Cyberwire Host
You're listening to the Cyberwire Network, powered by N2K. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.
Rick Howard
The word is intrusion detection system. Spelled intrusion, as in unwanted entry; detection, as in identifying the presence of something; and system, as in a technology for a specific purpose. Definition: A system that monitors for malicious or unwanted activity and either raises alerts when such activity is detected or blocks the traffic from passing to the target. Example sentence: The intrusion detection system flagged malicious use of Cobalt Strike. Origin and context: Dr. Dorothy Denning is one of the early computer science and security pioneers. According to Purdue University, where she received her PhD, Denning's early research in the 1970s and 1980s laid the early foundations of cryptology, information warfare, and data security. She published one of the early college textbooks on cybersecurity in 1982, and she invented the idea of lattice-based access controls, an early model for restricting access to data, in 1975. But in 1984, she and a colleague, Peter Neumann, developed the first intrusion detection expert system for SRI International, which could analyze host and network data. Two years later, in 1986, she published her paper, An Intrusion Detection Model, which laid the foundation for the first commercial intrusion detection tools. Today, intrusion detection systems can be either host-based or network-based and look for malicious intrusions either with known signatures or by looking for anomalies. A host-based IDS is placed on a single system, and its purview is restricted to that computer. A network-based IDS inspects traffic traversing the entire network. In the early 1990s, network intrusion detection systems were stand-alone hardware boxes that security practitioners placed in the security stack that normally sat between the user and the Internet. Today, standalone systems still exist, but modern firewalls also have that functionality built in as an added subscription service.
Intrusion detection systems have been a staple of security stack deployments since the early days, but unfortunately they're not perfect. Configured improperly, they can generate volumes of false positives that SOC analysts have to sift through, and there is always the possibility that the system doesn't notice an attack in progress, a false negative, as they say. Nerd reference: There is an excellent YouTube channel called Professor Messer that produces quality and free content that explains all things related to IT and computer security. If you're studying for some certification, browsing the shows on the Professor Messer channel might well be worth your time. In 2017, James Messer, the host, did a segment on intrusion detection systems.
Security Analyst
Many security professionals incorporate a network-based intrusion detection system, or IDS, or a network-based intrusion prevention system, or IPS, on their networks. This is designed to watch traffic going through the network, and if this device identifies an exploit against an operating system, it identifies a buffer overflow, a database injection, a cross-site script, it's either going to inform you that that happened if you're using an IDS or block the traffic if you're using an IPS. There are many different ways to engineer your IPS into your network. One way is to configure it as a passive monitoring device. This means that the IPS will receive a copy of the traffic and be able to then make a decision on what to do once it's received that information. Because it is acting as a passive monitor, it's obviously not sitting in the middle of the communication and able to block traffic. If a security professional is looking for more control over these traffic flows, then they'll probably configure their IPS for inline monitoring. All traffic then is going to pass through the IPS, and the IPS is going to make a decision on whether that traffic is allowed through the network or not. There are thousands of rules that you can configure, and it's up to you to enable the rules that are important for you and then determine what the disposition of each one of these rules is going to be. A significant challenge you have with intrusion prevention systems is that they're going to give you a lot of alerts and a lot of messages, and unfortunately a number of these messages are not going to be accurate. We call these false positives, where the system has told us that there has been an intrusion onto the network, but in reality it's a case of mistaken identity and there was not an intrusion at all. Perhaps even worse than a false positive on an IPS is a false negative. So this is when malicious traffic came through the IPS, but the IPS did not identify it as malicious.
Rick Howard
Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrick and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
Cyberwire Host
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com cyberwire26. I'll see you in San Francisco. Most security conferences talk about Zero Trust. Zero Trust World puts you inside. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation. Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ztw.com and take your zero trust strategy from theory to execution.
Podcast: Hacking Humans by N2K Networks
Release Date: January 20, 2026
Theme: Deception, influence, and social engineering in the world of cyber crime — spotlight on Intrusion Detection Systems (IDS).
This episode focuses on the term “Intrusion Detection System”—its origins, technical function, evolution, and challenges. The hosts break down the differences between IDS and IPS (Intrusion Prevention Systems), discuss historical context, notable figures in the development of IDS, and real-world implementation challenges faced by security professionals.
"Dr. Dorothy Denning is one of the early computer science and security pioneers... in 1984 she and a colleague Peter Neumann developed the first intrusion detection expert system for SRI International, which could analyze host and network data."
— Rick Howard
"If this device identifies an exploit against an operating system, it identifies a buffer overflow, a database injection, a cross-site script — it's either going to inform you that that happened if you're using an IDS or block the traffic if you're using an IPS."
— Security Analyst ([04:40])
"A significant challenge you have with intrusion prevention systems is that they're going to give you a lot of alerts and a lot of messages and unfortunately a number of these messages are not going to be accurate. We call these false positives..."
— Security Analyst ([05:45])
"Perhaps even worse than a false positive on an IPS is a false negative. So this is when malicious traffic came through the IPS, but the IPS did not identify it as malicious."
— Security Analyst ([06:05])
The episode highlights the Professor Messer YouTube channel as an accessible resource for deep dives into cybersecurity topics, including intrusion detection.
"If you're studying for some certification, browsing the shows on the Professor Messer channel might well be worth your time."
— Rick Howard ([03:23])
The tone is succinct and informative, with an emphasis on clarity and practical context. The episode mixes technical explanation with a dash of historical storytelling, sustaining engagement for both newcomers and seasoned cybersecurity professionals.
This Word Notes episode delivers a crisp, contextualized briefing on Intrusion Detection Systems—their origins, types, technological evolution, and ongoing real-world challenges for cybersecurity practitioners. With narrative hooks to foundational figures like Dr. Dorothy Denning and practical contemporary guidance, listeners are left with a clear understanding of why IDS remain a cornerstone (albeit imperfect) of modern security stacks. There are actionable resources highlighted for deeper exploration, and memorable explanations on how, why, and where IDS and IPS fit in organizational defenses.
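The episode's two themes, signature versus anomaly detection and the passive (alert-only) versus inline (blocking) deployment choice, can be shown together in a small sensor. This is an added illustration, not code from the episode or from any IDS product; the records, rules, and threshold are all constructed here, and the URL-encoded record is included to show how a naive signature produces a false negative while a benign comment that merely mentions a tag produces a false positive.

```python
import re
from collections import defaultdict

# Constructed sample records (not real traffic): (src, dst, dport, payload).
# Record 3 is benign text that talks about <script>; record 4 is the same
# attack as record 2 but URL-encoded, so the literal-string signature misses it.
RECORDS = [
    ("10.0.0.5", "10.0.1.20", 443, "GET /search?q=coffee HTTP/1.1"),
    ("10.0.0.5", "10.0.1.20", 443, "GET /item?id=1' OR 1=1-- HTTP/1.1"),
    ("10.0.0.7", "10.0.1.20", 443, "POST /comment body=<script>alert(1)</script>"),
    ("10.0.0.9", "10.0.1.20", 443, "POST /comment body=how do I escape <script> tags?"),
    ("10.0.0.7", "10.0.1.20", 443, "POST /comment body=%3Cscript%3Ealert(1)%3C/script%3E"),
] + [("10.0.0.11", "10.0.1.20", port, "") for port in range(20, 32)]  # one host, 12 ports

# Signature rules: (name, pattern, disposition). The disposition is only
# enforced by an inline sensor; a passive sensor can do nothing but alert.
SIGNATURES = [
    ("sql-injection-tautology", re.compile(r"'\s*OR\s+1=1", re.I), "drop"),
    ("xss-script-tag", re.compile(r"<script>", re.I), "drop"),
]
# Anomaly rule in the Denning style: a source touching more distinct
# destination ports than its expected profile allows is flagged (alert only).
PORT_THRESHOLD = 10

def inspect(records, mode="passive"):
    """Return (alerts, forwarded). mode='passive' inspects a copy of the traffic,
    so every record reaches the target; mode='inline' forwards only records that
    no 'drop' signature matched."""
    alerts, forwarded = [], []
    ports_by_src = defaultdict(set)
    for src, dst, dport, payload in records:
        verdict = "pass"
        for name, pattern, disposition in SIGNATURES:
            if pattern.search(payload):
                alerts.append((src, name))
                if disposition == "drop":
                    verdict = "drop"
        ports_by_src[src].add(dport)
        if len(ports_by_src[src]) == PORT_THRESHOLD + 1:  # fire once per source
            alerts.append((src, "anomaly-many-ports"))
        if mode == "passive" or verdict == "pass":
            forwarded.append((src, dst, dport, payload))
    return alerts, forwarded

if __name__ == "__main__":
    for mode in ("passive", "inline"):
        alerts, forwarded = inspect(RECORDS, mode)
        print(f"{mode}: {len(alerts)} alerts, {len(forwarded)}/{len(RECORDS)} records reached target")
```

Running it shows the passive sensor raising the same four alerts as the inline one while letting all 17 records through, and the inline sensor dropping the two real injections plus the benign comment that tripped the XSS signature, while the encoded payload passes both.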