Intrusion Detection Systems (IDS) are divided into two categories: Host-based Intrusion Detection Systems (HIDS) and Network-based Intrusion Detection Systems (NIDS).
Intrusion detection has become an important protection method for networks in order to combat security weaknesses inherent in any system that includes a human element. No matter how strong your user access policies are, hackers can always get around them by tricking an employee into disclosing access credentials.
Hackers with access can occupy a corporate system for years without being detected. This type of attack is called an Advanced Persistent Threat (APT). IDSs specifically aim to root out APT’s.
- 1 The importance of log files
- 2 Log file security
- 3 HIDS vs NIDS
- 4 Key HIDS attributes
- 5 HIDS and SIEM
- 6 Intrusion Prevention Systems
- 7 Advanced Threat Protection
- 8 HIDS detection methods
- 9 Recommended HIDS tools
- 10 Selecting a HIDS
A HIDS tool focuses on monitoring log files. Most applications generate log messages and storing these records to files enables you to search through them over time and spot indications of intrusion. One big problem of gathering every log message on your system is that you will end up with a large amount of data. Storing log messages in an ordered manner helps you identify the right file to get data by application and date. So, the first step in being able to get meaningful information out of your logging system is to organize the file names and directory structure of your log file server.
The next step in implementing a HIDS is to get some automated detection. A HIDS will search through log messages for specific events that look like they may have recorded malicious activity. This is the core of a HIDS tool and the detection method that specifies which records to retrieve is set by policies and a rule base.
Many HIDS allow you to write your own alert generating rules. However, what you are really looking for when you choose a security system is a set of pre-written rules that incorporate the expertise of the security experts that write the software.
A HIDS is only as good as the policies that it provides. You can’t be expected to keep up with all of the latest attack vectors while also dedicating time to the everyday tasks of your job and there isn’t any point in trying to know everything if you can get that expertise provided for you by as HIDS tool.
The importance of log files
The volume of log and event messages can be overwhelming and it is tempting to just ignore them. However, the risk of litigation triggered by data disclosure or the damage that can be done to a business through loss of data means that failing to protect data can now ruin your business.
Security and data protection issues have now become integrated into contract requirements and there are many standards that industries now follow in order to reassure stakeholders and keep the business secure. Compliance to data integrity standards includes requirements for log file maintenance.
Depending on which standard your company implements, you will need to store log files for a number of years. So, log file management has now become an important business requirement. While you are setting up a log server, you might as well integrate security measures into it, and that’s what HIDS does.
Log file security
The maintenance of log file integrity is an essential part of HIDS. Event messages can identify intrusion and so log files are targets for hackers. An intruder can cover his tracks by manipulating log files to remove incriminating records. Therefore, a log server that backs up log files and checks for unauthorized alterations is important for data security standards compliance.
HIDS systems cannot effectively protect the resources of your system if its source information is compromised. The protection of log files also extends to the authentication system of your network. No automated protection system of log files would be able to distinguish between authorized and unauthorized log file access without also monitoring the security of user permissions.
HIDS vs NIDS
Host-based intrusion detection systems are not the only intrusion protection methods. Intrusion detection systems are divided into two categories. HIDS is one of those sectors, the other is network-based intrusion detection systems.
Both HIDS and NIDS examine system messages. This amounts to both looking at log and event messages. However, NIDS also examines packet data as it passes along networks. The rule of thumb that splits the responsibilities of intrusion detection between these two methodologies is that NIDS captures live data for detection and HIDS examines records in files.
The advantage of NIDS is that it offers a faster response than HIDS. As soon as a suspicious event occurs on the network, the NIDS should spot it and raise an alert. However, hackers are sneaky and constantly adjust their methods to evade detection. Some activity patterns only become apparent as malicious when considered in a broader context.
Whether it is better to get a HIDS or a NIDS is not a big issue because really you need both.
Key HIDS attributes
By analyzing historical data on activities, a HIDS is able to spot patterns of activity that occur over time. However, even on mid-sized networks, the volumes of log records generated on a daily basis can be very large, so it is important to pick an efficient sorting and searching tool.
Your HIDS will not be worth using if it is too slow. Remember, that new records are accumulating constantly, so a speedy HIDS can often be better than a very well-presented tool. Smart system administrators prefer to compromise on presentation in order to get speed. However, a HIDS tool that is both fast and well-presented is the best deal of all.
HIDS and SIEM
You will encounter the term SIEM a lot when you investigate network security systems. This acronym stands for Security Information and Event Management. This is a composite term that evolved by combining Security Information Management (SIM) and Security Event Management (SEM). Security Information Management examines log files, and so it is the same as a HIDS. Security Event Management monitors live data, making it the equivalent of a NIDS. If you implement a hybrid intrusion detection system, you will have created a SIEM.
