Host-based IDS (e.g. OSSEC, Wazuh) monitors file and process changes. Centralize logs and use SIEM or alerting for anomalies. Combine with network-level detection. Tier-III providers often offer managed detection options.
Host-based IDS (HIDS)
- What it does: Monitors file integrity (changes to critical files), processes, and sometimes log patterns. Alerts on suspicious or unauthorized changes.
- Tools: OSSEC, Wazuh, Tripwire, AIDE. Some are open source; deploy an agent on each server or use a central manager.
- Tuning: Reduce false positives by excluding known volatile paths (e.g. caches, logs) and tuning rules. Maintain a baseline.
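The baseline-and-compare loop that a HIDS file-integrity check performs, with volatile paths excluded, as an added example in Python (not code from OSSEC, Wazuh, Tripwire or AIDE). The directory tree, file names and the `VOLATILE_DIRS` exclusion set are constructed for the demonstration; a real deployment would store the baseline out of band so an intruder cannot rewrite it along with the files.

```python
"""Minimal file-integrity baseline/compare in the style of a HIDS FIM check.
Added example for this page; not the code of any of the tools it names."""
import hashlib
import tempfile
from pathlib import Path

# Directory names to skip because they change constantly and only generate
# noise (the page's "exclude known volatile paths" advice). Constructed set.
VOLATILE_DIRS = {"cache", "log"}


def _is_excluded(rel: Path, volatile=VOLATILE_DIRS) -> bool:
    # Exclude any file whose relative path passes through a volatile directory
    return any(part in volatile for part in rel.parts)


def file_hash(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, volatile=VOLATILE_DIRS) -> dict:
    """Map relative path -> {sha256, mode} for every non-excluded file."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        if _is_excluded(rel, volatile):
            continue
        baseline[rel.as_posix()] = {
            "sha256": file_hash(p),
            "mode": p.stat().st_mode & 0o777,  # permission changes count too
        }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines into added / removed / modified path lists."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed tree, baseline it, change it, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc" / "ssh").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "var" / "log").mkdir(parents=True)
        (root / "var" / "log" / "auth.log").write_text("boot\n")
        baseline = build_baseline(root)

        # Simulated changes: a config edit, a new cron entry, a deleted file,
        # and log churn that must NOT raise an alert because it is excluded.
        (root / "etc" / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("0 2 * * * root /usr/local/bin/backup.sh\n")
        (root / "etc" / "passwd").unlink()
        (root / "var" / "log" / "auth.log").write_text("boot\nmore\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Running the script reports the sshd_config edit, the new cron.d entry and the missing passwd file, while the growing auth.log stays silent; the same exclusion mechanism is what keeps a production FIM from paging on every cache write.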
Log centralization and SIEM
- Centralize: Send logs (auth, app, firewall, IDS) to a central system (ELK, Splunk, Loki, or managed SIEM). Enables correlation and search across servers.
- Alerting: Define rules for anomalies (e.g. failed logins, privilege escalation, unexpected outbound). Escalate to the right team.
- Retention: Keep logs long enough for investigation and compliance; balance storage cost.
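The three alert rules named above (failed logins, privilege escalation, unexpected outbound), run over a constructed sample of centralized log lines from several hosts, as an added example in Python that is not code from ELK, Splunk, Loki or any SIEM. The log lines, the line format, the `ALLOWED_OUTBOUND_PORTS` set and the thresholds are all assumptions for the demonstration; the point it shows beyond the text is why centralization matters: the failed-login burst is only visible once failures from one source are counted across web01, db01 and web02 together.

```python
"""Toy SIEM-style correlation over centralized logs.
Added example for this page; not the code of any SIEM product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from several hosts, as a collector might receive
# them ("timestamp host program: message"). Addresses are documentation ranges.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-05-01T10:00:03 web01 sshd[1202]: Failed password for root from 203.0.113.7 port 51130 ssh2
2024-05-01T10:00:05 db01 sshd[880]: Failed password for root from 203.0.113.7 port 51140 ssh2
2024-05-01T10:00:07 db01 sshd[881]: Failed password for root from 203.0.113.7 port 51141 ssh2
2024-05-01T10:00:09 web02 sshd[455]: Failed password for root from 203.0.113.7 port 51150 ssh2
2024-05-01T10:01:00 web01 sshd[1210]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
2024-05-01T10:02:30 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
2024-05-01T10:03:00 db01 firewall: OUT proto=tcp src=10.0.0.12 dst=192.0.2.44 dport=4444 action=allow
2024-05-01T10:03:05 db01 firewall: OUT proto=tcp src=10.0.0.12 dst=192.0.2.10 dport=443 action=allow
"""

FAIL_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
SUDO_RE = re.compile(r"^(\S+) (\S+) sudo: (\S+) : .*USER=(\S+) ; COMMAND=(\S+)")
FW_RE = re.compile(r"^(\S+) (\S+) firewall: OUT proto=\S+ src=\S+ dst=(\S+) dport=(\d+)")

# Ports this (constructed) fleet is expected to reach outbound; anything else
# is "unexpected outbound" and worth a look.
ALLOWED_OUTBOUND_PORTS = {53, 80, 123, 443}


def failed_login_bursts(failures, window=60, threshold=3):
    """One alert per source that produced >= threshold failures within
    `window` seconds, counted across every host (cross-server correlation)."""
    by_src = defaultdict(list)
    for ts, host, _user, src in failures:
        by_src[src].append((ts, host))
    alerts = []
    for src, items in by_src.items():
        items.sort()
        best = (0, 0, 0)  # (count, start idx, end idx) of the densest window
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > timedelta(seconds=window):
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count >= threshold:
            alerts.append({"rule": "failed_login_burst", "src": src, "count": count,
                           "hosts": sorted({h for _, h in items[s:e + 1]})})
    return alerts


def analyze(text, allowed_ports=ALLOWED_OUTBOUND_PORTS):
    """Parse the collected lines and return a list of alert dicts."""
    failures, alerts = [], []
    for line in text.splitlines():
        if m := FAIL_RE.match(line):
            ts, host, user, src = m.groups()
            failures.append((datetime.fromisoformat(ts), host, user, src))
        elif m := SUDO_RE.match(line):
            _ts, host, user, target, cmd = m.groups()
            if target == "root":  # escalation to root via sudo
                alerts.append({"rule": "privilege_escalation", "host": host,
                               "user": user, "command": cmd})
        elif m := FW_RE.match(line):
            _ts, host, dst, dport = m.groups()
            if int(dport) not in allowed_ports:
                alerts.append({"rule": "unexpected_outbound", "host": host,
                               "dst": dst, "dport": int(dport)})
    return failed_login_bursts(failures) + alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(a)
```

Each host alone sees at most two failures from 203.0.113.7, below the threshold; the central view counts five across three hosts and raises one alert. The outbound rule fires for port 4444 but not 443, and the sudo rule fires on the escalation to root; the "Accepted publickey" line matches no rule and is correctly ignored.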
Network-level detection
- NIDS: Network IDS (e.g. Suricata, Zeek) inspects traffic for known attacks or anomalies. Often run at the perimeter or on a mirror port.
- Combine: HIDS + NIDS + logs give a fuller picture. Tier-III or managed providers may offer managed detection and response (MDR).
Summary
Use HIDS (e.g. Wazuh) for file and process monitoring; centralize logs and add SIEM/alerting. Combine with NIDS where possible. Tune to reduce false positives; consider managed detection from the provider.