NIST Revising Guide on Detection, Prevention Software
Intrusion detection and prevention software has become a necessary addition to the information security infrastructure of many organizations, so the National Institute of Standards and Technology is updating its guidance to help organizations to employ the appropriate programs.
NIST is seeking comments from stakeholders on the guidance, Special Publication 800-93, Revision 1 (Draft): Guide to Intrusion Detection and Prevention Systems, before publishing a final version.
SP 800-93 describes the characteristics of intrusion detection and prevention software technologies and provides recommendations for designing, implementing, configuring, securing, monitoring and maintaining them. The types of intrusion detection and prevention technologies differ primarily by the types of events that they monitor and the ways in which they are deployed. The NIST publication addresses four types of intrusion detection and prevention software technologies:
- Network-based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity.
- Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves. “IDPS for wireless is an important type for all organizations to have because of the growth of mobile devices and employees’ desire to use their own wireless device for work,” the guidance co-author Karen Scarfone says.
- Network Behavior Analysis, which examines network traffic to identify threats that generate unusual traffic flows, such as denial of service attacks, certain forms of malware and policy violations such as client system providing network services to other systems.
- Host-based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
Intrusion detection systems automate the intrusion detection process whereas intrusion prevention systems have all the capabilities of an intrusion detection system and also can attempt to stop possible incidents. These technologies offer many of the same capabilities, and administrators can usually disable prevention features in intrusion protection products, causing them to function as intrusion detection software.
NIST says organizations that implement the following recommendations should facilitate more efficient and effective intrusion detection and prevention system use:
- Organizations should ensure that all intrusion detection and provision system components are secured appropriately because these systems are often targeted by attackers who want to prevent them from detecting attacks or want to gain access to sensitive information in the intrusion detection and prevention system, such as host configurations and known vulnerabilities.
- Organizations should consider using multiple types of intrusion detection and prevention technologies to achieve more comprehensive and accurate detection and prevention of malicious activity. The four primary types of intrusion detection and prevention technologies – network-based, wireless, network behavior analysis and host-based – each offer fundamentally different information gathering, logging, detection and prevention capabilities.
- Organizations planning to use multiple types of intrusion detection and prevention technologies or multiple products of the same technology type should consider whether or not the systems should be integrated. Direct intrusion detection and prevention system integration most often occurs when an organization uses multiple products from a single vendor, by having a single console that can be used to manage and monitor the multiple products. Some products can also mutually share data, which can speed the analysis process and help users to better prioritize threats.
- Before evaluating intrusion detection and prevention products, organizations should define the requirements that the products should meet. Evaluators must understand the characteristics of the organization’s system and network environments, so that a compatible intrusion detection and prevention system can be selected that can monitor the events of interest on the systems and/or networks.
- When evaluating intrusion detection and prevention products, organizations should consider using a combination of several sources of data on the products’ characteristics and capabilities. Common product data sources include test lab or real-world product testing, vendor-provided information, third-party product reviews and previous experience from individuals within the organization and trusted individuals at other organizations.