS does not recognize an attack at all, treats it as normal traffic, and generates no alert.
- Traffic chunk is the minimum volume of data the analysis models work on. As a rule, this is a time interval of 1-10 seconds during which traffic is aggregated and then analyzed by ML analysis models.
- Flow is a chunk of traffic that is created separately for each Source_IP - Destination_IP pair and protocol, and analyzed by the models independently.
With these definitions out of the way, let’s get started!
5 Things to Consider For IDS/IPS in Edge/IoT Cybersecurity
- In IDS and IPS cybersecurity products, the FP and FN rates are critical since traffic volumes are massive and constantly growing. Also, the number of attacks on Edge networks and IoT infrastructures is increasing every year, leading to a colossal volume of alerts that security teams typically process manually and cannot physically respond to effectively in time.
- Equally critical, early attack detection is pivotal in helping organizations avert breaches. Thus, modern IDS and IPS solutions must analyze traffic constantly and in small chunks (flows). This practice leads to tens of millions of analyzed chunks (flows) per day, and in this scenario even 99.99% detection accuracy does not fully mitigate risk, because the number of FP alerts from millions of analyzed chunks can easily escalate. For instance, 0.01% of 10 million equals 1000 alerts. Analyzing all of them requires quite a lot of resources, both human and time.
- Another problem for many IDS and IPS solutions is the incorrect detection of attack types. For instance, a common scenario occurs when the detection of multiple types of port scans is implemented as a rule set. In this case, if TCP or UDP ports are flooded by a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack, the rule set for port scan detection will trigger an alert that leads to a false understanding of the situation. Port scans usually have a low threat level, whereas DDoS attacks can be very dangerous.
- The accuracy of IDS and IPS solutions heavily relies on the type of infrastructure and devices (Edge network, servers, and more) included in it. A single attack can be dramatically damaging for low-power IoT devices but relatively safe for powerful servers. In other words, modern IDS and IPS solutions must adapt to the customer's traffic and infrastructure. Popular IDS and IPS solutions usually require months of configuration and hundreds of thousands of thresholds for different rule sets or parts of them. Security experts must be involved in the process, since they literally tune them by hand.
- Intelligent alert grouping for escalation, incident analysis, and pipeline automation is also critical when detecting and preventing cyber-attacks. When alerts are generated, incident escalation in existing IDS and IPS solutions is performed with the help of rules, and writing and adapting that rule set takes time. Incident escalation creates more complex FP/FN cases that are difficult to describe with a single number. For example, when alerts fall into the wrong incident or a grouping is incomplete, detection and protection work becomes significantly more complex, slowing down security teams.
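The third consideration above describes a port-scan rule set firing on a flood. The following Python, an added example that is not the article's code, shows the misclassification concretely: a rule that counts distinct destination ports per source flags both a real scan and a UDP flood with randomized ports as "port_scan", while a per-flow classifier that checks packet rate first separates the high-severity flood from the low-severity scan. All packet records are constructed, and the thresholds and the 10-second chunk size are assumptions for the demonstration.

```python
"""Why a count-only port-scan rule misfires on a flood.

Added example, not the article's code. The packet records below are
constructed: a TCP port scan and a UDP flood with randomized destination
ports, both directed at one host within a single 10-second traffic chunk.
Each record is (timestamp_s, src_ip, dst_ip, proto, dst_port).
"""
import random
from collections import defaultdict

SCAN_PORT_THRESHOLD = 20    # distinct dst ports per source per chunk (assumed)
FLOOD_PPS_THRESHOLD = 1000  # packets per second per flow (assumed)


def make_port_scan(src, dst, ports, t0=0.0):
    """Constructed scan: one probe per port, paced at 5 packets/second."""
    return [(t0 + i * 0.2, src, dst, "tcp", p) for i, p in enumerate(ports)]


def make_udp_flood(src, dst, n_packets, t0=0.0, seed=1, chunk_seconds=10.0):
    """Constructed flood: n_packets spread evenly over the chunk, random dst ports."""
    rng = random.Random(seed)
    return [(t0 + i * chunk_seconds / n_packets, src, dst, "udp", rng.randint(1, 65535))
            for i in range(n_packets)]


def naive_port_scan_rule(packets):
    """Rule-set style detection: many distinct dst ports from one source => scan.

    Looks only at port diversity, so any traffic with randomized ports,
    including a flood, matches the port-scan rule.
    """
    ports_by_src = defaultdict(set)
    for _, src, _, _, port in packets:
        ports_by_src[src].add(port)
    return {src: "port_scan" for src, ports in ports_by_src.items()
            if len(ports) >= SCAN_PORT_THRESHOLD}


def classify_by_flow(packets, chunk_seconds=10.0):
    """Per-flow classification (src, dst, proto) that checks volume before port diversity.

    Packet rate decides first: a flood is reported as a flood even when its
    destination ports are random. Only low-rate, one-probe-per-port traffic
    is reported as a scan.
    """
    flows = defaultdict(list)
    for _, src, dst, proto, port in packets:
        flows[(src, dst, proto)].append(port)
    verdicts = {}
    for key, ports in flows.items():
        pps = len(ports) / chunk_seconds
        distinct = len(set(ports))
        if pps >= FLOOD_PPS_THRESHOLD:
            verdicts[key] = "dos_flood"   # volume dominates: high severity
        elif distinct >= SCAN_PORT_THRESHOLD and len(ports) / distinct < 2:
            verdicts[key] = "port_scan"   # roughly one probe per port, low rate
        else:
            verdicts[key] = "normal"
    return verdicts


if __name__ == "__main__":
    scan = make_port_scan("10.0.0.5", "10.0.0.9", range(1, 51))
    flood = make_udp_flood("10.0.0.7", "10.0.0.9", 50000)
    normal = [(i * 0.3, "10.0.0.8", "10.0.0.9", "tcp", 443) for i in range(30)]
    print("rule set:", naive_port_scan_rule(scan + flood + normal))
    print("per flow:", classify_by_flow(scan + flood + normal))
```

The rule-set verdict labels both sources as port scanners, so an analyst reading the alert queue would see two low-severity events and miss that one of them is a 5000 packet/second flood; the per-flow verdict keeps the severities apart. Real thresholds have to be tuned to the monitored infrastructure, which is exactly the manual effort the fourth consideration describes.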
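The fifth consideration above mentions alerts landing in the wrong incident or a grouping that is incomplete. The Python below is an added example, not the article's code, that contrasts two grouping rules over a constructed alert stream: bucketing by fixed 60-second windows splits a scan-then-brute-force burst that straddles a window boundary into two incidents, while gap-based (session) grouping keeps it as one incident with its stages in order. The alert tuples, IP addresses and the 60-second parameters are constructed assumptions.

```python
"""Grouping alerts into incidents: fixed time buckets vs. gap-based sessions.

Added example, not the article's code. The alerts below are constructed;
each is (timestamp_seconds, source_ip, alert_type).
"""
from collections import defaultdict

# Constructed alert stream: one source runs a scan and then a brute-force
# attempt that straddles the 60-second boundary; much later it triggers a
# separate alert. A second source produces one unrelated alert.
ALERTS = [
    (50.0, "203.0.113.7", "port_scan"),
    (55.0, "203.0.113.7", "port_scan"),
    (58.0, "203.0.113.7", "port_scan"),
    (62.0, "203.0.113.7", "brute_force"),
    (65.0, "203.0.113.7", "brute_force"),
    (70.0, "203.0.113.7", "brute_force"),
    (100.0, "198.51.100.3", "policy_violation"),
    (400.0, "203.0.113.7", "exploit_attempt"),
]


def group_fixed_window(alerts, window_s=60.0):
    """Bucket alerts by (source, floor(ts / window)).

    Easy to express as a rule, but a burst that crosses a bucket boundary
    is split into two incidents: the article's 'incomplete grouping' case.
    """
    buckets = defaultdict(list)
    for alert in alerts:
        ts, src, _ = alert
        buckets[(src, int(ts // window_s))].append(alert)
    return [sorted(members) for _, members in sorted(buckets.items())]


def group_by_gap(alerts, max_gap_s=60.0):
    """Session-style grouping: consecutive alerts from one source stay in the
    same incident as long as the silence between them is under max_gap_s."""
    by_src = defaultdict(list)
    for alert in sorted(alerts):
        by_src[alert[1]].append(alert)
    incidents = []
    for src in sorted(by_src):
        current, last_ts = [], None
        for alert in by_src[src]:
            if last_ts is not None and alert[0] - last_ts > max_gap_s:
                incidents.append(current)
                current = []
            current.append(alert)
            last_ts = alert[0]
        incidents.append(current)
    return incidents


def incident_summary(incident):
    """Condense one incident into what an analyst triages: who, when, how many,
    and the ordered sequence of distinct alert types (the attack's stages)."""
    stages = list(dict.fromkeys(kind for _, _, kind in incident))
    return {
        "src": incident[0][1],
        "start": incident[0][0],
        "end": incident[-1][0],
        "count": len(incident),
        "stages": stages,
    }


if __name__ == "__main__":
    for name, grouper in (("fixed window", group_fixed_window), ("gap based", group_by_gap)):
        print(name)
        for incident in grouper(ALERTS):
            print("  ", incident_summary(incident))
```

With fixed windows the scan and the brute-force attempt become two incidents, so neither one shows the escalation from reconnaissance to credential attack; gap-based grouping produces a single incident whose stage list reads port_scan then brute_force, which is the signal an escalation rule or an analyst actually needs. The gap parameter still has to be tuned per environment, which is the same tuning burden the article attributes to rule-based systems.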
These considerations illustrate how the efficiency of IDS/IPS systems in detecting and preventing different types of attacks or threats depends on the specific capabilities of the system and the approach it takes to address threats.
Organizations are at a crossroads where it is imperative to select the specific detection, protection, and response capabilities embedded in their IDS/IPS systems for true effectiveness: capabilities that reveal not only when an attack has reached the perimeter but also how to protect against it and act accordingly.
Re-evaluating the capabilities of your IDS/IPS will help organizations pinpoint the many different areas where rule-based IDS/IPS systems are lacking, and also see the gaps that can be filled with an effective, AI-driven detection and response solution that minimizes or eliminates any form of threat or impact bad actors could have if left unchecked.
Security leaders should understand their organization's cybersecurity needs and the required level of monitoring before choosing an IDS/IPS solution that will meet their security demands. They should also consult their security department to decide whether they need an automated, all-encompassing cybersecurity solution or would prefer a hybrid one.
As organizations scale and require faster solutions, a combination of AI-based IDS and IPS systems will yield the most effective protection.
Care to learn more about the differences between rule-based systems and AI-based IDS/IPS systems? Head to our follow-up blog that goes in-depth and technical about why rule-based detection and protection systems simply aren't enough.