170 likes | 190 Views
STATE OF THE PRACTICE OF INTRUSION DETECTION TECHNOLOGIES. Presented by Hap Huynh Based on content by SEI. SEI Report. Technical REPORT CMU/SEI-99-TR-028 To provide an unbiased assessment of publicly available Intrusion Detection (ID) technology. Roadmap.
E N D
STATE OF THE PRACTICE OF INTRUSION DETECTION TECHNOLOGIES Presented by Hap Huynh Based on content by SEI
SEI Report • Technical REPORT CMU/SEI-99-TR-028 • To provide an unbiased assessment of publicly available Intrusion Detection (ID) technology
Roadmap • An overview of ID from perspective of the CERT Coordination Center • Examine the current state of ID technology • Issues surrounding ID technology • Recommendations for ID sponsor, user, vendor, and research communities
Dimensions of Intrusion Detection • ID technology is immature and dynamic • ID system describe a system designed to detect attacks regardless of their success • Fundamentally, two approaches: • Signature detection identifies patterns corresponding to know attacks • Anomaly detection identifies any unacceptable deviation from expected behavior
State of the ID Market What can ID systems do? ID Product claims: • Lend a greater degree of integrity to the rest of your security infrastructure • Make sense of often obtuse system information sources • Relieve system management staff of the task of monitoring the Internet searching for latest hacker attacks • Make the security mgmt of your systems by non-expert staff possible • Provide guidelines that assist in establishing a security policy • Trace user activity from the point of entry to point of exit or impact • Recognize activity patterns reflecting known attacks and alert proper staff • Statistical analysis for abnormal activity patterns • Operating-system audit trail mgmt, recognition of of user activity reflecting policy violations Based on ICSA paper titled “An Introduction to Intrusion Detection and Assessment”
State of the ID Market What can ID systems do? ID Experts: • Detect common attacks in a reasonably timely manner • View network and system activity in real-time, identify unauthorized activity and provide a near-real-time automated response • Ability to analyze today’s activity in view of yesterday’s activity to identify larger trends and problems • Designed to be operated at the technician level but still requires considerable expertise to understand the data and know what to do in response • Discovery and detection tools that guide further investigation • Customers should not expect IDS to offer 100% protection • Gather hard data about what’s being directed at your site from remote locations, and you can use that knowledge to make informed decisions about what security controls need to be deployed • Based on 1998 Computer Security Institute round table discussion
Current IDS Market Position • “The use of IDS rose from 35% in 1998 to 42% in 1999” (CSI/FBI Computer Crime Survey 1999) • 2,700 executives, security professionals, and technology managers from 49 countries concluded that more companies are using IDS (Information Week Survey 1999)
CERT/CC IDS Team Observations CERT examined ISS RealSecure, Cisco NetRanger, Network Flight Recorder, and Shadow • IDS products based on current signature-based analysis approaches do not provide a complete intrusion detection solution but do produce useful results in specific situations and configurations
Issues Surrounding ID Technology • Increases in the types of intruder goals, intruder abilities, tool sophistication, and diversity as well as the use of more complex, subtle, and new attack scenarios • The use of encrypted messages to transport malicious information • The need to interoperate and correlate data across infrastructure environments with diverse technologies and policies • Ever increasing network traffic • The lack of widely accepted ID terminology and conceptural • Volatility in the ID marketplace which makes the purchase and maintenance of ID systems difficult
Issues Surrounding ID Technology • Risks inherent in taking inappropriate automated response actions • Attack on the ID systems themselves • Unacceptably hi-levels of false positives and false negatives, making it difficult to determine true positives • The lack of objective ID system evaluation and test information • The fact that most computing infrastructures are not designed to operate securely • Limited network traffic visibility resulting from switched local area networks. Faster networks preclude effective real-time analysis of all traffic on large pipes
ID Technology Recommendations For sponsors: • Supporting ongoing, comprehensive testing of commercial IDS and making test results publicly available • Emphasizing research funding directed towards reducing false alarms
ID Technology Recommendations For users: • Implementing a security architecture that reflects a defense-in-depth or layered approach in protecting an organization’s assets, whether or not the organization chooses to deploy an IDS • Developing clear, concise IDS requirements based on security policy and organizational needs • Configuring the IDS to maximize performance. This includes selective deployment to monitor critical assets as well as signature tuning to prevent excessive false alarms
ID Technology Recommendations For vendors: • Support initiatives to create open source signatures • Move towards the distribution model used by the anti-virus community • Spend more time and resources testing signatures and making results public • Provide measures that represent the level of confidence a user should place in an IDS’s ability to report an intrusion by type of signature or attack • Integrate human analysis as part of event diagnosis • Integrate available data sources more effectively to include information from different sensors and from different ID systems
ID Technology Recommendations For vendors: • Increase efforts to detect malicious code (email attachments, Java, ActiveX) • Increase interaction with the research community
ID Technology Recommendations For research community: • Emphasizing the integration of diverse sources of available date to reduce false alarms • Providing credible, defensible test data to support test and evaluation of IDS • Providing a taxonomy of vulnerabilities base on victim perspective rather than intruder perspective • Developing approaches for defending against sophisticated attacks such as denial of service, distributed, coordinated attacks, etc. • Developing approaches that integrate human analysis as part of even diagnosis • Developing approaches that support better detection of malicious code • Increase interaction with vendor community