入侵侦测及防御系统(IDPS)

监视和防止恶意活动和破坏.

InsightIDR产品

什么是入侵检测和防御系统? 

An intrusion detection 和 prevention 系统 (IDPS) is a network monitoring strategy that works by both passively monitoring traffic 和 actively blocking suspicious or malicious behavior once it is flagged.

An IDPS can also be described as a visibility tool that sits off to the side of the network 和 monitors traffic. It consists of a management console 和 sensors that – when encountering something matching a previously detected attack signature – report the activity to the console.

国内流离失所者和. 管理检测和响应(耐多药)

The last point above is key in discerning the difference between these two strategies that may look similar on the surface. IDPS detects known attack signatures 和 is able to quickly match current activity to that past attack. 的主要功能之一 耐多药程序 is to detect new or unknown types of attacks 和 respond with countermeasures to those novel threats.

国内流离失所者和. 杀毒

进入过程的杂草, the mission of IDPS is to scan whole networks of endpoints 和 系统s linked together. It takes a macro view 和 matches up well to modern enterprise attacks perpetrated by large threat groups. 杀毒 主要扫描网络上的文件, ensuring the integrity 和 appropriateness of each file to exist on the network – 和 quickly quarantining them if not.

境内流离失所者的种类

国内流离失所者系统的外观和行为可能会以微妙的方式有所不同, 取决于所收集的遥测数据的最终用途. 让我们来看看 国家标准与技术研究所描述 IDPS系统跨一些关键场景的功能:

基于网络的国内流离失所者

A network-based IDPS monitors network traffic for network segments, 分析网络活动,识别可疑活动. 它可以识别许多不同类型的事件, 最常部署在网络之间的边界, 比如防火墙或远程访问服务器.

基于主机的国内流离失所者

A host-based IDPS monitors characteristics of events occurring within a host for suspicious activity. 这包括监控网络流量, 系统日志, 运行的进程, 应用程序活动, 文件访问和修改, 系统和应用程序配置也会发生变化. Host-based IDPSs are most commonly deployed on critical hosts like public servers.

无线国内流离失所者

A wireless IDPS monitors wireless network traffic 和 analyzes protocols to identify suspicious activity. It can’t identify suspicious activity in an application or higher-layer network protocol. It is most commonly deployed within range of an organization’s wireless network, 但也可以监控未经授权的无线网络.

网络行为分析(NBA)系统

An NBA 系统 examines network traffic to identify threats generating unusual traffic flows, like 分布式拒绝服务攻击,某些形式的 恶意软件,以及违反政策. NBA 系统s are most often deployed to monitor flows on an organization’s internal networks, 和 can also be used to monitor external traffic flow away from the organization.

IDPS技术

国内流离失所者的内部工作是什么? The below list isn't exhaustive of each 和 every process involved, but it is fairly inclusive of the protocols that can be executed in the event of suspicious activity. 

Heuristic-Based检测

Heuristic detections identify malicious code by matching specific behavior instead of exact patterns in that code. 它监视代码运行的方式, 和 determines dangerous behavior based on more complex sets of rules.

统计分析 

Admins can gain insight into current 系统 behavior with statistical analysis that looks at logs, 趋势预测, 以及故障排除工作. Anomalous events can be detected sooner 和 response plans put into action faster with advanced statistical analysis.

协议分析 

Application-layer protocol analysis is at the core of this technique, comparing an uncorrupted protocol to activity that could be suspicious, 最终目的是发现异常并拒绝访问.

行为分析 

This process applies insight to network events with the goal of detecting compromised credentials, 横向运动, 以及其他恶意行为. 这通常适用于如何 用户的行为 在网络上与静态威胁指标.

积极预防和应对 

Detection 和 response methodologies are clearly required to stop ever-evolving threats 和 breaches. 然而, prevention processes can mitigate what could otherwise be a bigger problem for a security organization. Prevention techniques include putting a stop to in-progress attacks, 监视安全环境中的变化, 和 actively modifying the content of an attack to mitigate its effects.

国内流离失所者最佳做法

尽可能以最卫生的方式开展国内流离失所者技术, it's a good idea to leverage some best practices when st和ing up an intrusion detection 和 prevention 系统. 

进行全面的网络评估

这种类型的 评估 will allow security teams to properly manage 和 patch vulnerabilities that pose risks to the network, 保护组织免受 威胁的演员 还有漏洞的可能性. The 评估 will help to define what a vulnerability looks like on a network as well as gain visibility into the overall structure of the network so analysts can define what “good” looks like.

定期更新IDPS签名和规则 

Signature-based detections typically “live in the moment” 和 aren’t great at detecting unknown attacks. They can compare signatures to known behaviors 和 catch suspicious activity in that manner, so it’s important to regularly update both signatures 和 rules that govern specific 网络安全 目标.

防火墙和SIEM系统之间的协作

Firewalls typically generate the data that will then be analyzed by a 安全信息和事件管理(SIEM) 系统. This firewall data can come in the form of logs, network traffic, 和 alerts. This symbiotic relationship helps to build a picture of what healthy network behavior looks like.

进行定期评估和审计 

剩下的在 合规 内部和外部政策(例如.e. 政府强制政策)对网络健康至关重要. Scheduling regular network 评估s 和 audits can ensure 合规 with secure configurations, 密码策略, 访问控制要求. Assessing 网络安全 against internally constructed benchmarks can 和 will help mitigate threats.

阅读更多

入侵检测系统:阅读最新的博客文章

用例:痛点:监控远程员工