Intrusion Detection System (IDS), Intrusion Prevention System (IPS) and Security Information and Event Management (SIEM) tools are a critical part of a corporate or enterprise network.
An Intrusion Detection System (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator when it finds any.
There are network-based (NIDS) and host-based (HIDS) intrusion detection systems. Some IDS detect threats by matching traffic against signatures of known attacks (similar to the way antivirus software typically detects and protects against malware), while others compare traffic patterns against a baseline of normal behaviour and flag anomalies.
Network Intrusion Detection Systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network.
Host Intrusion Detection Systems (HIDS) are run on individual hosts or devices on the network.
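As an added illustration of the two detection approaches described above (this is example code, not part of the original page or any IDS product), the Python sketch below applies a small set of constructed signature patterns and a baseline-derived anomaly threshold to constructed connection records; the signatures, hosts and counts are hypothetical sample data.

```python
"""Toy illustration of signature-based and anomaly-based IDS detection.
All signatures, hosts and traffic counts are constructed sample data."""
import re
import statistics
from collections import Counter

# Constructed signatures (hypothetical patterns, not real vendor rules):
# each maps a rule name to a regex applied to a connection's payload summary.
SIGNATURES = {
    "sqli-union-select": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./\.\./"),
}


def signature_alerts(records):
    """Return (src, rule name) for every record whose payload matches a known signature."""
    alerts = []
    for rec in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["payload"]):
                alerts.append((rec["src"], name))
    return alerts


def anomaly_alerts(records, baseline_counts, k=3.0):
    """Flag sources whose connection count exceeds baseline mean + k * stdev.

    baseline_counts: per-host connection counts observed during a 'normal' period.
    """
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts)
    threshold = mean + k * stdev
    current = Counter(rec["src"] for rec in records)
    return [(src, n) for src, n in current.items() if n > threshold]


# Constructed sample: mostly benign requests, one signature hit, one unusually noisy host.
SAMPLE = (
    [{"src": "10.0.0.5", "payload": "GET /index.html"} for _ in range(3)]
    + [{"src": "10.0.0.7", "payload": "GET /search?q=1 UNION SELECT password"}]
    + [{"src": "10.0.0.9", "payload": "GET /"} for _ in range(40)]
)
# Constructed baseline: typical per-host connection counts during a quiet period.
BASELINE = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(SAMPLE))
    print("anomaly alerts:", anomaly_alerts(SAMPLE, BASELINE))
```

Note that the noisy host 10.0.0.9 produces no signature hit at all and is caught only by the baseline comparison, while 10.0.0.7 sends a single request and is caught only by the signature match, which is why the two approaches are usually deployed together.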
An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits.
IPS actions include:
- Sending an alarm to the administrator
- Dropping the malicious packets
- Blocking traffic from the source address
- Resetting the connection
Security Information and Event Management (SIEM) combines SIM (security information management) and SEM (security event management) functions into one security management system. A SIEM system collects logs and other security-related records for analysis. Most SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, and even specialised security equipment such as firewalls, antivirus or intrusion prevention systems.
SIEM has 7 main capabilities:
- Data Aggregation
- Forensic Analysis