How to Make Your IDS Useful. Joel M Snyder Senior Partner Opus One jms@opus1.com

Similar documents
IDS or IPS? Pocket E-Guide

Taxonomy of Intrusion Detection System

IBM Managed Security Services Vulnerability Scanning:

THE ROLE OF IDS & ADS IN NETWORK SECURITY

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Overcoming PCI Compliance Challenges

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG

How to Build a Security Dashboard

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Payment Card Industry (PCI) Data Security Standard

Cisco IPS Tuning Overview

Security Event Management. February 7, 2007 (Revision 5)

SANS Top 20 Critical Controls for Effective Cyber Defense

Enabling Security Operations with RSA envision. August, 2009

Intrusion Detection and Intrusion Prevention. Ed Sale VP of Security Pivot Group, LLC

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

How To Protect A Network From Attack From A Hacker (Hbss)

Concierge SIEM Reporting Overview

74% 96 Action Items. Compliance

INTRUSION DETECTION SYSTEMS and Network Security

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Dedicated and Distributed Vulnerability Management

BEGINNER S GUIDE to. Open Source Intrusion Detection Tools.

Presentation Title: When Anti-virus Doesn t Cut it: Catching Malware with SIEM

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Automate PCI Compliance Monitoring, Investigation & Reporting

IT Networking and Security

RSA Security Analytics

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

How To Prevent Hacker Attacks With Network Behavior Analysis

Architecture Overview

Best Practices for PCI DSS V3.0 Network Security Compliance

Defence Cyber Protection Partnership Cyber Risks Profile Requirements

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

Role of Anomaly IDS in Network

Tunisia s experience in building an ISAC. Haythem EL MIR Technical Manager NACS Head of the Incident Response Team cert-tcc

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Secure Software Programming and Vulnerability Analysis

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

PCI Security Scan Procedures. Version 1.0 December 2004

GFI White Paper PCI-DSS compliance and GFI Software products

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

The SIEM Evaluator s Guide

Closing Wireless Loopholes for PCI Compliance and Security

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

THE TOP 4 CONTROLS.

One-Man Shop. How to build a functional security program with limited resources DEF CON 22

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Achieving SOX Compliance with Masergy Security Professional Services

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Network Management and Monitoring Software

INCIDENT RESPONSE CHECKLIST

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

Footprinting and Reconnaissance Tools

IBM QRadar Security Intelligence April 2013

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, Concepts.

FISMA / NIST REVISION 3 COMPLIANCE

How To Test For Security On A Network Without Being Hacked

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Network Intrusion Detection Systems. Beyond packet filtering

How To Manage Security On A Networked Computer System

Fight the Noise with SIEM

Why The Security You Bought Yesterday, Won t Save You Today

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

Firewalls, Tunnels, and Network Intrusion Detection

1. Thwart attacks on your network.

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Top 5 Essential Log Reports

Chapter 9 Firewalls and Intrusion Prevention Systems

Securing Web Applications...at the Network Layer

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

Running the SANS Top 5 Essential Log Reports with Activeworx Security Center

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

Network Instruments white paper

Blended Security Assessments

Transcription:

How to Make Your IDS Useful Joel M Snyder Senior Partner Opus One jms@opus1.com

Agenda: IDS Why are we looking at IDS? The 5 Ws of IDS Analysis The IDS Analysis Cycle 2

IDS Has Little to Do With Intrusions Port Scan here: ho-hum Internal Net External network Internal Net router/ firewall DMZ Enterprises want to understand and block security problems on their networks. On each network, intrusion can mean something very different Internal Net Port Scan here: Uh-oh! 3

Intrusion Detection Systems Identify Security Problems on Your Networks External network DMZ Internal Net Internal Net IDS (passive) IDS (passive) Management Network 4

Intrusion Prevention Systems Block Security Problems on Your Networks External network IPS (active) DMZ Internal Net Internal Net Management Network 5

There are at least 4 types of IDS/IPS products out there Signature-based: look for specific traffic that matches specific descriptions, or is out of spec in some particular way Anomaly-based: observe deviations from baseline normal traffic and block or alert Niche: Wireless: have specific knowledge of RF and RF behaviors; looking for wirelessspecific issues Rate-based: watch flows and connections and limit or modify TCP/UDP to predetermined norms or to guarantee response time 6

Network Intrusion Analysis Combines Technology With Methodology You must have some of both before you can even start Suggested reading: Network Intrusion Detection, 3/e by Northcutt & Novak 7

Before You Start, Consider the Five Ws Where is everything? What do I care about? Who is responsible? Who do I tell? When do we do analysis? Why are we doing this? Yes, this sounds dull and uninteresting. But if you don t do it, then you ll never know what to do with the data your IDS gives you 8

W#1 Where Is Everything on Your Network? You can t watch all ports on all devices connected to the network Even if you had infinite CPU time... So you need to know what each device is doing and who is taking care of them Mapping your network is part of your preparation for IDS analysis 9

W#1 Map Your Network at Three Levels (at Least!) Physical layer topology helps to understand what wires and bridges go where Network layer topology identifies systems and routing paths Application layer topology shows you what businesscritical resources are present 10

W#1 Applications Are Hard to Map but Critical to Understand Physical layer topology helps to understand what wires and bridges go where Network layer topology identifies systems and routing paths Application layer topology shows you what businesscritical resources are present WWW Oracle WWW Oracle Oracle Load Balancer WWW LDAP RADIUS WWW LDAP 11

W#2 What Do I Care About? Once you have mapped your network, you have two main questions to ask: What is visible to my IDS/IPS? Generally, certain inside-to-inside flows will not be visible Also, certain outside-toinside flows might not pass a sensor That whole encryption thing Which network elements are important to me? Physical Network Application 12

W#2 Spend Time on Critical and Important Systems Quick: your IPS says that someone is trying SQL attacks on imprimo. Quick: your IPS says that someone is trying SQL attacks on system repono. Do you care? Answer: No. It s a printer. It doesn t run SQL. No one cares about it anyway. Do you care? Answer: Yes! It s an SQL server. It s behind the firewall. It generates my paycheck. 13

W#3 Who Is Responsible? System Mgmt Responsibility Who takes care of the network? Who takes care of the servers and routers? Who takes care of the applications? Incident Responsibility Who do I tell? What are they responsible for doing? What if they don t do it? Then what do I do? (or do I even care?) 14

W#4 When Do We Do Analysis? Immediately? Are we concerned about catching someone in the act? Daily? Weekly? Monthly? Quarterly? Annually? Never? Do we want to know quickly if there is a problem on our net? Are we looking for long-term trends? Do we do this for forensics and tuning? 15

W#4 Your Analysis Timeframe Strongly Influences What You Do Immediate Alert system & network mgrs React or traceback? Start logging Get on the phone Daily Successful? Prioritize 1/2/3 A trend? History? Patch? Update firewall rules? Surveillance? Trending What s abnormal? Normal? Getting worse? Better? Forensics? 16

Why Are We Doing This? You must be doing Intrusion Detection analysis and Intrusion Prevention for a reason What is it? W#5 What did your business case say? Avoid common exploits? Look for internal worms and malware? Discover misbehaving users and systems? Find out how you were broken? Who? Why? When? Tool for your application and network managers? Tool for security manager? 17

A Policy Covers the Five Ws and You Need a Policy This is even more important than the policy that you didn t write to go along with your firewall Where is everything? What do I care about? Who is responsible? Who do I tell? When do we do analysis? Why are we doing this? Policies don t work Marcus Ranum, Seven Things I ve Learned 18

Your Policy Will Determine How You Do Analysis and Use Your IPS Immediate alerting You want to know the moment that something is up so that you can react immediately. Correlation You watch breakins and attempts to understand the motivation, method, and goals of the attacker. Surveillance Forensics You instruct the IDS to watch certain things more carefully to collect data on an object or suspect of interest. You use IDS to help understand what happened after a security incident or to show traffic flows and long-term statistics 19

