What Is an Intrusion Detection System?
By Tobias Geisler Mesevage
An intrusion is any activity designed to compromise your data security. It can take a menacing and pervasive form like ransomware, or it can be an unintentional data breach by an employee or someone else connected to your network.
An intrusion may include any of the following:
- Malware or ransomware
- Attempts to gain unauthorized access to a system
- DDoS attacks
- Cyber-enabled equipment destruction
- Accidental employee security breaches (like moving a secure file into a shared folder)
- Untrustworthy users, both team members and those outside of your organization
- Social engineering attacks, such as phishing campaigns and other ways of tricking users with seemingly legitimate communication
There are hundreds of ways that your MSP clients can experience data insecurity through an intrusion, and far fewer methods for ensuring data safety with confidence and dependability. One trusted data security solution for MSPs is an intrusion detection system.
What is an intrusion detection system?
Imagine you’re a security expert tasked with monitoring public safety at a large event in a metropolitan city. You can accomplish this in several different ways. You would likely have an aerial view and officers scattered throughout the event, scanning nearby groups and assessing each person’s level of threat from close up. You would be wise to hire security experts who know what to look for, based on their experience with known attackers, and who can flag behavior others may not notice.
This is, essentially, what your intrusion detection system (IDS) does day after day with your data packets, monitoring traffic to keep your network safe and secure from threats.
These are the three main types of intrusion detection systems:
- A network intrusion detection system (NIDS) is the security expert who has seen it all. It compares the traffic on an entire subnet against known attacks and flags any suspicious traffic.
- A network node intrusion detection system (NNIDS) works similarly to the NIDS, except on a micro level. It checks each node connected to the network for threats and malicious activity. The NNIDS is the security guard checking the bag of each person walking into the event.
- A host intrusion detection system (HIDS) is the eye in the sky, checking on the whole event. A HIDS examines all of the system’s nodes and hosts to gather a more complete picture and then runs security checks for malicious activity based on that entire picture. Some security experts suggest that this type of IDS is the most effective as it can detect threats that originate within the network as well as external threats.
These are the types of intrusion detection system that MSPs can expect their clients to ask about, or that MSPs should at least know at a cursory level. Clients may not understand how a firewall works alongside an intrusion detection system; here is why they need both.
Firewall security versus intrusion detection techniques
Your MSP clients need a firewall: a barricade that keeps blatant malicious activity from entering the network. Network attacks, however, are becoming more sophisticated and occasionally originate from within the network, which calls for a higher level of scrutiny of each data packet traversing it. Intrusion detection systems use one of two intrusion detection techniques: noting suspicious activity, or requiring each packet to clear a strict check before it is allowed onto the network.
Here are the two intrusion detection techniques explained:
- Signature-based intrusion detection: as long as your network has a reliable database of stored signatures, checking packets against those signatures (known identities) will keep your network safe. On the downside, a signature-based IDS costs your clients CPU time when using advanced signatures, which are better because they are harder to falsify.
- Anomaly-based intrusion detection: one of the most important benefits of an anomaly-based IDS is its ability to detect the precursors to attacks, such as sweeps and probes aimed at network hardware. It also looks for anything out of the ordinary, both within the network and from outside it. The cons of an anomaly-based IDS are the cost of setup and the requirement to connect to a security operations center. Because it is more comprehensive, it requires more involvement. It is also arguably more effective than a signature-based IDS.
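As an added illustration (not from the article or from any Datto product), here is a small Python sketch of both techniques run over constructed sample traffic. The signature check matches payload bytes against a hypothetical signature database; the anomaly check ignores payloads and compares ports against a learned baseline, which is how it catches the multi-port probe that carries no payload and that no signature database could flag.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Hypothetical signature database: alert name -> byte pattern to look for.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "test-marker": re.compile(rb"MALWARE-SIG-TEST"),
}
# Ports observed during a constructed baseline period of normal traffic.
BASELINE_PORTS = {53, 80, 443}

def signature_alerts(packets):
    """Signature-based: compare each payload against the known patterns."""
    alerts = []
    for p in packets:
        for name, pat in SIGNATURES.items():
            if pat.search(p.payload):
                alerts.append((p.src, name))
    return alerts

def anomaly_alerts(packets, baseline_ports, sweep_threshold=5):
    """Anomaly-based: flag deviations from the baseline, never inspecting payloads.
    Reports traffic to a port absent from the baseline, and one source touching
    many distinct ports on a host (the probe/sweep the article calls a precursor).
    """
    alerts, ports_seen = [], defaultdict(set)
    for p in packets:
        ports_seen[(p.src, p.dst)].add(p.dport)
        if p.dport not in baseline_ports:
            alerts.append((p.src, f"unusual-port:{p.dport}"))
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= sweep_threshold:
            alerts.append((src, f"port-sweep:{dst}:{len(ports)}"))
    return alerts

# Constructed sample traffic: one signature hit, plus a five-port sweep whose
# packets carry no payload, so only the anomaly detector can see it.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.10", 443, b"GET /index.html"),
    Packet("10.0.0.5", "10.0.0.10", 80, b"GET /../../config"),
] + [Packet("10.0.0.9", "10.0.0.20", port, b"") for port in (22, 23, 25, 80, 443)]
```

Running both detectors over `SAMPLE` yields one signature alert for the traversal payload and four anomaly alerts (three unusual ports plus the sweep), none of which overlap, which is why the two techniques are usually deployed together.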
Intrusion detection vs. intrusion prevention
An IDS is the first line of defense: it detects threats. Then it is time to bring in the S.W.A.T. team and neutralize the threat. Intrusion prevention systems are typically paired with an intrusion detection system to create the ultimate tool in threat detection and prevention. An intrusion detection and prevention system, like the one in the Datto Networking Appliance (DNA), detects threats and uses deep packet inspection to prevent intrusions in your and your clients’ networks.
With growing threats and more entry points than ever, your MSP’s network security features need to be robust and proactive.
Learn how to bolster your MSP’s network security offering with Datto’s MSP security toolkit, Ransomware Made MSPeasy.