13.2 (IG2, IG3)

Deploy a Host-Based Intrusion Detection Solution

Asset Type: Devices
Security Function: Detect

Description

Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Fileless Malware Execution on Unmonitored Endpoints

Confidentiality

An attacker deploys fileless malware using PowerShell or WMI that operates entirely in memory, evading network-level detection because no host-based intrusion detection solution is monitoring process behavior.

Insider Threat Data Harvesting on Endpoints

Confidentiality

A malicious insider installs credential harvesting tools or keyloggers on their workstation, which go undetected without host-based intrusion detection monitoring local system activity.

Rootkit Persistence Without Host-Level Detection

Integrity

An attacker installs a kernel-level rootkit that persists across reboots and hides malicious processes from standard OS tools, remaining invisible without a dedicated HIDS examining system integrity.

Vulnerabilities (When Safeguard Absent)

No Visibility into Host-Level Attack Indicators

Without host-based intrusion detection, suspicious process executions, file integrity changes, and registry modifications on individual endpoints go unmonitored, allowing attackers to operate freely post-compromise.

Inability to Detect Memory-Resident Threats

Absent HIDS capabilities, attacks that never touch disk, such as in-memory exploits, living-off-the-land techniques, and process injection, cannot be identified at the endpoint level.
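As an added illustration (not from CIS or from any HIDS product), the following Python sketches the two host-level checks the scenarios above call for: a file-integrity baseline comparison, and a process-event rule that flags encoded or WMI-spawned PowerShell and inline Invoke-Expression use. All paths, hashes and events are constructed sample data, and the rule names are hypothetical.

```python
import hashlib

# Constructed file-integrity baseline: path -> SHA-256 of the approved content.
BASELINE = {
    "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\n").hexdigest(),
    "/usr/bin/sudo": hashlib.sha256(b"sudo-binary-v1").hexdigest(),
}

# Constructed process-creation events with Sysmon-style fields.
EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand SQBFAFgA..."},
    {"parent": "wmiprvse.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c iex(...)"},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]


def check_integrity(baseline, current_contents):
    """Compare current file contents (path -> bytes) against the baseline.
    Returns (path, 'modified' | 'missing') for every deviation."""
    findings = []
    for path, expected in baseline.items():
        if path not in current_contents:
            findings.append((path, "missing"))
        elif hashlib.sha256(current_contents[path]).hexdigest() != expected:
            findings.append((path, "modified"))
    return findings


def check_process_event(event):
    """Return the names of the (hypothetical) rules a process-creation event
    matches. An empty list means no host-level indicator was seen."""
    hits = []
    if event["image"].lower() != "powershell.exe":
        return hits
    tokens = event["cmdline"].lower().split()
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
    if any(len(t) >= 2 and "-encodedcommand".startswith(t) for t in tokens):
        hits.append("encoded-powershell")
    if event["parent"].lower() == "wmiprvse.exe":
        hits.append("wmi-spawned-powershell")
    if any(t.startswith("iex(") or t == "invoke-expression" for t in tokens):
        hits.append("in-memory-iex")
    return hits
```

Running `check_integrity(BASELINE, {...})` with a changed sshd_config and no sudo reports one modified and one missing file, and `check_process_event` over EVENTS flags the first two events and leaves the notepad event clean.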

Evidence Requirements

Type      | Evidence Item                                                             | Collection Frequency
Technical | Detection tool deployment evidence (dashboard screenshots, agent status)  | Captured monthly
Technical | Sample alert/detection output demonstrating capability                    | Captured quarterly
Document  | Governing policy document (current, approved, communicated)               | Reviewed annually