In this article, you will discover:
- What is SOC 2 and an Intrusion Detection System (IDS)
- IDS types, detection methods, and evasion methods
- IDS requirements in SOC 2
What is SOC 2?
SOC 2 (System and Organization Controls 2) is a compliance standard developed by the American Institute of CPAs (AICPA) in 2010. It provides guidelines for service organizations on protecting customer data from unauthorized access, security incidents and vulnerabilities.
It defines requirements to manage and store customer data based on five Trust Services Criteria (TSC):
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
SOC 2 is an attestation-based standard: the organization asserts that certain controls exist and operate, and an independent third-party auditor (a CPA firm) examines that assertion and issues a report. It is worth emphasizing that SOC 2 is voluntary rather than a legal mandate, and that it does not prescribe specific technical controls or best practices, so strictly speaking there is no official “SOC 2 Certification”, only an attestation report.
More information about SOC 2 can be found in this article.
What is an Intrusion Detection System?
An Intrusion Detection System (IDS) is a device or software application that monitors a network or host for malicious activity, suspicious activity or security policy violations and raises alerts when it finds them. Some systems sit inline on the traffic path and can also block or drop what they detect; these are classified as Intrusion Prevention Systems (IPS).
IDS Types
IDSs come in various forms, from antivirus software to comprehensive monitoring systems that oversee network traffic. They are categorized based on their placement within a system and the type of activity they monitor:
- Network Intrusion Detection Systems (NIDS): These systems analyze inbound and outbound network traffic, usually from a mirror port or network tap, and are positioned at key points in the network, typically just behind the firewall at the perimeter, to identify potentially harmful traffic that has made it past the first line of defense.
- Host-Based Intrusion Detection Systems (HIDS): These systems are installed as agents on specific endpoints such as servers, laptops or network devices and monitor the activity on that particular device: local logs, running processes and changes to critical files. A common mechanism is to periodically capture snapshots of critical operating system files and compare them against a known-good baseline, alerting security teams to any alteration or suspicious change.
While NIDS and HIDS are the most common, security teams can employ other IDSs for specific needs:
- Protocol-Based IDS (PIDS): These systems monitor connection protocols between servers and devices, commonly deployed on web servers to oversee HTTP or HTTPS connections.
- Application Protocol-Based IDS (APIDS): These systems operate at the application layer and monitor application-specific protocols, such as between web servers and SQL databases to identify SQL injections.
- Hybrid IDS: A hybrid intrusion detection system combines two or more intrusion detection approaches, leveraging both system or host agent data and network information to provide a comprehensive view of the system’s security.
IDS Detection Methods
There are various IDS detection methods, with the two most common variants being:
- Signature-based: Signature-based IDS identifies threats by matching traffic or files against a database of known patterns, such as byte sequences in network traffic, file hashes, or instruction sequences used by known malware. It is precise for what it knows, but it cannot detect new attacks for which no signature exists, and its signature set must be kept current.
- Anomaly-based: Anomaly-based IDS builds a statistical or machine-learning model of normal behavior (a baseline) and flags deviations from it, such as unusually high bandwidth usage or unexpected listening ports. It can catch previously unseen attacks, including zero-day exploits, but it also produces false positives when legitimate but unusual activity, such as an authorized user's first access to a sensitive resource or a large but sanctioned file transfer, falls outside the baseline.
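The two detection methods side by side, as an added example that is not part of the original article: a signature matcher looks for known byte patterns in the payload, while an anomaly detector learns a per-host baseline of outbound bytes and flags values far above it. The flow records, the signatures, the host address 10.0.0.5 and the z-score threshold are all constructed for the illustration; a real deployment would learn the baseline from days of traffic, not five flows.

```python
"""Signature-based vs. anomaly-based detection over constructed flow records.

Added illustration, not code from the original article. The records, the
signature list, the host address and the thresholds are constructed.
"""
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    src: str        # source host
    dst_port: int   # destination port
    bytes_out: int  # bytes sent by src in this flow
    payload: bytes  # first bytes of the application payload


# Constructed signatures: patterns seen in past attacks.
SIGNATURES = {
    "web-shell-cmd": re.compile(rb"cmd=.*(?:/bin/sh|cmd\.exe)", re.I),
    "sqli-union": re.compile(rb"union\s+select", re.I),
}


def signature_alerts(flow: Flow) -> list[str]:
    """Return the name of every signature whose pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(flow.payload)]


class AnomalyDetector:
    """Per-host baseline of outbound bytes; flags values far above the mean."""

    def __init__(self, z_threshold: float = 3.0):
        self.z_threshold = z_threshold
        self.baseline: dict[str, tuple[float, float]] = {}  # host -> (mean, stdev)

    def train(self, flows: list[Flow]) -> None:
        by_host: dict[str, list[int]] = {}
        for f in flows:
            by_host.setdefault(f.src, []).append(f.bytes_out)
        for host, sizes in by_host.items():
            mean = statistics.fmean(sizes)
            stdev = statistics.pstdev(sizes) or 1.0  # avoid division by zero
            self.baseline[host] = (mean, stdev)

    def is_anomalous(self, flow: Flow) -> bool:
        if flow.src not in self.baseline:
            return True  # never-seen host: no baseline, treat as anomalous
        mean, stdev = self.baseline[flow.src]
        return (flow.bytes_out - mean) / stdev > self.z_threshold


# Constructed "normal" traffic for one workstation: small HTTPS requests.
TRAINING = [Flow("10.0.0.5", 443, n, b"GET /index.html") for n in (900, 1100, 1000, 950, 1050)]

# Constructed events to classify.
EVENTS = {
    # known web-shell pattern, normal volume: only the signature engine fires
    "known-attack": Flow("10.0.0.5", 80, 1000, b"POST /upload.php cmd=/bin/sh -c id"),
    # no known pattern, 50 MB out of a ~1 KB baseline: only the anomaly engine fires
    "novel-exfil": Flow("10.0.0.5", 443, 50_000_000, b"PUT /backup.zip"),
    # sanctioned 5 MB upload: anomaly engine fires anyway (false positive)
    "legit-big-upload": Flow("10.0.0.5", 443, 5_000_000, b"PUT /quarterly-report.pdf"),
}


def classify(events: dict[str, Flow]) -> dict[str, dict[str, object]]:
    """Run both engines over each event and report what fired."""
    det = AnomalyDetector()
    det.train(TRAINING)
    return {
        name: {"signature": signature_alerts(f), "anomaly": det.is_anomalous(f)}
        for name, f in events.items()
    }


if __name__ == "__main__":
    for name, verdict in classify(EVENTS).items():
        print(f"{name:18} signature={verdict['signature']} anomaly={verdict['anomaly']}")
```

The third event is the point of the caveat above: the anomaly engine cannot distinguish the sanctioned upload from the exfiltration because both sit far outside the baseline, so tuning the threshold and enriching alerts with context (who, what resource, what time) is what keeps anomaly detection usable.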
IDS Evasion Techniques
Understanding how attackers attempt to breach secure networks provides insight into how they circumvent an IDS. Common tactics employed to evade IDS detection include:
- Distributed Denial-of-Service (DDoS): overwhelming IDS resources with malicious traffic from multiple sources to take them offline, allowing hackers to slip through undetected.
- Spoofing: faking IP addresses and DNS records to mask the origin of traffic and make it appear legitimate.
- Fragmentation: Dividing malware or other malicious payloads across several small IP fragments or TCP segments so that no single packet contains a complete signature. Attackers may also delay packets, send them out of order, or send overlapping fragments so that an IDS which inspects packets individually, or which reassembles them differently from the target host, never sees the attack as a whole.
- Encryption: Leveraging encrypted protocols (TLS, SSH, VPN tunnels) so that a network IDS sees only ciphertext. Unless traffic is decrypted at an inspection point, or a host-based sensor sees the plaintext, payload signatures cannot match.
- Operator Fatigue: generating a large volume of IDS alerts to overwhelm incident response teams, diverting their attention from real threats.
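The fragmentation evasion described above, as an added example that is not part of the original article: a signature split across two TCP segments that are delivered out of order slips past a matcher that inspects each packet on its own, but is caught once the sensor reorders the segments by sequence number and scans the reassembled stream. The request, the signature string and the sequence numbers are constructed for the illustration.

```python
"""Fragmentation evasion against a per-packet signature matcher, and the
stream-reassembling matcher that defeats it. Added illustration, not the
article's code; the request, signature and sequence numbers are constructed."""
from __future__ import annotations

from dataclasses import dataclass

SIGNATURE = b"/bin/sh"  # constructed signature for a command-injection attempt
REQUEST = b"GET /cgi-bin/test.cgi?cmd=/bin/sh -c id HTTP/1.0\r\n"  # constructed


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def attacker_fragment(data: bytes, split_at: int, base_seq: int = 1000) -> list[Segment]:
    """Split the data at split_at and ship the two segments out of order."""
    first, second = data[:split_at], data[split_at:]
    return [Segment(base_seq + split_at, second), Segment(base_seq, first)]


def naive_match(segments: list[Segment]) -> bool:
    """Per-packet inspection: fires only if one segment holds the whole signature."""
    return any(SIGNATURE in s.payload for s in segments)


def reassemble(segments: list[Segment]) -> bytes:
    """Order segments by sequence number and stitch the byte stream.

    Retransmitted or overlapping bytes are resolved with a first-seen policy;
    gaps are skipped (a real sensor would wait for the missing data)."""
    stream = bytearray()
    next_seq: int | None = None
    for s in sorted(segments, key=lambda s: s.seq):
        if next_seq is None:
            next_seq = s.seq
        if s.seq + len(s.payload) <= next_seq:
            continue  # entirely retransmitted data, already seen
        skip = max(0, next_seq - s.seq)  # bytes that overlap what we already hold
        stream += s.payload[skip:]
        next_seq = s.seq + len(s.payload)
    return bytes(stream)


def reassembling_match(segments: list[Segment]) -> bool:
    """Stream inspection: scan the reassembled payload instead of each packet."""
    return SIGNATURE in reassemble(segments)


def demo() -> dict[str, bool]:
    split = REQUEST.index(SIGNATURE) + 3  # cut inside "/bin/sh": "/bi" | "n/sh"
    segs = attacker_fragment(REQUEST, split)
    return {
        "single_packet": naive_match([Segment(1000, REQUEST)]),
        "fragmented_naive": naive_match(segs),
        "fragmented_reassembled": reassembling_match(segs),
    }


if __name__ == "__main__":
    for case, detected in demo().items():
        print(f"{case:24} detected={detected}")
```

The first-seen overlap policy is itself a choice the target operating system may not share; an IDS that resolves overlaps differently from the host it protects can be made to see a harmless stream while the host executes the attack, which is why production sensors model the reassembly behaviour of the hosts behind them.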
Importance of Intrusion Detection
Modern networked business environments require a high level of security to ensure safe and trusted communication between organizations. An intrusion detection system provides a second line of defense: it catches activity that preventive controls such as firewalls and authentication have failed to stop. Cyber attacks will only become more sophisticated, so detection technologies and the signatures and baselines behind them must keep pace with the threats.
Intrusion Detection for SOC 2
Among the Five Trust Services Criteria (TSC) outlined in SOC 2, Intrusion Detection Systems (IDS) are crucial for meeting the Security TSC requirements.
The Security principle pertains to safeguarding system resources from unauthorized access, which includes measures to prevent system abuse, data theft, software misuse, and unauthorized data alteration or disclosure. Utilizing IT security tools like network and web application firewalls, intrusion detection systems, and two-factor authentication helps in averting security breaches that could result in unauthorized access to systems and data.
The Security criteria are organized into nine series of Common Criteria (CC1 to CC9), each with its own “points of focus.” Of these, CC5.1, CC6.1, CC6.6, CC7.1, and CC7.2 are particularly pertinent to IDS requirements.
CC5.1 The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
An Intrusion Prevention System (IPS), which extends an IDS with the ability to block traffic, is one such preventive control, while an IDS that only alerts is a detective control.
CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
Suggested controls under this criterion include:
(1) Identify and authenticate users
(2) Restrict authorized user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements
(3) Prevent and detect unauthorized access
You can utilize network-, host-, and cloud-based intrusion detection systems for ongoing monitoring across both on-premises and cloud environments (such as AWS, Azure, Office 365, and G Suite). These systems detect threats and anomalies, including ransomware and malware, early enough for them to be contained.
CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
Boundary protection systems (e.g., firewalls, demilitarized zones, intrusion detection or prevention systems, and endpoint detection and response systems) need to be configured, implemented, and maintained to protect external access points.
CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files.
As part of host-intrusion detection, File Integrity Monitoring identifies and notifies you of modifications and access to crucial system and application binaries, configuration files, and Windows Registry entries on your critical servers.
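The change-detection mechanism CC7.1 describes, as an added example that is not part of the original article or of any FIM product: a baseline of SHA-256 digests and permission bits is taken over a directory tree, and a later snapshot is compared against it to report added, removed, modified and re-permissioned files. The directory layout and the tampering (a weakened sshd_config, a world-writable passwd, a replaced binary) are constructed inside a temporary directory for the illustration.

```python
"""File integrity monitoring: baseline, re-snapshot, and report the difference.

Added illustration, not the article's or any product's code. The files and the
tampering are constructed in a temporary directory so the example runs offline.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

Snapshot = dict[str, tuple[str, int]]  # relative path -> (sha256 hex, mode bits)


def snapshot(root: Path) -> Snapshot:
    """Hash every regular file under root and record its permission bits."""
    result: Snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = path.stat().st_mode & 0o7777
            result[str(path.relative_to(root))] = (digest, mode)
    return result


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict[str, list[str]]:
    """Classify each path as added, removed, content-modified or re-permissioned."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p][0] != after[p][0]),
        "permissions": sorted(
            p for p in common if before[p][0] == after[p][0] and before[p][1] != after[p][1]
        ),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed system tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        sshd = root / "etc" / "sshd_config"
        passwd = root / "etc" / "passwd"
        ls = root / "bin" / "ls"
        sshd.write_text("PermitRootLogin no\n")
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        ls.write_bytes(b"\x7fELF constructed-binary")
        for f in (sshd, passwd):
            f.chmod(0o644)  # fix the starting mode so the example is deterministic
        ls.chmod(0o755)

        baseline = snapshot(root)

        # Constructed tampering after the baseline was taken:
        sshd.write_text("PermitRootLogin yes\n")             # config weakened
        passwd.chmod(0o666)                                   # same content, now world-writable
        ls.unlink()                                           # original binary removed
        (root / "bin" / "ls.bak").write_bytes(b"\x7fELF constructed-binary")  # new file dropped

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:12} {paths}")
```

Storing the baseline somewhere the monitored host cannot rewrite it (a separate system, or a signed store) matters as much as the hashing: an attacker with root on the host can otherwise update the baseline along with the files.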
CC7.2 The entity monitors system components and their operations for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives. Analyze anomalies to determine whether they represent security events.
Detection policies, procedures, and tools (such as Intrusion Detection Systems) need to be defined and implemented on infrastructure and software to identify potential intrusions, inappropriate access, and anomalies in the operation of or unusual activity on systems.