Antivirus or Host IDS, Your Last Line of Defense

May 26, 2016 | Don Shin
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Protecting servers that are running your business applications and storing your critical data should be the most important responsibility for security professionals. Antivirus and Host IDS (HIDS) are effective last line of defense for preventing and detecting malicious actors targeting your servers after perimeter defenses have failed or bypassed.

Layering these technologies into your defense is smart, because history has shown that no prevention system is 100% effective and the ingenuity of the bad actors are limitless.

While antivirus is well-known as the go-to tool for blocking malware infections on endpoints and infamous for making systems crawl during malware scans, HIDS should also be a part of your IT threat detection defenses because HIDS spot IOCs on the server after prevention defenses fail.

So which should you use antivirus or HIDS as the last line of server defenses?

The question shouldn’t be antivirus vs HIDS, but rather antivirus + HIDS. These technologies are complementary:

  • Antivirus is a prevention tool that attempts to block installation of malware through known signatures and malware heuristics
  • HIDS is a lightweight host-based detection tool that alerts admins and SIEMS to changes to the server by monitoring logs, directories, files, and registries.

What makes HIDS so effective in detecting intrusions is that it watches for the exact actions that the malware has to take in the course of server infections. After all, malware has to add, modify, and/or delete programs, services, configuration, or registry settings in order to accomplish its objectives. In other words, HIDS tells you when an attack has succeeded and it is time for you to respond.

By using both antivirus and HIDS, you are helping to minimizing the attack surface, then maximizing your threat detection capabilities so that you can respond to the realities of prevention systems.

Okay, that’s great, but we all live in the real world with budget and performance constraints. What If you can’t afford layered prevention that includes antivirus? Then you had better get really good at detecting and responding to intrusions. HIDS is an affordable detection technology that will go a long way in helping you build a layered defense in depth.

AlienVault USM HIDSAntivirus
No added cost for AlienVault USMCan be costly, typically licensed per host

Low host overhead, typically

~ 1% CPU

~10MB footprint

Host CPU intensive

AlienVault USM HIDS

  • Log analysis based intrusion detection
  • File integrity checking
  • Registry keys integrity checking (Windows)
  • Signature based malware/rootkits detection
  • Real-time alerting and active response

You can learn more about HIDS by watching this webinar or or test drive AlienVault USM in our online demo environment.

Don Shin

About the Author: Don Shin
Don has over 20 years of experience in product management and marketing, focused around the networking, security and semiconductors industries. His background includes roles with Ixia, Freescale and AMD, among other technology companies. At AlienVault, Don enjoys developing technical resources to help customers understand how to best leverage the AlienVault platform to solve their security challenges.
Read more posts from Don Shin ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL