IDPs (intrusion detection and prevention systems) have become a necessary part of the security infrastructure of nearly every organization. An IDP typically records information about observed events, notifies security administrators of the important ones, and produces reports.
This NIST publication describes the characteristics of IDP technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them.
Securing the IDP components themselves is important because attackers often target the IDP directly, either to blind it so that their attacks go undetected or to harvest the sensitive information it holds, such as host configurations and known vulnerabilities of the monitored systems.
IDPs are composed of several types of components, including sensors or agents, management servers, database servers, user and administrator consoles, and management networks.
Administrators should maintain the security of the IDP components on an ongoing basis. This includes verifying that each component is actually functioning as intended (a sensor that is up but no longer receiving traffic is not monitoring anything), monitoring the components themselves for security issues, performing regular vulnerability assessments of them, responding appropriately to vulnerabilities found in IDP software, and testing and deploying IDP updates, including signature and detection-content updates, promptly.
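As an added example (not part of the NIST guide or any vendor's product), the following Python script shows the kind of periodic check the paragraph above calls for: it walks status records that a hypothetical management server keeps for each sensor and agent and flags components whose heartbeat is stale, that have gone silent despite a healthy heartbeat, or that are running behind the current software version or signature revision. The record format, field names, sensor names and thresholds are all assumptions constructed for the example.

```python
"""IDP component health check (constructed example, not from NIST SP 800-94)."""
from datetime import datetime, timedelta, timezone

# Constructed sample: per-sensor status as a management server might hold it.
# Field names and values are assumptions for this example, not a vendor format.
NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)
SAMPLE_STATUS = [
    {"sensor": "net-sensor-dmz", "last_heartbeat": "2024-05-01T12:00:05Z",
     "last_event": "2024-05-01T11:59:40Z", "version": "5.2.1", "sig_rev": 2103},
    {"sensor": "net-sensor-core", "last_heartbeat": "2024-05-01T11:40:00Z",
     "last_event": "2024-05-01T11:39:00Z", "version": "5.2.1", "sig_rev": 2103},
    {"sensor": "host-agent-db01", "last_heartbeat": "2024-05-01T12:00:01Z",
     "last_event": "2024-05-01T10:30:00Z", "version": "5.1.9", "sig_rev": 2103},
    {"sensor": "wireless-sensor-hq", "last_heartbeat": "2024-05-01T12:00:03Z",
     "last_event": "2024-05-01T11:58:00Z", "version": "5.2.1", "sig_rev": 2095},
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def version_tuple(v):
    """Turn '5.2.1' into (5, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def check_sensors(records, now, current_version, current_sig_rev,
                  heartbeat_max=timedelta(minutes=5), quiet_max=timedelta(hours=1)):
    """Return {sensor_name: [issues]} for every component that needs attention.

    Checks performed per record:
      - stale heartbeat: the component has not reported in within heartbeat_max
      - no events in window: heartbeat is fine but no event has been produced
        within quiet_max, which often means the sensor has lost its traffic
        feed (mirror port down, agent hooks unloaded) and is effectively blind
      - outdated software: running an older release than current_version
      - outdated signatures: detection content behind current_sig_rev
    """
    findings = {}
    for r in records:
        issues = []
        if now - parse_ts(r["last_heartbeat"]) > heartbeat_max:
            issues.append("stale heartbeat")
        if now - parse_ts(r["last_event"]) > quiet_max:
            issues.append("no events in window")
        if version_tuple(r["version"]) < version_tuple(current_version):
            issues.append("outdated software")
        if r["sig_rev"] < current_sig_rev:
            issues.append("outdated signatures")
        if issues:
            findings[r["sensor"]] = issues
    return findings


if __name__ == "__main__":
    # Assumed current release and signature revision for the deployment.
    for sensor, issues in check_sensors(SAMPLE_STATUS, NOW, "5.2.1", 2103).items():
        print(f"{sensor}: {', '.join(issues)}")
```

The "no events in window" check is the one most often missing from real deployments: liveness monitoring alone reports a sensor as healthy while it has silently stopped seeing traffic. The quiet threshold should be tuned per sensor placement, since a sensor on a low-traffic segment legitimately produces fewer events than one on a busy perimeter.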
Organizations should consider using multiple types of IDP technologies to achieve more comprehensive and accurate detection and prevention of malicious activity.
The four primary types of IDP technologies (network-based, wireless, NBAD (network behavior anomaly detection), and host-based) each offer fundamentally different information gathering, logging, detection, and prevention capabilities. For most environments, a combination of network-based and host-based IDP technologies is needed for an effective IDP solution. Wireless IDP technologies may also be needed if the organization determines that its wireless networks need additional monitoring or if it wants to ensure that rogue wireless networks are not in use in its facilities. NBAD technologies can be deployed if the organization wants additional detection capabilities for denial of service attacks, worms, and other threats that NBADs are particularly well-suited to detecting. Direct IDP integration, in which a single console is used to manage and monitor several products, is most often possible when an organization uses multiple IDP products from a single vendor.
Evaluators need to understand the characteristics of the organization's system and network environments so that the selected IDP is compatible with them and able to monitor the events of interest on the relevant systems and networks. Evaluators should also articulate the goals and objectives they wish to attain with an IDP, such as stopping common attacks, identifying misconfigured wireless network devices, and detecting misuse of the organization's system and network resources.
http://www.bankinfosecurity.com/regulations.php?reg_id=307&PHPSESSID=a842e1d4d220653dc1dd762d42e04179