Protecting servers that are running your business applications and storing your critical data should be the most important responsibility for security professionals. Antivirus and Host IDS (HIDS) are effective last line of defense for preventing and detecting malicious actors targeting your servers after perimeter defenses have failed or bypassed.
Layering these technologies into your defense is smart, because history has shown that no prevention system is 100% effective and the ingenuity of the bad actors are limitless.
While antivirus is well-known as the go-to tool for blocking malware infections on endpoints and infamous for making systems crawl during malware scans, HIDS should also be a part of your IT threat detection defenses because HIDS spot IOCs on the server after prevention defenses fail.
So which should you use antivirus or HIDS as the last line of server defenses?
The question shouldn’t be antivirus vs HIDS, but rather antivirus + HIDS. These technologies are complementary:
- Antivirus is a prevention tool that attempts to block installation of malware through known signatures and malware heuristics
- HIDS is a lightweight host-based detection tool that alerts admins and SIEMS to changes to the server by monitoring logs, directories, files, and registries.
What makes HIDS so effective in detecting intrusions is that it watches for the exact actions that the malware has to take in the course of server infections. After all, malware has to add, modify, and/or delete programs, services, configuration, or registry settings in order to accomplish its objectives. In other words, HIDS tells you when an attack has succeeded and it is time for you to respond.
By using both antivirus and HIDS, you are helping to minimizing the attack surface, then maximizing your threat detection capabilities so that you can respond to the realities of prevention systems.
Okay, that’s great, but we all live in the real world with budget and performance constraints. What If you can’t afford layered prevention that includes antivirus? Then you had better get really good at detecting and responding to intrusions. HIDS is an affordable detection technology that will go a long way in helping you build a layered defense in depth.
|AlienVault USM HIDS||Antivirus|
|No added cost for AlienVault USM||Can be costly, typically licensed per host|
Low host overhead, typically
~ 1% CPU
|Host CPU intensive|
AlienVault USM HIDS
- Log analysis based intrusion detection
- File integrity checking
- Registry keys integrity checking (Windows)
- Signature based malware/rootkits detection
- Real-time alerting and active response