Intrusion Detection Software: Should I go Open Source, Appliance or Managed Service
You know you need Intrusion Detection Software (IDS) or Intrusion Prevention Software (IPS).
The question is which IDS/IPS Solution is right for your Organization?
You can use a “Free” open source tool, buy an expensive appliance, or just contract a managed service. How do you choose?
Intrusion Detection Questions
In this article, we provide a break down on the items you need to think about.
Cost of an IDS Sensor
Do you have the expertise to set it up correctly?
Are you going to take the time to look at the events and logs EVERY DAY?
Do you have the time and experience to research the events and take action?
Build from Open Source
As a Linux zealot, let me remind you of the saying, “Linux is free if your time has no value.” The same can be said for free intrusion detection software! If you already know how Linux and Intrusion Detection Software works, and you have a good bit of time on your hands to play with all the settings, this may be a viable and rewarding option for you. However, if this would be your first time working with either… here be dragons.
Free is not always Free!
To get the daily signatures updates, there is usually an annual or monthly fee, so while the software is free, you will still need to pay.
Using Good Hardware Costs $$$
Do yourself a favor, don’t say, “Hey, I have that old server we can use. Linux will run on it.” Buy a good server, and preferably use something with an intel chipset on the network card.
In the long run, managed service is the most cost effective IDS option.
Buy an Appliance
Likewise, buying an appliance outright can be costly, and then there is usually an annual support contract to keep the patches and signatures up-to-date. If you buy an appliance, make sure you have time to manage all the patches and updates, and of course review and act on all the events!
You will typically pay more than $0 and less than the cost of the appliance for a year of service. The cost of the appliance is spread out over your term of services, so it’s a little easier to swallow the monthly cost than the huge expense of an appliance up front.
Employees’ Time vs Monthly Service Cost
When comparing costs, calculate how much of your time (or your employees’ time) will be saved from not having to manage and deal with everything involving the IDS sensor(s). Unless you have trained staff who are dedicated to security, chances are you will pay less overall with a managed service.
It can be a challenge to choose and set up the IDS or IPS software.
Choosing the best IDS or IPS software is a topic all its own. There are a TON of pages devoted to how to setup SNORT, SURRICATA, and Bro software and then tune them for your environment. All the information you need is out there. Now, how much time do you want to spend doing it? If this is a learning project for you, you’ll enjoy it. If this is a “get it done” situation, open source is probably not the right option for you.
This is a mixed bag. Any good appliance should be easy to setup, however with something as complicated as network security, you need fine tuned controls. All too often people buy the fancy appliance, then it either alerts too much or not enough. No fancy User Interface will get you past a sound understanding of Network Security Principals. However, if you are a Cyber Security professional already and have the cash for the appliance, this may be the way to go. i.e. You know what you want, and how you want it to behave.
In short, you need to know how to plug in power and a network cable, maybe set a span port on a switch. If the sensor is delivered in a Virtual Machine, probably less than that. This is where the managed service is focused. You don’t need to know anything, just plug it in and go back to your work. If you are not looking to make a living as a security professional, this is the option for you.
With the managed service, you no longer have to spend time setting up, updating and checking your IDS.
For the most part you should be able to put the Linux base on auto update, then just focus on the IDS process itself. It’s not like automatic updates have ever messed up a program that has hundreds of customized rules… Right?
If you are used to looking at log files and parsing to find the issue, this won’t be a problem for you. You are probably still good to go here, but don’t underestimate how many signatures are lacking in the subscriptions and how many custom rules you are going to have to write. Oh and you might want to use git or something similar to keep revision control.
This shouldn’t be too bad. No, really. If you have picked a good vendor, they mostly likely test all of their upgrades and updates to deal with this. You just need to figure out your maintenance windows, keep backups, and press the “I believe” button. However, depending on the number of custom rules you have, it could get tricky every once in a while.
Simple, you don’t manage it. Go have fun.
Open Source and Appliance
Email, Syslog, Kibana, SIEM, Splunk, tail, less, etc, etc, etc. How do you want to review alerts? Pick something that you can use to quickly setup reports and weed through the false positives.
You don’t review logs, that’s what you are paying someone for!
Open Source and Appliance
This will be the same effort for both. If your job is Network Security then you are probably good to go here. Underestimate this time commitment at your own peril.
Not to sound like a broken record, but Done and Done. Again, this is why you are paying the service. They do the research, or know it already and just send you a ticket.
If you are up for a research project and don’t have strict timelines, building your own IDS from Open Source can be hugely rewarding. If your job is to run Network Security and review everything already, Open Source or Appliance will work well for you, just don’t underestimate the time (and frustration) commitment.
Now, if you need Intrusion Detection System(s), don’t have the staff, training, or time, I highly recommend a managed service. You’ll end up paying less than buying the appliance, training and staffing it yourself, and since that is all the managed service does, you’ll get better results.
What’s your goal?
Learn how to build an IDS: Go Open Source, you’ll have a blast.
Add a tool for the Network Security Team Members: Open Source or Appliance
Get it done and do my other work: Managed Service