Intrusion Prevention Systems
As an intrusion detection system, a HIDS is an important element of network protection. However, it doesn’t provide all of the functionality that you need in order to protect your company’s data from theft or damage. You also need to be able to act on the information that an IDS provides.
Threat remediation can be carried out manually. You may have network management tools at your disposal that will assist you in blocking off intruders. However, linking detection and remediation together creates an intrusion prevention system (IPS).
Both intrusion detection and intrusion prevention strategies work on the assumption that no firewall or antivirus system is infallible. IDS is the second line of defense and many IT security experts warn that no one should rely on a strategy of protecting the network at its boundaries because any security system can be undermined by user mistakes or malicious employee activities.
“Intrusion prevention system” is a bit of a misnomer because IPS’ close off security breaches once they have been detected rather than making a system so watertight that no intrusion could possibly occur in the first place.
Advanced Threat Protection
Another term that you might see when addressing advanced persistent threats is ATP. This stands for Advanced Threat Protection. In its basic form, an ATP system is the same as an IDS. However, some ATP providers stress threat intelligence as a defining characteristic of their systems. Threat intelligence is also a part of the definition of an IDS and a SIEM system.
In a HIDS, threat intelligence is based on the rule base of data search terms and system tests that identify malicious activity. This can be provided in the form of coded checks or adjustable rules set as policies. Threat intelligence can also be formulated within an IDS through AI. However, the policy forming strategies of automated systems can only be as comprehensive as the inference rules hard-wired into them at their creation.
ATP providers stress their central threat awareness services as a defining feature. These services are offered either as an additional subscription to the ATP software or are included in the purchase price. This is an information sharing element that enables the ATP software provider to distribute new policies and detection rules based on the successful identification of new attack vectors by other organizations. Some HIDS providers include this service and some HIDS are supported by user communities that share new detection policies. However, HIDS providers are not as strong on this threat information distribution element of their services as ATP providers.
HIDS detection methods
Both HIDS and NIDS can be divided into two subcategories according to their detection methods. These are:
- Anomaly-based detection
- Signature-based detection
There is no direct mapping between NIDS and HIDS for either of these two strategies. That is, it cannot be said that NIDS relies more on one of these methods and HIDS is all about the other detection methodology. Both HIDS and NIDS can use either or both of these detection strategies.
A HIDS with a signature-based strategy works in the same way as antivirus systems; a signature-based NIDS operates like a firewall. That is, the signature-based approach looks for patterns in data. A firewall looks for keywords, packet types, and protocol activity on incoming and outgoing network traffic, while a NIDS performs the same checks on traffic traveling within the network. An antivirus program will look for specific bit patterns or keywords in program files and a HIDS does the same for log files.
An anomaly would be unexpected behavior by a user or process. An example of this would be the same user logging into the network from Los Angeles, Hong Kong, and London all on the same day. Another example would be if a server’s processors suddenly started working hard at 2:00 AM in the morning. An anomaly-based HIDS would look through log files for records of these unusual activities; an anomaly-based NIDS would try to spot these irregularities as they happen.
As with the choice between HIDS and NIDS, the decision on whether to go for signature-based detection or anomaly-based IDSs is solved by going for both.
Recommended HIDS tools
You can narrow down your search for a host-based intrusion detection system by reading through our recommendations. This list represents the best of breed for each aspect of a HIDS.
You will find free tools in the list, some of which have very poor user interfaces, but made it onto the list because they have very fast data processing speeds. You will also find tools on the list that include general log file management procedures and were specifically written to comply with well-known data security standards. Other tools are comprehensive and give you everything you need in a HIDS both in the backend and in the interface.
Here is our list of the six best HIDS tools:
- SolarWinds Log & Event Manager (FREE TRIAL)
- Papertrail (FREE PLAN)
- ManageEngine Event Log Analyzer
You can read an outline of each of these HIDS tools in the following sections:
SolarWinds has created a HIDS that has automated remediation capabilities, making this an intrusion prevention system, the Log & Event Manager. The tool includes compliance audit reports to help you keep on track with PCI DSS, SOX, HIPAA, ISO, NCUA, FISMA, FERPA, GLBA, NERC CIP, GPG13, and DISA STIG.
Log file protection features that are built into this utility include encryption in transit and storage, and folder and file checksum monitoring. You can forward log messages and backup or archive entire folders and files. So, the log file management and integrity features of this tool are exceptional.
The tool will constantly monitor your log files, including those that are still open for new records. You don’t have to issue queries manually, because the Log and Event Manager will raise alerts automatically whenever a warning condition is detected. There is also an analysis tool within the package that enables you to performs manual checks on data integrity and spot intrusion with a human eye.
