The Evolution of Intrusion Detection Systems
I am currently working with a client who asked me to choose an intrusion detection system (IDS) to deploy in their environment. I have been working with intrusion detection since it was virtually unknown, so it would seem the decision would be quite simple. On the contrary, with all of the different components and vendors to choose from, IDS offerings have become pretty complex. That led me to wonder how IDS technology has progressed to its current state. So, I invested some time trying to figure it out. Now that I have, let me tell you, it is enough to induce a headache. Nonetheless, I wrote this article to share my findings with you. If you are ready for a discussion about the evolution of IDS, then read on
|
|
The Great IDS Debate : Signature Analysis Versus Protocol Analysis
Intrusion detection systems (IDS) have rapidly become a crucial component of any network defense strategy. Over the past few years, their popularity has soared as vendors have refined their results and increased performance capabilities. At the heart of intrusion detection systems lies the analysis engine. It reviews each packet, determines if it is malicious, and logs an alert if necessary - the core tasks of an IDS. Two different IDS techniques, each favored by separate and loyal camps, have emerged as the preferred engine behind the software. Despite the copious marketing material and fiery online debates, each method has distinct strengths and weaknesses. In this article, we'll examine and compare the two different techniques: signature analysis and protocol analysis.
|
|
Understanding IDS Active Response Mechanisms
Debates still rage in the developer community over which methods of detecting attackers are best, but IDS customers as a whole are satisfied with the current IDS technology. To get an edge on the competition, many of the IDS vendors are adding active response capabilities to their products. The concept underlying this tactic is that the IDS will detect an attacker and then move to stop his attack. The problem is that any attacker with a basic knowledge of TCP/IP can easily defeat these mechanisms directly or simply knock the network offline often enough that the Admin is forced to turn off the feature. It is important for Admins to know the limitations of active response mechanisms to avoid being blindsided by them.
|
|
Evaluating Network Intrusion Detection Signatures, Part One
Over the past several years, a number of academic and commercial entities have conducted evaluations of various network intrusion detection (NID) software, to determine the overall effectiveness of each product and to compare the products to each other. Many system administrators and security analysts are also responsible for conducting their own evaluations of NID products, in order to choose a solution for deployment in their environments. NID evaluations typically include some rough indication of the relative quality of each product's signatures. However, high signature quality is critical to achieving a good NID solution, so the importance of accurately evaluating signature quality cannot be stressed strongly enough.
|
|
Evaluating Network Intrusion Detection Signatures, Part Two
In this series of articles, we present recommendations that will help readers to evaluate the quality of network intrusion detection (NID) signatures, either through hands-on testing or through careful consideration of third-party product reviews and comparisons. The first installment discussed some of the basics of evaluating NID signature quality, as well selecting attacks to be used in testing. This article will conclude the discussion on criteria for choosing attacks and then provide recommendations for generating attacks and creating a good testing environment. We begin by discussing some methods of acquiring attacks and attack traffic.
|
|
Evaluating Network Intrusion Detection Signatures, Part Three
In this three-part series of articles, we are presenting recommendations that will help readers to evaluate the quality of network intrusion detection (NID) signatures, either through hands-on testing or through careful consideration of third-party product reviews and comparisons. The first installment discussed some of the basics of evaluating NID signature quality, as well as selecting attacks to be used in testing. The second installment concluded the discussion of criteria for choosing attacks and provided recommendations for generating attacks and creating a good testing environment. This article will wrap up the series by examining other ways of generating attacks with other security-related tools and by manually creating your own attacks.
|
|
Host Integrity Monitoring: Best Practices for Deployment
The purpose of this article is to highlight the important steps and concepts involved in deploying a host integrity monitoring system. Being aware of these concepts can mean the difference between a useful deployment, and one that is rendered ineffective or more trouble than it is worth.
|
|
Identifying and Tracking Emerging and Subversive Worms Using Distributed Intrusion Detection Systems
Worms continually become more sophisticated, as new propagation methods and stealth techniques are developed and implemented. As worms continue to evolve, so must our ability to detect and track them. One solution is the use of distributed intrusion detection systems (dIDS) to identify new and emerging worms that utilize new subversive propagation techniques. This paper will discuss how and why the dIDS design is able to identify, detect, and track worms even as they implement more advanced propagation methods.
|
|
|
|
IDS Terminology, Part Two: H - Z
This is the second of two articles intended to introduce readers to some IDS terminology, some of it basic and relatively common, some of it somewhat more obscure. (To see the first article, please click here.) As a result of the speed of growth of IDSs, and the marketing prowess of some IDS vendors, come confusion has arisen about the proper meaning of certain terms: the same term may be used by different vendors to mean different things. Wherever possible, I have tried to include all terms except where I consider usage of the term to be inaccurate or misleading. This is a living document: if I'm missing any terms or you wish to discuss my interpretation please don't hesitate to contact me.
|
|
Justifying the Expense of IDS, Part One: An Overview of ROIs for IDS
A positive return on investment (ROI) of intrusion detection systems (IDS) is dependent upon an organization's deployment strategy and how well the successful implementation and management of the technology helps the organization achieve the tactical and strategic objectives it has established. For organizations interested in quantifying the IDS's value prior to deploying it, their investment decision will hinge on their ability to demonstrate a positive ROI. ROI has traditionally been difficult to quantify for network security devices, in part because it is difficult to calculate risk accurately due to the subjectivity involved with its quantification. Also, business-relevant statistics regarding security incidents are not always available for consideration in analyzing risk.
|
|
Justifying the Expense of IDS, Part Two: Calculating ROI for IDS
This article is the second of a two-part series exploring ways to justify the financial investment in IDS protection. In part one of this series we discussed general IDS types and expanded on the impact that the logical location of a company's critical networked assets could have on the risk equations. To this end we introduced the Cascading Threat Multiplier (CTM) to expand on the Single Loss Expectancy (SLE) equation. We also reviewed implementation and management costs based on various support profiles and reviewed the commonly accepted risk equations. Finally, we left off with the basic formula for calculating ROI for security, otherwise commonly known as Return on Security Investment (ROSI).
|
|
Managing Intrusion Detection Systems in Large Organizations, Part One
We put this two-part series of articles together to discuss our experiences working with larger organizations so that we may all learn and benefit from them. As security professionals, we are bound to protect the confidentiality of our clients, and thus the names of these parties will not be disclosed in this article.
|
|
Managing Intrusion Detection Systems in Large Organizations, Part Two
This is the second part of a two-part series devoted to discussing the implementation of intrusion detection systems in large organizations. In the first installment, we looked at some of the challenges of planning, integrating, and deploying IDSs in a large organization. In this installment, we will look at managing agents in a distributed environment, managing data from multiple IDS packages, and correlating data from distributed agents.
|
|
Page: 1 2 3 4 5
|
Actions
Category Stats