The Analysis Cycle Gives a Framework Respond appropriately Feedback Identify resources Policy Breakdown Validate success Define attack Interact Research Qualify applicability 20

Analysis Is Always Grounded in Policy Respond appropriately Feedback Identify resources Policy Breakdown As you dive in, remember Paul Proctor s rule: When you first start operating an IDS, you will find many things you do not expect. Be prepared. Validate success Interact Which implies, perhaps, that policy is also grounded in analysis Qualify applicability Define attack Research 21

The 1st Step Is Identification and Mapping Respond appropriately Identify resources Policy Feedback Construct your 3 maps (physical, network, application) Breakdown Validate success Identify key resources Link to responsible people within your organization Define attack For each step in the cycle, identify the tools your IDS has to support this step Interact Some of this will come from policy Qualify applicability Research 22

Break Down the Data Into Manageable Chunks Respond appropriately Identify resources Policy Feedback Validate success Interact You will have dozens or perhaps hundreds of events (or thousands, if you haven t tuned) to look through Looking at them all requires mental discipline and an ability to prioritize Breakdown Define attack Research Qualify applicability 23

Define the Incident and Understand What It Means Respond appropriately Identify resources Policy Feedback Validate success Interact What kind of incident? Attack on a host? DoS attack? Information probe? What does the event message mean? What happened? Who was the source? Breakdown Define attack Research Qualify applicability 24

Research Is an Integral Part of Defining an Incident Respond appropriately Identify resources Policy Feedback Validate success Reference materials Stevens Vol. 1, 3 Web Rambling Your brain and your analyst (paper or electronic) notebook Breakdown Define attack Interact Research Qualify applicability 25

Qualify the Incident Policy Respond appropriately Identify resources Feedback Validate success Is it applicable to us? Do we care about it? Have I seen it before? Have I seen this attacker before? Breakdown Define attack Interact Qualify applicability Research This is the most important and time-consuming part of analysis 26

Qualification Means Answering a Lot of Questions Does this host actually exist? Attacks on non-existent hosts are pretty low priority Is this host vulnerable to the attack? Key conclusion: Without a comprehensive map, you cannot do useful analysis. Information gathering is painful, but there are tools to help. Go back to your Identify Resources maps and start talking to the responsible people 27

Northcutt Advises Prioritizing Your Incidents and Events severity = (criticality + lethality) (sys + net countermeasures) Criticality: How bad will it hurt? 5: Firewall, DNS, router 4: Email gateway/server 3: Executive s desktop 2: User desktop 1: MS-DOS 3.11 running soda machine System Countermeasures 5: Totally patched, modern O/S, internal firewall 3: Older O/S, partially patched 1: Unpatched/Unmanaged Lethality: How likely to do damage? 5: Multi-system root access 4: Single-system root 3: DoS total lockout 2: User-level access 1: Unlikely to succeed Network Countermeasures 5: Validated, restricted firewall 4: Firewall, plus some unprotected connections 2: Permissive firewall 1: No firewall 28

You Might Want to Answer Two More Questions Did the event cause a state change? Is there something else going on here? Is the behavior of the target system different after the event than before the event? What other correlation can we make between this attacker, the attacked system, and the type of incident with past incidents? 29

Communicate and Validate the Incident Respond appropriately Identify resources Policy Feedback Validate success Share information: something of interest might be correlated Find out: was the attack successful? Breakdown Define attack Interact Research Qualify applicability 30

Feedback Completes the Analysis Cycle Respond appropriately Identify resources Policy Feedback Validate success Interact Firewall adjustments IPS adjustments Update maps with contact information and patch details Log incident and results Verify against policy Breakdown Define attack Research Qualify applicability 31

Action Items: Making your IDS Useful Follow the 5 Ws and prepare background information on the network Identify tools within your IDS to help each step in the Analysis Cycle Set aside 2 to 3 hours each week to practice and get into the swing of tuning and analyzing events 32

Thanks! Joel Snyder Senior Partner Opus One jms@opus1.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information