Early intrusion detection systems generated logs that were then aggregated and correlated. However, this required combining several technologies, added a heavy workload, and resulted in inconsistent implementations and configurations.
Today, cloud and SaaS technologies allow small businesses and startups to simplify the implementation of intrusion detection systems. There are different types of probes:
Monitoring everything can be expensive, and the wider the monitored perimeter, the more human resources are needed to manage alerts, false positives, and other issues. The first step is to determine the most probable and serious attack scenarios that could affect your organization.
What is the technical level of the attacker? Consider the type of hacker profile that could target your services. There's no point in protecting against advanced cyber attacker groups if you are a small company. You can adjust your Intrusion Detection System (IDS) according to the attacker's profile. If their resources are relatively basic, you can implement a less advanced IDS.
What are the most probable attacks? Define the attacks that your assets could be subjected to. You can refer to the "OWASP Top Ten" for a list of the most common attacks.
What is the impact of such an attack? Determine if the defined attacks can have a significant impact on your systems. For example, in the case of open-source code, its leak might not have as strong an impact as leaking code that is supposed to be secret.
I recommend looking at the first step of the MITRE ATT&CK matrix (a knowledge base of adversary tactics and techniques) for a more in-depth analysis of attack scenarios.
After evaluating the attack scenarios you face, determine which environment(s) you need to protect.
Monitor all environments that could be targeted.
Define what the attacker is targeting. List the systems, information, processes, and users to protect. Visualize all assets in your infrastructure susceptible to cyberattacks by the attackers identified above.
What are the environments in your infrastructure? Do you have testing environments in addition to your development and production environments? If so, identify all entry and exit points and monitor each of these environments. The attacker might target your development environment to later attack the production environment and gain access to customer data.
If the environments are poorly segmented, you may need to monitor everything to detect the attack as early as possible.
An infrastructure hosted in the cloud allows you to use SaaS-type solutions.
If you are with one of the major cloud providers (AWS, GCP, or Azure), they already offer built-in solutions that handle data collection at a relatively low cost. SaaS-type solutions also exist to collect and aggregate data from other providers.
For an on-premises deployment, the previous solutions are not the most suitable. You can instead install a detection system such as Suricata directly at the network entry/exit point.
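Whatever sits at the entry/exit point, the practical work starts when its alerts have to be read. As an added example (not code from the original article), the script below consumes Suricata's line-delimited EVE JSON output, keeps only the alert events, and groups them by signature so that a small team sees "what fired, how often, from where" instead of a raw stream. The log lines are constructed for the example (documentation IP ranges, made-up signature ids and names); the field names follow Suricata's EVE alert format, and the severity threshold uses Suricata's convention where 1 is the highest priority.

```python
import json
from collections import defaultdict

# Constructed sample of Suricata EVE JSON output, one JSON object per line.
# Addresses come from the RFC 5737 documentation ranges; signature ids and
# names are invented for this example, not real rule-set entries.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-03-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":51234,"dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"signature":"EXAMPLE SSH brute-force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}',
    '{"timestamp":"2024-03-01T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":51235,"dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"signature":"EXAMPLE SSH brute-force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}',
    '{"timestamp":"2024-03-01T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.20","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2024-03-01T10:00:04.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":40000,"dest_ip":"10.0.0.11","dest_port":80,"proto":"TCP","alert":{"signature_id":1000002,"signature":"EXAMPLE web scanner user-agent","category":"Web Application Attack","severity":3}}',
    'this line is not JSON and must be skipped without aborting the run',
]


def parse_alerts(lines):
    """Yield only well-formed EVE records whose event_type is "alert".

    Malformed lines and non-alert events (flow, dns, http, ...) are skipped:
    a broken line in a multi-gigabyte eve.json must not stop the triage.
    """
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("event_type") != "alert" or "alert" not in record:
            continue
        yield record


def summarize_alerts(lines):
    """Group alerts by signature id: count, severity, category, distinct sources/targets."""
    summary = defaultdict(lambda: {"signature": "", "severity": 4, "category": "",
                                   "count": 0, "sources": set(), "targets": set()})
    for rec in parse_alerts(lines):
        alert = rec["alert"]
        entry = summary[alert["signature_id"]]
        entry["signature"] = alert.get("signature", "")
        entry["severity"] = alert.get("severity", 4)
        entry["category"] = alert.get("category", "")
        entry["count"] += 1
        entry["sources"].add(rec.get("src_ip", "?"))
        entry["targets"].add("%s:%s" % (rec.get("dest_ip", "?"), rec.get("dest_port", "?")))
    # Sets are converted to sorted lists so the result is stable and serializable.
    return {
        sid: {**e, "sources": sorted(e["sources"]), "targets": sorted(e["targets"])}
        for sid, e in summary.items()
    }


def prioritized(lines, max_severity=2):
    """Return signatures at or above the given priority, most urgent and most frequent first.

    Suricata severity: 1 = high, 2 = medium, 3 = low, 4 = informational.
    """
    rows = [(sid, e) for sid, e in summarize_alerts(lines).items() if e["severity"] <= max_severity]
    return sorted(rows, key=lambda r: (r[1]["severity"], -r[1]["count"]))


if __name__ == "__main__":
    for sid, e in prioritized(SAMPLE_EVE_LINES):
        print("sev %d  x%-3d %s (%d) from %s -> %s"
              % (e["severity"], e["count"], e["signature"], sid,
                 ", ".join(e["sources"]), ", ".join(e["targets"])))
```

In production the `lines` argument would be the open `eve.json` file (or a tailer on it) rather than the constructed list; the point of the grouping is that two thousand repeats of one brute-force signature from one source become a single row, which is what makes a small monitoring perimeter manageable by one person.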
As you know, many regulations can constrain your deployment strategy (e.g., the LPM for Critical Infrastructure Operators, PCI DSS for payment services, HIPAA for healthcare companies, and the GDPR more broadly). Through our various missions protecting healthcare data hosts (HDS), we have noticed that this is always a concerning and time-consuming point for CTOs.
After identifying the environments to protect, you must verify whether you are allowed to send your data outside of your infrastructure. Your intrusion detection system might be hosted outside your infrastructure, and data sent to it could be intercepted or diverted, creating a risk of leakage. Check whether regulations limit your choices.
Once you have an idea of the assets you want to protect and the potential threat scenarios, you need to define the resources available to you.
Setting up an IDS generally involves three major steps:
First, there is the "implementation" part. You need to integrate your detection system into your infrastructure to monitor your assets.
Then, you need to configure it. During the setup of your detection system, it will use default rules that you will probably want to modify. Such configuration requires considerable human effort. Based on the questions you asked earlier, you can define and likely reduce your monitoring perimeter, which will help lighten this part of the work.
Finally, the "run" part is the most important, because a detection system needs to be maintained throughout its operation. You must update it regularly as new attacks appear, and newly deployed services may require adjustments to your detection rules.
You need to define the human and financial factors at your disposal. If you don't have enough personnel to manage a detection system, you can opt for SaaS solutions. They handle updates and hardware management.
However, a SaaS solution can be quite expensive (depending on the size of your infrastructure) and is not suitable if you have a limited budget.
We present different types of solutions that we have observed during our infrastructure audit and penetration testing missions.
Dedicated SOC: This is a solution where a team is dedicated to managing and handling alerts from the intrusion detection system. They then report important information and malicious activities and take appropriate actions. Such a solution requires significant human resources.
Shared SOC: This solution allows you to delegate the management of your detection system to other teams. This may require external teams to access your infrastructure, or you may send them your data for processing.
SaaS Tool: There are various SaaS-type solutions for intrusion detection, such as Prisma Cloud, Lacework, and Sysdig. Licenses generally cost quite a bit (at least €20k/year). Some of the system management work is taken care of. However, you still need a person or team dedicated to monitoring alerts.
Combination of Open-source Components and Managed Services: If you are with a cloud provider that offers intrusion detection solutions, you can use them. They integrate easily with your other services and are relatively inexpensive. In our various infrastructure protection missions, we generally install GuardDuty together with Falco (for Kubernetes clusters) to collect and aggregate data, and then export the alerts to Slack or Opsgenie.
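The "export to Slack" step in that setup is usually a small function between the provider's event bus and the chat webhook. As an added example (not the article's or any project's own code), the handler below takes a GuardDuty finding in the EventBridge envelope shape, drops anything below a severity threshold so that the channel only carries what someone is expected to act on, and builds the Slack payload. The finding is constructed for the example with placeholder account, finding and instance ids; the severity bands (Low 1 to 3.9, Medium 4 to 6.9, High 7 to 8.9) are GuardDuty's documented ranges, and the `SLACK_WEBHOOK_URL` environment variable is an assumption of this example.

```python
import json
import os
import urllib.request

# Constructed GuardDuty finding as delivered by EventBridge. Account, finding and
# instance identifiers are placeholders, not values from a real AWS account.
SAMPLE_EVENT = {
    "version": "0",
    "id": "PLACEHOLDER-EVENT-ID",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111111111111",
    "region": "eu-west-1",
    "time": "2024-03-01T10:15:00Z",
    "detail": {
        "schemaVersion": "2.0",
        "id": "PLACEHOLDER-FINDING-ID",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "title": "203.0.113.5 is performing SSH brute force attacks against i-PLACEHOLDER.",
        "description": "Constructed description for the example.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-PLACEHOLDER"}},
        "service": {"count": 12, "eventFirstSeen": "2024-03-01T09:50:00Z",
                    "eventLastSeen": "2024-03-01T10:14:00Z"},
    },
}


def severity_label(score):
    """Map GuardDuty's numeric severity to its documented Low/Medium/High bands."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def describe_resource(resource):
    """Short human-readable identifier for the affected resource (a few common types)."""
    kind = resource.get("resourceType", "Unknown")
    if kind == "Instance":
        return "EC2 instance %s" % resource.get("instanceDetails", {}).get("instanceId", "?")
    if kind == "AccessKey":
        return "IAM principal %s" % resource.get("accessKeyDetails", {}).get("userName", "?")
    return kind


def build_slack_message(event, min_severity=4.0):
    """Return a Slack webhook payload, or None if the event should not be forwarded.

    None is returned for non-GuardDuty events and for findings below min_severity;
    the threshold is what keeps the channel readable for a small team.
    """
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    d = event.get("detail", {})
    score = float(d.get("severity", 0))
    if score < min_severity:
        return None
    label = severity_label(score)
    headline = "[%s %.1f] %s" % (label, score, d.get("type", "unknown finding type"))
    fields = [
        "*Title:* %s" % d.get("title", ""),
        "*Resource:* %s" % describe_resource(d.get("resource", {})),
        "*Account/Region:* %s / %s" % (event.get("account", "?"), event.get("region", "?")),
        "*Occurrences:* %s (last seen %s)" % (d.get("service", {}).get("count", "?"),
                                              d.get("service", {}).get("eventLastSeen", "?")),
        "*Finding id:* %s" % d.get("id", "?"),
    ]
    return {
        "text": headline,  # fallback text shown in notifications
        "blocks": [
            {"type": "header", "text": {"type": "plain_text", "text": headline}},
            {"type": "section", "text": {"type": "mrkdwn", "text": "\n".join(fields)}},
        ],
    }


def post_to_slack(webhook_url, payload):
    """Deliver the payload to an incoming-webhook URL; returns the HTTP status code."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def lambda_handler(event, context):
    """Entry point wired to an EventBridge rule on source aws.guardduty (assumed deployment)."""
    payload = build_slack_message(event)
    if payload is None:
        return {"forwarded": False}
    webhook = os.environ.get("SLACK_WEBHOOK_URL")  # assumed configuration variable
    if webhook:
        post_to_slack(webhook, payload)
    return {"forwarded": True, "severity": payload["text"].split()[0].strip("[")}


if __name__ == "__main__":
    print(json.dumps(build_slack_message(SAMPLE_EVENT), indent=2))
```

Setting the threshold in one place also makes the trade-off from the earlier sections explicit: a team with little monitoring capacity starts at High only, and lowers `min_severity` as it gains the people to handle the volume.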
To find the best solution for your company, you must first consider probable attack scenarios. Next, determine the environments and assets to protect. Then, create a list of the resources at your disposal, as this will limit your solution choices.
Conducting an infrastructure audit can help you assess what is critical and assist you in making this decision.