What is intrusion detection?
The concept of intrusion detection has been around for many years and will continue to be needed so long as malicious actors try to breach networks and steal sensitive data. New advancements in technology and “buzz words” can sometimes make intrusion detection sound extremely complex, confusing you with where to start and how to implement a proper intrusion detection framework.
While the methodology behind intrusion detection is vast, the concepts stay the same. Intrusion detection is essentially the following: A way to detect if any unauthorized activity is occurring on your network or any of your endpoints/systems.
Get your free course catalog
We use intrusion detection to identify any unwanted activity occurring on our network or endpoints to catch a threat actor before they cause harm to our network or the business.
There are many topics to cover when dealing with intrusion detection, but in this article, we will focus on breaking down the methodology into three categories:
- Types of intrusion detection systems
- Intrusion detection vs. intrusion prevention
- Types of free intrusion detection software
Types of intrusion detection systems
Let's start with the types of intrusion detection. If you've ever Google searched "intrusion detection," you might have been flooded with vendors, scholar papers and articles on cybersecurity and detection technology. While it's great that there are so many resources on the topic, sometimes it's hard to find some of the basics.
When you boil it down, you can break intrusion detection into two main categories: signature-based and signature-less (anomaly-based) detection. There are many forms of signature-based and anomaly detection; however, we will only touch on the basics for the sake of this article.
Signature-based detection involves detecting known bad vulnerabilities and attacks. You must have a list of rules (aka "signatures") of known threats to detect for this to work. Signature-based detection is probably the most common and oldest type of detection. While this might cover the basics, it's also good to implement some form of anomaly detection. This is where the system detects threats that have NOT been previously identified before. This type of detection is more complex and usually involves some form of machine learning algorithm to accomplish.
Intrusion detection vs. intrusion prevention
Now that we’ve talked a bit about types of intrusion detection let's discuss some common misconceptions. As you go about your journey in cybersecurity, you will hear the terms IDS (intrusion detection system) and IPS (intrusion prevention system) interchangeably.
These terms and technologies are similar in almost every way except one. An IDS only detects and alerts threats; it does NOT block anything. On the other hand, an IPS will attempt to block the traffic or threat once it's identified. Many vendor products include both IDS and IPS capabilities in their offerings.
We will dive into what's available from a technology perspective in further articles and place these tools. For now, know that if you are using an IDS, it only detects activity and will not take any action.
IDS or IPS? Decisions, decisions. Initially, the recommendation is that you start with IDS. With an IDS, you can learn more about your network (or host if you're using a host-based IDS). If you jump straight into IPS and start blocking things, you might end up blocking something mission-critical for the business. Then you might get an angry call from the powers that be asking why employees can't access specific resources. Even if you purchase a product with IDS and IPS capabilities, most organizations will run the IPS in IDS mode for a few weeks to ensure they are not blocking legitimate traffic.
Types of free intrusion detection software
You can use many different open-source tools for intrusion detection. We will only cover a few network intrusion detection tools in this article, but we will go into more depth on what tools do what, how to install/use them and use-cases for each in the following articles.
- Snort: Probably one of the most common network IDS and what many vendors build on top of.
- Suricata: Another popular open-source network detection tool. It has both IDS and IPS capabilities.
- Zeek: An open-source, network monitoring tool.
Getting started with intrusion detection
Hopefully, this article provided you with some basic knowledge behind intrusion detection and why it's crucial for network and endpoint security. To properly defend your network from malicious hackers and spot intruders before it's too late, some form of intrusion detection is necessary.
Implementing an intrusion detection system or an intrusion prevention system can help your overall security posture so long as the system is properly maintained and tuned. A cybersecurity engineer or security analyst needs to be involved in the system's setup, configuration, and maintenance to effectively deploy and gain value from these tools.
Join us in the next blog on intrusion detection best practices, where we cover who is typically responsible for implementing, tuning and maintaining an IDS within an organization.
Want to learn more? Take my Advanced Intrusion Detection courses in Infosec Skills.
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- What is intrusion detection?
- What is zero trust architecture (ZTA)? Pillars of zero trust and trends for 2024
- A deep dive into network security protocols: Safeguarding digital infrastructure 2024
- Asset mapping and detection: How to implement the nuts and bolts
- The Pentagon goes all-in on Zero Trust
- How to configure a network firewall: Walkthrough
- 4 network utilities every security pro should know: Video walkthrough
- How to use Nmap and other network scanners
- Security engineers: The top 13 cybersecurity tools you should know
- Converting a PCAP into Zeek logs and investigating the data
- Using Zeek for network analysis and detections
- Suricata: What is it and how can we use it
- Intrusion detection software best practices
- How to use Wireshark for protocol analysis: Video walkthrough
- 9 best practices for network security
- Securing voice communications
- Introduction to SIEM (security information and event management)
- VPNs and remote access technologies
- Cellular Networks and Mobile Security
- Secure network protocols
- Network security (101)
- IDS/IPS overview
- Exploiting built-in network protocols for DDoS attacks
- Firewall types and architecture
- Wireless attacks and mitigation
- Wireless network overview
- Open source IDS: Snort or Suricata? [updated 2021]
- PCAP analysis basics with Wireshark [updated 2021]
- What is a firewall: An overview
- NSA report: Indicators of compromise on personal networks
- Securing the home office: Printer security risks (and mitigations)
- Email security
- Data integrity and backups
- Cost of non-compliance: 8 largest data breach fines and penalties
- How to find weak passwords in your organization’s Active Directory
- Monitoring business communication tools like Slack for data infiltration risks
- Firewalls and IDS/IPS
- IPv4 and IPv6 overview
- The OSI model and TCP/IP model
- Endpoint hardening (best practices)
- Wireless Networks and Security
- Networking fundamentals (for network security professionals)
- How your home network can be hacked and how to prevent it
- Network design: Firewall, IDS/IPS
- Work-from-home network traffic spikes: Are your employees vulnerable?
- RTS threshold configuration for improved wireless network performance [updated 2020]
- Web server protection: Web server security monitoring
- Web server security: Active defense
- Web server security: Infrastructure components
- Web server protection: Web application firewalls for web server protection
- Web server security: Command line-fu for web server protection
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
