A commonly used category of risk management tool is known as an intrusion detection system (IDS). These can either consist of a physical device or a piece of software. An IDS monitors network traffic, and other network or system activities, to detect malicious activity or policy violations. These systems can be used for real-time monitoring, or can be used to generate reports that can be reviewed by individuals involved in risk management. Some systems will provide alerts and notifications from real-time monitoring so steps can be taken to block or eliminate an intruder as soon as possible.
| Intrusion Detection Tool | Snort | Advanced Intrusion Detection Environment (AIDE) | Bro IDS |
|---|---|---|---|
| 1. Maturity of Tool | Created in 1998 | Created in 1999 | Used for over a decade, utilizing over 15 years of research |
| 2. Market Acceptance or Relevance | Most widely deployed IDS/IPS. Millions of downloads, nearly 400,000 registered users. In 2009 entered InfoWorld's Open Source Hall of Fame. | Used on many UNIX-like systems as baseline control and for rootkit detection. | Use of policy scripts means this software could be effective for any organization/industry as long as the scripts are tailored for a specific use. |
| 3. Licensing Models | Open source; annual subscription, cost per sensor. | Open source only | BSD License (open source) |
| 4. Platform Compatibility | Windows, Unix (including OS X and multiple versions of Linux) | Any modern Unix platform | Any modern Unix platform |
| 5. Ease of Installation | Simple to install via executable file. | Code must be compiled to be installed. Database must be created to maintain comparison information. | Code must be compiled to be installed. |
| 6. Other Characteristics | Uses a simple command line interface. Performs real-time traffic and packet analysis on IP networks. | File and directory integrity checker. Database is created to provide a baseline to run a direct comparison with current files or directories. | Passively watches network traffic. Policy scripts must be written to create event handlers to automate activities when certain events occur. |
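To make the AIDE row concrete, here is an added example (not AIDE's own code) of the baseline-and-compare model it describes: a snapshot of file digests and metadata is taken once, and a later snapshot is compared against it to report files that were added, removed or changed. The sample directory tree and the changes made to it are constructed inside the script.

```python
# Added example (not AIDE's own code): a minimal file-integrity checker
# following the AIDE model described above. It records a baseline database
# of file digests and metadata, then compares a later snapshot against it.
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root: str) -> dict:
    """Walk `root` and record sha256, size and permission bits per regular file."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, etc.
                continue
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            db[rel] = {"sha256": digest, "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode)}
    return db

def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}

def demo() -> dict:
    """Constructed sample: take a baseline, alter the tree, then compare."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "bin").mkdir()
        (Path(root) / "bin" / "ls").write_bytes(b"original ls")
        (Path(root) / "etc.conf").write_text("setting=1\n")
        baseline = snapshot(root)
        # Simulated drift: one binary rewritten, one config removed, one new file.
        (Path(root) / "bin" / "ls").write_bytes(b"modified ls")
        (Path(root) / "etc.conf").unlink()
        (Path(root) / "new_module.so").write_bytes(b"\x7fELF")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())  # {'added': ['new_module.so'], 'removed': ['etc.conf'], 'changed': ['bin/ls']}
```

A real deployment keeps the baseline database on read-only or offline storage, since an attacker who can rewrite the baseline can hide any change.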
Intrusion detection systems are readily available for any organization to utilize. There are a number of open-source solutions that will provide an organization with all the necessary tools to perform intrusion detection. Many of these tools are easily customizable to fit the needs of the specific organization. A downside to using open-source tools for many organizations is the lack of support. Of the IDS tools discussed, only Snort provides support in the form of an annual subscription. The other IDS tools require an organization to implement, maintain and support them on its own, which could be inconvenient for some organizations. If that is the case, it makes more sense for an organization to pursue a commercial IDS solution.