Post on 08-Jul-2015
The Evolution of IDS: Why Context is Key
Dave Shackleford, Voodoo Security and SANS
Joe Schreiber, AlienVault
© 2014 The SANS™ Institute - www.sans.org
Introduction
• How has IDS/IPS changed in the past 10 years?
• First, there’s been more of a move to prevention vs. just passive detection
• Second, IDS really doesn’t function as a “standalone” tool anymore (for most)
• The context of what is happening in and around the environment is key
Packets? What packets?
• Getting access to network traffic was one of the first goals of intrusion detection platforms
• Classic sniffers like TCPdump led to the creation of Snort and Bro, as well as commercial options
• Gaining access to the network traffic itself was a challenge
– Promiscuous mode interfaces
– Dual-homed configs
– Finally, SPAN ports or taps
Aha. Now we’ve got packets!
• Packets! We have them!
• But…now what?
• For most, setting up IDS sensors led to the realization that we needed better knowledge of the environment
Patterns of packets make more sense.
• We now can start to analyze patterns of behavior
– Who is talking to whom
– Types of traffic
– Source/destination ports
– Protocols
• Patterns of traffic ebbs and flows are useful for volume analysis and troubleshooting, too
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
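The "who is talking to whom, on which ports and protocols" analysis above, applied to flow records in the column layout the slide shows. This is an added example, not code from the slide deck or from AlienVault: the first two records are the slide's own lines, the remaining records are constructed, and treating the lower-numbered port as the service port is a heuristic assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the first two records are the slide's own flow lines, the
# rest are made-up records in the same column layout (protocol and ports are hex).
SAMPLE_FLOWS = """\
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
0059 10.1.1.20 005b 10.1.1.5 11 c3f0 35 2 180 0721.22:00:01.000 0721.22:00:01.050 0.050 90 00 00
0059 10.1.1.20 005b 10.1.1.5 11 c3f1 35 2 180 0721.22:00:02.000 0721.22:00:02.040 0.040 90 00 00
0059 10.1.1.20 005b 10.1.1.9 06 d431 16 300 18000 0721.22:01:00.000 0721.22:01:30.000 30.000 60 00 1b
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    pkts: int
    octets: int


def parse_flow_line(line: str) -> Flow:
    """Parse one record; Pr, SrcP and DstP are hexadecimal in this layout."""
    f = line.split()
    if len(f) < 15:
        raise ValueError(f"short flow record: {line!r}")
    return Flow(src=f[1], dst=f[3], proto=int(f[4], 16), sport=int(f[5], 16),
                dport=int(f[6], 16), pkts=int(f[7]), octets=int(f[8]))


def parse_flows(text: str) -> list:
    """Parse a whole dump, skipping blank lines and the column header."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Sif"):
            continue
        flows.append(parse_flow_line(line))
    return flows


def service_port(flow: Flow) -> int:
    # Heuristic assumption: the lower-numbered port is the service side.
    return min(flow.sport, flow.dport)


def conversation_summary(flows: list) -> dict:
    """Who talks to whom: (src, dst, protocol, service port) -> flow/packet/byte totals."""
    summary = defaultdict(lambda: {"flows": 0, "pkts": 0, "octets": 0})
    for fl in flows:
        key = (fl.src, fl.dst, PROTO_NAMES.get(fl.proto, str(fl.proto)), service_port(fl))
        s = summary[key]
        s["flows"] += 1
        s["pkts"] += fl.pkts
        s["octets"] += fl.octets
    return dict(summary)


def top_talkers(flows: list, n: int = 3) -> list:
    """Sources ranked by bytes sent, the volume view used for trend baselines."""
    by_src = defaultdict(int)
    for fl in flows:
        by_src[fl.src] += fl.octets
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for key, totals in conversation_summary(flows).items():
        print(key, totals)
    print("top talkers:", top_talkers(flows))
```

The summary groups the two DNS flows from 10.1.1.20 into one conversation and shows the slide's two records for what they are: single 40-byte packets from port 80, i.e. a web server answering two external clients.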
Patterns -> Blocking.
• Intrusion detection gave way to blocking with intrusion prevention systems
– This was driven by better understanding of traffic patterns and signature sets
• Most IDS and IPS platforms, even in blocking mode, did not have much understanding of context
– Most blocks were “point in time” matches based on packet attributes
What do the patterns MEAN?
• IDS and IPS needed to evolve to make better sense of what was happening in the environment
• To that end, more data is needed
– Events from other network devices
– Events from scans and user information
– Data from vulnerability scanners and monitoring tools
• This is how we can start to build context of what’s happening in the environment.
Event Data, and Lots of It
[**] SQL Injection [**]
10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF
***AP*** Seq: 0xF69FDBE3 Ack: 0x3D5C8C4 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Traditional IDS and IPS alerts are often overwhelming
Event Data, and Lots of It (2)
Firewalls and routers are simple, static filtering devices with no understanding of context
Context + Alerting
• With event data from numerous sources, you can start to build context in the environment
– What systems communicate in a given subnet?
– What known vulnerabilities are there in the environment?
– What network devices does the traffic pass through?
• The IDS/IPS by itself, however, will still only report what it “sees”
Visibility: What IDS “Sees”
• Only traffic that passes by or through the IDS/IPS is analyzed
– Subnets? Check.
– Source/Destination ports? Check.
– Applications or platforms in use? Nope.
Visibility: More Data = Better
• Attacks are no longer viewed as discrete events at a “point in time”
• More data adds context and tells a better “security story”
– Passive scan data on OS, applications
– Active scan data on vulnerabilities
– Behavioral trend data
– System logs and endpoint security
– User directory data
Hmmm. Too many alerts?
• Now we have to start paring down alerts to get to *better* data
– Are there false positives we’ve discovered?
– Can we prioritize some data?
– Can we start combining data types into unique alert models?
• Data overload is a very common problem with IDS/IPS sensors
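A first step toward paring alerts down, applied to alerts in the layout the "Event Data, and Lots of It" slide shows: parse the raw records, collapse them into signature/source/destination counts, and drop pairs already reviewed as false positives (an authorized scanner, for instance). This is an added example, not code from the slide deck or from AlienVault; the first alert record is the slide's own, the other records and the scanner address are constructed.

```python
import re
from collections import Counter

# Constructed sample in the alert layout the slide shows. The first record is the
# slide's own example; the remaining records are made up in the same format.
SAMPLE_ALERTS = """\
[**] SQL Injection [**]
10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF
***AP*** Seq: 0xF69FDBE3 Ack: 0x3D5C8C4 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] SQL Injection [**]
10/30-20:38:57.101200 192.168.1.52:2361 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22377 IpLen:20 DgmLen:811 DF
***AP*** Seq: 0xF69FE0A1 Ack: 0x3D5C9F0 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] SQL Injection [**]
10/30-20:38:58.004400 192.168.1.52:2362 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22378 IpLen:20 DgmLen:805 DF
***AP*** Seq: 0xF69FE5C2 Ack: 0x3D5CB11 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] SQL Injection [**]
10/30-20:39:10.500000 10.0.0.5:41022 -> 192.168.1.61:80
TCP TTL:64 TOS:0x0 ID:1001 IpLen:20 DgmLen:600 DF
***AP*** Seq: 0x1A2B3C4D Ack: 0x5E6F7081 Win: 0x7210 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] Directory Traversal Attempt [**]
10/30-20:39:12.250000 192.168.1.77:3300 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22500 IpLen:20 DgmLen:520 DF
***AP*** Seq: 0x0BADF00D Ack: 0x3D5CC00 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"""

HEADER_RE = re.compile(r"^\[\*\*\]\s*(?P<sig>.+?)\s*\[\*\*\]$")
ADDR_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_snort_alerts(text: str) -> list:
    """Split the text on the =+=+ separator and keep the fields we correlate on."""
    alerts, record = [], []

    def flush():
        lines = [l.strip() for l in record if l.strip()]
        record.clear()
        if len(lines) < 2:
            return
        h, a = HEADER_RE.match(lines[0]), ADDR_RE.match(lines[1])
        if not (h and a):
            return  # skip a malformed record instead of aborting the whole parse
        alerts.append({
            "sig": h["sig"], "ts": a["ts"],
            "src": a["src"], "sport": int(a["sport"]),
            "dst": a["dst"], "dport": int(a["dport"]),
            "proto": lines[2].split()[0] if len(lines) > 2 else "?",
        })

    for line in text.splitlines():
        if line.startswith("=+="):
            flush()
        else:
            record.append(line)
    flush()  # the last record may have no trailing separator
    return alerts


def summarize(alerts: list) -> list:
    """Collapse raw alerts into (signature, src, dst) counts, most frequent first."""
    return Counter((a["sig"], a["src"], a["dst"]) for a in alerts).most_common()


def suppress(alerts: list, known_false_positives: set) -> list:
    """Drop (signature, src) pairs reviewed as noise, e.g. an authorized scanner."""
    return [a for a in alerts if (a["sig"], a["src"]) not in known_false_positives]


if __name__ == "__main__":
    raw = parse_snort_alerts(SAMPLE_ALERTS)
    kept = suppress(raw, {("SQL Injection", "10.0.0.5")})  # 10.0.0.5: constructed scanner
    print(f"{len(raw)} raw alerts, {len(kept)} after suppression")
    for key, count in summarize(kept):
        print(count, key)
```

Five raw records become two summary lines, and the reviewed scanner source disappears entirely; the remaining three-hit line from one source to one destination is the kind of repeated pattern the correlation rules on the next slides build on.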
Correlation -> BETTER alerts.
• Correlation makes a big difference in how events are reported
• Not every unique event makes sense to alert on
– Combinations of events
– Quantity of events
– Times of day or location (source/destination)
• Having some context and behavioral baseline can help
Correlation Examples
• High Severity Threat Targeting Vulnerable Asset
– Goal: Identify threats in real time that are likely to compromise a host. Vulnerability data has shown the host to be vulnerable to the inbound attack being detected by NIPS.
– Trigger: Any inbound event from a single IP address targeting a host known to be vulnerable to that attack.
– Event Sources: NIPS events, Vulnerability Assessment data
Correlation Examples
• Repeat Attack: Multiple Detection Sources
– Goal: Find hosts that may be infected or compromised, as detected by multiple sources (high probability of a true threat).
– Trigger: Alert on ANY second threat type detected from a single IP address by a second source after seeing a repeat attack (e.g. repeated Firewall Drop, followed by Malware Detected).
– Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events
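Both correlation examples above as executable rules over a stream of normalized events. This is an added example, not code from the slide deck or from AlienVault: the event schema, the three-in-five-minutes threshold for a "repeat attack", the mapping from a NIPS signature to a vulnerability identifier, and the vulnerability identifier itself (an obvious placeholder) are all assumptions; the event stream and vulnerability data are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Normalized event from any source; schema is an assumption for this example."""
    ts: int          # seconds since some epoch (constructed)
    source: str      # "firewall", "nips", "antivirus", "hips", "auth"
    src_ip: str
    dst_ip: str
    threat: str      # threat type or signature name
    vuln_ref: str = ""   # vulnerability id the signature exercises (assumed mapping)


@dataclass(frozen=True)
class Alert:
    rule: str
    src_ip: str
    dst_ip: str
    detail: str


def rule_vulnerable_asset(event: Event, vuln_data: dict):
    """High Severity Threat Targeting Vulnerable Asset: join NIPS event with VA data."""
    if event.source != "nips" or not event.vuln_ref:
        return None
    if event.vuln_ref in vuln_data.get(event.dst_ip, set()):
        return Alert("High Severity Threat Targeting Vulnerable Asset", event.src_ip,
                     event.dst_ip, f"{event.threat} matches open finding {event.vuln_ref}")
    return None


class RepeatAttackCorrelator:
    """Repeat Attack, Multiple Detection Sources: keep per-source-IP history and fire
    when a second source reports a different threat type after a repeat attack."""

    def __init__(self, repeat_threshold: int = 3, window: int = 300):
        self.repeat_threshold = repeat_threshold   # assumption: 3 hits ...
        self.window = window                       # ... within 5 minutes
        self.history = defaultdict(list)           # src_ip -> [(ts, source, threat)]

    def process(self, event: Event):
        hist = self.history[event.src_ip]
        hist.append((event.ts, event.source, event.threat))
        cutoff = event.ts - self.window
        hist[:] = [h for h in hist if h[0] >= cutoff]   # expire old entries
        prior = hist[:-1]
        counts = defaultdict(int)
        for _, src, threat in prior:
            counts[(src, threat)] += 1
        for (src, threat), n in counts.items():
            if n >= self.repeat_threshold and event.source != src and event.threat != threat:
                return Alert("Repeat Attack: Multiple Detection Sources", event.src_ip,
                             event.dst_ip,
                             f"{n}x {threat} ({src}) then {event.threat} ({event.source})")
        return None


def correlate(events: list, vuln_data: dict) -> list:
    """Run both rules over a time-ordered event stream and collect the alerts."""
    repeat = RepeatAttackCorrelator()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        for hit in (rule_vulnerable_asset(ev, vuln_data), repeat.process(ev)):
            if hit:
                alerts.append(hit)
    return alerts


# Constructed event stream and vulnerability assessment data (documentation ranges).
SAMPLE_EVENTS = [
    Event(0, "firewall", "203.0.113.10", "198.51.100.7", "Firewall Drop"),
    Event(10, "firewall", "203.0.113.10", "198.51.100.7", "Firewall Drop"),
    Event(20, "firewall", "203.0.113.10", "198.51.100.7", "Firewall Drop"),
    Event(30, "nips", "203.0.113.10", "198.51.100.7", "Malware Detected"),
    Event(40, "nips", "203.0.113.55", "198.51.100.8", "SQL Injection", "VULN-ID-PLACEHOLDER"),
    Event(50, "nips", "203.0.113.55", "198.51.100.9", "SQL Injection", "VULN-ID-PLACEHOLDER"),
]
SAMPLE_VULN_DATA = {"198.51.100.8": {"VULN-ID-PLACEHOLDER"}}  # only .8 is unpatched

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, SAMPLE_VULN_DATA):
        print(alert)
```

Six events yield two alerts: the three firewall drops alone stay silent, the NIPS malware detection from the same source after them fires the repeat-attack rule, and of the two identical SQL injection signatures only the one aimed at the host the scanner reported as vulnerable fires the first rule. The same signature against a patched host is exactly the "point in time" match an uncontextualized IPS would have alerted on.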
The Keys to Context-Driven Threat Assessment
1. Visibility: Know what you’re protecting in the environment
2. Baselines: Understand the behaviors of the assets in your environment
3. Impact: Understand how threats will impact assets
4. Intelligence: Incorporate threat intelligence from internal/external sources
5. Action: Prioritize security response
Threat Intel -> Better Correlation.
• Threat intelligence is the set of data collected, assessed, and applied regarding:
– Security threats
– Threat actors
– Exploits
– Malware
– Vulnerabilities
– Compromise indicators
• When this data is incorporated, much more accurate event monitoring can take place
IDS…Where’s it going?
• Intrusion detection systems are evolving today
– More context-aware
– More behavioral analysis
– Some “SIEM-like” capabilities, too
• Some IDS can now also integrate with threat intelligence feeds
• IDS is not a “set and forget” technology
– Tuning and correlation are required
AlienVault Unified Security Management
Coordinated Analysis, Actionable Guidance
• 200-350,000 IPs validated daily
• 8,000 collection points
• 140 countries
Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)
Join OTX: www.alienvault.com/open-threat-exchange
Questions?
Q@SANS.ORG
Thank You!
Three Ways to Test Drive
AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo
http://www.alienvault.com/live-demo-site
Join us for a LIVE Demo!
http://www.alienvault.com/marketing/alienvault-usm-live-demo