Host Based Intrusion Detection Systems

A host-based intrusion detection system (HIDS) is an intrusion detection system that is placed on a single host system. This involves an agent being installed on the host system that monitors and reports on the system configuration and application activity. Some common abilities include log analysis, integrity checking, policy enforcement, and rootkit detection. Most HIDS can be customized for specific use cases, allowing you to build custom rules right out of the box.

There are many HIDS on the market today that can be implemented into your infrastructure. In this post we will be focusing on solutions that could be used by both startups and enterprise-level businesses. The three HIDS that we will be discussing are Threat Stack, Tripwire, and OSSEC. We decided to focus on these solutions because of the market share that they hold and whether they include an open-source solution.

Threat Stack

Threat Stack is a SaaS offering that strives to provide “continuous security monitoring for public, private, and hybrid cloud infrastructures…”. This includes server protection and data protection. Threat Stack features workload insights, infrastructure monitoring, compliance reporting, threat intelligence, and vulnerability management. It works by creating a Threat Stack account and then installing the agent on one of the supported Linux operating systems (Windows is not supported). All logs and alerts are sent back to the Threat Stack server and can then be viewed using the Threat Stack web interface.

Tripwire

Tripwire is a “software security and data integrity tool useful for monitoring and alerting on specific file change(s)..”. Unlike Threat Stack, Tripwire does work on Windows operating systems, but this requires the paid enterprise version. Tripwire creates a baseline of all files in an encrypted file and then monitors the files for changes. It works by installing the Tripwire server application on a Linux server for the open-source version, and on Windows/Linux for the enterprise version. Agents are installed on the servers and configured to know what files should be monitored.
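
The baseline-then-monitor approach described above, as an added Python example (not Tripwire's code and not from the original post). It hashes a constructed sample directory, authenticates the stored baseline with an HMAC instead of encrypting it, and reports added, removed and modified files; the file names, the key and the `snapshot`, `seal`, `check`, `write` and `demo` helpers are assumptions made for illustration.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def seal(digests, key):
    """Serialize the baseline and attach an HMAC so edits to it are detectable."""
    body = json.dumps(digests, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def check(root, sealed, key):
    """Compare the current tree with a sealed baseline and return the drift."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("baseline failed authentication")
    old, new = json.loads(sealed["body"]), snapshot(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample tree: baseline it, change it, then report the drift."""
    key = b"constructed-demo-key"  # assumption: a real key would live off-host
    with tempfile.TemporaryDirectory() as root:
        write(root, "sshd_config", b"PermitRootLogin no\n")
        write(root, "motd", b"hello\n")
        write(root, "preexisting", b"on disk before the baseline\n")  # trusted as-is
        sealed = seal(snapshot(root), key)
        write(root, "sshd_config", b"PermitRootLogin yes\n")  # modified
        os.remove(os.path.join(root, "motd"))                 # removed
        write(root, "new_cron", b"* * * * * job\n")           # added
        return check(root, sealed, key)

if __name__ == "__main__":
    print(demo())
```

The `preexisting` file is never reported because it was already on disk when the baseline was taken, so whatever state exists at baseline time is treated as known-good.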

Tripwire is available in an enterprise and an open-source version. The open-source version is very limited and does not generate real-time alerts. The enterprise version is the full version of the software and can be set up to send out real-time alerts upon intrusion detection. Tripwire Enterprise starts at $699 plus a node licensing fee on top of that.

OSSEC

OSSEC is a “scalable, multi-platform, open-source Host-based Intrusion Detection System…”. OSSEC has a powerful correlation and analysis engine that integrates log analysis, file integrity checking, Windows registry monitoring, and much more. OSSEC has a real-time alerting engine that can send notifications in a variety of ways, including email, Slack, and PagerDuty. It works by installing the OSSEC server application on a Linux-based host, and then installing the agents on a variety of host operating systems. The agent can be installed on Windows, Linux, and macOS. The agents and server communicate by sending messages that are encrypted using the Blowfish algorithm and compressed using zlib.

OSSEC is completely open-source and has a very active community. OSSEC can also be integrated with the ELK Stack, giving you powerful search and a web UI. Alternatively, OSSEC has created its own web UI that can be downloaded and configured from the OSSEC GitHub account.

Comparison

Platform: Threat Stack
Pros:
– Workload Insights
– Infrastructure Monitoring
– Deployment using Chef/Puppet/Ansible/Salt
– Compliance Reporting (Advanced/Pro Version)
– Vulnerability Management
Cons:
– Only supports Linux
– No open-source version

Platform: Tripwire
Pros:
– Monitors files and reports unauthorized changes
– Creates a baseline of all the files and then monitors for changes
Cons:
– Open-source version is Linux only
– Open-source version does not generate real-time alerts upon intrusion detection
– All alerts for the open-source version are saved in log files
– Open-source version cannot detect any intrusions already on the system prior to installation

Platform: OSSEC
Pros:
– Agent runs on Windows, Linux, and macOS
– Server and agent communicate via encrypted messages
– Advanced log analysis engine
– Can be integrated with Slack and PagerDuty
– Can be integrated with the ELK Stack
Cons:
– Upgrading to newer versions can be difficult
– When upgrading, previously defined rules are overwritten by default values

Conclusion

Your specific use cases and the level of service that you need will guide you to the solution that is best for your company. If you are looking for a very good all-around solution that has community support but no enterprise-level support, then OSSEC would be the best option. If you need the peace of mind of having a support team available to you at any time, then Threat Stack would probably be the next best option. Either way, adding a host-based intrusion detection system would not only help in your compliance efforts, it would also add an extra layer of monitoring and security, giving you deeper insight into your infrastructure.