Why Intrusion Detection Does Not Go Far Enough

This is the second installment in a three-part security series by OnX Director of Product Management, Chris Munoz.

Intrusion detection technology can give you a good idea of what’s happening on your network. You can configure it to send out alerts if certain unusual traffic patterns crop up. Since users interact with computer networks in relatively the same way over time, intrusion detection software can help you identify anomalies that might point to an intruder.

But intrusion detection has its limits. Think about a home burglar alarm suddenly going off. After the panic fades, the homeowner realizes the alarm is only saying (well, blaring) one thing: Something or someone has triggered it. How do they know whether to call the cops or blame the neighbor’s dog?

Home security companies like to combine cameras with burglar alarms to show what’s going on at the point of intrusion. In network security, log management technology is the equivalent of a security camera.

Everything that happens on a network creates packets of data that get logged. Devices, software and users all generate data. Network traffic flows far too fast for the human brain to interpret, but computers can track several logs in real time and correlate them to find patterns that humans would inevitably miss.

Sophisticated log management software can help system engineers diagnose problems and find solutions in minutes rather than hours or days. One side benefit of log management is that it can paint a picture of unauthorized traffic on your network, particularly if you combine it with intrusion-detection hardware or software.
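The "alarm plus camera" idea above, as an added example that is not code from the original post: an IDS alert is correlated with firewall and authentication logs from a short time window so an analyst can see what the flagged source actually did. All hosts, IPs, log lines and the alert format are constructed sample data.

```python
# Added example (not the post's own code): correlate an IDS alert with
# several logs, the "camera" beside the "burglar alarm". All data is constructed.
from datetime import datetime, timedelta
import re

# Constructed sample logs from two sources with different message formats.
FIREWALL_LOG = """\
2016-03-01T10:00:02Z fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=443
2016-03-01T10:04:40Z fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
"""
AUTH_LOG = """\
2016-03-01T10:04:41Z app01 sshd: Failed password for admin from 203.0.113.7
2016-03-01T10:04:45Z app01 sshd: Failed password for admin from 203.0.113.7
2016-03-01T10:04:52Z app01 sshd: Accepted password for admin from 203.0.113.7
"""
IDS_ALERT = "2016-03-01T10:04:43Z ids01 ALERT sig=ssh-bruteforce src=203.0.113.7"

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")  # timestamp, host, message

def parse(text, source):
    """Turn raw lines into (timestamp, source, host, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, source, m.group(2), m.group(3)))
    return events

def correlate(alert, logs, window_minutes=5):
    """Return every log event naming the alert's source IP within
    +/- window_minutes of the alert, oldest first: the 'camera footage'."""
    ts, _, _, msg = parse(alert, "ids")[0]
    src = re.search(r"src=(\S+)", msg).group(1)
    ip_re = re.compile(r"\b" + re.escape(src) + r"\b")  # avoid 203.0.113.70 matches
    window = timedelta(minutes=window_minutes)
    return src, sorted(e for e in logs if ip_re.search(e[3]) and abs(e[0] - ts) <= window)

def verdict(hits):
    """Escalate only if failures were followed by a successful login;
    repeated failures alone are noise to tune out, not a confirmed intrusion."""
    msgs = [e[3] for e in hits]
    failed = any("Failed password" in m for m in msgs)
    accepted = any("Accepted password" in m for m in msgs)
    return "escalate" if failed and accepted else "tune-or-ignore"

if __name__ == "__main__":
    src, hits = correlate(IDS_ALERT, parse(FIREWALL_LOG, "firewall") + parse(AUTH_LOG, "auth"))
    print(src, verdict(hits), *[(e[1], e[3]) for e in hits], sep="\n")
```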

Intrusion Detection Is Not A Cure-All

A ransomware attack in early 2016 dubbed “SamSam” was so severe — and, frankly, frightening — that the FBI sent out an alert to watch out for it. The problem was that hackers discovered a huge security hole in a popular piece of open-source networking software and used it to launch ransomware attacks on hospitals.

As if that wasn’t worrisome enough, this exploit enabled hackers to get into networks undetected by intrusion-flagging technology. The hackers’ traffic looked like that of ordinary system users, so there was nothing to detect.

False alarms are another potential limitation of intrusion detection technology. If you want to avoid wasting a lot of time chasing false positives, you have to tune the technology carefully.

Considering Security As A Service

The threat environment changes daily or weekly. That might not seem like a big deal if you can afford to staff a team of security experts around the clock. But lots of IT managers are under constant pressure to hold down costs and headcount while continuously improving their core IT services.

That’s why we’ve seen a rise in Managed Security Services Provider (MSSP) offerings. There’s just too much going on in the security arena to keep up without adding extra people.

When you partner with an experienced MSSP, you’re tapping into a team of experts who spend all of their time figuring out how to fend off the cleverest hackers. They’ll know how to deliver the best combination of intrusion detection, log management and perimeter defense. And they’ll know how hackers can circumvent these systems.

That’s too much for a lot of companies to deal with if security is not their core business.