It’s a virtual certainty that an organization will be faced with security incidents. Technology is constantly shifting, evolving and expanding the attack surface in various ways, while attackers are adapting and escalating the threat landscape. Cybersecurity is an ongoing struggle to deal with changes from both sides of that equation — it’s more or less inevitable that unauthorized or malicious activity will occur inside your network. The question is, how can you detect that suspicious malicious activity quickly and respond effectively to avoid or minimize potential damage?
There are a variety of tools designed with this purpose in mind — the primary ones being IDS, IPS, DLP, SIEM, and NBAD. Some are evolutions or enhancements of others; others are narrowly focused on specific types of behavior or malicious activity. All of them are intended to give you the means to identify suspicious or malicious activity on your network and act as an early warning system to alert the IT team so the appropriate response can be initiated.
Network Security Tools
IDS (Intrusion Detection System)
The IDS is the grandfather of this genre of tools. An IDS monitors vulnerabilities in a system and analyzes activity on the network to search for patterns and indicators of compromise of known threats. There are two main types of IDS: NIDS (Network Intrusion Detection System) monitors an entire subnet at the network level, while HIDS (Host Intrusion Detection System) protects an individual host system. By definition, IDS simply raises flags for suspicious or malicious activity and sends alerts to the IT team. It does not take any action to avoid or prevent the activity.
IPS (Intrusion Prevention System)
An IPS is an evolution of the IDS. The functions and capabilities of an IPS are very similar to those of an IDS, with the primary difference being that an IPS can also take action to block the suspicious or malicious activity and prevent the attack. IPS is also sometimes referred to as an IDPS (Intrusion Detection Prevention System).
DLP (Data Loss Prevention)
For most organizations, the most important thing to safeguard is data. Data is also the primary target of most attacks — whether it’s bank or credit card information of customers, sensitive personal data of employees, or confidential intellectual property and corporate data. DLP (Data Loss Prevention—sometimes referred to as Data Loss Protection or Data Leak Prevention as well) deals specifically with protecting data and ensuring that sensitive or confidential data is properly secured and does not become compromised or exposed. DLP can generally enforce data handling policies depending on how data is tagged or classified, and in many cases can also automatically detect things like credit card numbers or Social Security numbers based on the format of the data to alert the IT team and prevent unauthorized disclosure.
SIEM (Security Incident and Event Management)
A SIEM tool is designed to help organizations manage the overwhelming volume of signals and data, and correlate threat information for a centralized view of the IT infrastructure. SIEMs come in many shapes and sizes, but most promise to monitor, record, and analyze network activity to identify potential security incidents or events in real-time and alert the IT team so appropriate action can be taken.
[Related Reading: MDR vs. SIEM]
NBAD (Network Behavior Anomaly Detection)
One way to identify suspicious or malicious activity is to simply look for activity that is out of the ordinary. NBAD establishes a baseline of what “normal” looks like on a given network and provides real-time monitoring of traffic and activity on the network to detect any unusual activity, events, or trends. Anomaly detection can be useful for identifying emerging threats and zero-day attacks because it looks for abnormal activity rather than relying on a signature or indicators of compromise of specific threats.
Taking Action to Combat Malicious Activity
Each of these tools has its own pros and cons. The effectiveness of each tool is generally a function of how well it is implemented and configured in the first place. Ultimately, though, what is more important than the tool itself or the suspicious or malicious activity it detects is whether or not you have the right expertise and resources available to respond appropriately.
Properly configured network security tools are valuable for monitoring and analyzing an enormous volume of traffic in a rapidly changing hybrid or multi-cloud environment to sift through the noise and find the potentially malicious. But with any malicious network activity report, there are also inevitably false positives and potential threats that slip through. It’s crucial to have skilled cybersecurity professionals capable of monitoring the output of the network security tools to determine which alerts require action and take immediate steps to prevent or contain the threat.