NIST offers practical guidance on intrusion detection and prevention systems to help counter the new breed of stealthy, targeted attacks.
Cyberattack methods have changed substantially in recent years, with the development of under-the-radar approaches that are increasingly difficult to defend against.
New guidance from the National Institute of Standards and Technology on using enterprise tools for intrusion detection and prevention on government IT systems reflects that development.
Intrusion detection and prevention systems (IDPSs) “have become a necessary addition to the security infrastructure of nearly every organization,” according to the draft revision of Special Publication 800-94.
These systems are intended primarily to identify possible security incidents and log information about them, as well as to respond by alerting managers and attempting to stop the incidents according to established policies. They can also help identify holes in security policies, document threats, and enforce security policy by recognizing and sending alerts about violations.
Originally published in 2007, the guidance is being updated to reflect the changes in the threat landscape since then. The past five years have seen the evolution of more stealthy, targeted threats that spread more slowly but are more difficult to detect and can operate within a compromised system over a longer period of time. IDPS technology has also evolved to use a wider variety of techniques for detecting and responding to incidents.
The new publication provides practical guidance on designing, implementing, configuring, securing, monitoring and maintaining the basic types of IDPS technologies. They are:
• Network-based, which monitors network traffic and analyzes the network and application protocol activity to identify suspicious activity.
• Wireless, which monitors and analyzes wireless network traffic to identify suspicious activity in the wireless networking protocols.
• Network behavior analysis, which examines network traffic to identify threats that generate unusual traffic flows, such as denial of service attacks, certain forms of malware, and policy violations.
• Host-based, which monitors a single host for suspicious activity.
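To make the network behavior analysis category concrete, here is a small added example (not code from NIST or from SP 800-94) that applies the idea to a handful of constructed flow records: a source that touches many distinct ports on one host within a short window is flagged as a scan, and a destination that accumulates a burst of half-open TCP connections is flagged as a possible SYN flood. The flow fields, the IP addresses, the window sizes and the alert thresholds are all assumptions chosen for illustration; a production NBA sensor would learn its baselines from real traffic rather than use fixed numbers.

```python
"""Minimal network behavior analysis over flow records (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start time in seconds (assumed field)
    src: str         # source address
    dst: str         # destination address
    dport: int       # destination port
    syn_only: bool   # TCP flow that never completed the handshake (assumed field)


def build_sample_flows():
    """Constructed sample data, not captured traffic."""
    flows = []
    # Baseline: a workstation talking normally to an internal web server.
    for i in range(20):
        flows.append(Flow(100.0 + i * 3, "10.0.0.5", "10.0.0.80", 443, False))
    # Scan: one source probing many services on the server in a few seconds.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389]):
        flows.append(Flow(200.0 + i * 0.5, "192.0.2.7", "10.0.0.80", port, True))
    # Flood: a burst of half-open connections to port 80 inside three seconds.
    for i in range(60):
        flows.append(Flow(300.0 + i * 0.05, "198.51.100.9", "10.0.0.80", 80, True))
    return flows


def detect_port_scans(flows, window=60.0, min_ports=8):
    """Return {(src, dst): peak distinct port count} for source/destination
    pairs where the source reaches at least `min_ports` distinct ports
    within any `window`-second span."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    hits = {}
    for pair, fs in by_pair.items():
        fs.sort(key=lambda f: f.ts)
        lo = 0
        for hi in range(len(fs)):
            # Slide the window start forward until it fits in `window` seconds.
            while fs[hi].ts - fs[lo].ts > window:
                lo += 1
            ports = {f.dport for f in fs[lo:hi + 1]}
            if len(ports) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits


def detect_syn_floods(flows, window=5.0, threshold=50):
    """Return {dst: peak half-open count} for destinations that receive at
    least `threshold` SYN-only flows within any `window`-second span."""
    by_dst = defaultdict(list)
    for f in flows:
        if f.syn_only:
            by_dst[f.dst].append(f.ts)
    hits = {}
    for dst, times in by_dst.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                hits[dst] = max(hits.get(dst, 0), count)
    return hits


def alerts(flows):
    """Render both detectors' findings as alert lines."""
    lines = []
    for (src, dst), n in detect_port_scans(flows).items():
        lines.append(f"PORT SCAN: {src} -> {dst} touched {n} distinct ports")
    for dst, n in detect_syn_floods(flows).items():
        lines.append(f"SYN FLOOD: {dst} saw {n} half-open connections")
    return lines


if __name__ == "__main__":
    for line in alerts(build_sample_flows()):
        print(line)
```

Note that the normal workstation traffic produces no alert even though it generates more flows overall than the scanner: what the detectors key on is the shape of the traffic (breadth of ports, handshakes that never complete), which is the distinction that separates behavior analysis from simple volume thresholds.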
The publication offers five general recommendations for selecting and using IDPS:
1. Because intrusion prevention and detection systems often are targeted by attackers seeking to avoid discovery, IDPS should itself be secured. Administrators should maintain security on an ongoing basis, verifying that the components are functioning as desired, monitoring them for security issues, performing regular vulnerability assessments, responding appropriately to vulnerabilities, and testing and deploying IDPS updates.
2. Organizations should consider using multiple IDPS technologies to provide more complete and accurate coverage. Each type of IDPS performs a specific function, and more than one is likely to be needed to effectively monitor and protect an enterprise.
3. When using multiple products, consider whether they should be integrated. Integrating products from a single vendor can help enable information sharing between devices. Security information and event management (SIEM) software can also take advantage of IDPS data.
4. Define requirements before evaluating products. Evaluators should have clear goals and objectives for the tools, and should review security policies to create specifications for them.
5. When evaluating IDPS products, consult multiple sources for information in addition to the vendor, including real-world experience and third-party product testing. The credibility of the sources also should be considered.
Comments on the publication should be sent to email@example.com by Aug. 31.