3 Tips for Intrusion Security Planning

Gartner vice president Paul E. Proctor wrote the book—literally—on intrusion detection. But a lot has changed since 2000, when he penned the Practical Intrusion Detection Handbook, a 359-page tome with tips on choosing vendors, setting up policies and justifying related costs.

The intrusion detection systems of old sat inside the network, watching the incoming traffic. They could spot malicious packets like worms, viruses or spyware and alert technology managers, but they couldn’t stop those threats from spreading through the network. That’s where intrusion prevention came into play. Prevention systems not only sit inline and detect bad traffic; they can block the packets completely.

But those aren’t the only tools at a security manager’s disposal. Proctor continues to watch the evolving security market and offers these tips for technology managers looking to step up their network protection.

1. Avoid Blocking Blunders

Intrusion prevention systems can deliver value at relatively low risk, Proctor says, but technology managers need to tweak what the system will or will not block. Some packets crucial to an application’s performance could get snapped up and spit out unless the system is configured to let them through. “The risk still remains that if you turn on the wrong things, you can basically break applications,” he says.

2. Turn Up the Volume

Vendor products can include 3,000 or so signatures, which are patterns of unwanted network activity. Once you figure out which applications—and, therefore, which patterns—you need to allow, activate as many signatures as you can, Proctor says. This will cover your bases by blocking the maximum number of threats.
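As an added illustration of Tips 1 and 2 (not code from the article or from Gartner), here is a toy model of an inline engine that either alerts or blocks, with every signature enabled and a single tuned exception for an application that an overly broad signature would otherwise break. The signature names, application labels and sample packets are all constructed for the example.

```python
# Added example: detect-only vs. inline blocking, plus per-application tuning.
# Signatures, application labels and packets below are constructed, not real.
import re
from dataclasses import dataclass, field


@dataclass
class Signature:
    name: str
    pattern: re.Pattern
    enabled: bool = True          # Tip 2: leave as many on as the apps allow


@dataclass
class Packet:
    app: str                      # application the flow belongs to
    payload: str


@dataclass
class Engine:
    inline: bool                  # False = IDS (alert only), True = IPS (block)
    signatures: list
    # Tip 1: (signature, application) pairs tuned to pass despite a match,
    # so a needed application is not broken by a broad rule.
    exceptions: set = field(default_factory=set)

    def inspect(self, pkt):
        """Return 'pass', 'alert' or 'block' for one packet."""
        for sig in self.signatures:
            if not sig.enabled or not sig.pattern.search(pkt.payload):
                continue
            if (sig.name, pkt.app) in self.exceptions:
                continue          # tuned out for this application only
            return "block" if self.inline else "alert"
        return "pass"


SIGS = [
    Signature("cmd-shell", re.compile(r"cmd\.exe|/bin/sh")),
    # Overly broad: the legitimate backup job also sends "DELETE *".
    Signature("mass-delete", re.compile(r"DELETE \*")),
]
TRAFFIC = [                       # constructed sample flows
    Packet("web", "GET /index.html"),
    Packet("backup", "DELETE * FROM staging_copy"),   # legitimate nightly job
    Packet("unknown", "POST /bin/sh"),
]


def run(engine):
    return [engine.inspect(p) for p in TRAFFIC]


def untuned_ips():
    return Engine(inline=True, signatures=SIGS)


def tuned_ips():
    # All signatures stay on; only the one that breaks backup is excepted.
    return Engine(inline=True, signatures=SIGS,
                  exceptions={("mass-delete", "backup")})
```

The untuned engine blocks the backup job along with the real threat; the tuned one keeps the same signature set but lets the backup flow through.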

3. There’s No Silver Bullet

Vendors and users can tout the success of prevention systems all they want, Proctor says, but those systems alone cannot effectively guard your network. The right approach, he explains, is to employ multiple systems, including technologies such as detection and prevention, firewalls, anomaly-based monitoring (which takes a sample of normal traffic behavior and audits network flow against it), and security information and event management (which centralizes system logs and checks for patterns).