intrusion detection 2001

1. Intrusion Detection
   CTO Forum, November 9, 2001
   Tom Casey, 703.679.4900

2. Agenda
   - Risks Associated with E-business
   - Elements of an Intrusion Detection Strategy
   - Misuse and Anomaly Detection
   - Application, Host, and Network Based Tools
   - Active and Passive Response
   - Intrusion Detection System Architecture
   - Technical and Legal Issues
   - Commercial and Open Source ID Systems

3. Reported Incidents
   [Chart: Number of Incidents Reported per year, 1988 through 2001 (*2001 covers Q1-Q3 only; statistics as of October 15, 2001). Y axis: Number of Incidents, 0 to 35,000. Data labels visible on the chart: 132; 2,412; 21,756; 34,754.]

4. Risks Associated with E-business
   - Defaced websites
   - Denial of Service / DDoS
   - Theft of company proprietary information
   - Theft of customer information
   - Downtime = loss of revenue
   - Negative press = negative public image
   - Internal and external threats

5. History of Intrusion Detection
   - Intrusion Detection (ID) defined: the process of monitoring computer networks and systems for violations of security policy
   - First ID system: manual system audits
   - 1980: ID was born; first documented need for automated audit trail review to support security goals
   - Growth of the Internet

6. The Importance of Intrusion Detection
   - A perfectly secure system is a myth
   - Firewalls and filtering routers aren't enough to protect electronic assets
   - Effective audit information analysis requires a tool
   - An IDS is one of many components supporting a robust security architecture (Defense in Depth): firewalls, VPN, virus protection, vulnerability assessments, etc.
   - Protect valuable information resources from internal and external threats

7. An IDS can accomplish the following
   - Prevents and/or mitigates the damage resulting from intrusion
   - Identifies a precursor of more serious activity
   - Identifies perpetrators
   - Discovers new attack patterns

8. Elements of a Complete Intrusion Detection Strategy
   - Policy! Policy is living, constantly evolving; ID configuration/design must support policy
   - Intrusion Detection System (IDS) architecture
   - Institutionalized incident response: responses map to policy; working with law enforcement; CERTs
   - Trained security personnel
   - Awareness programs: support from users

9. Time Line of an Attack
   - Probing: port sweeps, address sweeps, doorknob rattling
   - Break-in: operating system bugs, sniffed passwords, social engineering, back door
   - Malicious actions: steal data or programs, hop to other systems, install back door, set up sniffer, steal CPU time

10. Misuse Detection
   - Misuse: signature/pattern matching
   - Reliably detects known use patterns
   - Detects only known intrusions
   - Difficulty handling large volumes of data
   - Does not handle uncertainty

11. Anomaly Detection
   - Establish a profile of normal user behavior
   - Patterns of abnormality: rare, unusual behavior
   - Accommodate adaptations to changes in user behavior
   - Statistical and quantitative analysis
   - Assumes users exhibit predictable, consistent patterns of system usage

12. Anomaly Detection (cont.)

   User                  Normal Behavior                                        Anomaly in User Behavior
   --------------------  -----------------------------------------------------  -----------------------------------------
   System Administrator  Logs in as root; edits users' access permissions;     Becomes a programmer; accesses software
                         runs system configuration/monitoring tools            development tools; accesses software
                                                                                project sources
   Secretary             Logged in locally during company working hours;        Logs in from a remote host; assumes the
                         uses office automation software (word processing,      role of a manager
                         etc.); reads and sends emails
   Programmer            Logged in from early morning to late night; uses       Logs in as a human resources manager;
                         software development tools; browses the Internet       gains access to personnel database
                         more often in the evening than in the daytime

13. Intrusion Detection Tools
   - Application-based: collects information and detects intrusion at the application layer. Placement: e-commerce server, web server
   - Host-based: agent software on the host. Monitors event logs, critical system files, registry settings, etc. Alerts the management console; reacts actively and/or passively depending upon policy
   - Network-based: operates at the network level. Detects DoS or dangerous payloads before they reach their destination. Dedicated host with two interfaces: management and stealth

14. Active Responses
   - User-driven
   - Automatic responses: the system takes action to block the progress of an attack
   - Closing holes, shutting down services, logging out an intruder
   - Block IP address(es)
   - Collect more information (honey pots)

15. Passive Responses
   - System logs and reports the problem
   - Alarms and notification: visual, audible, email, pager
   - SNMP traps
   - Archiving and reporting

16. IDS Architecture Recommendations
   - Network-based: at Internet connection points; key internal network segments; in the DMZ; just inside the firewall (intranet); behind WAP server, WAN router, modem pool
   - Host-based: servers containing critical data; domain servers
   - Optimum architecture: combine misuse and anomaly detection

17. Sample IDS Architecture
   [Diagram components: Internet; Router; Firewall; DMZ services (Web Server(s), Email Relay, Border Directory); Corporate Private Network (Domain Controller, Personnel Database, Customer Database, Web Server(s), File and Print Server, User Workstations); Host IDS Agents; Network Sensors in stealth mode; IDS Central Management Console.]

18. Technical Issues
   - Scalability: scaling over space as the network grows
   - Management: network management, sensor controls, investigative support, performance loads, user interface
   - Reliability: quality of analysis engines, response mechanisms

19. Technical Issues (cont.)
   - Analysis: difficulties categorizing attacks/threats; false positives/negatives (tuning anomaly detection engines); trend analysis, event correlation, data mining
   - Interoperability: tools to collect information from multiple abstraction layers, hardware, software; audit trail standards
   - Integration: intrusion detection in a switched environment; intrusion detection in a crypto environment

20. Legal Issues
   - Legislation: computer fraud and abuse statutes; Electronic Communications Privacy Act, Sec. 2510
   - System logs are circumstantial evidence: requires proof of authenticity; testimony of responsible parties; expert to explain log file contents; maintaining redundant event log records
   - Electronic monitoring: system admin monitoring vs. law enforcement monitoring
   - Cyber forensics

21. Commercial and Open Source
   - Leading commercial vendors: Internet Security Systems (ISS): RealSecure; NetworkICE: BlackICE; Enterasys Systems: Dragon; Cisco Secure Systems: IDS; NFR: Network Intrusion Detection
   - Open Source
   - Managed Security Providers (MSPs): leverage the MSP's security expertise; ideal for small/mid-sized business; leverage MSP experience with other customers; focus your staff and resources on your core business activities; 24x7x365 monitoring and notification

22. Current and Future Trends in IDS
   - Protocol scanners
   - Meta detection
   - Interoperability
   - Centralized administration, management, and reporting
   - IDS appliances: no general-purpose OSes to configure and maintain; no patches/drivers to install; facilitates accuracy, speed, and remote management
   - 100 Gigabit detection

23. References
   - Internet Security Systems:
   - Enterasys Networks:
   - Cisco Systems:
   - Snort:
   - NFR Security
   - CERT @ Carnegie Mellon:
   - SANS Institute: The Twenty Most Critical Internet Security Vulnerabilities
   - Computer Security Institute: "2001 Computer Crime and Security Survey"

24. Web-Enabling Government SM
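Slides 10 through 12 contrast the two detection approaches without showing either in code. The block below is an added example, not part of the deck: a toy misuse detector that matches known signatures, a toy anomaly detector built from per-role profiles modelled on the slide 12 table, and a statistical volume check of the kind slide 11 calls "statistical and quantitative analysis". All audit records, signatures, profile contents and threshold values are constructed assumptions for the demonstration.

```python
"""Misuse (signature) detection beside anomaly (profile) detection over
constructed audit records. Added example; not from the slide deck."""
import re
import statistics
from dataclasses import dataclass


@dataclass
class AuditEvent:
    """One constructed audit record (not real data)."""
    user: str
    role: str
    hour: int       # hour of day the event occurred, 0-23
    source: str     # "local" or "remote"
    tool: str       # category of program used
    detail: str     # free text: command line, URL or query


# Misuse detection (slide 10): match known bad patterns. Two constructed
# signatures stand in for a real signature database.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "shell-in-request": re.compile(r"cmd\.exe|/bin/sh", re.IGNORECASE),
}


def misuse_alerts(events):
    """Return (user, signature name) for every event matching a known signature.
    Only patterns already in SIGNATURES can ever fire: unknown attacks are missed."""
    hits = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev.detail):
                hits.append((ev.user, name))
    return hits


# Anomaly detection (slides 11-12): per-role profile of normal behaviour.
# Hours, sources and tools per role are assumptions modelled on slide 12.
PROFILES = {
    "sysadmin":   {"hours": range(0, 24), "sources": {"local", "remote"},
                   "tools": {"root-shell", "permissions", "sysconfig"}},
    "secretary":  {"hours": range(8, 18), "sources": {"local"},
                   "tools": {"word-processor", "email"}},
    "programmer": {"hours": range(6, 24), "sources": {"local", "remote"},
                   "tools": {"editor", "compiler", "browser"}},
}


def anomaly_alerts(events):
    """Return (user, reason) for each way an event departs from its role profile.
    No signature is needed, but any legitimate change of habit is also flagged."""
    alerts = []
    for ev in events:
        profile = PROFILES.get(ev.role)
        if profile is None:
            alerts.append((ev.user, "unknown-role"))   # no baseline to judge against
            continue
        if ev.hour not in profile["hours"]:
            alerts.append((ev.user, "off-hours"))
        if ev.source not in profile["sources"]:
            alerts.append((ev.user, "unusual-source"))
        if ev.tool not in profile["tools"]:
            alerts.append((ev.user, "unusual-tool"))
    return alerts


def is_volume_anomaly(baseline_counts, observed_count, k=2.0):
    """Statistical check: observed event volume exceeds mean + k * stdev of baseline."""
    if len(baseline_counts) < 2:
        return False   # too little history to estimate a spread; stay silent
    mean = statistics.mean(baseline_counts)
    spread = statistics.stdev(baseline_counts)
    return observed_count > mean + k * spread


# Constructed sample audit trail.
SAMPLE_EVENTS = [
    AuditEvent("alice", "sysadmin", 10, "local", "root-shell", "su -"),
    AuditEvent("bob", "secretary", 9, "local", "word-processor", "open memo.doc"),
    AuditEvent("bob", "secretary", 23, "remote", "email", "read mailbox"),
    AuditEvent("carol", "programmer", 20, "remote", "compiler", "gcc main.c"),
    AuditEvent("carol", "programmer", 11, "local", "hr-database", "SELECT * FROM personnel"),
    AuditEvent("dave", "programmer", 14, "local", "browser", "GET /images/../../config.txt"),
    AuditEvent("alice", "sysadmin", 3, "remote", "compiler", "make"),
]

if __name__ == "__main__":
    print("misuse:", misuse_alerts(SAMPLE_EVENTS))
    print("anomaly:", anomaly_alerts(SAMPLE_EVENTS))
    print("volume spike:", is_volume_anomaly([3, 4, 3, 5, 4, 3, 4], 12))
```

On the sample trail the signature detector fires once (dave's traversal request), while the profile detector flags bob's after-hours remote login, carol's use of the personnel database, and alice the administrator acting as a programmer, none of which any signature would catch. The false-positive cost is visible too: the same rule that catches alice would also fire on a legitimate administrator who simply starts compiling software, which is why slide 19 lists tuning anomaly engines as a technical issue.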

