IDS for Security Analysts: How to Get Actionable Insights from your IDS
Transcript of IDS for Security Analysts: How to Get Actionable Insights from your IDS
“JTaG”
Our Speakers
Joe Schreiber
AlienVault
Director of Solutions
Architecture
@pkt_inspector
Tony Simone
Castra Consulting
Managing Partner
castraconsulting.com
Grant Leonard
Castra Consulting
Managing Partner
castraconsulting.com
It’s where you put things…
Installation [Day 0]
1. Pre-install checklist
2. Where (inside/outside, core/perimeter)
3. Tap/span/port-mirror
4. How much traffic can you handle / ROI
They make events
Intrusion Detection Systems
Lots of Events
• Placement
- Where is it deployed?
• Inspection
- Traffic Inspected
Don’t other things generate events?
What Makes IDS Different?
Firewalls
• Access Control
Proxies
• URLs
IDS
• Malware
• Network Policy
• Active Exploits
• URLs (also)
• Applications
I’m positively false…or am I?
False Positives
What is it?
• Invalid?
• Relevance?
Signature Sets
Environment
CiiT International Journal of Artificial Intelligent Systems and Machine Learning, Vol 2, No 11, November 2010
Precision = TP / (TP + FP)
I want to investigate now!
Why?
You need data!
• How long do I do this for?
- 2 weeks?
Patterns
Sorting
• Volume
• IP
What’s valuable?
Evaluation
What events are valuable and actionable?
• Policy (Network)
- Acceptable or Indifferent
• Risk
- Assets
- Signatures by perceived risk
• Environment
- Servers
- Users
What’s normal can be eliminated
Trending
Historical Record from Phase I
• “Normal” Activity
• Scheduled Activities (Backups, Cron Jobs…)
Trending is in Flux…
Stakeholders
Discuss
Get Stakeholders Involved
• The First Time
Create Notification Paths
Build Relationships
Taxonomy can help for Future Events
What is it?
Tuning
Removal of Events
• Avoid FP
• Saves Time
Threshold Adjusting
• Volumes
• Risk Scoring
Network Awareness
• Subnets
• VLANs
Save time
Filtering
Granularity
• Use the closest match when tuning
• Don’t blind yourself
Documentation
• Why did you tune this?
• Time
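An added example, not code from the deck or from AlienVault or Castra, that walks the slides' process end to end: parse a baseline of alerts, sort them by volume and by source IP, compute Precision = TP / (TP + FP) per signature from analyst verdicts, and then tune with the "closest match" rule (suppress one known source, rate-limit a noisy real detection, never blank out a whole signature), writing the why/who/when documentation next to each tuning line. It assumes the IDS writes Snort/Suricata fast-log alerts and reads threshold.conf-style `suppress` and `threshold` lines; every alert, local SID, subnet, verdict and analyst name is constructed.

```python
"""Baseline, sort, evaluate and tune IDS alerts (added example; assumes
Snort/Suricata fast-log alert format and threshold.conf tuning syntax;
every alert, SID, subnet and verdict below is constructed)."""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed alerts from a two-week baseline, Snort/Suricata fast-log style.
# SIDs are in the local (1000000+) range and the messages are made up.
SAMPLE_ALERTS = """\
03/10-09:00:01.000000  [**] [1:1000001:1] LOCAL WEB id check returned root [**] [Priority: 1] {TCP} 10.1.1.54:80 -> 10.1.1.20:51234
03/10-09:00:02.000000  [**] [1:1000001:1] LOCAL WEB id check returned root [**] [Priority: 1] {TCP} 10.1.1.54:80 -> 10.1.1.21:51235
03/10-09:00:03.000000  [**] [1:1000001:1] LOCAL WEB id check returned root [**] [Priority: 1] {TCP} 10.1.1.54:80 -> 10.1.1.22:51236
03/11-14:12:09.000000  [**] [1:1000001:1] LOCAL WEB id check returned root [**] [Priority: 1] {TCP} 203.0.113.9:80 -> 10.1.1.22:51237
03/10-02:00:00.000000  [**] [1:1000002:1] LOCAL SCAN inbound to MSSQL 1433 [**] [Priority: 2] {TCP} 10.1.2.5:44000 -> 10.1.1.30:1433
03/10-02:00:01.000000  [**] [1:1000002:1] LOCAL SCAN inbound to MSSQL 1433 [**] [Priority: 2] {TCP} 10.1.2.5:44001 -> 10.1.1.31:1433
03/10-02:00:02.000000  [**] [1:1000002:1] LOCAL SCAN inbound to MSSQL 1433 [**] [Priority: 2] {TCP} 10.1.2.5:44002 -> 10.1.1.32:1433
03/12-11:30:00.000000  [**] [1:1000003:1] LOCAL SCAN SIP scanner probe [**] [Priority: 2] {UDP} 198.51.100.7:5060 -> 10.1.1.40:5060
03/12-11:30:01.000000  [**] [1:1000003:1] LOCAL SCAN SIP scanner probe [**] [Priority: 2] {UDP} 198.51.100.7:5060 -> 10.1.1.41:5060
03/12-11:30:02.000000  [**] [1:1000003:1] LOCAL SCAN SIP scanner probe [**] [Priority: 2] {UDP} 198.51.100.7:5060 -> 10.1.1.42:5060
03/12-11:30:03.000000  [**] [1:1000003:1] LOCAL SCAN SIP scanner probe [**] [Priority: 2] {UDP} 198.51.100.7:5060 -> 10.1.1.43:5060
03/12-11:30:04.000000  [**] [1:1000003:1] LOCAL SCAN SIP scanner probe [**] [Priority: 2] {UDP} 198.51.100.7:5060 -> 10.1.1.44:5060
"""

# Constructed analyst verdicts after investigating each (sid, source) pair.
VERDICTS = {
    ("1000001", "10.1.1.54"): "FP",    # internal dev web app echoes "uid=0(root)"; policy: acceptable
    ("1000001", "203.0.113.9"): "TP",  # external host, no business reason for this response
    ("1000002", "10.1.2.5"): "FP",     # scheduled 02:00 vulnerability scanner (trending: cron-like)
    ("1000003", "198.51.100.7"): "TP", # real external SIP scanning, just very noisy
}

# Constructed "network awareness": which subnets are ours.
INTERNAL_NETS = [ip_network("10.1.0.0/16")]

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_fast_log(text):
    """Return one dict per alert line; non-alert lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
        alerts.append(a)
    return alerts


def by_volume(alerts):
    """Phase I pattern hunting: signatures ordered by how often they fire."""
    return Counter((a["sid"], a["msg"]) for a in alerts).most_common()


def by_source(alerts):
    """Same baseline, ordered by source IP."""
    return Counter(a["src"] for a in alerts).most_common()


def precision(alerts, verdicts):
    """Precision = TP / (TP + FP) per signature, using the analyst verdicts."""
    tp, fp = Counter(), Counter()
    for a in alerts:
        v = verdicts.get((a["sid"], a["src"]))
        if v == "TP":
            tp[a["sid"]] += 1
        elif v == "FP":
            fp[a["sid"]] += 1
    return {sid: tp[sid] / (tp[sid] + fp[sid]) for sid in set(tp) | set(fp)}


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def propose_tuning(alerts, verdicts, analyst, when, rate_limit_at=3):
    """Emit threshold.conf lines, each preceded by its documentation comment."""
    rules = []
    counts = Counter((a["sid"], a["src"]) for a in alerts)
    for (sid, src), n in sorted(counts.items()):
        v = verdicts.get((sid, src))
        if v == "FP" and is_internal(src):
            # Closest match: suppress this one internal source for this one
            # signature; the same signature still alerts for any other host.
            rules.append(f"# {when} {analyst}: FP, {src} is a known internal host; suppress by source only")
            rules.append(f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}")
        elif v == "TP" and n >= rate_limit_at:
            # Real but noisy: keep one alert per source per minute rather than removing it.
            rules.append(f"# {when} {analyst}: TP, {n} hits in baseline; rate-limit, do not remove")
            rules.append(f"threshold gen_id 1, sig_id {sid}, type limit, track by_src, count 1, seconds 60")
        # An FP from an external source gets no automatic rule: that is a
        # stakeholder/policy decision, and a blanket suppress would blind you.
    return rules


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_ALERTS)
    for (sid, msg), n in by_volume(alerts):
        print(f"{n:3d}  {sid}  {msg}")
    print(by_source(alerts))
    print(precision(alerts, VERDICTS))
    print("\n".join(propose_tuning(alerts, VERDICTS, analyst="analyst1", when="2015-03-24")))
```

Run it and the baseline sorts the SIP scanner to the top by volume, the precision table shows signature 1000001 at 0.25 and 1000002 at 0.0, and the tuning output contains two source-scoped `suppress` lines and one rate-limiting `threshold` line, each with the reason, analyst and date recorded above it so the next re-evaluation (new signatures, new servers) can see why the rule exists.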
Things will happen
Updates
New Signatures are released often
• New Events to Evaluate and Tune
Your network changes as servers are added / removed
• Tuning re-evaluation
But remember you’re special.
You Are Not Alone
Business Policies
• Change Control
• Clearance
- Avoid These (Time Burglars)
Passive Detection
• Needs to Stay Up-to-Date
It’s all Unicorns and Rainbows!
You’re gonna see crazy stuff
Stick to the Process
Document
Tune
Move On!
ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
SECURITY INTELLIGENCE/SIEM
• SIEM Event Correlation
• Incident Response
THREAT DETECTION
• Network IDS
• Host IDS
• File Integrity Monitoring
USM Platform
Integrated, Essential Security Controls
The world’s largest crowd-sourced threat repository
Provides access to real-time, detailed information about threats and incidents from over 8,000 collection points across 140 countries
Enables security professionals to share threat data and benefit from data shared by others
Open Threat Exchange (OTX)
Integrated Threat Intelligence
Reduced Noise: Correlating IDS/IPS data with vulnerability & IP reputation reduces false positives
Full Threat Context: See attack type, number of events, duration, source/destination IP addresses
Threat Research: Weekly updates to IDS signatures & correlation rules from AlienVault Labs Threat Research Team
Full Coverage: Inspect traffic between devices, not just at the edge
Flexible: Integrate your existing IDS/IPS events, and/or use the built-in IDS
Questions?
IDS “Ask the Experts” Google Hangout 3/24
Free 30-Day Trial of AlienVault USM:
www.alienvault.com/IDS
Video: IDS Best Practices
Blog Post: Open Source IDS Tools
Follow @alienvault & @pkt_inspector