Friday, February 28, 2020

Criteria for choosing an IDS / IPS solution for PCI DSS

Whether you opt for an NIDS or NIPS solution as an appliance, as software or as a firewall module, the criteria below should be taken into account when choosing and deploying a solution for incident monitoring in a PCI DSS compliance environment:


  • The solution must provide signature-based detection, anomaly analysis and stateful protocol analysis (state inspection)
  • It must be able to analyze the perimeter of the PCI DSS network and the segments considered critical. Consider deploying separate sensors in each critical area to be monitored
  • The solution should allow customization of alerts and detection criteria, so that false positives can be managed and new detection / prevention controls can be added beyond those supplied by the vendor
  • The solution must support regular updates of both its components and its signatures. Keep in mind that finalizing an update often requires rebooting the equipment, so manage updates according to requirement 6.4.5 to avoid an outage of the control that could leave the environment exposed
  • For appliances, consider the scalability of the device and the density of network ports, including management ports

In addition, the following is recommended:


  • Before putting an IDS / IPS solution into production, define a “learning” period in which the device captures, analyzes and gathers statistical information on the normal behavior of the network, in order to establish thresholds for anomaly detection
  • If an inline IDS / IPS solution is deployed, keep in mind that the equipment can become a single point of failure; it may be necessary to deploy the devices in a high-availability configuration and to perform periodic analyses of equipment performance to prevent bottlenecks
  • When monitoring traffic coming from open public networks, ensure that the IDS / IPS sensor has access to the traffic in clear text; otherwise encrypted traffic cannot be inspected
  • Ideally, the solution should integrate with the centralized logging system (req. 10.5.3 and 10.5.4) and send alerts through different channels (email, SMS, etc.)
  • Check whether the solution integrates with other security devices, for example by reconfiguring rules on firewalls and switches in response to a detected intrusion
  • Analyze the security features the solution offers for self-defense against targeted attacks
  • If virtualization platforms are in use, consider the need to monitor the network segments on those platforms, including virtual switches
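The “learning” period and the alert customization items above describe how anomaly thresholds are derived from normal traffic and how one-off spikes are kept from producing false positives. The following is an added example, not code from the original post or from any particular product: it takes constructed per-minute counters from a hypothetical sensor, sets each threshold at mean + K·stdev over the learning window, and only alerts once a metric stays above its threshold for several consecutive samples (K, the metric names and the sample values are assumptions).

```python
"""Learning-period baselining and consecutive-sample alerting (added example)."""
from statistics import mean, pstdev

K = 3.0  # sigma multiplier for the threshold; assumed tuning value


def learn_thresholds(samples, k=K):
    """samples: list of {metric: value} dicts recorded during the learning
    period. Returns {metric: threshold} with threshold = mean + k * stdev."""
    thresholds = {}
    for metric in samples[0]:
        values = [s[metric] for s in samples]
        thresholds[metric] = mean(values) + k * pstdev(values)
    return thresholds


def evaluate(sample, thresholds):
    """Return (metric, value, threshold) for every metric above its threshold."""
    return [(m, sample[m], t) for m, t in thresholds.items() if sample[m] > t]


class AnomalyMonitor:
    """Alert only after a metric exceeds its threshold for `min_consecutive`
    samples in a row, a simple way to suppress single-sample spikes."""

    def __init__(self, thresholds, min_consecutive=2):
        self.thresholds = thresholds
        self.min_consecutive = min_consecutive
        self.streak = {m: 0 for m in thresholds}

    def observe(self, sample):
        alerts = []
        for metric, limit in self.thresholds.items():
            if sample[metric] > limit:
                self.streak[metric] += 1
                if self.streak[metric] >= self.min_consecutive:
                    alerts.append(metric)
            else:
                self.streak[metric] = 0  # back to normal: reset the streak
        return alerts


# Constructed learning data: ten minutes of "normal" traffic on a monitored segment
LEARNING = [
    {"new_connections": 100 + (i % 3) * 5, "syn_no_ack": 2 + i % 2, "dns_queries": 40 + i}
    for i in range(10)
]

if __name__ == "__main__":
    thresholds = learn_thresholds(LEARNING)
    monitor = AnomalyMonitor(thresholds)
    for minute in ({"new_connections": 150, "syn_no_ack": 40, "dns_queries": 45},) * 2:
        print(monitor.observe(minute))  # [] on the first spike, then the alert
```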

