Host Intrusion Detection Systems (HIDSs)
HIDS software is installed on a device or server to monitor suspicious activity. It monitors system calls and file system access to detect malicious requests. It can also monitor configuration information about the device that is held in the system registry.
A HIDS stores all log data locally. It is resource-intensive, so it can affect system performance. A HIDS cannot monitor network traffic that does not reach the host system, but it can monitor operating system and critical system processes specific to that host.
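As an added illustration (this is not code from the textbook), the following Python script does the file-system side of what a HIDS does: it records a baseline of hashes and permission bits for watched files, re-scans, and reports files that were added, removed, modified or had their mode changed. The directory tree, file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example: a minimal file-integrity monitor of the kind a HIDS runs over
# watched directories. The tree built in demo() is constructed, not a real host.

def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: relative path -> hash and mode bits."""
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            snapshot[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": p.stat().st_mode & 0o777,
            }
    return snapshot

def compare(baseline: dict, current: dict) -> list:
    """Diff two snapshots into (finding, path) pairs in stable path order."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append(("added", rel))
        elif new is None:
            findings.append(("removed", rel))
        else:
            if old["sha256"] != new["sha256"]:
                findings.append(("modified", rel))
            if old["mode"] != new["mode"]:
                findings.append(("permissions_changed", rel))
    return findings

def demo() -> list:
    """Baseline a constructed tree, apply one change of each kind, and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF-placeholder")
        os.chmod(root / "bin" / "service", 0o755)
        baseline = build_baseline(root)

        # Changes a HIDS should surface on its next scan.
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")            # content modified
        (root / "etc" / "motd").unlink()                                        # file removed
        (root / "etc" / "cron.conf").write_text("*/5 * * * * /bin/service\n")   # file added
        os.chmod(root / "bin" / "service", 0o777)                               # mode changed
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:22} {path}")
```

A real HIDS keeps the baseline in a protected store and also hooks system calls so that changes are seen as they happen rather than on the next scan, but the comparison logic is the same.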
Host Intrusion Prevention Systems (HIPSs)
A HIPS is software that monitors a device for known attacks and for anomalies (deviations in bandwidth, protocols, and ports), or that finds red flags by inspecting the actual protocols carried in packets. If it detects malicious activity, the HIPS tool can raise an alarm, log the activity, reset the connection, and/or drop the packets.
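The anomaly side of a HIPS, as an added example that is not from the textbook: the script below learns which protocol/port pairs a host normally uses and how much traffic it normally sends per minute, then flags a service it has never seen and a volume spike, mapping each finding to one of the responses the text lists. The connection records, the learning window and the response policy are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Added example: HIPS-style anomaly detection over a constructed stream of per-host
# connection records. Each record is (minute, protocol, destination port, bytes).
LEARNING_WINDOW = [
    (0, "tcp", 443, 600), (0, "udp", 53, 400),
    (1, "tcp", 443, 1000), (1, "udp", 53, 200),
    (2, "tcp", 443, 900),
    (3, "tcp", 443, 800), (3, "udp", 53, 300),
    (4, "tcp", 443, 800),
]
OBSERVED = [
    (5, "tcp", 443, 500), (5, "udp", 53, 400),   # ordinary traffic
    (6, "udp", 53, 100), (6, "tcp", 22, 300),    # tcp/22 never seen during learning
    (7, "tcp", 443, 25000),                      # volume far above the learned range
]

# Constructed policy: which of the responses the text lists to take per anomaly type.
RESPONSE = {"new_service": "alarm+log", "bandwidth_anomaly": "reset_connection"}

def per_minute_volume(records) -> dict:
    """Sum bytes per minute so bandwidth is judged per interval, not per connection."""
    totals = defaultdict(int)
    for minute, _, _, nbytes in records:
        totals[minute] += nbytes
    return dict(totals)

def learn_baseline(records) -> dict:
    """Learn the set of normal services and the normal per-minute volume."""
    volumes = list(per_minute_volume(records).values())
    return {
        "services": {(proto, port) for _, proto, port, _ in records},
        "mean": mean(volumes),
        "stdev": pstdev(volumes),
    }

def evaluate(baseline: dict, records, k: float = 3.0) -> list:
    """Flag unseen protocol/port pairs and minutes whose volume exceeds mean + k*stdev."""
    findings = []
    for minute, proto, port, _ in records:
        if (proto, port) not in baseline["services"]:
            findings.append({"minute": minute, "reason": "new_service",
                             "detail": f"{proto}/{port}",
                             "action": RESPONSE["new_service"]})
    threshold = baseline["mean"] + k * baseline["stdev"]
    for minute, volume in sorted(per_minute_volume(records).items()):
        if volume > threshold:
            findings.append({"minute": minute, "reason": "bandwidth_anomaly",
                             "detail": f"{volume} bytes > {threshold:.0f}",
                             "action": RESPONSE["bandwidth_anomaly"]})
    return sorted(findings, key=lambda f: f["minute"])

if __name__ == "__main__":
    for f in evaluate(learn_baseline(LEARNING_WINDOW), OBSERVED):
        print(f"minute {f['minute']}: {f['reason']} ({f['detail']}) -> {f['action']}")
```

The learning window yields a mean of 1000 bytes per minute with a population standard deviation of about 141, so the k=3 threshold is about 1424 bytes; minute 7 is well past it, while the tcp/22 connection in minute 6 is caught by the service allowlist rather than by volume.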
Endpoint Detection and Response (EDR)
EDR is an integrated security solution that continuously monitors and collects data from an endpoint device, analyzes that data, and responds to any threats it detects. An antivirus can only block threats, whereas EDR can do that and also find threats that are already on the device.
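To make the antivirus/EDR distinction concrete, here is an added example (not from the textbook) of a toy EDR pipeline: a signature-only check passes a binary whose hash is unknown, while a behavioural score built from the same process's telemetry crosses a threshold and triggers a response. Every path, hash, indicator weight and event is constructed for the demo.

```python
import hashlib
from collections import defaultdict

# Added example: a toy EDR pipeline over constructed endpoint telemetry.
KNOWN_BAD_HASHES = {"<placeholder: hash of a previously catalogued sample>"}
COMMON_PORTS = {80, 443, 53}
THRESHOLD = 4

TELEMETRY = [
    {"pid": 4120, "type": "process_start",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "sha256": hashlib.sha256(b"constructed unknown binary").hexdigest()},
    {"pid": 4120, "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update"},
    {"pid": 4120, "type": "network_connect", "dst": "198.51.100.7", "port": 8081},
    {"pid": 3008, "type": "process_start",
     "image": "C:\\Program Files\\Editor\\editor.exe",
     "sha256": hashlib.sha256(b"constructed benign binary").hexdigest()},
    {"pid": 3008, "type": "network_connect", "dst": "203.0.113.10", "port": 443},
]

def antivirus_verdict(event: dict) -> str:
    """Signature-style check: block only if the file hash is already known bad."""
    return "block" if event.get("sha256") in KNOWN_BAD_HASHES else "allow"

def score_event(event: dict):
    """Map one telemetry event to an (indicator, weight) pair, or None if benign."""
    if event["type"] == "process_start" and "\\Temp\\" in event["image"]:
        return ("image_in_temp_dir", 2)
    if event["type"] == "registry_set" and "\\CurrentVersion\\Run\\" in event["key"]:
        return ("run_key_persistence", 3)
    if event["type"] == "network_connect" and event["port"] not in COMMON_PORTS:
        return ("uncommon_outbound_port", 2)
    return None

def edr_analyze(events) -> dict:
    """Correlate events per process; respond when the behavioural score crosses THRESHOLD."""
    state = defaultdict(lambda: {"score": 0, "indicators": [], "av": "allow"})
    for ev in events:
        proc = state[ev["pid"]]
        if ev["type"] == "process_start":
            proc["av"] = antivirus_verdict(ev)
        hit = score_event(ev)
        if hit:
            proc["indicators"].append(hit[0])
            proc["score"] += hit[1]
    detections = {}
    for pid, proc in state.items():
        if proc["score"] >= THRESHOLD:
            detections[pid] = {**proc, "response": ["terminate_process", "isolate_host",
                                                     "collect_artifacts"]}
    return detections

if __name__ == "__main__":
    for pid, det in edr_analyze(TELEMETRY).items():
        print(pid, det["av"], det["score"], det["indicators"], det["response"])
```

The process with pid 4120 is allowed by the hash check (its hash matches nothing) but accumulates three indicators for a score of 7, so the EDR layer terminates it, isolates the host and collects artifacts for the analyst; pid 3008 produces no indicators and is left alone.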
Data Loss Prevention (DLP)
DLP tools provide a centralized way to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.
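The content-inspection step at the heart of a DLP tool, as an added example that is not from the textbook: it finds payment-card numbers (validated with the Luhn checksum so that arbitrary 16-digit strings are not flagged) and SSN-shaped numbers in outgoing text, then applies a per-channel policy that blocks or redacts. The sample text, patterns and policy table are constructed; real products ship far larger pattern libraries.

```python
import re

# Added example: a small DLP content-inspection and policy step over constructed input.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed policy: what to do on each channel when each data type is found.
POLICY = {
    "external_email": {"credit_card": "block", "ssn": "block"},
    "internal_chat": {"credit_card": "redact", "ssn": "redact"},
}

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right and checks the sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> list:
    """Return (start, end, kind, digits) for every validated match, in document order."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):          # filters most numeric false positives
            hits.append((m.start(), m.end(), "credit_card", digits))
    for m in SSN_RE.finditer(text):
        hits.append((m.start(), m.end(), "ssn", re.sub(r"\D", "", m.group())))
    return sorted(hits)

def redact(text: str, hits: list) -> str:
    """Replace each hit with a marker that keeps only the last four digits."""
    out, pos = [], 0
    for start, end, kind, digits in hits:
        out.append(text[pos:start])
        out.append(f"<{kind}:...{digits[-4:]}>")
        pos = end
    out.append(text[pos:])
    return "".join(out)

def enforce(text: str, channel: str) -> dict:
    """Inspect text bound for a channel and return the policy decision."""
    hits = find_sensitive(text)
    findings = [(kind, digits[-4:]) for _, _, kind, digits in hits]
    actions = {POLICY[channel][kind] for _, _, kind, _ in hits}
    if "block" in actions:
        return {"action": "block", "findings": findings, "text": None}
    if "redact" in actions:
        return {"action": "redact", "findings": findings, "text": redact(text, hits)}
    return {"action": "allow", "findings": findings, "text": text}

SAMPLE = ("Invoice for card 4111 1111 1111 1111, ref 1234 5678 9012 3456, "
          "employee SSN 123-45-6789.")

if __name__ == "__main__":
    print(enforce(SAMPLE, "external_email"))
    print(enforce(SAMPLE, "internal_chat"))
```

The reference number 1234 5678 9012 3456 looks like a card number but fails the Luhn check, so it is neither blocked nor redacted; 4111 1111 1111 1111 passes and is treated as card data.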
Next-Generation Firewall (NGFW)
An NGFW is a network security device that combines a traditional firewall with other network device filtering functions. An example is an application firewall that uses inline deep packet inspection (DPI) together with an intrusion prevention system (IPS).
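The difference between a port-based rule and an application-aware one, as an added example that is not from the textbook: the script below keeps a traditional protocol/port rule table but also identifies the application from the first bytes of the payload, so traffic that matches a rule's port yet carries a different application is dropped. The rule table, packets and payload bytes are constructed; the protocol fingerprints are simplified versions of the real TLS, HTTP, SSH and DNS message formats.

```python
# Added example: a toy NGFW decision combining a port/protocol rule table with
# application identification from packet payloads (DPI). All data is constructed.

RULES = [  # each rule permits only the applications listed for its port
    {"name": "web", "proto": "tcp", "port": 443, "apps": {"tls"}},
    {"name": "dns", "proto": "udp", "port": 53, "apps": {"dns"}},
]

def identify_app(proto: str, payload: bytes) -> str:
    """Classify a payload by its leading bytes rather than by the port it travels on."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"            # SSH version banner
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03" and payload[5:6] == b"\x01":
        return "tls"            # TLS handshake record whose first message is a ClientHello
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") and b" HTTP/1." in payload[:80]:
        return "http"           # HTTP/1.x request line
    if proto == "udp" and len(payload) >= 12 and (payload[2] & 0x80) == 0 \
            and int.from_bytes(payload[4:6], "big") == 1:
        return "dns"            # DNS header: QR bit clear (a query) and QDCOUNT == 1
    return "unknown"

def decide(packet: dict) -> tuple:
    """Port/protocol match first (what a traditional firewall does), then the DPI check."""
    app = identify_app(packet["proto"], packet["payload"])
    for rule in RULES:
        if rule["proto"] == packet["proto"] and rule["port"] == packet["port"]:
            if app in rule["apps"]:
                return ("allow", f"{rule['name']}:{app}")
            return ("drop", f"{app} not permitted by rule {rule['name']}")
    return ("drop", f"no rule for {packet['proto']}/{packet['port']}")

PACKETS = [
    # TLS ClientHello on 443: both the port rule and the application check pass
    {"proto": "tcp", "port": 443, "payload": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"},
    # SSH banner on 443: the port rule passes, the application check fails
    {"proto": "tcp", "port": 443, "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    # DNS query for example.com on udp/53
    {"proto": "udp", "port": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01"},
    # HTTP on 8080: no rule covers the port, so a traditional firewall drops it too
    {"proto": "tcp", "port": 8080, "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
]

def demo() -> list:
    return [decide(p) for p in PACKETS]

if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:5} {reason}")
```

The second packet is the case that distinguishes an NGFW from a plain port filter: the port is permitted, but the payload is not the application the rule was written for.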
The Windows Encrypting File System (EFS) feature allows users to encrypt files, folders, or an entire hard drive. Full-disk encryption (FDE) encrypts the entire contents of a drive (including temporary files and memory). Microsoft Windows uses BitLocker, shown in Figure 39-6, for FDE.
Figure 39-6 BitLocker Unlock Screen
To use BitLocker, the user needs to enable a Trusted Platform Module (TPM) in the BIOS. A TPM is a specialized chip on the motherboard that stores information about the host system, such as encryption keys, digital certificates, and system integrity measurements. When enabled, BitLocker can use the TPM chip.
Similarly, BitLocker To Go is a tool that encrypts removable drives. It does not use a TPM chip, but it still encrypts the data and requires a password to decrypt it. Self-encrypting drives (SEDs) automatically encrypt all data on the drive, so an attacker who removes the drive cannot read the data by mounting it under their own operating system. SED encryption is implemented in the drive hardware by the manufacturer.
Attackers can strike at any moment, even in the short space of time it takes for a system to start up. It is critical to ensure that systems and devices remain secure when booting up.