Intrusion Detection and Prevention

With the continuous change of the internet, we need to constantly adapt our security methodologies. Years ago, Intrusion Detection Systems (IDS) were king, then Intrusion Prevention Systems (IPS) took over. For a few years some people thought Intrusion Detection was dead. Gartner predicted in 2003 that IDS would be obsolete by 2005. A few short years later Gartner went back on that prediction and stated that Intrusion Detection is a must-have on the network. CLEARNETWORK has always had the view that BOTH are needed! Here is why.

The main difference between IDS and IPS is that they address different phases of an attack. Intrusion Prevention is all about stopping attacks. An IPS scans traffic for thousands of vulnerability exploits, known malicious domains and other attack vectors, and blocks the traffic when it finds a match. Remember, there is no magic bullet: time and time again we hear of companies being breached, with millions of their customers' records stolen as a result. Prevention is only a piece of the security puzzle.

Intrusion Detection is focused on what happens after an infection. The very presence of an infection or intrusion means that a compromise has already occurred and that, in this case, your IPS failed to prevent it.

Instead of just searching for exploits, the game has shifted to finding signs of internal reconnaissance, malware spreading internally, signs that user credentials have been compromised, or signs that data is being harvested. At a fundamental level, modern Intrusion Detection must look for very different events than an IPS does. Intrusion Detection today means log file analysis, network traffic analysis, host file change control and more. IDS today draws on every source of information available.

Today's cyber-attacks are long, multi-step operations that unfold over time and across multiple devices. Isolated events that appear benign can only be revealed as malicious when they are viewed in a temporal and network context.
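The two paragraphs above describe the shift from single-exploit matching to correlating weak signals (credential abuse, internal reconnaissance, large outbound transfers) across time and hosts. The following Python is an added illustration of that idea, not CLEARNETWORK's code or product logic. It runs three simple detectors over a constructed set of authentication, flow and file-integrity style events, then groups the resulting signals per host inside a one-hour window and raises an incident only when more than one kind of signal lines up. The event format, host names, addresses and thresholds are all assumptions made for the example; the 203.0.113.0/24 address is the RFC 5737 documentation range used as a stand-in for an external destination.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not real logs): (timestamp, source, host, fields).
# Each event in isolation looks unremarkable; only the combination on ws-17 is suspicious.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05", "auth", "ws-17", {"user": "jdoe", "result": "fail"}),
    ("2024-03-01T09:00:09", "auth", "ws-17", {"user": "jdoe", "result": "fail"}),
    ("2024-03-01T09:00:14", "auth", "ws-17", {"user": "jdoe", "result": "fail"}),
    ("2024-03-01T09:00:20", "auth", "ws-17", {"user": "jdoe", "result": "success"}),
    ("2024-03-01T09:20:00", "netflow", "ws-17", {"dst": "203.0.113.9", "dport": 443, "bytes": 850_000_000}),
    # A normal user on another workstation: one login, one small internal connection.
    ("2024-03-01T11:00:00", "auth", "ws-03", {"user": "asmith", "result": "success"}),
    ("2024-03-01T11:05:00", "netflow", "ws-03", {"dst": "10.0.0.50", "dport": 443, "bytes": 12_000}),
]
# Burst of SMB connections from ws-17 to twelve internal hosts within twelve seconds.
SAMPLE_EVENTS += [
    (f"2024-03-01T09:04:{i:02d}", "netflow", "ws-17", {"dst": f"10.0.0.{10 + i}", "dport": 445, "bytes": 400})
    for i in range(12)
]

# Assumed internal address space for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def parse(ts):
    return datetime.fromisoformat(ts)


def detect_brute_force(events, fails=3, window=timedelta(minutes=5)):
    """Signal when a (host, user) pair shows N failed logins followed by a success inside the window."""
    signals, by_key = [], defaultdict(list)
    for ts, src, host, f in events:
        if src == "auth":
            by_key[(host, f["user"])].append((parse(ts), f["result"]))
    for (host, user), seq in by_key.items():
        seq.sort()
        for i, (t, result) in enumerate(seq):
            if result == "success":
                recent = [t0 for t0, r in seq[:i] if r == "fail" and t - t0 <= window]
                if len(recent) >= fails:
                    signals.append((t, host, "brute_force", f"{len(recent)} failures then success for {user}"))
                    break
    return signals


def detect_internal_scan(events, min_targets=10, window=timedelta(minutes=2)):
    """Signal when one host contacts many distinct internal hosts in a short window (recon / lateral movement)."""
    signals, by_host = [], defaultdict(list)
    for ts, src, host, f in events:
        if src == "netflow" and is_internal(f["dst"]):
            by_host[host].append((parse(ts), f["dst"]))
    for host, flows in by_host.items():
        flows.sort()
        for i, (t, _) in enumerate(flows):
            targets = {d for t0, d in flows[i:] if t0 - t <= window}
            if len(targets) >= min_targets:
                signals.append((t, host, "internal_scan", f"{len(targets)} internal hosts contacted"))
                break
    return signals


def detect_exfil(events, threshold=500_000_000):
    """Signal on a single large transfer to a non-internal destination (possible data harvesting)."""
    return [(parse(ts), host, "large_egress", f"{f['bytes']} bytes to {f['dst']}")
            for ts, src, host, f in events
            if src == "netflow" and not is_internal(f["dst"]) and f.get("bytes", 0) >= threshold]


def correlate(events, window=timedelta(hours=1), min_kinds=2):
    """Group signals per host; raise an incident only when several different kinds fall in one window."""
    signals = detect_brute_force(events) + detect_internal_scan(events) + detect_exfil(events)
    by_host = defaultdict(list)
    for s in signals:
        by_host[s[1]].append(s)
    incidents = []
    for host, sigs in by_host.items():
        sigs.sort()
        start = sigs[0][0]                       # window anchored at the earliest signal for this host
        in_window = [s for s in sigs if s[0] - start <= window]
        kinds = {s[2] for s in in_window}
        if len(kinds) >= min_kinds:
            incidents.append({"host": host, "start": start, "end": max(s[0] for s in in_window),
                              "kinds": sorted(kinds), "details": [s[3] for s in in_window]})
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"{inc['host']}: {inc['start']} .. {inc['end']} -> {', '.join(inc['kinds'])}")
        for d in inc["details"]:
            print("   ", d)
```

On the constructed data, each detector on its own would produce a low-priority signal that an analyst might dismiss; only the per-host correlation shows the sequence (credential guessing, internal SMB sweep, large outbound transfer) that the page describes as a multi-step attack. The thresholds and the one-hour window are starting points to tune against your own baseline, not fixed recommendations.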

CLEARNETWORK uses the latest detection methodologies and approaches. Although there are no silver bullets, a modern and effective monitoring program must have the flexibility to develop and use a wide variety of detection strategies without being married to any single approach.

CLEARNETWORK's Network Security Monitoring has become the superset for all detection methods.