Tip: Consider the pros and cons of intrusion detection systems
HIPAA Weekly Advisor, November 1, 2002
As you consider installing an intrusion detection system (IDS), quickly check your organization's needs and its readiness to handle both the advantages and the disadvantages of an IDS.
Advantages
Visibility. An IDS provides a clear view of what's going on within your network. It is a valuable source of information about suspicious or malicious network traffic. There are few practical alternatives to an IDS that allow you to track network traffic in depth.
Defense. An IDS adds a layer of defense to your security profile, providing a useful backstop to some of your other security measures.
Response capabilities. Although they probably will be of limited use, you may want to enable some of the response features of the IDS. For instance, the IDS can be configured to terminate a user session that violates policy. Obviously, you must consider the risks of taking this step, since you may accidentally terminate a valid user session. However, in certain cases it can be an important tool to prevent damage to the network.
Tracking of virus propagation. When a virus first hits your network, an IDS can tell you which machines it compromised, as well as how it is propagating through the network to infect other machines. This can be a great help in slowing or stopping a virus's progress and making sure you remove it.
Evidence. A properly configured IDS can produce data that can form the basis for a civil or criminal case against someone who misuses your network.
Drawbacks
More maintenance. Unfortunately, an IDS does not replace a firewall, virus scan, or any other security measure. So when you install it, it will require additional maintenance effort and will not remove much, if any, of the existing burden.
False positives. IDSs are famous for setting off false positives, sounding the alarm when nothing is wrong. Although you can tweak the settings to reduce their number, you'll never completely eliminate the need to respond to them.
False negatives. IDSs can also miss intrusions. Technologies are improving, but IDSs don't always catch everything.
Staff requirements. Properly managing an IDS requires experienced staff. The less experienced your staff are, the more time they will spend responding to false positives. Therefore you will be creating not only more work for the IT department to handle, but more difficult work in some cases.
Editor's note: Adapted from the November 2002 issue of Healthcare Information Security.