How would you implement a secure intrusion detection strategy for an air-gapped or legacy environment?