Posted On: May 20, 2020

Is Your IDPS Set Up Properly? 10 Questions to Ask Your Team

New regulations, such as general data protection regulation (GDPR), have prompted organizations to make intrusion detection and prevention systems (IDPS) a staple of their security strategies. Here’s what you need to know to protect your data.

It takes an average of 191 days for a company to detect a breach.

If you don’t catch intrusions before or as they happen, cybercriminals can spend months siphoning away at your data. The longer hackers spend on your network, the harder it is to repair the damage.

A typical data breach costs a company $3.86 million and takes 69 days to contain, according to IBM.

Your costs can include everything from the resources needed to fix gaps in your security systems to the ongoing impact of brand damage, particularly the loss of customer and shareholder trust.

But as cybercriminals become more sophisticated, it’s getting harder to prevent breaches.

It’s not a matter of if you will be attacked, but when and how often.

How to Stop Threats in Their Tracks

More organizations are using intrusion detection and prevention systems (IDPS) to reduce their risk of a data breach.

The National Institute of Standards and Technology (NIST) defines intrusion detection as, “the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.”

According to NIST, combining intrusion detection and prevention into a single system serves two purposes:

  1. Automate the intrusion detection process
  2. Stop possible incidents

IDPS includes a combination of hardware appliances and software that you can install on a server or firewall. Once installed, it monitors your network and looks for anomalous activity patterns that may indicate an attack. It does this by consulting a regularly updated library of known vulnerabilities and comparing your traffic to a pre-calculated baseline.

Meanwhile, its prevention systems automatically block potential threats. For example, an IDPS can block traffic from a malicious IP address and alert you of the activity. Not only will an IDPS minimize your risk of a data breach, but it also gives you greater visibility into your systems.

The Biggest IDPS Mistake (and 10 Questions to Ask Before You Go All In)

Companies often invest millions in an IDPS only to find out – months or even years later – that it’s not working.

But installing the technology doesn’t mean you are protected.

An IDPS is like a guard dog. You may think that it is watching over your data, but in reality, you have an empty house without the dog. Just because you set up an IDPS, it doesn’t mean that the technology is functional and protecting you.

There are 10 questions you must ask to ensure that your IDPS is actually guarding your network.

  1. How often do you check your IDPS?

An IDPS isn’t set-it-and-forget-it. You must check it daily to confirm that it is monitoring your systems 24/7.

    • When was the last time you looked at your IDPS?
    • How often do you test it to verify that it is protecting your business?

  2. How many intrusion events have you had in the past 30 days?

Most security professionals don’t know how many events they’ve had in the past month. But without this information, you are putting your organization at risk.

Check your IDPS to see how many events it has driven off your network in the past quarter. If you have more than 300 employees, you should find at least one event per quarter. If you don’t see anything, something is misconfigured.

Also, find out if any intrusion events led to notable outcomes.

  3. How often is your IDPS updated and how do you pull your definitions?

Even if your IDPS updates regularly, it may not pull the latest definitions.

I’ve seen systems that update every day but pull definitions that are three years old. Your system may show that it’s “up-to-date within 24 hours.” But this doesn’t mean anything if it re-applies the same definitions that it’s used for years.

Is your IDPS pulling the latest definitions? It might not be apparent if your IDPS is misconfigured.

  4. What do you currently have licenses for and what is actually enabled in your system?

IDPS licensing models can be complicated and misleading. Therefore, you may think that you have the correct licenses when you don’t.

How does this happen?

Many security teams buy an IDPS to meet an audit standard and assign the purchase to someone who isn’t an expert in the technology. The buyer may choose the cheapest version just to pass an audit – even if they don’t know what they’re getting.

Then, months later, they realize that they don’t have the proper licenses and their IDPS isn’t performing any inspections. With these systems, you need to license specific functionality such as URL filtering, IDPS signatures, and DNS signatures. All of these licenses are confusing and difficult to track.

Check your IDPS to ensure you have the proper licenses and that your system is performing inspections.

  5. What is the current throughput of your IDPS?

If your networking team can’t answer this question, it shows that they never use the technology.

Knowing your IDPS throughput is like knowing the mileage on your car. Staying on top of this number helps you stay informed about the health of your systems and network.

Your team should have a general idea of your current throughput and how it has trended over the past quarter. Have you seen an uptick in threats during the past few weeks or months?

To check your throughput, simply open a status screen in your IDPS software. If the number is 0, your system isn’t working.
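A small health check that applies questions 2, 3 and 5 above to an exported status record. This is an added example, not code from the original post; the key=value export format, the field names and the 30-day definition-age threshold are assumptions, and the sample export is constructed.

```python
"""Sanity checks for an IDPS status export, following the questions above."""
from datetime import datetime, timedelta

# Constructed sample export (hypothetical key=value format, one pair per line).
# The update job ran last night, yet the definitions it installed are years old.
SAMPLE_STATUS = """\
last_update_run=2020-05-19T03:00:00
definitions_date=2017-04-11
events_last_quarter=0
throughput_mbps=0
employees=450
"""


def parse_status(text):
    """Parse key=value lines into a dict; blank lines and # comments are ignored."""
    status = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        status[key.strip()] = value.strip()
    return status


def check_idps(status, now_iso, max_definition_age_days=30):
    """Return a list of findings; an empty list means every check passed."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    # Q3: a recent update run proves nothing if the definitions it applied are
    # old, so the definitions date is checked separately from the run time.
    last_run = datetime.fromisoformat(status["last_update_run"])
    defs_date = datetime.fromisoformat(status["definitions_date"])
    if now - last_run > timedelta(days=1):
        findings.append("update job has not run in the last 24 hours")
    if now - defs_date > timedelta(days=max_definition_age_days):
        findings.append(f"definitions are {(now - defs_date).days} days old despite recent update runs")
    # Q2: with more than 300 employees, at least one event per quarter is expected.
    if int(status["employees"]) > 300 and int(status["events_last_quarter"]) < 1:
        findings.append("no intrusion events in the past quarter: likely misconfigured")
    # Q5: zero throughput means the sensor is not inspecting any traffic.
    if float(status["throughput_mbps"]) == 0:
        findings.append("throughput is 0: the sensor is not inspecting traffic")
    return findings


if __name__ == "__main__":
    for finding in check_idps(parse_status(SAMPLE_STATUS), "2020-05-20T00:00:00"):
        print("FINDING:", finding)
```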

  6. Are your IDPS policies canceling each other out?

If the policies that you apply to your IDPS devices overlap, they may cancel each other out. For example, if you re-define a pre-filter object, it may bypass all of your existing policies. Then, your devices won’t run.

Test every policy to make sure that they don’t overlap and prevent their own functionality. Do any of your policies override each other? And do your policies and pre-filtered configuration settings allow for full inspection of your IDPS solution?

  7. Is your IDPS solution at the top of the Gartner Magic Quadrant or verified by analysts?

It’s important to choose a top-tier IDPS that has been verified by analysts.

If you ever need to defend your intrusion detection strategy in court, you must prove that you use one of the top IDPS products in the market and made the best efforts to protect your customer data. It’s hard to defend yourself if you’ve bought unproven or discount technology.

  8. Who is accountable for your IDPS?

Many chief information officers (CIOs) don’t have a dedicated security team. So, they ask their networking team to look after the IDPS and may assign the task to a junior engineer.

Then, the networking team doesn’t receive any alerts. Since everything is quiet, they assume the IDPS is running smoothly.

No news is not good news. If you’re not receiving alerts, your IDPS isn’t working.

  9. Do you have a dedicated team assigned to your IDPS?

You will get the most value from your IDPS when you assign a dedicated team to look after it. Networking teams are like electricians who can run wires and start the power. But if you want to redesign your power grid, you’d bring in an electrical engineer.

Complex security technology such as an IDPS requires an experienced and devoted team.

  10. What is your security budget and how much have you devoted to IDPS?

When you plan your security budget, consider outsourcing your IDPS management to a partner.

IDPS is an ideal candidate for outsourcing, as it’s more cost-effective to work with a partner than to hire an in-house expert. The salary of a cybersecurity analyst with intrusion detection skills can run $120,000 annually.

Your IDPS partner will ensure that your critical system is monitored 24/7, continuously updated, and always functional. They can provide a variety of services depending on your environment and needs, such as monitoring on-premises, in the cloud, or in a hybrid environment. In many cases, IDPS administration can be performed entirely remotely.

A partner can also help you get up-and-running quickly. If your team doesn’t have IDPS experience, it can take you months to get started and test all of your policies. An experienced partner can install and configure your IDPS in about 10 hours. They can also complete your testing in weeks – not months.

Is Your IDPS Doing Its Job?

If you can’t answer the above questions (or if you’re not happy with your responses), your IDPS probably isn’t functional.

Since managing the complex technology can place a huge burden on time-strapped IT teams, look for a solution provider who can manage your IDPS. A security partner can configure your system in a fraction of the time that it would take you to do it in-house while providing you with continuous, high-quality protection.

Is your IDPS doing its job? Or are you wasting millions on non-functional technology that puts you at risk?

Download the IDPS configuration checklist to discover the exact steps you must take to block threats and keep your data out of cyber criminals’ hands.