When To Use Network IDS / Anomaly Detection
As you build out your cyber security strategy, OT Network Anomaly Detection or Network IDS (Intrusion Detection Software) is certainly on your list of considerations. Navigating which security technology is the best fit for your environment can be a challenge for any team. If you land on Network IDS / Anomaly Detection, there are many vendors that offer solutions including Nozomi Networks, SCADAfence, Dragos, Claroty, and Forescout.
OT Network Anomaly Detection or Network IDS is a program that monitors network traffic patterns as well as individual packets to determine whether malware or an intruder is present on the system. An IDS provides several benefits for security teams that have been tasked with getting a better understanding of their OT environments. This technology is generally deployed by connecting a sensor to a span port on a managed switch and examining the traffic going across the network. The value of examining the traffic is to learn which devices are communicating on the network, build an inventory of these assets, and then profile what “normal” communication looks like. If anomalies are detected, either as deviations from this profile or by a deep packet inspection (DPI) engine embedded in the sensor software, alerts and their associated logs are then either available in the sensor interface or forwarded to a corporate Security Information and Event Management (SIEM) system for review. Many IDS offerings also include signature-based engines that look for known threats based on patterns.
| Deployment Effort | Risk Reduction | Deployment Cost | Business Value | Best For |
|---|---|---|---|---|
| Medium | Medium | $$ | High | Medium / Large Enterprises with security teams and analysts |
Benefits
- Visibility: Provides security teams and CISOs visibility into OT networks including end-point identification, network traffic, and alerts when changes to the system are observed.
- No Fundamental Network Changes: Because the sensors are plugged into span ports on the switches, no changes to the network architecture are required for implementation.
- Defense in Depth: Intrusion detection is a fundamental piece of a defense-in-depth strategy.
Challenges
- East/West Traffic: An IDS often has trouble picking up issues in east/west traffic (traffic between devices on the same switch that never reaches the span port) unless many sensors are deployed across the system.
- Tuning: The system can produce false positives, especially in its initial weeks in service. Tuning the system to reduce the number of false positives is required and will take time and patience.
- Proper Staffing: IDSs require security analysts to understand what events mean and to react appropriately. These can be either internal resources or outsourced.
- Reactive: While IDS is very important in a defense-in-depth strategy, it will only alert you once an intrusion is already in the system. Hardening the network is still essential.
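To make the workflow described above concrete (learning a baseline of assets and conversations from span-port traffic, raising anomaly and signature alerts, forwarding them as SIEM-ready log lines, and tuning out a confirmed false positive), here is a small toy detector. It is an added example written for this page, not code from any of the vendors named above; the hosts, flows, protocol labels and the signature pattern are all constructed sample data.

```python
"""Added example (not from the page or any vendor product): a toy OT network
anomaly detector. It learns which hosts talk to which, over which protocol and
port, during a baseline window; afterwards it flags unknown assets, unknown
conversations and known-bad byte patterns, and shows how an analyst's
allowlist suppresses an accepted false positive. All data is constructed."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed conversation, as a span-port sensor would summarise it."""
    src: str
    dst: str
    proto: str          # application protocol the DPI engine decoded
    dport: int
    payload: bytes = b""


# Constructed signature: placeholder name and pattern, not a real indicator.
SIGNATURES = {
    "EXAMPLE_SIG_known_bad_pattern": b"\xde\xad\xbe\xef",
}


class AnomalyMonitor:
    def __init__(self, signatures):
        self.signatures = signatures
        self.known_hosts = set()            # asset inventory built from traffic
        self.known_conversations = set()    # (src, dst, proto, dport) tuples
        self.reported_hosts = set()         # alert once per unknown asset
        self.learning = True

    @staticmethod
    def key(flow):
        return (flow.src, flow.dst, flow.proto, flow.dport)

    def finish_learning(self):
        """End the baseline window; from now on deviations raise alerts."""
        self.learning = False

    def allow(self, conversation):
        """Tuning step: an analyst confirms a flagged conversation is legitimate."""
        self.known_conversations.add(conversation)
        self.known_hosts.update(conversation[:2])

    def inspect(self, flow):
        """Return a list of alert dicts for one flow (empty list if normal)."""
        key = self.key(flow)
        if self.learning:
            self.known_hosts.update((flow.src, flow.dst))
            self.known_conversations.add(key)
            return []
        alerts = []
        for host in (flow.src, flow.dst):
            if host not in self.known_hosts and host not in self.reported_hosts:
                self.reported_hosts.add(host)
                alerts.append({"type": "new_asset", "host": host})
        if key not in self.known_conversations:
            alerts.append({"type": "new_conversation", "conversation": key})
        for name, pattern in self.signatures.items():
            if pattern in flow.payload:
                alerts.append({"type": "signature", "name": name, "conversation": key})
        return alerts


def to_siem_line(alert):
    """Serialise one alert as a JSON line, the shape a SIEM forwarder would ship."""
    return json.dumps({"source": "ot-ids-example", **alert}, sort_keys=True)


def run_demo():
    """Walk through baseline, anomaly, tuning and signature cases; return results."""
    mon = AnomalyMonitor(SIGNATURES)
    # Baseline window (constructed): an HMI polling two PLCs over Modbus/TCP.
    for hmi, plc in [("10.1.1.10", "10.1.1.20"), ("10.1.1.10", "10.1.1.21")]:
        mon.inspect(Flow(hmi, plc, "modbus", 502))
        mon.inspect(Flow(plc, hmi, "modbus", 502))
    mon.finish_learning()

    results = {}
    # Known conversation: no alerts.
    results["normal"] = mon.inspect(Flow("10.1.1.10", "10.1.1.20", "modbus", 502))
    # Never-seen workstation opens SSH to a PLC: new asset + new conversation.
    workstation = Flow("10.1.1.50", "10.1.1.20", "ssh", 22)
    results["unknown_host"] = mon.inspect(workstation)
    # Analyst confirms the workstation is legitimate and tunes it out.
    mon.allow(AnomalyMonitor.key(workstation))
    results["after_tuning"] = mon.inspect(workstation)
    # Known conversation whose payload matches the constructed signature.
    results["signature"] = mon.inspect(
        Flow("10.1.1.10", "10.1.1.21", "modbus", 502, payload=b"\x01\x03\xde\xad\xbe\xef"))
    return results


if __name__ == "__main__":
    for case, alerts in run_demo().items():
        for alert in alerts:
            print(case, to_siem_line(alert))
```

The `allow` method is the tuning loop from the Challenges list in miniature: every alert an analyst confirms as benign becomes part of the baseline, so the false-positive rate falls over the first weeks as the profile converges on the real traffic. Note that this detector, like a real sensor, only ever sees flows that cross the span port; conversations confined to another switch never reach `inspect`, which is the east/west blind spot mentioned above.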
Want to learn more? Check out our OT Defense in Depth Cyber Security Buyer’s Guide.