
IDS and IPS for PCI Compliance Requirements


One reason data breaches occur so often is the lack of robust, proactive protection dedicated to monitoring network anomalies, such as intrusion detection systems (IDS) and intrusion prevention systems (IPS).

Using these tools helps you recognize a suspected attack and find the vulnerabilities in your network that attackers exploit. Without information from IDS logs, it can be challenging to identify vulnerable devices and assess whether cardholder data has been compromised.

PCI DSS Requirement 11.4 requires intrusion detection or intrusion prevention techniques that compare traffic entering your network with the behavior of known vulnerabilities and attacks, send defined alerts, or stop the attack attempt. Without compliance with Requirement 11.4 or a proactive approach to detecting unauthorized activity, attacks or abuse of computing resources may not be detected in real time.

What are the IPS / IDS Requirements for PCI DSS Compliance?

PCI DSS Requirement 11.4 states that you must implement intrusion detection systems (IDS) or intrusion prevention systems (IPS), together with other critical continuous detective controls, at the Internet and CDE entry points.

An IPS is an IDS that can also instruct network equipment to automatically block traffic matching a specific pattern or attack signature. IDS / IPS systems should be kept up to date, and the events they generate should be recorded and monitored.

PCI DSS Requirement 11.4 requires organizations to implement the following controls:

  • Use intrusion detection (IDS) or intrusion prevention (IPS) techniques to detect or prevent network intrusions.
  • Monitor all traffic at the boundary of the cardholder data environment as well as at critical points inside it.
  • Alert personnel to suspected compromises.
  • Keep all intrusion detection and prevention engines, baselines, and signatures up to date.

PCI DSS Requirement 11.4 requires that intrusion detection or intrusion prevention techniques compare the traffic entering your network with the behavior of known threat types, such as hacker tools, Trojans, and other malware, and send alerts when they match.

Without PCI DSS Requirement 11.4 compliance or a proactive approach to detecting unauthorized activity, attacks or abuse of computing resources may go unnoticed in real time.

Your organization needs an IDS or IPS deployment. This asset or device must be installed at the boundary of your network and at critical points or connections within your cardholder data environment.

In addition, the IDS or IPS must be managed effectively. From an assessment perspective, you should make sure that the definitions you use are correctly structured, kept up to date, and organized. Then, when your organization detects or prevents one of these attacks, staff can be notified immediately and react appropriately to the incident.

What is Intrusion Detection System (IDS), and What Does It Do?

An intrusion detection system (IDS) is an application that monitors the network for malicious behavior or policy violations. Any malicious behavior or breach it detects is usually recorded and analyzed centrally using a security information and event management (SIEM) system. Some IDSs may also respond to intrusions upon detection.

A traffic monitoring system at the entry point of your network shows you what is coming and going, but it does not let you see the remote locations that connect to key components.

Monitoring traffic on the public side of the firewall will not tell you what is happening inside your network. Monitoring all of the traffic on an internal network such as a LAN or DMZ lets the IDS watch user activity or virtual servers there, but it cannot see anything happening in other parts of the network.

Unless you have unlimited resources, you cannot monitor all activity on the network, so you need to determine which traffic is most important and which vantage point offers the best view of it.

An IDS can passively monitor multiple segments and inspect traffic that an IPS would never see, such as traffic that remains entirely within a LAN or DMZ. An IDS can therefore identify, and alert on, a machine attacking other desktop machines on the LAN.

By creating alerts in an IDS, you can take the necessary actions as soon as suspicious behavior is detected. In this way, you can quickly contain a violation, because the alert greatly simplifies the organization's decision-making process.

Organizations can also use the information collected by their IDS in court after a breach to show that they did as much as possible to prevent it. An IDS will help you identify a security breach as it occurs, in real time.

Note that an IDS is not preventative. IDS monitors the action, collects evidence, and alerts the persons concerned.

What are IDS Detection Types and Classifications?

There is a wide variety of IDSs, from antivirus tools to layered control systems that monitor all network traffic. The most common IDS classifications are:

  • Network intrusion detection systems (NIDS): IDS systems that analyze incoming network traffic.
  • Host-based intrusion detection systems (HIDS): IDS systems that monitor crucial operating system files.

IDSs can also be classified by their detection method. The most common variants are signature-based and anomaly-based detection.

  • Signature-based IDS: A signature-based IDS detects potential threats by searching for unique patterns, such as byte sequences in network traffic or well-known malicious instruction sequences used by malware. The terminology comes from antivirus software, which refers to such patterns as signatures. Although a signature-based IDS can quickly detect known attacks, it cannot detect new attacks for which no signature exists yet.
  • Anomaly-based IDS: A newer technology designed to detect and respond to unknown threats, driven by the rapid proliferation of malware. This detection method uses machine learning to build a model of trusted, normal operation and then compares new behavior against that model. While this method allows the detection of previously unknown attacks, it is prone to false positives: previously unseen but legitimate patterns of behavior may be mistakenly identified as malicious.

What is Intrusion Prevention System (IPS), and What Does It Do?

You can use an intrusion prevention system (IPS) for more preventive measures: it monitors network activity for malicious behavior, logs and reports that information, and can block the intrusions it detects. An intrusion prevention system can drop malicious packets, block traffic from the malicious source address, and reset connections.


In most respects, an IPS (Intrusion Prevention System) is an IDS, except that it can operate on existing inline traffic. IPSs must be inline by their definition and therefore can only see traffic entering and leaving a zone.

A significant concern with an IPS is that it may block legitimate business or revenue-generating traffic. IPS actions include dropping packets, resetting connections, blocking sources, or running custom scripts, all of which occur immediately after a signature matches.

This potentially harmful behavior makes the person responsible for the protection liable for lost revenue if the IPS degrades valid traffic. If you also pay attention to the points that distinguish a well-run IPS, described below, you can get good results from IPS devices.

Make sure your IPS systems are capable of failing open. If any part of the software malfunctions or the device even loses power, traffic must continue to pass through it. Nobody wants a barrier that prevents data flow.

Also, keep in mind that only a limited number of high-confidence signatures should act on traffic. To keep false-positive rates down, define your network zones precisely so that signatures can be tuned to the direction of the traffic they inspect.

You will need to spend a lot of time reviewing the alerts and events generated to make sure the signatures act as planned. With every signature update, review each signature the vendor adds or changes and understand how it will affect your traffic.

What are IPS Detection Methods and Classifications?

Intrusion prevention systems (IPS) can be divided into four main types:

  • Network-based intrusion prevention system (NIPS): Identifies suspicious traffic by analyzing protocol activity across the entire network.
  • Wireless intrusion prevention system (WIPS): Identifies suspicious traffic by analyzing wireless network protocol traffic across the entire wireless network.
  • Host-based intrusion prevention system (HIPS): A secondary software package that monitors a single host for malicious behavior and analyzes the events occurring on that host.
  • Network behavior analysis (NBA): Examines network activity to find threats that generate unusual traffic flows. The threats it most commonly identifies are distributed denial-of-service attacks, various types of malware, and policy violations.

Most intrusion prevention systems use one of three detection methods:

  • Signature-based detection: Signature-based IPS tracks network packets and compares them to predetermined attack patterns known as “signatures.”
  • Statistical anomaly-based detection: An anomaly-based IPS can monitor network traffic and compare it with projected traffic patterns. To work effectively, what is “normal” must be defined within the network.
  • Stateful protocol analysis detection: This IPS approach detects protocol anomalies by comparing the observed activity with predetermined profiles of benign protocol activity.
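To make the signature-based and anomaly-based methods described above concrete, here is an added example (not part of the original article or any IDS product) that runs both over constructed sample records: a signature check for known byte patterns, and a per-host statistical baseline whose false-positive behavior on a never-seen host is shown explicitly. The signature patterns, hosts, and packet counts are all hypothetical.

```python
from __future__ import annotations
import statistics
from dataclasses import dataclass

@dataclass
class Packet:
    """Constructed sample record: source host, destination host, payload bytes."""
    src: str
    dst: str
    payload: bytes

# Hypothetical signatures: byte sequences treated as known-malicious.
SIGNATURES = {
    "nop-sled-shell": b"\x90\x90\x90\x90/bin/sh",
    "sql-injection-probe": b"' OR 1=1--",
}

def signature_matches(pkt: Packet) -> list[str]:
    """Signature-based detection: report every known pattern found in the payload.
    A brand-new attack with no signature yields an empty list (the known weakness)."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]

class AnomalyDetector:
    """Anomaly-based detection: learn a per-host baseline of packets per interval
    from trusted traffic, then flag intervals that deviate by more than k stdevs."""
    def __init__(self, k: float = 3.0):
        self.k = k
        self.baseline: dict[str, tuple[float, float]] = {}  # host -> (mean, stdev)

    def train(self, counts_by_host: dict[str, list[int]]) -> None:
        for host, counts in counts_by_host.items():
            self.baseline[host] = (statistics.mean(counts), statistics.pstdev(counts))

    def is_anomalous(self, host: str, count: int) -> bool:
        if host not in self.baseline:
            # No trust model for this host, so it is flagged even if legitimate:
            # this is the false-positive mode the text warns about.
            return True
        mean, stdev = self.baseline[host]
        # Floor the stdev at 1 so a perfectly flat baseline does not flag every change.
        return abs(count - mean) > self.k * max(stdev, 1.0)
```

Tuning `k` and extending the training data is how the false-positive rate is traded against detection of genuinely unusual volume.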

What are the Differences Between IDS, IPS, and Firewalls?

Both IDS and IPS refer to a defined threat database and then identify or react to the threat based on that database. While the IDS needs an administrator to look at the results of those detected, an IPS can take immediate action to block the threat.

In many ways, both IDS and IPS are applications that send notifications to the administrator so that the necessary action can be taken.

A firewall is usually designed to block all traffic, after which you configure it to allow specific types of traffic to pass through. IDS and IPS work the other way around: they let all traffic through and then flag or block only particular traffic.

An IPS can seem more useful than an IDS because it simply "does more." But passively listening to network behavior is still vital. Much of the traffic on your network may look suspicious but is actually normal.

Therefore, if your device only blocks traffic or responds to it automatically, it can produce false positives that interfere with regular network traffic. You need to tune your IDS or IPS to eliminate both false positives and false negatives and keep its behavior as consistent as possible in both respects.

As a result, you can combine a firewall with an IDS or IPS, and most manufacturers support such unified builds. Set your firewall only to allow different traffic types to pass through, and then use IDS or IPS to detect irregularities or problems with the traffic you allow. The combination and effective use of these tools give the network a substantial security margin.

None of the three devices are “set and forget.” New malware and vectors appear every day for exploitation and detection. Regardless of your decision, you will always have to work on ongoing customization and update and maintain your policies, especially in IPS.

Updates can be applied to all of the devices listed automatically. However, automatic updates do not eliminate the need for human analysis. Each day, you must set aside a certain amount of time to check the devices.

Besides these, you should also have data loss prevention (DLP) tools. DLP software monitors outgoing data streams for sensitive or critical data formats that should not pass through the firewall, and prevents that data from leaving your system.

Make sure you implement this correctly so that your DLP understands where the data is allowed to go. It can block necessary transfers to third-party organizations if very restrictive rules are set.

Analyzing your network traffic and acting on it as quickly as possible is an excellent way to gain visibility into what is happening on your network.