Intrusion Detection Software: Should I go Open Source, Appliance or Managed Service


You know you need Intrusion Detection Software (IDS) or Intrusion Prevention Software (IPS).

The question is: which IDS/IPS solution is right for your organization?

You can use a “Free” open source tool, buy an expensive appliance, or just contract a managed service. How do you choose?

Intrusion Detection Questions

In this article, we provide a breakdown of the items you need to think about.

  • Cost of an IDS Sensor

  • Do you have the expertise to set it up correctly?

  • Are you going to take the time to look at the events and logs EVERY DAY?

  • Do you have the time and experience to research the events and take action?

Cost of a Sensor

When considering the cost of a sensor, are you buying an appliance or going to try to set up your own from open source?

Build from Open Source

As a Linux zealot, let me remind you of the saying, “Linux is free if your time has no value.” The same can be said for free intrusion detection software! If you already know how Linux and Intrusion Detection Software works, and you have a good bit of time on your hands to play with all the settings, this may be a viable and rewarding option for you. However, if this would be your first time working with either… here be dragons.

Intrusion Detection Software for Windows?

Yeah it’s out there, but if you want to set up open source network intrusion detection software… you’re going to WANT to run it on Linux!

Free is not always Free!

To get the daily signature updates, there is usually an annual or monthly fee, so while the software is free, you will still need to pay.

Using Good Hardware Costs $$$

Do yourself a favor, don’t say, “Hey, I have that old server we can use. Linux will run on it.” Buy a good server, and preferably use something with an Intel chipset on the network card.

[Image: In the long run, managed service is the most cost effective IDS option.]

Buy an Appliance

Likewise, buying an appliance outright can be costly, and then there is usually an annual support contract to keep the patches and signatures up-to-date. If you buy an appliance, make sure you have time to manage all the patches and updates, and of course review and act on all the events!

Managed Service

You will typically pay more than $0 and less than the cost of the appliance for a year of service. The cost of the appliance is spread out over your term of services, so it’s a little easier to swallow the monthly cost than the huge expense of an appliance up front.

Employees’ Time vs Monthly Service Cost

When comparing costs, calculate how much of your time (or your employees’ time) will be saved from not having to manage and deal with everything involving the IDS sensor(s). Unless you have trained staff who are dedicated to security, chances are you will pay less overall with a managed service.

Can You Set it Up Correctly?

Be honest with yourself here. For Open Source and Appliance, you need a good understanding of the software and cyber security principles. If you haven’t done it before, the first month of tuning any IDS can be a frustrating time.

[Image: It can be a challenge to choose and set up the IDS or IPS software.]

Open Source

Choosing the best IDS or IPS software is a topic all its own. There are a TON of pages devoted to how to set up Snort, Suricata, and Bro and then tune them for your environment. All the information you need is out there. Now, how much time do you want to spend doing it? If this is a learning project for you, you’ll enjoy it. If this is a “get it done” situation, open source is probably not the right option for you.

Open Source Intrusion Detection vs Prevention

With the exception of the Bro software (The Bro Network Security Monitor), most open source IDS projects have intrusion prevention system software as well.

Two good projects to look at are:

  • Snort

  • Suricata

Appliance

This is a mixed bag. Any good appliance should be easy to set up; however, with something as complicated as network security, you need fine-tuned controls. All too often people buy the fancy appliance, then it either alerts too much or not enough. No fancy user interface will get you past a sound understanding of network security principles. However, if you are a cyber security professional already and have the cash for the appliance, this may be the way to go. That is, you know what you want, and how you want it to behave.

Managed Service

In short, you need to know how to plug in power and a network cable, maybe set a span port on a switch. If the sensor is delivered in a Virtual Machine, probably less than that. This is where the managed service is focused. You don’t need to know anything, just plug it in and go back to your work. If you are not looking to make a living as a security professional, this is the option for you.

Time to Manage IDS

Can you hear that sucking sound… it’s the vacuum of the new project taking your time away. Hopefully you are starting to see a theme at this point. All these factors are about how much time you want to spend on this project.

An IDS is another system in your network. Another system to manage, update, check, watch for security alerts, patch, monitor, on and on.

[Image: With the managed service, you no longer have to spend time setting up, updating and checking your IDS.]

Open Source

For the most part you should be able to put the Linux base on auto update, then just focus on the IDS process itself. It’s not like automatic updates have ever messed up a program that has hundreds of customized rules… Right?

If you are used to looking at log files and parsing to find the issue, this won’t be a problem for you. You are probably still good to go here, but don’t underestimate how many signatures are lacking in the subscriptions and how many custom rules you are going to have to write. Oh and you might want to use git or something similar to keep revision control.

Appliance

This shouldn’t be too bad. No, really. If you have picked a good vendor, they most likely test all of their upgrades and updates to deal with this. You just need to figure out your maintenance windows, keep backups, and press the “I believe” button. However, depending on the number of custom rules you have, it could get tricky every once in a while.

Managed Service

Simple, you don’t manage it. Go have fun.

Time to Look at the Logs

Mostly, this is about how you visualize or process the alerts. This shouldn’t be too different for Open Source or appliance.

Again, be honest with yourself. If you are not going to look at the logs EVERY day, just go with a managed service. It does no good to go back weeks after a breach and say, “Oh, if I was looking I could have stopped them right after they got in.”

Open Source and Appliance

Email, Syslog, Kibana, SIEM, Splunk, tail, less, etc, etc, etc. How do you want to review alerts? Pick something that you can use to quickly set up reports and weed through the false positives.
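As an added example (not from the original post), here is the kind of quick daily triage script the paragraph above is talking about: it parses Snort “fast” alert lines, groups them by signature, flags signatures that fire repeatedly from a single source as candidates for a false-positive review, and emits the Snort `suppress` line you would drop into threshold.conf once you have confirmed one. The alert lines, SIDs and addresses are constructed for the example.

```python
"""Daily Snort alert triage: group alert_fast lines by signature and flag
noisy single-source signatures as false-positive review candidates."""
import re
from collections import defaultdict

# Snort alert_fast line layout (IPv4 only; Classification is optional).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (documentation/private addresses, made-up local SIDs).
SAMPLE_ALERTS = [
    "01/15-08:02:11.120345  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 10.0.0.23:51234",
    "01/15-08:02:14.002211  [**] [1:1000001:1] LOCAL sweep from monitoring host [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:44120 -> 10.0.0.50:22",
    "01/15-08:02:15.113344  [**] [1:1000001:1] LOCAL sweep from monitoring host [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:44121 -> 10.0.0.51:22",
    "01/15-08:02:16.224455  [**] [1:1000001:1] LOCAL sweep from monitoring host [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:44122 -> 10.0.0.52:22",
    "01/15-08:05:00.000001  [**] [1:1000002:1] LOCAL ICMP probe [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.53",
    "this line is not an alert and is skipped",
]

def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["prio"] = int(d["gid"]), int(d["sid"]), int(d["prio"])
    return d

def triage(lines, noisy_threshold=3):
    """Summarise alerts per SID, highest priority (lowest number) and most hits first."""
    by_sid = defaultdict(lambda: {"count": 0, "sources": set()})
    for a in filter(None, map(parse_alert, lines)):
        s = by_sid[a["sid"]]
        s["count"] += 1
        s["sources"].add(a["src"])
        s.update(gid=a["gid"], msg=a["msg"], prio=a["prio"])
    report = [{"gid": s["gid"], "sid": sid, "msg": s["msg"], "prio": s["prio"],
               "count": s["count"], "sources": sorted(s["sources"]),
               # Heuristic only: many hits from one host is where to start looking.
               "likely_fp": s["count"] >= noisy_threshold and len(s["sources"]) == 1}
              for sid, s in by_sid.items()]
    return sorted(report, key=lambda r: (r["prio"], -r["count"]))

def suppress_line(gid, sid, ip):
    """Snort threshold.conf entry that silences one signature for one source IP."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
```

Run `triage(SAMPLE_ALERTS)` after the day's alert file is read into a list; a confirmed false positive becomes a reviewed, version-controlled `suppress_line(...)` entry rather than a signature you stop reading.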

Managed Service

You don’t review logs, that’s what you are paying someone for!

Research the Alerts

Wait! What? I thought ALL the information you needed was in the event alert from the IDS? Don’t fall for this trap. We hear it from disillusioned IDS owners all the time when we are called in. After they get through the volumes of logs, then they have to research the hits and see if it is a false positive.

Open Source and Appliance

This will be the same effort for both. If your job is Network Security then you are probably good to go here. Underestimate this time commitment at your own peril.

Managed Service

Not to sound like a broken record, but Done and Done. Again, this is why you are paying the service. They do the research, or know it already and just send you a ticket.

Conclusion

If you are up for a research project and don’t have strict timelines, building your own IDS from Open Source can be hugely rewarding. If your job is to run Network Security and review everything already, Open Source or Appliance will work well for you, just don’t underestimate the time (and frustration) commitment.

Now, if you need Intrusion Detection System(s), don’t have the staff, training, or time, I highly recommend a managed service. You’ll end up paying less than buying the appliance, training and staffing it yourself, and since that is all the managed service does, you’ll get better results.

What’s your goal?

  • Learn how to build an IDS: go Open Source, you’ll have a blast.

  • Add a tool for the Network Security Team members: Open Source or Appliance.

  • Get it done and do my other work: Managed Service.

About Patrick Stump

The CEO and founder of Roka Com, Patrick has been a key player in both offensive cyber intrusion and security operations with multiple branches and agencies of the United States Government (USG), the military, and commercial industry.

Connect with Patrick on LinkedIn