Intrusion Detection recommendations

J. Oquendo joquendo at e-fensive.net
Fri Feb 13 17:25:21 UTC 2015


On Fri, 13 Feb 2015, Andy Ringsmuth wrote:

> NANOG'ers,
> 
> I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
> 
> We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
> 
> Initially, what do people recommend for:
> 
> 1. Crash course in intrusion detection as a whole
> 2. Suggestions or recommendations for intrusion detection hardware or software
> 3. Other things I'm likely overlooking
> 
> Thank you all in advance for your wisdom.

I'd have a look at Alien Vault if you don't want to fork
out heavy money and have a geek enough staff who doesn't
mind butchering it up. It can be plug and play to an extent
yet at the same time, if not configured properly it becomes
useless.

On the other hand, if you don't want to waste precious time
in the event of say incident response to an actual event,
then I would opt for QRadar. 

IDS/IPS is a mere buzzword. Detection comes via way of
knowledge: "Who knows/has seen, that N traffic is malicious"
often based on signatures. Then of course you get all the
nifty buzzwords: "but we use heuristic doohickey reverse
nacho cheese technology!" Prevention is a paradox. If it
did prevent, then why did you get notified via a tweet that
you were compromised before you even knew you were?

IDS works like this (in theory): Look at all logs, and all
traffic patterns. Compare this data (often) to a config
file of known knowns, if it matches what we have seen then
it MUST be an attack.

IPS works like this: Sell someone an IDS appliance or
software and tell them it's IPS. It won't stop a huge
portion of attacks since it is well... IDS but boy does
it have a cooler name.

ITS (Intrusion Tolerance) works like this: Ok, so we won't
stop them, we can't prevent them, but boy oh boy can we
tolerate them! 

All work off of a broken premise of "known knowns" and
not one vendor will ever come clean on this. 

I have had the opportunity (or misfortune take your pick)
to have analyzed quite a bit of malware, intrusions, and so
forth. I have seen how rapidly some of the attacks change,
so I know firsthand why IDS, IPS, and others fail. Now
let me be fair... IDS/IPS are good as a HSSS (new buzzword)
Hind Sight Security System, but will only prevent, and 
detect what is known.

Your best goal is to perform a combination security and
network analysis PRIOR to implementing any system. In doing
so, you create logic suitable to your environment. For
example, you have a DB that is supposed to ONLY communicate
internally, a better approach would be to go on to that
machine, and use the local machine's firewall rule to
create a rule that says: ONLY CONNECTIONS FROM HERE TO
THERE ARE ALLOWED ALL OTHERS GET BLOCKED, then alert when
something strays.

Most of these systems lack because of the design prior to,
and after their implementations. Organizations haven't
taken the time to map data, processes, and create even
a simple baseline to work with. This leads to these types
of systems (IPS, IDS, SIEM, ITS, blah blah blah) generating
all sorts of false positives. These false positives often
overwhelm the users tasked with the administration of the
systems. Thousands of alerts which often go unchecked until
it is too late.

The end.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
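The host-level allowlist the reply describes (permit only the DB host's known peers, block and log everything else, then alert on anything that strays) worked through as an added Python example; this is not code from the original post. The app subnet, jump host, port 5432 (assumed PostgreSQL) and the connection records are all constructed, and the pf rendering is one illustrative way to enforce the same baseline on a FreeBSD host.

```python
import ipaddress
import re

# Baseline from the network analysis: (proto, dst_port) -> allowed source nets.
# All addresses and ports are constructed for this example (5432 assumes PostgreSQL).
BASELINE = {
    ("tcp", 5432): [ipaddress.ip_network("10.0.1.0/24")],   # app servers
    ("tcp", 22): [ipaddress.ip_network("10.0.0.10/32")],    # jump host
}

# Constructed connection records (key=value format) as seen by the DB host.
SAMPLE_LOG = """\
2015-02-13T17:25:21 src=10.0.1.15 dst=10.0.2.5 proto=tcp dport=5432
2015-02-13T17:25:22 src=10.0.0.10 dst=10.0.2.5 proto=tcp dport=22
2015-02-13T17:25:23 src=10.0.3.77 dst=10.0.2.5 proto=tcp dport=5432
2015-02-13T17:25:24 src=203.0.113.9 dst=10.0.2.5 proto=tcp dport=22
2015-02-13T17:25:25 src=10.0.1.15 dst=10.0.2.5 proto=udp dport=161
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=\S+ proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

def parse_line(line):
    """Return a dict for one record, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_allowed(rec, baseline=BASELINE):
    """True when the (proto, dport, src) triple is covered by the baseline."""
    allowed = baseline.get((rec["proto"], rec["dport"]), [])
    return any(ipaddress.ip_address(rec["src"]) in net for net in allowed)

def find_strays(log_text, baseline=BASELINE):
    """Records outside the baseline: these are the ones worth an alert."""
    recs = (parse_line(ln) for ln in log_text.splitlines())
    return [r for r in recs if r is not None and not is_allowed(r, baseline)]

def pf_rules(baseline=BASELINE):
    """Render the same baseline as pf rules: default deny with logging, pass known peers."""
    rules = ["block in log all"]
    for (proto, port), nets in sorted(baseline.items()):
        rules.extend(f"pass in quick proto {proto} from {net} to self port {port}" for net in nets)
    return rules
```

Because the alert logic and the firewall rules are rendered from the same baseline, a stray in the log means either an unexpected peer or a baseline that was never mapped properly, which is exactly the gap the reply says most deployments skip.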
