Why Not To DIY Your Intrusion Detection System
Designing and implementing an IDS is not a trivial task, considering the numerous choices one faces during the process. Such systems require specialists who have a good overview over the entire application domain, and know how to configure each piece properly.
Not all business systems are created equal. Each is unique, and has different security needs. Maybe that’s why there are so many types of intrusion detection system (IDS), including
• Host based
• Application/stack based
• Cloud based
• Rule based
• Signature based
• Perimeter based
• Anomaly based
• Virtual machine based
• Hybrid IDS — a combination of two or more of these
Like too much of a good thing, this array can be overwhelming.
And then, you have so many factors to consider when making your selection. What kind of technology are you working with? What level of technology are you targeting? What type of detection do you most need, and how can you make up for any deficiencies?
If you decide on signature-based detection, for instance, you’ll need a large database of suspicious URLs for your IDS to watch for and alert you to. And a signature-based IDS will miss URLs that aren’t in your database.
And once you’ve narrowed your options, you most likely won’t find a ready-made solution that’s perfect for your enterprise — because the perfect IDS solution doesn’t yet exist.
One Size Does Not Fit All
Meeting your organization’s individual security needs requires a custom approach. If you buy an off-the-shelf solution, you’ll need to personalize it. And you may quickly discover that retrofitting it to your own security architecture is more hassle than it’s worth.
Ready-made solutions don’t tend to perform well, according to research from Cornell University. They rely on datasets whose information may be irrelevant and redundant; each will detect only certain kinds of attacks and miss others; and their datasets quickly become outdated, reducing their ability to respond to new attacks. Also, every time the application provider issues an update, you’ll need to update your system, which increases your costs.
Your best bet is to build an IDS from the ground up. Then you can map your security must-haves to the capabilities of your existing systems, networks, devices, and applications, and use the information to design a solution that integrates well with your security information and event management (SIEM) system and other applications and controls.
The problem with building your own? It’s complicated.
You’ll need on your team an interdisciplinary suite of skills that’s difficult to find in a single person or even a group, including
• A thorough knowledge of the application for which you’re building your IDS
• Deployment skills
• A grasp of statistics
• An understanding of machine learning (ML): how it works and how to design it
• Development skills
Unless yours is a very large company with unlimited resources, you likely don’t have the needed expertise on hand to develop, deploy, and maintain an IDS. But as advances continue in ML and other forms of artificial intelligence, IDS is getting more and more attention — which means more resources are available to assist you than ever before.
For such a complex and fluid solution as IDS, “do it yourself” isn’t the wisest approach. Don’t try to go it alone. Custom-build your own IDS system, yes — with help from trusted experts.