You are watching your favorite news channel and the breaking news for that day is about a "bandit" who broke into a 7-Eleven store and made away with a case of warm beer. Reports state that the unidentified hoodlum used a bat to break the glass door, which triggered the alarm, and as he rushed into the store to grab his loot the camera recorded his every move. The picture is a little blurred, but you could identify him if you knew him. The local PD is appealing to the community to help apprehend the suspect. Now to link that story to what intrusion detection systems (IDS) are: the alarm system that went off after he broke the front door and the CCTV that captured the burglar's every move can both be considered intrusion detection systems. The alarm detected the break-in and the CCTV recorded the burglary. Both systems only "detected" and "recorded"; neither stopped the burglar from breaking and entering. The local PD used one of the detection systems (the cameras) to try to resolve the case, and the convenience store owner, and possibly law enforcement, were notified of the break-in by the alarm going off.
IDS depiction photo: courtesy of IBM Systems Magazine
So the definition of an IDS is a system that flags any anomaly or suspicious activity that is deemed harmful to the network or devices being monitored. SANS Critical Security Control number 12 (CSC 12) covers boundary defense, and one of the line items under this control is the deployment of intrusion detection systems (IDS sensors). An IDS looks for anomalies within traffic and reports or alerts on the observed "issues".
IDS can be classified into two categories based on how they are deployed: Host-Based Intrusion Detection Systems (HIDS) and Network-Based Intrusion Detection Systems (NIDS).
HIDS is when the system is deployed at the host level (endpoint), for example on workstations, while NIDS is when the solution is deployed at the perimeter level, for example in the demilitarized zone (DMZ) or at the edge of the network. NIDS yield more false-positive alerts due to the way they work: they attempt to read the network activity pattern to determine what is normal and what isn't.
Whether a system is deployed at the host or network level, both analyze traffic using either signatures or anomalies (patterns). Signature-based analysis entails pattern matching. The IDS has predefined signatures that are matched against the observed traffic, and if there is a "hit", the system flags that traffic as bad. The signature may match known malicious IP addresses or domains, malicious files, or web requests, just to mention a few. The downside of this technique is that if there is no matching signature, as is the case with zero-day exploits (newly discovered, unpublished), the system will miss the attack. Regular updates are required with this technique to ensure that the system covers most types of attacks out in the wild. The advantage of the technique is that it is not resource intensive and, apart from the regular updates, does not require much maintenance. A well-known open source IDS solution that utilizes signature-based techniques is Snort. With Snort, you can subscribe to receive regular updates that are pushed to the system to correct existing signatures (if needed) and add new signatures for threats that have since been published.
Anomaly-based (a.k.a. behavior-based) detection works by first establishing a baseline and then generating alerts whenever that baseline is breached. The anomaly-based technique is good for detecting new threats, like the zero-day exploits that signature-based techniques miss. The problem with this technique is that it requires a lot of processing power, since it is constantly comparing the current activity to the baseline. It is also prone to a lot of false-positive triggers in environments that experience frequent changes.
Current IDS systems tend to utilize both analysis techniques to maximize the effectiveness of the system. These systems keep signatures in their database and also monitor the traffic to capture any trend that forms an anomaly relative to the baseline. This type of system is more resource intensive, but it is more effective at detection than systems that employ only one technique.
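The following is an added example written for this post, not Snort's code or any product's, that runs both techniques described above over constructed connection records: a small signature list (matching a destination IP, a domain and a web-request pattern, the three kinds of signatures the text mentions) plus an anomaly engine that learns a per-host baseline of connections per minute and alerts when a later window exceeds it. The signature set, the 60-second window, the 300-second learning period, the K and SLACK thresholds, and every IP, host name and timestamp are assumptions chosen for the example.

```python
# Toy hybrid IDS: signature matching plus a baseline-driven anomaly check.
# Added illustration for this post, not Snort's code or any product's. The
# signature set, window size, baseline period, K and SLACK are assumptions;
# every connection record below is constructed sample data.
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int         # seconds since start of capture
    src_ip: str
    dst_ip: str
    dst_port: int
    host: str       # HTTP Host header / TLS SNI
    uri: str

@dataclass(frozen=True)
class Alert:
    kind: str       # "signature" or "anomaly"
    rule: str
    src_ip: str
    detail: str

# Signature side: assumed indicators (RFC 5737 address and a reserved .example name).
BAD_IPS = {"203.0.113.9"}
BAD_DOMAINS = {"malware.example"}
SIGNATURES = [
    ("sig-1", "known bad destination IP", lambda e: e.dst_ip in BAD_IPS),
    ("sig-2", "known bad domain", lambda e: e.host in BAD_DOMAINS),
    ("sig-3", "path traversal in web request", lambda e: "../" in e.uri),
]

# Anomaly side: tuning assumptions.
WINDOW = 60          # seconds per counting window
BASELINE_END = 300   # events before this timestamp train the baseline
K = 3.0              # standard deviations above the mean before alerting
SLACK = 2            # absolute slack so a std of 0 does not alert on one extra connection

def signature_alerts(events):
    """Every event is checked against every signature; a hit is an alert."""
    return [Alert("signature", rule_id, e.src_ip, f"{msg}: {e.dst_ip} {e.host}{e.uri}")
            for e in events for rule_id, msg, match in SIGNATURES if match(e)]

def _counts_per_window(events, keep):
    per_src = defaultdict(Counter)
    for e in events:
        if keep(e.ts):
            per_src[e.src_ip][e.ts // WINDOW] += 1
    return per_src

def build_baseline(events):
    """Per source: (mean, population std) of connections per window in the baseline period."""
    n_windows = BASELINE_END // WINDOW
    baseline = {}
    for src, counter in _counts_per_window(events, lambda ts: ts < BASELINE_END).items():
        counts = [counter.get(w, 0) for w in range(n_windows)]   # quiet windows count as 0
        baseline[src] = (statistics.fmean(counts), statistics.pstdev(counts))
    return baseline

def anomaly_alerts(events, baseline):
    """Flag monitoring windows that breach the baseline, and sources that have none."""
    alerts = []
    for src, counter in _counts_per_window(events, lambda ts: ts >= BASELINE_END).items():
        for w, count in sorted(counter.items()):
            if src not in baseline:
                alerts.append(Alert("anomaly", "unseen-source", src,
                                    f"{count} connection(s) in window {w}, no baseline"))
                continue
            mean, std = baseline[src]
            threshold = mean + K * std + SLACK
            if count > threshold:
                alerts.append(Alert("anomaly", "rate-spike", src,
                                    f"{count} connections in window {w} vs threshold {threshold:.1f}"))
    return alerts

def run_hybrid_ids(events):
    """Signatures see all traffic; the anomaly engine learns first, then judges."""
    return signature_alerts(events) + anomaly_alerts(events, build_baseline(events))

def _constructed_events():
    ev = []
    for w in range(BASELINE_END // WINDOW):          # steady benign baseline traffic
        t = w * WINDOW
        ev.append(Event(t + 5, "10.0.0.5", "198.51.100.20", 443, "www.example.com", "/"))
        ev.append(Event(t + 30, "10.0.0.5", "198.51.100.20", 443, "www.example.com", "/index.html"))
        ev.append(Event(t + 10, "10.0.0.7", "198.51.100.20", 443, "www.example.com", "/"))
    for i in range(20):                              # burst from a host with a baseline
        ev.append(Event(300 + i, "10.0.0.5", "198.51.100.20", 443, "www.example.com", f"/p{i}"))
    ev.append(Event(310, "10.0.0.7", "203.0.113.9", 80, "malware.example", "/"))   # two signature hits
    ev.append(Event(320, "10.0.0.9", "198.51.100.20", 443, "www.example.com", "/../../etc/passwd"))
    return ev

SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for a in run_hybrid_ids(SAMPLE_EVENTS):
        print(f"[{a.kind}] {a.rule} src={a.src_ip}: {a.detail}")
```

Running the block prints three signature alerts (the bad IP, the bad domain and the traversal request) and two anomaly alerts (the burst from 10.0.0.5, which exceeds its learned threshold of 4 connections per window, and 10.0.0.9, which has no baseline at all). The example also shows the two weaknesses the post describes: the signature list only catches what is already in it, so it has to be updated, and the baseline is only as good as the period it was learned from, so a host that was already misbehaving during the learning window would have its behaviour recorded as "normal", and a change in the environment after learning shows up as a false positive until the baseline is rebuilt.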
Conclusion
Both host- and network-based IDS provide a level of protection that can be beneficial to any organization. Some cons of one system can be countered by deploying the other as a complement. For example, a NIDS may not be able to inspect encrypted traffic traversing the wire, but a HIDS may be able to, since the host exposes the already decrypted traffic to the host-based IDS. If possible, a business would be better off deploying both solutions as part of a defense-in-depth strategy. In cases where the budget does not allow it, a small business should deploy a network-based IDS first and then add a host-based system when possible. The network-level intrusion detection system provides much broader coverage for the entire business at a lower cost than the host-based system, which requires a sensor to be deployed on each host. With a network-based system, the sensor(s) can be deployed at the entry point, which covers all outbound traffic from the internal network and all inbound traffic from the outside world.
As with any IDS solution, the ultimate effectiveness of the chosen solution, be it host- or network-based, depends on the people who review its alerts and act on them.
References
The CIS Critical Security Controls for Effective Cyber Defense Now. (n.d.). Retrieved February 21, 2016, from the SANS website: https://www.sans.org/critical-security-controls