With cyber-attacks constantly in the news and the threats becoming more sophisticated and prevalent, you are not alone in your concerns about your business’s security. While simple security measures might have been adequate in the past, today your company needs a multi-layered security approach to protect it from hackers and other malicious actors. In this article, we are going to look at an application that monitors a host device for suspicious activity, namely a HIDS or Host-Based Intrusion Detection System.
There are two types of Intrusion Detection Systems: Host-Based and Network-Based IDS. In this article, we will discuss host-based systems, but we will also explore the difference between the two. Similar to a burglar or fire alarm in a physical environment, an intrusion detection system will identify potential threats to your network or host. Just like its physical counterparts, when an incident is identified, it will notify someone of the intrusion. In this case, it is likely to be a system administrator or IT security personnel. They will investigate the intrusion and take remedial action if necessary.
An intrusion detection system is software or a tool that monitors traffic on a network or host device and analyses it for signs of malicious intent or policy violations. Common incidents that an IDS protects against are malware, unauthorised access attempts, authorised users attempting to abuse or escalate privileges they are not entitled to, and modification of configuration files.
Typically, intrusion detection systems work in conjunction with firewalls, and their approaches to traffic mirror each other. A firewall is configured to allow only specific types of traffic and block the rest. An IDS allows all traffic and identifies the specific traffic that could be a threat.
A Host-based Intrusion Detection System monitors and sends alerts if suspicious activity is detected on a single host such as a computer, server or another endpoint device. Most HIDS deploy software known as an agent on the host that will monitor and report on activity. Some examples of what a HIDS will monitor are network traffic for that specific host, file access, file modifications, configuration changes, running processes and events, application and system logs.
HIDS are typically installed on critical hosts such as servers that contain sensitive data or that are accessible to the public, but HIDS agents can be deployed on any single host if required, and they are available for most servers and computers used by a business.
HIDS uses two methods to identify potential threats.
Signature-based detection looks at data activity and compares it with a database of recognised threats. The downside of signature-based detection is that an unknown threat, for instance a brand-new type of malicious attack that has only just appeared, will not be flagged.
The second method, anomaly-based detection, looks for anomalies in usage rather than checking a database. An anomaly-based HIDS will sample ‘normal behaviour’ and keep a log of it. Any time there is a deviation from normal behaviour, the HIDS will send an alert. The main issue with anomaly-based detection is that it can flag many false positives.
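To make the two detection methods concrete, here is an added example (not code from the article or from Bulletproof) of a minimal host agent that runs both over a few constructed auth-log lines: a signature scan against a small hand-written pattern database, and an anomaly check that compares failed-login counts per minute with a learned baseline. The log lines, the signatures and the baseline are all constructed for illustration; note that the brute-force attempt is absent from the signature database and is only caught by the anomaly check, while the anomaly check alone would never name what the sudo or useradd events mean.

```python
import re
import statistics
from collections import Counter

# Constructed sample auth-log lines for one host (not real data).
SAMPLE_LOG = """\
Mar 10 09:01:12 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar 10 09:03:40 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt update
Mar 10 09:10:01 web01 sshd[2290]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 10 09:10:02 web01 sshd[2290]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 10 09:12:55 web01 sudo:   www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
Mar 10 09:13:01 web01 useradd[2301]: new user: name=backup2, UID=0, GID=0, home=/root, shell=/bin/bash
"""

# Constructed signature database: name -> regex describing a known-bad event.
SIGNATURES = {
    "sudo_shell_from_service_account": re.compile(r"sudo:\s+(www-data|nobody)\s.*COMMAND=/bin/(ba)?sh"),
    "new_uid0_account": re.compile(r"useradd\[\d+\]: new user: .*UID=0"),
}

def signature_scan(log_text, signatures=SIGNATURES):
    """Signature-based detection: each line is compared with the known-threat database."""
    hits = []
    for line in log_text.splitlines():
        for name, pattern in signatures.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits

def failed_logins_per_minute(log_text):
    """Count 'Failed password' events per minute, keyed by the HH:MM of the timestamp."""
    counts = Counter()
    for line in log_text.splitlines():
        if "Failed password" in line:
            counts[line.split()[2][:5]] += 1
    return counts

def anomaly_scan(baseline_counts, observed_counts, k=3.0):
    """Anomaly-based detection: flag minutes whose failed-login count is more than
    k standard deviations above the mean of the learned 'normal behaviour' sample."""
    threshold = statistics.mean(baseline_counts) + k * statistics.pstdev(baseline_counts)
    return [(minute, n) for minute, n in sorted(observed_counts.items()) if n > threshold]

# Constructed baseline: failed logins per minute over a quiet training window
# (mean 0.2, population stdev 0.4, so the alert threshold is 1.4 per minute).
BASELINE = [0, 0, 1, 0, 0, 0, 1, 0, 0, 0]
```

Lowering `k` makes the anomaly check more sensitive and, as the article notes, raises the false-positive rate; the baseline must be re-learned whenever the host's normal workload changes.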
The simple answer is that HIDS protects against host-level attacks while NIDS (Network-Based Intrusion Detection System) protects against attacks on a network segment. Both intrusion systems operate by examining event and log messages generated by the system. In addition, NIDS works in real time, monitoring the packets that are going across the network for evidence of interference. In contrast, HIDS will look at historical data in logged files for system anomalies.
As each intrusion detection system has its benefits, the best strategy would be to incorporate both into your security systems, utilising their combined strengths. If an intruder manages to go undetected by the NIDS, it might be identified by the HIDS.
Host-Based Intrusion Detection offers a wide range of security capabilities, but it has its flaws, just like any other security solution.
Because an IDS analyses a copy of the data rather than the live traffic itself, it doesn't interrupt traffic flow; it essentially analyses the data offline. In contrast, an Intrusion Prevention System (IPS) monitors data in real time and makes traffic flow through it, thus preventing any incoming or outgoing malicious traffic on the network. As with IDS, intrusion prevention systems can be deployed either on the host or on the network. Host-based Intrusion Prevention Systems are known as HIPS and network-based ones as NIPS.
So IPS software installed on a host (HIPS) will block activity that it deems malicious and a HIDS will identify the threat but not block it. Basically, HIDS is a passive solution while HIPS is active. Often IPS and IDS solutions will be used in conjunction depending on a business's individual needs.
Host-Based Intrusion Detection Systems can play a part in a robust security system alongside the other IDPS (Intrusion Detection Prevention systems) solutions we briefly discussed. Each has its advantages and disadvantages, and all of them require the knowledge of IT security professionals to use them optimally.
Joe is a blogger and security evangelist who’s been raising the profile of cyber security for a decade. He writes about a variety of cyber and compliance topics, with a keen eye on translating events and data into valuable customer insights. Never boring, sometimes controversial, always insightful.