Page 1213 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
persistent threats (APTs) sponsored by nation-states. APTs are
discussed in several chapters of this book, such as Chapter 14. One of
the ways these attacks are detected is with egress monitoring, or
monitoring the flow of traffic out of a network.
Intrusion Detection and Prevention Systems
The previous section described many common attacks. Attackers are
constantly modifying their attack methods, so attacks typically morph
over time. Similarly, detection and prevention methods change to
adapt to new attacks. Intrusion detection systems (IDSs) and intrusion
prevention systems (IPSs) are two methods organizations typically
implement to detect and prevent attacks.
An intrusion occurs when an attacker can bypass or thwart security
mechanisms and gain access to an organization’s resources. Intrusion
detection is a specific form of monitoring that monitors recorded
information and real-time events to detect abnormal activity
indicating a potential incident or intrusion. An intrusion detection
system (IDS) automates the inspection of logs and real-time system
events to detect intrusion attempts and system failures. Because an
IPS includes detection capabilities, you’ll often see them referred to as
intrusion detection and prevention systems (IDPSs).
IDSs are an effective method of detecting many DoS and DDoS
attacks. They can recognize attacks that come from external
connections, such as an attack from the internet, and attacks that
spread internally such as a malicious worm. Once they detect a
suspicious event, they respond by sending alerts or raising alarms. In
some cases, they can modify the environment to stop an attack. A
primary goal of an IDS is to provide a means for a timely and accurate
response to intrusions.
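To make the IDS behaviour described above concrete, here is a small added example (not from the study guide) of log-based detection: three threshold rules run over constructed connection-log lines that flag an external SYN flood, an internal host probing its neighbours like a worm, and the egress volume spike mentioned earlier. The log format, field names and the 10.0.0.0/8 internal range are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample connection-log lines (not from the study guide); the line
# format, field names and 10.x internal range are assumptions for this example.
SAMPLE_LOG = """\
00:00:01 src=203.0.113.9 dst=10.0.0.5 dport=80 flags=S bytes=60
00:00:01 src=203.0.113.9 dst=10.0.0.5 dport=80 flags=S bytes=60
00:00:02 src=203.0.113.9 dst=10.0.0.5 dport=80 flags=S bytes=60
00:00:02 src=203.0.113.9 dst=10.0.0.5 dport=80 flags=S bytes=60
00:00:03 src=10.0.0.7 dst=10.0.0.8 dport=445 flags=S bytes=60
00:00:03 src=10.0.0.7 dst=10.0.0.9 dport=445 flags=S bytes=60
00:00:04 src=10.0.0.7 dst=10.0.0.10 dport=445 flags=S bytes=60
00:00:05 src=10.0.0.12 dst=198.51.100.20 dport=443 flags=PA bytes=6000000
00:00:06 src=10.0.0.12 dst=198.51.100.20 dport=443 flags=PA bytes=7000000
00:00:07 src=10.0.0.3 dst=198.51.100.40 dport=443 flags=PA bytes=1200""".splitlines()

FIELD_RE = re.compile(r"(\w+)=(\S+)")   # extracts key=value pairs from a line

def is_internal(ip):
    return ip.startswith("10.")         # assumed internal address space

def detect(lines, syn_limit=4, scan_limit=3, egress_limit=10_000_000):
    """Run three threshold rules over the log lines and return the alerts raised."""
    syns = Counter()            # (external src, dst) -> bare SYN count (DoS flood rule)
    peers = defaultdict(set)    # (internal src, dport) -> internal hosts contacted (worm rule)
    egress = Counter()          # internal src -> bytes sent outside the network (egress rule)
    for line in lines:
        rec = dict(FIELD_RE.findall(line))
        src, dst = rec["src"], rec["dst"]
        if rec["flags"] == "S" and not is_internal(src):
            syns[(src, dst)] += 1
        elif is_internal(src) and is_internal(dst):
            peers[(src, rec["dport"])].add(dst)
        elif is_internal(src) and not is_internal(dst):
            egress[src] += int(rec["bytes"])
    alerts = [f"possible SYN flood from {s} against {d}"
              for (s, d), n in syns.items() if n >= syn_limit]
    alerts += [f"possible worm spread: {s} probed {len(hosts)} internal hosts on port {p}"
               for (s, p), hosts in peers.items() if len(hosts) >= scan_limit]
    alerts += [f"egress anomaly: {s} sent {b} bytes outbound"
               for s, b in egress.items() if b >= egress_limit]
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT:", alert)
```

Raising the thresholds suppresses the alerts, which is the tuning trade-off a real IDS faces between missed intrusions and false alarms.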
An IDS is intended as part of a defense-in-depth security
plan. It works with, and complements, other security
mechanisms such as firewalls, but it does not replace them.

