IDS for Security Analysts: How to Get Actionable Insights from your IDS



“JTaG”

Our Speakers

Joe Schreiber

AlienVault

Director of Solutions

Architecture

@pkt_inspector

Tony Simone

Castra Consulting

Managing Partner

castraconsulting.com

Grant Leonard

Castra Consulting

Managing Partner

castraconsulting.com

Before Day 1

Day 0

Day 0 doesn’t exist… in this presentation

INSTALLATION

It’s where you put things…

Installation [Day 0]

1. Pre-install checklist

2. Where (inside/outside, core/perimeter)

3. Tap/span/port-mirror

4. How much traffic can you handle / ROI

Day 1

They make events

Intrusion Detection Systems

Lots of Events

• Placement

- Where is it deployed?

• Inspection

- Traffic Inspected

Don’t other things generate events?

What Makes IDS Different?

Firewalls

• Access Control

Proxies

• URLs

IDS

• Malware

• Network Policy

• Active Exploits

• URLs (also)

• Applications

I’m positively false…or am I?

False Positives

What is it?

• Invalid?

• Relevance?

Signature Sets

Environment

Source: CiiT International Journal of Artificial Intelligent Systems and Machine Learning, Vol 2, No 11, November 2010

Precision = TP / (TP + FP)

The Process

Collection → Evaluation → Tuning

Phase I - Collection

Gather all the things

Acquisition

Baselining

Soak Period

Maintenance Period

I want to investigate now!

Why?

You need data!

• How long do I do this for?

- 2 weeks?

Patterns

Sorting

• Volume

• IP
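Phase I in code, as an added example that is not part of the presentation: it parses a constructed set of Snort/Suricata "fast" format alert lines, sorts them by volume per signature and per source IP, and then applies the Precision = TP / (TP + FP) figure from the false-positive slide to per-signature analyst verdicts gathered during the soak period. The signature IDs, messages, addresses and verdicts are constructed sample data, and the 0.5 precision floor is an assumed starting point, not a value the speakers give.

```python
"""Phase I helper: sort IDS alerts by volume and score each signature's precision.

Added example, not code from the presentation. The alert lines and analyst
verdicts below are constructed sample data in Snort/Suricata fast-alert format.
"""
import re
from collections import Counter

# Constructed sample: nine fast-format alert lines as an IDS would write them to
# alert.fast / fast.log. Sids, messages and addresses are illustrative only.
SAMPLE_ALERTS = """\
01/21-09:00:01.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.1.20:80 -> 192.168.5.7:50112
01/21-09:00:04.120000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.1.20:80 -> 192.168.5.9:50113
01/21-09:01:10.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.1.20:80 -> 192.168.5.11:50200
01/21-09:02:33.500000  [**] [1:2013028:5] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.5.7:41022 -> 203.0.113.10:80
01/21-09:02:35.500000  [**] [1:2013028:5] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.5.7:41023 -> 203.0.113.10:80
01/21-09:03:00.000000  [**] [1:2013028:5] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.5.30:41090 -> 198.51.100.4:80
01/21-09:04:12.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.77:55001 -> 10.0.1.5:22
01/21-09:05:00.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.77:55002 -> 10.0.1.6:22
01/21-09:05:30.000000  [**] [1:384:5] PROTOCOL-ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.5.50 -> 10.0.1.1
"""

# Constructed analyst verdicts from the soak period: (sid, source IP) -> True if
# the alert was confirmed real, False if it was judged a false positive.
SAMPLE_VERDICTS = {
    (2100498, "10.0.1.20"): False,     # intranet status page echoes "uid=0(root)"
    (2013028, "192.168.5.7"): False,   # monitoring host runs curl health checks
    (2013028, "192.168.5.30"): True,   # user workstation, no business reason for curl
    (2001219, "198.51.100.77"): True,  # external host walking SSH ports
}

FAST_ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} "
    r"(?P<src>[0-9.]+)(?::\d+)? -> (?P<dst>[0-9.]+)(?::\d+)?"   # ports absent for ICMP
)


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not match."""
    m = FAST_ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "rev"):
        rec[k] = int(rec[k])
    return rec


def parse_alerts(text):
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def count_by(alerts, field):
    """Phase I sorting: alert volume per signature ("sid") or per source ("src"), highest first."""
    return Counter(a[field] for a in alerts).most_common()


def precision_by_signature(alerts, verdicts):
    """Precision = TP / (TP + FP) for each sid.

    Alerts with no verdict count toward neither TP nor FP, and a sid with no
    labelled alerts gets None rather than a misleading 0.0 or 1.0.
    """
    tp, fp = Counter(), Counter()
    for a in alerts:
        v = verdicts.get((a["sid"], a["src"]))
        if v is True:
            tp[a["sid"]] += 1
        elif v is False:
            fp[a["sid"]] += 1
    result = {}
    for sid in {a["sid"] for a in alerts}:
        total = tp[sid] + fp[sid]
        result[sid] = tp[sid] / total if total else None
    return result


def tuning_candidates(precision, floor=0.5):
    """Signatures whose labelled precision is below `floor` (assumed cut-off), worst first."""
    return sorted(((s, p) for s, p in precision.items() if p is not None and p < floor),
                  key=lambda x: x[1])


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("by signature:", count_by(alerts, "sid"))
    print("by source:", count_by(alerts, "src"))
    for sid, p in tuning_candidates(precision_by_signature(alerts, SAMPLE_VERDICTS)):
        print(f"tuning candidate sid {sid}: precision {p:.2f}")
```

Unlabelled alerts are deliberately left out of the denominator: during the soak period most alerts have no verdict yet, and counting them as false positives would make every new signature look useless before anyone has looked at it.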

Phase II - Evaluation

What’s valuable?

Evaluation

What events are valuable and actionable?

• Policy (Network)

- Acceptable or Indifferent

• Risk

- Assets

- Signatures by perceived risk

• Environment

- Servers

- Users

What’s normal can be eliminated

Trending

Historical Record from Phase I

• “Normal” Activity

• Scheduled Activities (Backups, Cron Jobs…)

Trending is in Flux…
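Phase II in code, as an added example that is not part of the presentation: it learns from the Phase I record which (signature, source, destination) combinations fire at the same hour every day, so that scheduled activity such as a nightly backup is eliminated as normal, and ranks what is left by perceived signature risk times asset criticality. The soak data, asset register, risk weights and the multiplication used for the score are all constructed assumptions; the speakers name the inputs but prescribe no formula.

```python
"""Phase II helper: drop what the soak period showed is normal, rank the rest by risk.

Added example, not code from the presentation. Baseline, asset register, risk
weights and the scoring rule are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset register (Evaluation -> Environment): destination IP -> criticality 1..5
ASSETS = {"10.0.1.5": 5, "10.0.1.6": 5, "192.168.5.7": 2, "192.168.5.30": 3}
# Constructed perceived risk per signature (Evaluation -> Risk -> Signatures by perceived risk)
SIG_RISK = {2001219: 3, 2013028: 2, 2100498: 4}


def learn_schedule(soak_alerts, min_days=5):
    """Keys (sid, src, dst) that fired at the same hour on at least `min_days` distinct days.

    Assumes daily jobs (backups, cron); a weekly job would need (weekday, hour).
    Returns {key: {hour, ...}}; keys with no recurring hour are omitted.
    """
    seen = defaultdict(lambda: defaultdict(set))  # key -> hour -> set of dates
    for sid, src, dst, ts in soak_alerts:
        seen[(sid, src, dst)][ts.hour].add(ts.date())
    return {key: {h for h, days in hours.items() if len(days) >= min_days}
            for key, hours in seen.items()
            if any(len(days) >= min_days for days in hours.values())}


def score(alert, schedule):
    """0 for activity the baseline explains; otherwise signature risk x asset criticality."""
    sid, src, dst, ts = alert
    if ts.hour in schedule.get((sid, src, dst), ()):
        return 0
    return SIG_RISK.get(sid, 1) * ASSETS.get(dst, 1)


def rank(alerts, schedule):
    """Actionable alerts first; baseline-explained ones (score 0) are dropped."""
    scored = [(score(a, schedule), a) for a in alerts]
    return sorted(((s, a) for s, a in scored if s > 0), key=lambda x: x[0], reverse=True)


def sample_soak():
    """Constructed 14-day soak period: a 02:00 curl-based backup check from the
    monitoring host every night, plus one stray alert on a single day."""
    start = datetime(2014, 6, 1, 2, 0)
    soak = [(2013028, "192.168.5.7", "10.0.1.5", start + timedelta(days=d)) for d in range(14)]
    soak.append((2013028, "192.168.5.30", "10.0.1.5", datetime(2014, 6, 9, 11, 17)))
    return soak


def sample_today():
    """Constructed alerts from the first day after the soak period."""
    return [
        (2013028, "192.168.5.7", "10.0.1.5", datetime(2014, 6, 15, 2, 0)),     # nightly job, explained
        (2013028, "192.168.5.7", "10.0.1.5", datetime(2014, 6, 15, 14, 30)),   # same pair, wrong hour
        (2001219, "198.51.100.77", "10.0.1.5", datetime(2014, 6, 15, 9, 4)),   # SSH scan at a critical host
        (2100498, "10.0.1.20", "192.168.5.30", datetime(2014, 6, 15, 9, 6)),   # root id check to a workstation
    ]


if __name__ == "__main__":
    schedule = learn_schedule(sample_soak())
    print("scheduled:", schedule)
    for s, a in rank(sample_today(), schedule):
        print(s, a)
```

Note that the same source/destination pair is only "normal" at the hour the baseline learned it; the 14:30 alert from the monitoring host still surfaces, which is the point of keeping the schedule rather than whitelisting the host.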

Stakeholders

Discuss

Get Stakeholders Involved

• The First Time

Create Notification Paths

Build Relationships

Taxonomy can help for Future Events

Phase III – Tuning

What is it?

Tuning

Removal of Events

• Avoid FP

• Saves Time

Threshold Adjusting

• Volumes

• Risk Scoring

Network Awareness

• Subnets

• VLANs

Save time

Filtering

Granularity

• Use the closest match when tuning

• Don’t blind yourself

Documentation

• Why did you tune this?

• Time
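Phase III in code, as an added example that is not part of the presentation: each tuning decision is recorded with its reason, analyst and date and rendered as a Snort/Suricata threshold.conf entry, either a suppress (removal of events) scoped to the closest matching source or subnet, or an event_filter of type limit (threshold adjusting by volume). A suppress with no address scope is refused unless the caller opts in, because that is the "blind yourself" case. The entries, sids, hosts, subnets and reasons are constructed; the suppress and event_filter syntax is Snort's.

```python
"""Phase III helper: emit documented Snort/Suricata threshold.conf entries.

Added example, not code from the presentation. Entries, sids, hosts and
reasons below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_network
from typing import Optional

VALID_TRACK = ("by_src", "by_dst")


@dataclass
class Tuning:
    sid: int
    reason: str                       # Documentation: why did you tune this?
    analyst: str
    when: date                        # Documentation: when
    gid: int = 1
    track: Optional[str] = None       # by_src / by_dst; None = no address scope
    ips: list = field(default_factory=list)    # hosts or CIDRs: use the closest match
    limit_count: Optional[int] = None          # set both to cap volume instead of removing
    limit_seconds: Optional[int] = None

    def validate(self, allow_global=False) -> Optional[str]:
        """Return an error message, or None if the entry is safe to apply."""
        if self.track is not None and self.track not in VALID_TRACK:
            return f"sid {self.sid}: track must be one of {VALID_TRACK}"
        if self.ips and self.track is None:
            return f"sid {self.sid}: an ip list needs track by_src or by_dst"
        if (self.limit_count is None) != (self.limit_seconds is None):
            return f"sid {self.sid}: a limit needs both count and seconds"
        try:
            for i in self.ips:
                ip_network(i, strict=False)
        except ValueError as e:
            return f"sid {self.sid}: bad address ({e})"
        if not self.ips and self.limit_count is None and not allow_global:
            return f"sid {self.sid}: unscoped suppress refused (pass allow_global=True)"
        return None

    def _ip_list(self) -> str:
        # Snort ip-list syntax: one host/CIDR, or several in square brackets
        nets = [ip_network(i, strict=False) for i in self.ips]
        text = [str(n) if n.num_addresses > 1 else str(n.network_address) for n in nets]
        return text[0] if len(text) == 1 else "[" + ",".join(text) + "]"

    def render(self, allow_global=False) -> str:
        err = self.validate(allow_global)
        if err:
            raise ValueError(err)
        header = f"# {self.gid}:{self.sid} {self.reason} ({self.analyst}, {self.when.isoformat()})"
        if self.limit_count is not None:
            rule = (f"event_filter gen_id {self.gid}, sig_id {self.sid}, type limit, "
                    f"track {self.track or 'by_src'}, count {self.limit_count}, "
                    f"seconds {self.limit_seconds}")
        elif self.ips:
            rule = (f"suppress gen_id {self.gid}, sig_id {self.sid}, "
                    f"track {self.track}, ip {self._ip_list()}")
        else:
            rule = f"suppress gen_id {self.gid}, sig_id {self.sid}"
        return f"{header}\n{rule}"


def render_threshold_conf(entries, allow_global=False) -> str:
    return "\n\n".join(e.render(allow_global) for e in entries)


def sample_entries():
    """Constructed tuning decisions for the sids seen during the soak period."""
    return [
        Tuning(2100498, "intranet status page echoes uid=0(root); only that server",
               "tier2", date(2014, 6, 12), track="by_src", ips=["10.0.1.20"]),
        Tuning(2013028, "curl health checks from the monitoring VLANs",
               "tier2", date(2014, 6, 12), track="by_src",
               ips=["192.168.5.0/24", "192.168.6.0/24"]),
        Tuning(2001219, "keep the scan signature, one alert per scanner per minute",
               "tier2", date(2014, 6, 13), track="by_src", limit_count=1, limit_seconds=60),
    ]


def unscoped_entry():
    """Constructed: a removal with no address scope, which validate() refuses by default."""
    return Tuning(384, "ICMP pings are noisy", "tier2", date(2014, 6, 13))


if __name__ == "__main__":
    print(render_threshold_conf(sample_entries()))
    print(unscoped_entry().validate())
```

The comment line above each rule is what makes the Repeat phase workable: when the signature is revised or the server is retired, whoever re-evaluates the entry can see why it exists and how old it is without digging through tickets.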

Repeat

Things will happen

Updates

New Signatures are released often

• New Events to Evaluate and Tune

Your network changes as servers are added / removed

• Tuning re-evaluation

The Loop

Inter-Process

But remember you’re special.

You Are Not Alone

Business Policies

• Change Control

• Clearance

- Avoid These (Time Burglars)

Passive Detection

• Needs to Stay Up-to-Date

It’s all Unicorns and Rainbows!

You’re gonna see crazy stuff

Stick to the Process

Document

Tune

Move On!

ASSET DISCOVERY

• Active Network Scanning

• Passive Network Scanning

• Asset Inventory

• Host-based Software Inventory

VULNERABILITY ASSESSMENT

• Continuous Vulnerability Monitoring

• Authenticated / Unauthenticated Active Scanning

BEHAVIORAL MONITORING

• Log Collection

• Netflow Analysis

• Service Availability Monitoring

SECURITY INTELLIGENCE/SIEM

• SIEM Event Correlation

• Incident Response

THREAT DETECTION

• Network IDS

• Host IDS

• File Integrity Monitoring

USM Platform

Integrated, Essential Security Controls

Open Threat Exchange (OTX)

The world’s largest crowd-sourced threat repository

Provides access to real-time, detailed information about threats and incidents from over 8,000 collection points across 140 countries

Enables security professionals to share threat data and benefit from data shared by others

Integrated Threat Intelligence

Reduced Noise: Correlating IDS/IPS data with vulnerability & IP reputation reduces false positives

Full Threat Context: See attack type, number of events, duration, source/destination IP addresses

Threat Research: Weekly updates to IDS signatures & correlation rules from AlienVault Labs Threat Research Team

Full Coverage: Inspect traffic between devices, not just at the edge

Flexible: Integrate your existing IDS/IPS events, and/or use the built-in IDS