Although this software will only install on Windows Server, it will collect log data from other operating systems, including Linux and Unix. You can get a 30-day free trial of the SolarWinds Log & Event Manager.
SolarWinds runs a Cloud-based log management service, called Papertrail. This is a log aggregator that centralizes your log file storage. Papertrail can manage Windows event logs, Syslog messages, Apache server log files, Ruby on Rails program messages, and router and firewall notifications. Messages can be viewed live in the system dashboard as they travel to log files. As well as managing log files, the tool includes analytical support utilities.
Log data is encrypted both in transit and at rest and access to log files is guarded by authentication. Your files are held on the Papertrail server and SolarWinds takes care of backups and archiving, so you can save money on buying, managing, and maintaining file servers.
Papertrail employs both anomaly and signature-based detection methods and you benefit from policy updates learned from threats aimed at other Papertrail customers. You can also assemble your own detection rules.
SolarWinds offers Papertrail on subscription with a range of plans, the lowest of which is free.
ManageEngine’s Event Log Analyser is both a HIDS and a NIDS. The log management module collects and stores Syslog and SNMP messages. Metadata about each Syslog message is also stored.
Log files are protected by both compression and encryption and access is protected by authentication. Backups can be restored automatically when the analyzer detects log file tampering.
The dashboard is customizable and different screens and features can be allocated to different user groups. Reporting includes compliance audits for PCI DSS, FISMA, and HIPAA among others. You can also activate system compliance alerts.
The Event Log Analyzer runs on Windows or Linux and can integrate with ManageEngine’s infrastructure management tools. It is free to monitor up to five devices, but customers with larger networks have to pay.
OSSEC is a free open source HIDS produced by Trend Micro. It also includes system monitoring features that are normally attributed to NIDSs. This is a very effective processor of log file data, but it doesn’t come with a user interface. Most users put Kibana or Graylog on the front of OSSEC.
This tool will organize you log file storage and protect files from tampering. Intrusion detection is anomaly-based and is implemented through “policies.” These rule sets can be acquired for free from the user community.
The OSSEC software can be installed on Windows, Linux, Unix, or Mac OS. It monitors Windows event logs and also the registry. It will guard the root account on Linux, Unix, and Mac OS. Support is available for free from the active user community, or you can pay Trend Micro for a professional support package.
Sagan is a free HIDS that installs on Unix, Linux, and Mac OS. It is capable of collecting Windows event log messages, even though it doesn’t run on Windows. You can distribute the processing of Sagan to keep the overhead on your log server’s CPU light. The system uses both anomaly and signature-based detection methods.
You can set actions to occur automatically when an intrusion is detected. The tool has a few unique features that some of the more prominent HIDS lack. These include an IP geolocation facility that will enable you to raise alerts when activities of different IP addresses are traced to the same geographical source. The tool also allows you to set time-related rules to trigger alerts. The system was written to be compatible with Snort, which is a network detection system, giving Saga NIDS capabilities when combined with a network data collector. Sagan includes a script execution facility that makes this an IPS.
Splunk offers both HIDS and NIDS features. The base package of this tool is free to use and it doesn’t include any network-based data alerts, so it is a pure HIDS. If you are looking for an anomaly-based HIDS, this is a very good option. The top edition of Splunk is called Splunk Enterprise and there is a Software-as-a-Service (SaaS) version of this, which is called Splunk Cloud. Between the Free version and the Enterprise edition sits Splunk Light, which has some service limitations. There is also an online version of Splunk Light, called Splunk Light Cloud.
Splunk has workflow automation features that make it an intrusion prevention system. This module is called the Adaptive Operations Framework and it links automated scripts to trigger alerts. The automation of solutions to detected problems is only available with the higher paid options of Splunk.
The dashboard of Splunk is very attractive with data visualizations such as line graphs and pie charts. The system includes a data analyzer in all of the editions of Splunk. This enables you to view records, summarize, sort, and search them, and get them represented in graphs.
Selecting a HIDS
There are so many log management tools with analysis capabilities available on the market that you could spend a very long time assessing all of your HIDS options. With the list in this guide, you now have a lot of the research done and the next step is to focus on those tools that run on the operating system of your server. If you want to use Cloud-based services, then Papertrail and Splunk Cloud should interest you most.
Fortunately, all of the tools in our list are either free to use or are available on free trials, so you can install a couple of candidates to run them through their paces without any financial risk.
Do you currently operate a HIDS? Which system did you opt for? Do you think it is important to pay for a tool or are you happy using a free utility? Leave a message in the Comments section below and share your experiences with the community.