IDS-001 recommended General Security Monitoring

Intrusion detection system evaluated/deployed

Some IDS solution in place (WAF, SIEM, cloud-native security, or open-source); appropriate for project scale and budget

Question to ask

"How long would an active breach go unnoticed?"

Verification guide

Severity: Recommended (Critical for big projects)

Projects should have some form of intrusion detection system in place - this could be a WAF, SIEM, cloud-native security tools, or open-source solutions. The goal is systematic detection of malicious activity, not just reactive incident response.

Check automatically:

  1. Check for WAF/security proxy:

     # Cloudflare (most common)
     curl -sI https://example.com | grep -iE "cf-ray|server: cloudflare"

     # AWS WAF - check for WebACL associations
     aws wafv2 list-web-acls --scope REGIONAL --region us-east-1 2>/dev/null
     aws wafv2 list-web-acls --scope CLOUDFRONT 2>/dev/null

  2. Check for SIEM/security monitoring tools:

     # Look for security tool configuration in codebase
     grep -rE "datadog.*security|splunk|elastic.*security|sentinel|chronicle" --include="*.yml" --include="*.yaml" --include="*.json" --include="*.tf" 2>/dev/null

     # Check for cloud-native security
     # AWS GuardDuty
     aws guardduty list-detectors 2>/dev/null

     # GCP Security Command Center
     gcloud scc sources list --organization=ORG_ID 2>/dev/null

  3. Check for open-source IDS:

     # Look for common open-source IDS tools
     grep -rE "wazuh|ossec|suricata|snort|zeek|fail2ban" --include="*.yml" --include="*.yaml" --include="docker-compose*" --include="*.tf" 2>/dev/null

     # Check Docker Compose for security containers
     grep -rE "wazuh|ossec|suricata" docker-compose*.yml 2>/dev/null

  4. Check Terraform/IaC for security resources:

     # AWS security resources
     grep -rE "aws_guardduty|aws_securityhub|aws_wafv2" --include="*.tf" 2>/dev/null

     # GCP security resources
     grep -rE "google_scc|google_security" --include="*.tf" 2>/dev/null

     # Cloudflare WAF rules
     grep -rE "cloudflare_ruleset|cloudflare_waf" --include="*.tf" 2>/dev/null
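The repository-side checks above, folded into one scan that reports per-category coverage; this is an added example, not part of the checklist. The category labels, the case-insensitive matching and the constructed sample repository are my own choices; the grep patterns are the ones listed above.

```shell
#!/bin/sh
# Added example, not part of the checklist: report which IDS/security
# monitoring categories a repository shows evidence of, using the grep
# patterns from the checks above. Category labels are my own.

ids_coverage() {
  # $1 = repository root. Prints "<category>: hit|none" per category and
  # returns the number of categories with no evidence (0 = all covered).
  root="$1"; missing=0
  for spec in \
    "waf|cloudflare_ruleset|cloudflare_waf|aws_wafv2" \
    "siem|datadog.*security|splunk|elastic.*security|sentinel|chronicle" \
    "cloud_native|aws_guardduty|aws_securityhub|google_scc|google_security" \
    "oss_ids|wazuh|ossec|suricata|snort|zeek|fail2ban"
  do
    label=${spec%%|*}      # text before the first '|'
    pattern=${spec#*|}     # everything after it
    # Case-insensitive so "Wazuh" or "Splunk" in YAML values also count.
    # Hits are leads, not proof: "sentinel" also matches Redis Sentinel.
    if grep -rqiE --include="*.yml" --include="*.yaml" --include="*.json" \
         --include="*.tf" --include="docker-compose*" -e "$pattern" "$root" \
         2>/dev/null
    then
      echo "$label: hit"
    else
      echo "$label: none"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Constructed sample repository: a Terraform file enabling GuardDuty and a
# compose file running Wazuh, so two of the four categories have evidence.
demo_repo() {
  dir=$(mktemp -d)
  mkdir -p "$dir/infra"
  printf 'resource "aws_guardduty_detector" "main" {\n  enable = true\n}\n' \
    > "$dir/infra/security.tf"
  printf 'services:\n  wazuh:\n    image: wazuh/wazuh-manager\n' \
    > "$dir/docker-compose.yml"
  echo "$dir"
}

repo=$(demo_repo)
ids_coverage "$repo" && rc=0 || rc=$?
echo "categories without evidence: $rc"   # 2 for the constructed repo
```

A "none" in every category is the automated signal for the fail criteria below; any "hit" still needs the owner and alert-review questions answered before the item passes.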

Ask user:

  • "What security monitoring tools does your team use?"
  • "Have you evaluated IDS options for your budget/scale?"
  • "Is there a security team or designated security owner?"

Common IDS options by budget:

  • Free/Low cost: Cloudflare (free tier WAF), Fail2ban, AWS GuardDuty (pay per use), Wazuh (open source)
  • Medium: Datadog Security, Cloudflare Pro/Business, AWS Security Hub
  • Enterprise: Splunk, Elastic Security, Chronicle, Sentinel

Cross-reference with:

  • SEC-001 (Cloudflare setup from section 13)
  • IDS-002 (network-level monitoring)
  • IDS-003 (database-level monitoring)

Pass criteria:

  • Some IDS/security monitoring solution is deployed and active
  • Solution is appropriate for project scale and budget
  • Someone is responsible for reviewing security alerts

Fail criteria:

  • No IDS or security monitoring in place
  • "We haven't looked into it" without a plan
  • Security monitoring exists but nobody reviews alerts

Evidence to capture:

  • IDS solution(s) in use
  • Coverage scope (network, application, database)
  • Who reviews security alerts
  • Last security review date (if available)

Section: 25. Intrusion Detection