Intrusion Detection and Prevention Systems (IDPS)

Monitor for, and prevent, malicious activity and breaches.


What is an intrusion detection and prevention system?

An intrusion detection and prevention system (IDPS) is a network security control that both passively monitors traffic and actively blocks suspicious or malicious behavior once it has been flagged.

An IDPS can also be described as a visibility tool. It consists of a management console and sensors that report activity to the console when they encounter something matching a previously known attack signature. A detection-only sensor can sit off to the side of the network on a tap or mirror port, but a sensor that is expected to block traffic must sit inline in the path, which means its own availability and latency become part of the design.

IDPS vs. Managed Detection and Response (MDR)

The last point above is key to telling apart two strategies that look similar on the surface. An IDPS detects known attack signatures and can quickly match current activity to a past attack. One of the main functions of an MDR program is to detect new or unknown types of attack and respond with countermeasures to those novel threats.

IDPS vs. Antivirus

Getting into the weeds of the process: the mission of an IDPS is to watch whole networks of linked endpoints and systems. It takes a macro view and is well matched to modern enterprise attacks carried out by large threat groups. Antivirus mainly scans files on individual endpoints, checking that each file is legitimate and belongs there, and quickly quarantining it if not.

Types of IDPS

IDPS deployments can look and behave in subtly different ways depending on what the collected telemetry is ultimately used for. Here is how NIST describes IDPS functionality across several key scenarios:

Network-based IDPS

A network-based IDPS monitors traffic for particular network segments or devices and analyzes network activity to identify suspicious events. It can identify many different types of events and is most commonly deployed at boundaries between networks, such as near border firewalls or remote access servers.

Host-based IDPS

A host-based IDPS monitors the characteristics of events occurring within a single host for suspicious activity. This includes monitoring network traffic, system logs, running processes, application activity, file access and modification, and system and application configuration changes. Host-based IDPSs are most commonly deployed on critical hosts such as publicly accessible servers.
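File access and modification monitoring is the part of a host-based IDPS that is easiest to show in code. The following is an added example, not Rapid7 code and not taken from any product: it takes a SHA-256 baseline of a directory tree, re-scans after a constructed tampering scenario (a backdoor account appended to a passwd file, a trojaned binary, a dropped script, a removed file), and reports what changed. The directory layout, file contents and the "tampering" are all constructed for the demonstration and live in a temporary directory, so it runs offline.

```python
"""Host-based file-integrity check: baseline a tree, re-scan, report changes."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest.

    Symlinks are skipped: following them would let an attacker point a
    'monitored' path at whatever content makes the digest look unchanged.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify the differences between two scans."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")

        baseline = build_baseline(root)

        # Simulated tampering: a second UID-0 account, a trojaned binary,
        # a dropped script, and a deleted config file.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/root:/bin/bash\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned binary")
        (root / "bin" / ".shell.py").write_text("import os\n")
        (root / "etc" / "hosts").unlink()

        return diff_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A real agent would store the baseline somewhere the host cannot silently rewrite it (signed, or off-box), and would add ownership and permission bits to the record, since a mode change on a setuid binary is as interesting as a content change.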

Wireless IDPS

A wireless IDPS monitors wireless network traffic and analyzes wireless protocols to identify suspicious activity. It cannot identify suspicious activity in application or higher-layer network protocols carried over the wireless link. It is most commonly deployed within range of an organization's wireless network, but can also be used to watch for unauthorized (rogue) wireless networks.

Network Behavior Analysis (NBA) systems

An NBA system examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations. NBA systems are most often deployed to monitor flows on an organization's internal networks, and can also be used to monitor flows between the organization's networks and external networks.
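Two of the detections named above, a DDoS-shaped surge in flows and an egress policy violation, can be expressed directly over flow records. The code below is an added example written for this page, not Rapid7 code and not a real NBA product's logic. The flow records are constructed inline in a NetFlow-like shape (timestamp, source, destination, port, protocol, byte count); the internal address range, the forbidden egress ports, the window size and the "ten times the normal number of sources" threshold are all assumptions chosen for the demonstration.

```python
"""Network behavior analysis over flow records: fan-in surge and egress policy checks."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int
    proto: str
    octets: int


INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # assumed internal range
# Assumed policy: internal hosts may not initiate these protocol/port pairs outbound.
FORBIDDEN_EGRESS = {("tcp", 23), ("tcp", 445), ("udp", 69)}


def fan_in_alerts(flows, window=60, baseline_sources=5, factor=10):
    """Flag destinations whose distinct-source count in any window exceeds factor * baseline.

    A DDoS against one service shows up as a sudden jump in how many distinct
    sources talk to that destination, regardless of what the packets contain.
    """
    seen = defaultdict(set)   # (window index, destination) -> distinct sources
    for f in flows:
        seen[(f.ts // window, f.dst)].add(f.src)
    alerts = []
    for (w, dst), srcs in sorted(seen.items()):
        if len(srcs) > baseline_sources * factor:
            alerts.append({"type": "fan_in", "dst": dst, "window": w, "sources": len(srcs)})
    return alerts


def policy_alerts(flows):
    """Flag internal-to-external flows on protocol/port pairs the egress policy forbids."""
    alerts = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in INTERNAL and dst not in INTERNAL and (f.proto, f.dport) in FORBIDDEN_EGRESS:
            alerts.append({"type": "policy", "src": f.src, "dst": f.dst,
                           "proto": f.proto, "dport": f.dport})
    return alerts


def constructed_flows():
    """Constructed sample: normal web traffic, then a flood, plus one policy violation."""
    flows = []
    # Window 0: a handful of clients using the public web server.
    for i in range(5):
        flows.append(Flow(10 + i, f"203.0.113.{i + 1}", "10.1.1.80", 443, "tcp", 2000))
    # Window 1: 80 distinct sources, each sending a SYN-sized flow to the same server.
    for i in range(80):
        flows.append(Flow(70 + i % 50, f"198.51.100.{i + 1}", "10.1.1.80", 443, "tcp", 60))
    # A workstation reaching out to external SMB (forbidden) and HTTPS (allowed).
    flows.append(Flow(75, "10.2.3.4", "192.0.2.9", 445, "tcp", 1500))
    flows.append(Flow(76, "10.2.3.4", "192.0.2.9", 443, "tcp", 1500))
    return flows


if __name__ == "__main__":
    sample = constructed_flows()
    for a in fan_in_alerts(sample) + policy_alerts(sample):
        print(a)
```

In practice the baseline for each destination is learned from history rather than fixed, and the window is matched to the flow exporter's active timeout so that one long-lived connection is not counted in several windows.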

IDPS technologies

How does an IDPS work internally? The list below is not an exhaustive description of each process, but it covers fairly well the techniques that can be applied when suspicious activity occurs.

Heuristic-based detection

Heuristic detection identifies malicious code by matching the specific behavior it exhibits rather than exact byte patterns in the code itself. It watches how the code runs and decides that behavior is dangerous based on more complex sets of rules, which is why it can catch a sample whose bytes have never been seen before.
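The following added example (written for this page, not Rapid7 code) shows what "matching behavior instead of bytes" looks like over an endpoint event trace. Each heuristic rule scores one behavior; the process is judged malicious when the combined score crosses a threshold, so no single rule has to be conclusive on its own. The event records, rule weights and threshold are constructed assumptions, and the "ransomware" trace is a synthetic sequence rather than a real sample.

```python
"""Heuristic (behavior-based) scoring of an endpoint event trace."""
from collections import Counter

THRESHOLD = 60   # assumed: total score at or above this is reported as malicious


def rule_office_spawns_shell(events):
    """An Office document handler launching a shell or script host."""
    return any(e["type"] == "process_start"
               and e.get("parent", "").lower() in {"winword.exe", "excel.exe"}
               and e["image"].lower() in {"powershell.exe", "cmd.exe", "wscript.exe"}
               for e in events)


def rule_persistence(events):
    """A Run-key write, i.e. the process arranging to survive a reboot."""
    return any(e["type"] == "registry_set"
               and "\\currentversion\\run" in e["key"].lower()
               for e in events)


def rule_mass_rename(events, minimum=20):
    """Many files rewritten with the same new extension in one trace: ransomware-like."""
    ext = Counter(e["path"].rsplit(".", 1)[-1].lower()
                  for e in events if e["type"] == "file_rename")
    return bool(ext) and ext.most_common(1)[0][1] >= minimum


def rule_shadow_copy_delete(events):
    """Volume shadow copies being deleted, which removes the easy recovery path."""
    return any(e["type"] == "process_start"
               and "vssadmin" in e["image"].lower()
               and "delete shadows" in e.get("cmdline", "").lower()
               for e in events)


RULES = [
    (rule_office_spawns_shell, 30),
    (rule_persistence, 20),
    (rule_mass_rename, 40),
    (rule_shadow_copy_delete, 40),
]


def score(events):
    """Return (total score, names of the rules that fired)."""
    fired = [(r.__name__, w) for r, w in RULES if r(events)]
    return sum(w for _, w in fired), [n for n, _ in fired]


def verdict(events):
    total, fired = score(events)
    return {"malicious": total >= THRESHOLD, "score": total, "rules": fired}


def ransomware_trace():
    """Constructed trace: macro drops PowerShell, persists, kills shadows, encrypts."""
    ev = [
        {"type": "process_start", "parent": "WINWORD.EXE", "image": "powershell.exe",
         "cmdline": "powershell -w hidden -enc QQBC"},
        {"type": "registry_set",
         "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
        {"type": "process_start", "parent": "powershell.exe", "image": "vssadmin.exe",
         "cmdline": "vssadmin delete shadows /all /quiet"},
    ]
    ev += [{"type": "file_rename", "path": f"C:\\Users\\a\\Docs\\f{i}.docx.locked"}
           for i in range(25)]
    return ev


def benign_trace():
    """Constructed trace: a build script renaming a few artifacts, nothing else."""
    return ([{"type": "process_start", "parent": "explorer.exe", "image": "cmd.exe",
              "cmdline": "build.cmd"}]
            + [{"type": "file_rename", "path": f"C:\\build\\out{i}.tmp"} for i in range(3)])


if __name__ == "__main__":
    print("ransomware:", verdict(ransomware_trace()))
    print("benign:    ", verdict(benign_trace()))
```

The weights are where the tuning effort goes: a single rule such as the mass-rename check also fires on legitimate backup or archiving jobs, which is why it is scored rather than treated as a verdict on its own.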

Statistical analysis

Statistical analysis of logs, trend forecasts and troubleshooting data gives admins insight into current system behavior. With a sound statistical baseline, anomalous events are detected sooner and response plans can be put into action faster.
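The simplest form of this is a trailing baseline: compare each new count with the mean and standard deviation of the preceding window and alert when it sits several standard deviations above the mean. The block below is an added example written for this page, not Rapid7 code; the hourly failed-login series is constructed (a steady daily pattern with one injected password-spray burst), and the window length, z-score threshold and minimum count are assumptions.

```python
"""Trailing-baseline (mean / standard deviation) anomaly detection over hourly log counts."""
import statistics


def detect_spikes(counts, window=24, z_threshold=3.0, min_count=10):
    """Return the hours whose count is anomalously high versus the trailing window.

    min_count stops a near-flat baseline (standard deviation close to zero)
    from flagging trivially small values as enormous deviations.
    """
    alerts = []
    for i in range(window, len(counts)):
        hist = counts[i - window:i]
        mean = statistics.fmean(hist)
        std = statistics.pstdev(hist)
        if counts[i] < min_count:
            continue
        if std == 0:
            # A perfectly flat baseline: any real increase is a deviation.
            z = float("inf") if counts[i] > mean else 0.0
        else:
            z = (counts[i] - mean) / std
        if z > z_threshold:
            alerts.append({"hour": i, "count": counts[i],
                           "baseline_mean": round(mean, 1), "z": round(z, 1)})
    return alerts


def constructed_series():
    """48 hourly failed-login counts: a repeating 10..14 pattern with a burst at hour 40."""
    series = [10 + (i % 5) for i in range(48)]
    series[40] = 180
    return series


if __name__ == "__main__":
    for a in detect_spikes(constructed_series()):
        print(a)
```

Note what happens after the burst: for the next 24 hours it sits inside the baseline window and inflates both the mean and the standard deviation, so a second, smaller spike in that period would be harder to see. Production implementations usually exclude flagged points from the baseline, or use a robust estimator such as the median and median absolute deviation, for exactly this reason.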

Protocol analysis

Application-layer protocol analysis is the core of this technique: a profile of how the protocol is supposed to behave is compared with the activity actually observed, with the aim of spotting deviations from the protocol and denying them access.
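An added example of this technique for HTTP/1.x, written for this page and not Rapid7 code: rather than looking for a known attack string, the checker compares each request with the protocol's own grammar and reports anything that departs from it, including a malformed request line, a header name that is not a valid token, a bare line feed inside the header block, and the conflicting message-length headers that set up request smuggling. The sample requests are constructed inline; the size limits are assumptions.

```python
"""Protocol analysis for HTTP/1.x request heads: flag departures from the grammar."""
import re

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 9110 token characters
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}
MAX_TARGET = 2048      # assumed limit on request-target length
MAX_HEADERS = 64       # assumed limit on header-field count


def analyze_request(raw: bytes) -> list:
    """Return a list of protocol violations; an empty list means the head looks well-formed."""
    violations = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        violations.append("missing end of headers")
    lines = head.split(b"\r\n")
    if any(b"\n" in line for line in lines):
        violations.append("bare LF inside header block")

    parts = lines[0].split(b" ")
    if len(parts) != 3:
        violations.append("request line is not 'METHOD target VERSION'")
        return violations
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        violations.append(f"unexpected method {method!r}")
    if not target.startswith((b"/", b"http://", b"https://", b"*")):
        violations.append("request target is neither origin-form nor absolute-form")
    if len(target) > MAX_TARGET:
        violations.append("request target exceeds length limit")
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        violations.append(f"unsupported version {version!r}")

    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # A space before the colon ("Content-Length : 5") fails the token test,
        # which is exactly the kind of parser-disagreement trick smuggling relies on.
        if not colon or not TOKEN.match(name):
            violations.append(f"malformed header line {line!r}")
            continue
        headers.append((name.lower(), value.strip()))
    if len(headers) > MAX_HEADERS:
        violations.append("too many header fields")

    names = [n for n, _ in headers]
    cl = [v for n, v in headers if n == b"content-length"]
    if len(set(cl)) > 1:
        violations.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl):
        violations.append("non-numeric Content-Length")
    if cl and b"transfer-encoding" in names:
        violations.append("Content-Length and Transfer-Encoding both present")
    if version == b"HTTP/1.1" and b"host" not in names:
        violations.append("HTTP/1.1 request without Host")
    return violations


# Constructed samples.
SAMPLES = {
    "well-formed": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test\r\n\r\n",
    "smuggling-shaped": (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 13\r\n"
                         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG"),
    "bare-LF": b"GET / HTTP/1.1\nHost: x\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, "->", analyze_request(req) or "ok")
```

The value of this approach is that it does not need to know about any particular exploit: a request that is not valid HTTP is suspicious whatever its intent, and the list of violations is stable even as attack payloads change.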

Behavioral analysis

This process applies insight to network events with the goal of detecting compromised credentials, lateral movement, and other malicious behavior. Rather than matching static threat indicators, it typically looks at how users and hosts behave on the network and at departures from their established patterns.
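The added example below, written for this page and not Rapid7 code, shows the lateral-movement case: a per-account profile of which hosts the account normally logs into is learned from one period of authentication records, and a later period is checked for an account fanning out to several hosts it has never touched within a short window. The log lines use a syslog-like format constructed purely for this example, and the window and host-count threshold are assumptions.

```python
"""Behavioral analysis over authentication events: profile, then flag lateral-movement shape."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record shape: "<ISO timestamp> <host> auth: ACCEPT|REJECT user=<u> from=<src>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>ACCEPT|REJECT) "
                  r"user=(?P<user>\S+) from=(?P<src>\S+)$")


def parse(lines):
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:   # lines that do not match the expected shape are ignored
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def build_profile(events):
    """user -> destination hosts and source hosts seen during the learning period."""
    profile = defaultdict(lambda: {"hosts": set(), "sources": set()})
    for e in events:
        if e["result"] == "ACCEPT":
            profile[e["user"]]["hosts"].add(e["host"])
            profile[e["user"]]["sources"].add(e["src"])
    return profile


def detect_lateral_movement(events, profile, window=timedelta(minutes=10), new_host_threshold=3):
    """Alert when a user logs into >= threshold previously unseen hosts inside one window."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "ACCEPT":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        known = profile[user]["hosts"] if user in profile else set()
        for i, start in enumerate(evs):
            novel = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["host"] not in known:
                    novel.add(e["host"])
            if len(novel) >= new_host_threshold:
                alerts.append({"user": user, "start": start["ts"].isoformat(),
                               "from": sorted({e["src"] for e in evs[i:]}),
                               "new_hosts": sorted(novel)})
                break   # one alert per user is enough for this example
    return alerts


# Constructed learning-period records: alice uses two servers from her own workstation.
LEARNING = [
    "2024-03-01T09:00:00 fileserver01 auth: ACCEPT user=alice from=wks-alice",
    "2024-03-01T09:05:00 mail01 auth: ACCEPT user=alice from=wks-alice",
    "2024-03-02T09:01:00 fileserver01 auth: ACCEPT user=alice from=wks-alice",
    "2024-03-02T10:00:00 fileserver01 auth: ACCEPT user=bob from=wks-bob",
]
# Constructed detection-period records: alice's credential walks four hosts at 2 a.m.
DETECTION = [
    "2024-03-05T02:10:00 fileserver01 auth: ACCEPT user=alice from=wks-bob",
    "2024-03-05T02:11:00 db01 auth: ACCEPT user=alice from=wks-bob",
    "2024-03-05T02:12:30 hr01 auth: ACCEPT user=alice from=wks-bob",
    "2024-03-05T02:14:00 dc01 auth: ACCEPT user=alice from=wks-bob",
    "2024-03-05T09:00:00 fileserver01 auth: ACCEPT user=bob from=wks-bob",
    "this line is not an auth record",
]


def demo():
    return detect_lateral_movement(parse(DETECTION), build_profile(parse(LEARNING)))


if __name__ == "__main__":
    for a in demo():
        print(a)
```

Nothing in that trace matches an indicator of compromise: every login succeeded and every host is legitimate. The signal is entirely in the departure from alice's normal pattern, which is the point of behavioral analysis. The source-host field is kept in the alert because "same credential, different workstation" is usually the second thing an analyst checks.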

Active prevention and response

Detection and response methods are clearly required to stop ever-evolving threats and breaches. Prevention, however, can head off what would otherwise become a much bigger problem for a security organization. Prevention techniques include stopping an in-progress attack (dropping the packets or resetting the connection), changing the security environment (for example, reconfiguring a firewall to block the attacker), and actively modifying the content of an attack to blunt its effects.

IDPS best practices

To run IDPS technology as cleanly as possible, it's a good idea to follow some best practices when standing up an intrusion detection and prevention system.

Conduct a comprehensive network assessment

This type of assessment lets security teams properly manage and patch the vulnerabilities that pose risks to the network, protecting the organization from threat actors and the possibility of a breach. It helps define what a vulnerability looks like on the network and gives visibility into the network's overall structure, so analysts can define what "good" looks like.

Regularly update IDPS signatures and rules

Signature-based detections typically "live in the moment" and are not good at detecting unknown attacks. They catch suspicious activity by comparing traffic with the signatures of known attacks, so it's important to regularly update both the signatures and the rules that govern specific network security objectives. An attack that a stale signature does not cover is invisible until the signature is updated.
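The following added example serves both this section and the "Active prevention and response" section above. It is written for this page, is not Rapid7 code, and its rule format is a deliberately minimal stand-in rather than Snort or Suricata syntax. A first rule set catches the payload it was written against but misses a trivially altered variant; the updated rule set catches both, and a third rule in the update logs without blocking. The last function shows the inline prevention decision: the strongest action among the matched rules wins, and a monitor-only switch downgrades drops to alerts for a sensor that is deployed off a tap rather than inline. The sample payloads are constructed fragments of a multipart upload; the rule IDs are arbitrary.

```python
"""Signature matching with a rule update, and the inline prevention decision."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    action: str          # "alert" (log only) or "drop" (block when inline)
    contents: tuple      # byte patterns that must ALL occur in the payload
    nocase: bool = False


@dataclass
class Verdict:
    action: str          # "pass", "alert" or "drop"
    matched: list = field(default_factory=list)


def matches(rule, payload):
    hay = payload.lower() if rule.nocase else payload
    return all((c.lower() if rule.nocase else c) in hay for c in rule.contents)


def inspect_payload(payload, rules, monitor_only=False):
    """Evaluate every rule; the strongest action wins. monitor_only is IDS (tap) mode."""
    hits = [r for r in rules if matches(r, payload)]
    if not hits:
        return Verdict("pass")
    action = "drop" if any(r.action == "drop" for r in hits) else "alert"
    if monitor_only and action == "drop":
        action = "alert"   # a sensor off a mirror port cannot drop anything
    return Verdict(action, [r.sid for r in hits])


# Rule set v1: written against one specific sample of a PHP web-shell upload.
RULES_V1 = [
    Rule(1000001, "PHP web shell upload (eval of POST data)", "drop",
         (b"<?php", b"eval($_POST[")),
]

# Rule set v2, the update: case-insensitive, a second pattern for the base64 trick,
# and a low-confidence alert-only rule for any PHP open tag in an upload body.
RULES_V2 = [
    Rule(1000001, "PHP web shell upload (eval of POST data)", "drop",
         (b"<?php", b"eval($_POST["), nocase=True),
    Rule(1000002, "PHP web shell upload (eval of decoded POST data)", "drop",
         (b"<?php", b"eval(base64_decode($_POST["), nocase=True),
    Rule(1000003, "PHP open tag in upload body", "alert", (b"<?php",), nocase=True),
]

# Constructed payloads: fragments of a multipart/form-data file upload.
ORIGINAL = (b'------x\r\nContent-Disposition: form-data; name="f"; filename="a.php"\r\n\r\n'
            b'<?php eval($_POST["c"]); ?>\r\n')
VARIANT = (b'------x\r\nContent-Disposition: form-data; name="f"; filename="a.php"\r\n\r\n'
           b'<?PHP EVAL($_POST["c"]); ?>\r\n')
ENCODED = (b'------x\r\nContent-Disposition: form-data; name="f"; filename="a.php"\r\n\r\n'
           b'<?php eval(base64_decode($_POST["c"])); ?>\r\n')
BENIGN = (b'------x\r\nContent-Disposition: form-data; name="f"; filename="a.txt"\r\n\r\n'
          b'hello world\r\n')

if __name__ == "__main__":
    for label, p in [("original", ORIGINAL), ("variant", VARIANT),
                     ("encoded", ENCODED), ("benign", BENIGN)]:
        print(f"{label:9s} v1={inspect_payload(p, RULES_V1).action:5s} "
              f"v2={inspect_payload(p, RULES_V2).action:5s} "
              f"v2/tap={inspect_payload(p, RULES_V2, monitor_only=True).action}")
```

Two things carry over to real deployments. First, the gap between v1 and v2 is the window the best practice is about: until the rule set is refreshed, the variant passes clean. Second, the monitor-only switch is not a nicety. Rolling a new drop rule straight into inline enforcement means a false positive blocks production traffic, so new rules are normally run as alerts first and promoted to drop once their hit rate is understood.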

Collaboration between firewalls and SIEM systems

Firewalls typically generate the data that is then analyzed by a security information and event management (SIEM) system. This firewall data can take the form of logs, network traffic, and alerts. The symbiotic relationship helps build a picture of what healthy network behavior looks like.

Conduct regular assessments and audits

Remaining in compliance with internal and external policies (e.g., government-mandated policies) is critical to network health. Scheduling regular network assessments and audits can ensure compliance with secure configurations, password policies, and access-control requirements. Assessing network security against internally constructed benchmarks can and will help mitigate threats.

Read more

Detection and response: latest Rapid7 blog posts

Use case: Pain point: Monitoring remote employees