Wednesday, August 17, 2016

Intelligent IDS: A CanadaCyber Perspective

What is an Intrusion Detection System (IDS)? We will not cover the very technical definitions of IDS; instead, we will mention the industry-standard definitions.

Institute says: “…the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource; more specifically, the goal of intrusion detection is to identify entities attempting to subvert in-place security controls.” Did you get what they are trying to explain rather than define? Good!

NIST says: “Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.” Did you get what they are trying to explain rather than define? Hmm, better?

Okay, let us explain what an IDS is: “It’s nothing but a mechanism which helps you detect something abnormal, i.e. an intrusion into the defined boundaries which constitute a system.” To detect something abnormal, you must first teach your IDS what abnormal looks like so that it can recognize any abnormality.

This teaching part is termed the methodology on which your intrusion detection system works.

Intrusion Detection Methodology

Generally, there are three types of methodologies that can be used to gear up your intrusion detection system. Normally, intrusion detection systems are built on one of these methodologies, or sometimes on a combination of them.
The three methodologies:
  • Stateful protocol analysis
  • Anomaly based detection
  • Signature based detection

Signature Based Detection
The simplest and a very effective method of detecting known threats. A signature is basically a pattern that corresponds to a known threat, and signature-based detection is the process of comparing signatures against observed events to identify possible incidents.

Anomaly Based Detection
Anomaly-based detection is the process of comparing a definition of what activity is considered normal against the observed events to identify significant deviations. Anomaly-based intrusion detection systems use profiles that represent the normal behavior of things such as users, hosts, network connections or applications. These profiles are developed by monitoring typical activity over a period of time.

The major benefit of the anomaly-based detection methodology is that it can be much more effective at detecting previously unknown threats. For instance, it can be used to detect the infection of a computer with a new type of malware.
Signature-based detection, by contrast, cannot detect a previously unknown threat, because no signature exists for it yet.
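To make the contrast between the two methodologies concrete, here is an added Python example (written for this post, not CanadaCyber's or Snort's code) that runs both a signature matcher and an anomaly detector over the same constructed event stream. The signatures, the per-host profile (mean event rate and usual destination ports, learned from a few training windows) and all the sample events are assumptions for the demonstration. The known threat is caught only by the signature; the rate burst, the new port and the unprofiled host are caught only by the anomaly profile, which is exactly why the two are usually combined.

```python
import re
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    """One observed event: source host, destination port and a payload excerpt."""
    src: str
    dst_port: int
    payload: str


# --- Signature-based detection -------------------------------------------
# Each signature is a pattern that corresponds to a known threat. These two are
# constructed placeholders for this example, not vendor or Snort signatures.
SIGNATURES = {
    "TRAVERSAL": re.compile(r"\.\./\.\./"),                        # directory-traversal request
    "BAD-UA": re.compile(r"User-Agent: ConstructedScanner", re.I),  # assumed known-bad client string
}


def signature_detect(events):
    """Compare every event against every known signature; return (signature, event) hits."""
    return [(name, ev) for ev in events
            for name, pattern in SIGNATURES.items() if pattern.search(ev.payload)]


# --- Anomaly-based detection ---------------------------------------------
def build_profile(training_windows):
    """Learn what is 'normal' from a list of observation windows (e.g. one minute
    each): per source host, the mean and standard deviation of its event count per
    window and the set of destination ports it is normally seen using."""
    hosts = {ev.src for w in training_windows for ev in w}
    profile = {}
    for host in hosts:
        per_window = [sum(1 for ev in w if ev.src == host) for w in training_windows]
        profile[host] = {
            "mean": mean(per_window),
            "sd": pstdev(per_window),
            "ports": {ev.dst_port for w in training_windows for ev in w if ev.src == host},
        }
    return profile


def anomaly_detect(profile, window, k=3.0):
    """Flag significant deviations from the profile in one observed window:
    an event rate more than k standard deviations above the mean, a destination
    port never seen in training, or a host that has no profile at all."""
    findings = []
    for host, n in Counter(ev.src for ev in window).items():
        if host not in profile:
            findings.append((host, "UNPROFILED-HOST"))
            continue
        p = profile[host]
        threshold = p["mean"] + k * max(p["sd"], 1.0)  # floor sd so a flat baseline is not zero-width
        if n > threshold:
            findings.append((host, f"RATE {n} > {threshold:.1f}"))
        new_ports = {ev.dst_port for ev in window if ev.src == host} - p["ports"]
        if new_ports:
            findings.append((host, f"NEW-PORTS {sorted(new_ports)}"))
    return findings


# --- Constructed sample data (not real traffic) ----------------------------
def _window(*specs):
    """Build a window from (src, count, dst_port) tuples with a benign payload."""
    return [Event(src, port, "GET /index.html HTTP/1.1")
            for src, n, port in specs for _ in range(n)]


TRAINING = [
    _window(("10.0.0.5", 4, 443), ("10.0.0.9", 2, 80)),
    _window(("10.0.0.5", 6, 443), ("10.0.0.9", 2, 80)),
    _window(("10.0.0.5", 5, 443), ("10.0.0.9", 3, 80)),
    _window(("10.0.0.5", 5, 443), ("10.0.0.9", 1, 80)),
]

OBSERVED = _window(("10.0.0.5", 30, 443), ("10.0.0.9", 2, 80)) + [
    Event("10.0.0.5", 445, "GET /index.html HTTP/1.1"),        # port this host never used before
    Event("10.0.0.9", 80, "GET /../../config.ini HTTP/1.1"),   # matches a known signature
    Event("10.0.0.7", 22, "SSH-2.0-OpenSSH"),                  # host absent from training
]


if __name__ == "__main__":
    for name, ev in signature_detect(OBSERVED):
        print(f"signature  {name:<16} {ev.src} -> :{ev.dst_port}")
    for host, why in anomaly_detect(build_profile(TRAINING), OBSERVED):
        print(f"anomaly    {host:<16} {why}")
```

Running it shows the split clearly: the traversal request from 10.0.0.9 is a signature hit but is invisible to the profile (its rate and ports look normal), while 10.0.0.5 triggers only anomaly findings. The standard deviation is floored at 1.0 because a host with a perfectly flat baseline would otherwise alert on a single extra event, which is the classic source of anomaly-detection false positives.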

Stateful Protocol Analysis
In comparison with anomaly-based intrusion detection systems, which use host- or network-specific profiles, the Stateful Protocol Analysis methodology relies on vendor-developed comprehensive profiles that specify how particular protocols should and should not be used.

Therefore, we can define Stateful Protocol Analysis as a process which compares observed protocol activity against predetermined profiles of generally accepted protocol definitions to identify deviations.
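As an added illustration (example code written for this post, not a vendor profile or Snort's preprocessor), the following Python walks the client side of an SMTP session through a small state table and reports every command that arrives in a state where the protocol does not expect it. The state table, the argument-length bound and both sample sessions are assumed and simplified; a real vendor profile also tracks server responses, argument syntax and extensions.

```python
# Simplified client-command profile for SMTP (RFC 5321): state -> {command: next state}.
# This table is an assumed, illustrative profile; vendor profiles cover far more
# (response codes, argument syntax, extensions) and are not reproduced here.
PROFILE = {
    "INIT":    {"HELO": "GREETED", "EHLO": "GREETED", "QUIT": "CLOSED"},
    "GREETED": {"MAIL": "MAIL", "RSET": "GREETED", "NOOP": "GREETED", "QUIT": "CLOSED"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED", "NOOP": "MAIL", "QUIT": "CLOSED"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "DATA", "RSET": "GREETED", "NOOP": "RCPT", "QUIT": "CLOSED"},
    "DATA":    {},      # message body follows; a line containing only "." ends it
    "CLOSED":  {},      # nothing is acceptable after QUIT
}
KNOWN_COMMANDS = {cmd for table in PROFILE.values() for cmd in table}
MAX_ARG_LEN = 256   # assumed bound on a command argument for this profile


def analyze_session(lines):
    """Walk the client side of one session through the profile.
    Returns (final_state, findings); each finding is (line_no, state, reason)."""
    state = "INIT"
    findings = []
    for line_no, line in enumerate(lines, 1):
        if state == "DATA":                 # body lines are content, not commands
            if line == ".":
                state = "GREETED"
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if len(arg) > MAX_ARG_LEN:          # the profile also bounds argument size
            findings.append((line_no, state, f"ARG-TOO-LONG {cmd} ({len(arg)} chars)"))
        allowed = PROFILE[state]
        if cmd in allowed:
            state = allowed[cmd]
        elif state == "CLOSED":
            findings.append((line_no, state, f"COMMAND-AFTER-QUIT {cmd}"))
        elif cmd in KNOWN_COMMANDS:
            findings.append((line_no, state, f"OUT-OF-STATE {cmd}"))
        else:
            findings.append((line_no, state, f"UNKNOWN-COMMAND {cmd}"))
    return state, findings


# Constructed sessions (client lines only), not captured traffic.
NORMAL_SESSION = [
    "EHLO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: hello",
    "",
    "just checking in",
    ".",
    "QUIT",
]

DEVIANT_SESSION = [
    "HELO client.example.com",
    "RCPT TO:<bob@example.net>",                   # recipient before any MAIL FROM
    "DATA",                                        # body without an envelope
    "MAIL FROM:<" + "a" * 300 + "@example.com>",   # oversized argument
    "XYZZY",                                       # command the profile does not know
    "QUIT",
    "NOOP",                                        # traffic after the session closed
]


if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("deviant", DEVIANT_SESSION)):
        final, findings = analyze_session(session)
        print(f"{name}: final state {final}, {len(findings)} finding(s)")
        for line_no, state, reason in findings:
            print(f"  line {line_no} in state {state}: {reason}")
```

The point of the example is that none of the deviant lines match a signature and none of them change the traffic volume, so neither of the other two methodologies would notice them; only knowledge of what the protocol allows in each state does. Note that a deviating command leaves the tracked state unchanged, so one mistake does not cascade into a flood of follow-on findings.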

The Types of Intrusion Detection & Prevention Systems
So far, we have spoken about the methods on which these systems work; IDS & IPS are also categorized into different types based on the types of intrusions they monitor.
  • Network Based
  • Wireless
  • Network Behavior Analysis
  • Host Based
The most common and most used are host-based and network-based intrusion detection systems, and in our workshop we will talk about a Network Based Intrusion Detection System, i.e. Snort!

Host Based Intrusion Detection System (HIDS)
Host based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior on a specific device only rather than on a network.
HIDS generally involves an agent installed on each system that monitors and alerts on local OS and application activity, using a combination of signatures, rules, and heuristics to identify unauthorized activity. The role of a host IDS is passive, only gathering, identifying, logging, and alerting.

Network Based Intrusion Detection System (NIDS)
Network-based intrusion detection identifies unauthorized, illicit, and anomalous behavior based solely on network traffic.
It uses a network tap, SPAN port, or hub to collect the packets that traverse a given network and analyzes the captured data to flag any suspicious traffic. An intrusion detection system does not actively block network traffic.

What is Intrusion Prevention System?
So far, we have explained more about intrusion detection systems. If you have a clear concept of how an intrusion detection system works, it’s much easier to understand how an intrusion prevention system works.
An intrusion prevention system is one step ahead of an intrusion detection system: the role of an intrusion prevention system is to stop the intrusion, whereas an intrusion detection system only alerts when there is an intrusion in the system.
“Intrusion prevention follows the same process of gathering and identifying data and behavior, with the added ability to block (prevent) the activity. This can be done with Network and Host based intrusion detection systems.” One thing we do not like about IPS systems is their ability to deny legitimate traffic when a false positive

Architecture of Intrusion Detection & Prevention Systems

The main question is how these systems are designed, or how they actually work. The architecture of an intrusion detection system comprises several key components.

Architecture components

There are four (4) main components of the architecture:
  • Sensor or Agent
  • Database server
  • Management Server
  • Console
Sensor or Agent
Their job is to monitor and analyze activities. The term sensor is typically used for both intrusion detection and prevention systems which monitor networks. There can be multiple sensors configured within one network, depending on the network architecture.

Management Server
A management server is a centralized device which receives information from the sensors and manages them.

Database Server
Its job is to store the event information recorded by the sensors. This information is later used for reporting and for performing different analyses for security purposes.

Console
The console provides access to the intrusion detection and prevention system. You can say it’s an interface for administration and related activities and tasks.
Most consoles offer many features to assist administrators in their daily tasks. For example, most consoles offer drill-down capabilities, meaning that when a user examines an alert, more details and information are available in layers; they also draw different graphs, which are more presentable to senior management.

At Canada Cyber we usually deploy all these components on one physical or virtual server. We do this because we are a service you contract, and we manage all of the components within our sensor. We also deal with businesses that usually have fewer than 2000 employees, meaning the network load is not too cumbersome for one physical device.

It is important to understand that we offer something no one else does, and that is an intelligent point of view: our security team understands the global security threat and can identify strange network patterns, something no hardware can ever give you. Because we understand your business, this allows us to identify the threats that pose a risk to you.

This is why we ask you for the bandwidth of your network: what the average throughput is, and what the sustained session count of your network connection is. This helps us determine what is best to install at the edge of your network.

What is usually logged or detected by IDS & IPS
This can be customized based on the type and features of your device. Generally, intrusion detection and prevention systems store the following types of information:
  • Timestamp (usually date and time)
  • Connection or session ID (typically, a consecutive or unique number assigned to each TCP connection, or to like groups of packets for connectionless protocols)
  • Event or alert type
  • Rating (e.g., importance, severity, impact, confidence)
  • Network, transport, and application layer protocols
  • Source and destination IP addresses
  • Source and destination TCP or UDP ports, or ICMP types and codes
  • Sum of bytes transmitted over the connection
  • Interpreted payload data, such as application requests and responses
  • State-related information (e.g., real username)
  • We can also set it to record everything; just think of a video camera system for your network.

Always keep your sensor up to date
It is important to ensure that your intrusion detection and prevention systems are up to date with the newest feed released by your vendor. This could include software updates and fixes for the IDS or IPS itself, or new signatures to detect newer threats and attack vectors. An intrusion detection or prevention system without the latest feeds cannot help you secure your network or systems. That is why we offer it as a managed service.

This was an introduction to the types, architecture and methodologies of which intrusion detection and prevention systems are generally comprised.

We at Canada Cyber employ a blend of these products, from open source to enterprise-grade systems, giving us an optimum system that benefits from both the open source community and the commercial options.
