When you're making a mental shift away from legacy, on-prem security thinking, you may be wondering what an effective, modern security solution looks like. You may already know that you should prioritize detection and not focus solely on prevention, but what exactly goes into a best-case intrusion detection solution?
The graphic below should help you understand the five key components of intrusion detection. When considering what types of solutions to invest in, you want to make sure you have all of these bases covered from a technical point of view:
Beyond these core capabilities, we recommend that you keep the following seven major requirements in mind in order to focus on the holistic goals of an intrusion detection platform (IDP).
1. Enables SecOps
We talk about it a lot, but it's not just lip service. We practice what we preach and employ a SecOps mentality - in which development, operations, and security work in sync at all times, rather than as separate teams or disciplines. When you choose an intrusion detection platform, it should enable security and DevOps to integrate their practices and thereby save time, increase efficiency, and improve your overall security posture.
2. Supports Complex Environments
For a variety of reasons, organizations do not always exist entirely in the cloud. Many find themselves with infrastructures that include cloud, multi-cloud, hybrid, on-premise, and containerized environments. So what do you need to do to protect these complex environments? To achieve security (and compliance), you need visibility, regardless of where your data resides. Visibility is the only way to make sure you know when a security event takes place so you can remediate it as quickly as possible. So when you go to choose an IDP, make sure you select one that offers visibility across complex environments, not just in the cloud.
3. Detects in Several Modes
Without a network perimeter to monitor, you need a variety of detection types to catch all the threats that will come your way. This includes the ability to detect at the levels of: behavior on the host, cloud configuration auditing, vulnerabilities, file integrity monitoring, and threat intelligence. A good IDP can do all of this and then some.
4. Identifies All Attacks
In addition to several types of detection, the ideal intrusion detection platform also needs the ability to detect multiple types and points of attack. This includes spotting both internal and external threats (which can look very different) and being able to detect an attack at many different stages, from initial reconnaissance, to exploitation, to vector-hopping. This is the best way to ensure that you catch any and all attacks, not just the ones you already know how to spot.
5. Alerts on Anomalous Behavior
Anomalous behavior is the best way to identify a threat in action (often before it does any damage). Strong IDP solutions should be able to baseline what is normal for your environment (which of course changes over time) so that anomalous behavior can be detected in near real time. From there, it should be a straightforward process for you to investigate the anomalous behavior and determine whether it is harmless or indicative of an evolving threat.
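To make the baseline-then-alert idea concrete, the following added example (not the page's or any vendor's code) learns what is routine for each host from a training window of process-execution events, scores new events against that picture, and lets an analyst fold a confirmed-benign event back into the baseline so "normal" keeps up with the environment. The event records, host names, and the two-sightings threshold are constructed for the demo.

```python
"""Behavioral baselining on host process-execution events: learn per-host
normal from a training window, flag deviations, and let the baseline drift.
Added example; not the page's or any vendor's code. All events below are
constructed for the demo."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed training window: (timestamp, host, user, executable).
TRAINING = [
    ("2024-03-04T09:12:00", "web-1", "www-data", "/usr/sbin/nginx"),
    ("2024-03-04T09:13:00", "web-1", "www-data", "/usr/sbin/nginx"),
    ("2024-03-05T10:02:00", "web-1", "www-data", "/usr/sbin/nginx"),
    ("2024-03-04T11:30:00", "web-1", "deploy", "/usr/bin/git"),
    ("2024-03-06T14:05:00", "web-1", "deploy", "/usr/bin/git"),
    ("2024-03-07T15:40:00", "web-1", "deploy", "/usr/bin/git"),
    ("2024-03-04T09:00:00", "db-1", "postgres", "/usr/lib/postgresql/bin/postgres"),
    ("2024-03-05T09:00:00", "db-1", "postgres", "/usr/lib/postgresql/bin/postgres"),
    ("2024-03-06T03:00:00", "db-1", "postgres", "/usr/bin/pg_dump"),
    ("2024-03-07T03:00:00", "db-1", "postgres", "/usr/bin/pg_dump"),
]

MIN_SEEN = 2  # a (user, exe) pair counts as routine once seen this many times


def build_profile(events, min_seen=MIN_SEEN):
    """Per-host baseline: routine (user, exe) pairs, the users expected on the
    host at all, and the hours of day in which the host normally has activity.
    Requiring min_seen sightings keeps one-off noise out of the baseline."""
    pair_counts = defaultdict(Counter)
    hours = defaultdict(set)
    for ts, host, user, exe in events:
        pair_counts[host][(user, exe)] += 1
        hours[host].add(datetime.fromisoformat(ts).hour)
    profile = {}
    for host, counts in pair_counts.items():
        routine = {pair for pair, n in counts.items() if n >= min_seen}
        profile[host] = {
            "routine_pairs": routine,
            "known_users": {user for user, _ in routine},
            "active_hours": hours[host],
        }
    return profile


def score_event(profile, event):
    """Return the list of deviations for one event; an empty list means normal."""
    ts, host, user, exe = event
    hp = profile.get(host)
    if hp is None:
        return [f"no baseline for host {host}"]
    reasons = []
    if user not in hp["known_users"]:
        reasons.append(f"user {user} never seen on {host}")
    elif (user, exe) not in hp["routine_pairs"]:
        reasons.append(f"{user} does not routinely run {exe} on {host}")
    hour = datetime.fromisoformat(ts).hour
    if hour not in hp["active_hours"]:
        reasons.append(f"hour {hour:02d} is outside the activity baseline for {host}")
    return reasons


def learn(profile, event):
    """Fold an analyst-confirmed benign event into the baseline so the picture
    of normal drifts with the environment instead of going stale."""
    ts, host, user, exe = event
    hp = profile.setdefault(
        host, {"routine_pairs": set(), "known_users": set(), "active_hours": set()}
    )
    hp["routine_pairs"].add((user, exe))
    hp["known_users"].add(user)
    hp["active_hours"].add(datetime.fromisoformat(ts).hour)


def demo():
    """Score a batch of new events; return {event: reasons} for the flagged ones."""
    profile = build_profile(TRAINING)
    new_events = [
        ("2024-03-11T09:30:00", "web-1", "www-data", "/usr/sbin/nginx"),  # routine
        ("2024-03-11T02:15:00", "web-1", "www-data", "/bin/bash"),        # new exe, odd hour
        ("2024-03-11T03:00:00", "db-1", "postgres", "/usr/bin/pg_dump"),  # routine nightly job
        ("2024-03-11T14:00:00", "db-1", "deploy", "/usr/bin/git"),        # user unknown on host
    ]
    flagged = {}
    for ev in new_events:
        reasons = score_event(profile, ev)
        if reasons:
            flagged[ev] = reasons
    return flagged


if __name__ == "__main__":
    for ev, reasons in demo().items():
        print(ev, "->", "; ".join(reasons))
```

Two of the four new events are flagged, each for two independent reasons, which is the shape an analyst wants: the alert says what deviated, not just that a score crossed a line. The `learn` step is what keeps a baseline from aging out as deployments and schedules change.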
6. Provides Unified Data
Your incident response depends heavily on your data collection capability. If you use multiple point solutions, you will have fragmented data points, and this will increase Mean Time to Resolution (MTTR). Your goal is to keep MTTR low, and to do this, you need to invest in an IDP that unifies your data and provides a comprehensive picture of your infrastructure and all activity within it.
7. Maintains Compliance
Last but not least, we'd be remiss not to mention that a strong IDP will support continuous compliance with major standards like PCI DSS, HIPAA, SOC 2, and more. While many platforms support security, some do not also provide the controls, monitoring, and auditability necessary to maintain compliance with these complex and necessary frameworks. Do yourself a favor and invest in an IDP that will make life easier when it comes to compliance.
A Modern Intrusion Detection Platform Helps Reduce Risk Over Time
You may have noticed that the ultimate goal of all seven requirements above is to reduce your risk level over time. The more visibility you have, the closer to real-time your alerting is, and the stronger your ongoing monitoring is, the lower your overall risk will be.