Updating Core Cyber Security Infrastructure: Intrusion Detection Systems (IDS)

Any business of any size is reliant on their ability to protect and secure their technology, data and networks from the many threats that they face. Intrusion Detection Systems (IDS) are and have been an integral part of this defense system. The aim of deploying an IDS into a network is to be able to identify if something untoward is happening and hopefully to be able to trap and remediate a problem sooner rather than later.

Standard IDS systems are loaded with rules, and programmed to send alerts when they see something a Systems Administrator might not like to be happening, providing a first line of defence at the perimeter of the network. The alert, however, is a singular event and doesn’t really tell us anything about the bigger picture of the threat.

So, let’s say a system becomes infected with a bit of malware, such as Spyware that masquerades as potentially unwanted applications (PUAs) which is a form of malware—and a risk that many organisations underestimate or dismiss completely. However, spyware can steal user and company information, weaken the security posture of devices, and increase malware infections. A box standard IDS will only flag up seeing the malware chattering on the network, which is great, but we’re missing something: how did it get there, and where else is it?

The CERNE 40Gbps IDS & Event Driven Record from Telesoft uses a specially designed feature called ‘intelligent record’ that answers this question – the alert will trigger a recording of everything going to/from that user’s PC for the last n seconds, filling in the vital missing information.  For example showing where they accessed the dodgy site, then where it was downloaded from, and so on, with this information we know how it got there, and we know where it may have been. This allows SOC teams to respond to the threat in a much more assertive fashion as they have a much better idea and clearer picture of what they are dealing with.