Intrusion Detection Systems: Monitoring for Active Threats
An Intrusion Detection System (IDS) monitors network traffic or system activity for suspicious patterns and alerts when potential attacks or policy violations are detected. Unlike preventive controls that block attacks, an IDS is a detective control — its value is in detecting and enabling response to attacks that bypass other defences.
Types of IDS
- Network IDS (NIDS): Monitors network traffic for suspicious patterns — protocol anomalies, known attack signatures, unusual data volumes
- Host-based IDS (HIDS): Monitors activity on individual systems — file system changes, running processes, log events, system calls
- Cloud-native threat detection: AWS GuardDuty, Azure Defender, GCP Security Command Center — cloud-native services that analyse API calls, network flows, and user behaviour for threats
Intrusion Detection vs. Prevention
An Intrusion Prevention System (IPS) can actively block detected threats, while an IDS only alerts. WAFs are a form of application-layer IPS. In practice, many modern systems combine both — cloud-native security services can block as well as detect.
What We Monitor
- Failed authentication spikes across multiple accounts (credential stuffing)
- Authentication from unusual geographies or IP reputation flags
- Abnormal API call patterns (unusual volumes, unusual endpoints)
- Data exfiltration patterns (large data transfers to unexpected destinations)
- Infrastructure changes outside of deployment pipelines
- Unexpected process execution or outbound connections from application servers
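As an added illustration of the first two items above (not code from this page or from any product named here), the following Python script runs three toy detection rules over a handful of constructed authentication log lines: a sliding-window rule for credential stuffing (one source address failing against many distinct accounts), a rule for successful logins from a country outside a user's baseline, and a correlation that escalates any successful login from a source already flagged for stuffing. The log format, the thresholds (5 accounts in 5 minutes), the per-user country baseline and the severity labels are all assumptions chosen for the example.

```python
"""Toy IDS rules over constructed authentication log lines (added example, not from the page)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log, one event per line: "<ISO timestamp> <OK|FAIL> <user> <source IP> <country>".
# 203.0.113.7 fails against six accounts in nine seconds and then succeeds as frank;
# 198.51.100.9 fails twice against a single account; dave later succeeds from an unusual country.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL alice 203.0.113.7 NL
2024-05-01T10:00:03Z FAIL bob 203.0.113.7 NL
2024-05-01T10:00:05Z FAIL carol 203.0.113.7 NL
2024-05-01T10:00:06Z FAIL dave 203.0.113.7 NL
2024-05-01T10:00:08Z FAIL erin 203.0.113.7 NL
2024-05-01T10:00:09Z FAIL frank 203.0.113.7 NL
2024-05-01T10:00:10Z OK frank 203.0.113.7 NL
2024-05-01T10:02:00Z FAIL carol 198.51.100.9 NL
2024-05-01T10:02:30Z FAIL carol 198.51.100.9 NL
2024-05-01T10:03:00Z OK carol 198.51.100.9 NL
2024-05-01T10:05:00Z OK alice 192.0.2.44 NL
2024-05-01T10:07:00Z OK dave 192.0.2.5 BR
"""

# Assumed per-user baseline of countries previously seen for that user (constructed for the example).
KNOWN_COUNTRIES = {u: {"NL"} for u in ("alice", "bob", "carol", "dave", "erin", "frank")}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_auth_log(text):
    """Parse the assumed log format into dicts, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # a detector should tolerate a bad line rather than stop monitoring
        ts, result, user, ip, country = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ok": result == "OK", "user": user, "ip": ip, "country": country,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag a source IP whose failures span >= min_accounts distinct users inside a sliding window."""
    by_ip = {}
    for e in events:
        if not e["ok"]:
            by_ip.setdefault(e["ip"], []).append(e)
    alerts = []
    for ip, fails in by_ip.items():
        start, in_window, alert = 0, Counter(), None  # in_window: user -> failures currently in window
        for e in fails:
            in_window[e["user"]] += 1
            while e["ts"] - fails[start]["ts"] > window:  # slide the left edge forward
                old = fails[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                if alert is None:  # one alert per source; later events extend it instead of duplicating
                    alert = {"rule": "credential_stuffing", "severity": "high", "ip": ip,
                             "first_seen": fails[start]["ts"], "accounts": set()}
                    alerts.append(alert)
                alert["accounts"].update(in_window)
                alert["last_seen"] = e["ts"]
        if alert is not None:
            alert["accounts"] = sorted(alert["accounts"])
    return alerts


def detect_unusual_geography(events, baseline):
    """Flag successful logins from a country not in the user's baseline (a single rule, not proof of compromise)."""
    return [{"rule": "unusual_geography", "severity": "medium", "user": e["user"],
             "ip": e["ip"], "country": e["country"], "ts": e["ts"]}
            for e in events if e["ok"] and e["country"] not in baseline.get(e["user"], set())]


def correlate_success_after_stuffing(events, stuffing_alerts):
    """A success from a source already flagged for stuffing is the case responders most need to see first."""
    flagged = {a["ip"]: a["first_seen"] for a in stuffing_alerts}
    return [{"rule": "success_after_stuffing", "severity": "critical", "user": e["user"],
             "ip": e["ip"], "ts": e["ts"]}
            for e in events if e["ok"] and e["ip"] in flagged and e["ts"] >= flagged[e["ip"]]]


def run_detections(text, baseline=KNOWN_COUNTRIES):
    """Run every rule and return alerts ordered by severity, so routing can escalate the top ones first."""
    events = parse_auth_log(text)
    stuffing = detect_credential_stuffing(events)
    alerts = stuffing + detect_unusual_geography(events, baseline) + correlate_success_after_stuffing(events, stuffing)
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a["severity"]])


if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOG):
        print(a["severity"].upper(), a["rule"], {k: v for k, v in a.items() if k not in ("rule", "severity")})
```

Two details matter for real deployments. The stuffing rule keys on distinct accounts per source, so a few failures against one account (the 198.51.100.9 lines) produce nothing, which keeps the alert volume down at the cost of missing slow, single-target guessing that a separate per-account rule would cover. The geography rule is deliberately medium severity on its own: a new country is common for legitimate travel, and it is the correlation with an already-flagged source that justifies paging someone.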
Alerting and Response
An IDS is only valuable if alerts are acted upon. We configure alerts to route to the appropriate channel (PagerDuty, Slack, email) with severity-based escalation and defined response procedures.