# Intrusion & Extrusion Detection & Prevention

The last two years have seen an increase in new threats on our corporate and agency networks. Although perimeter security techniques are generally in place and executing as designed, perpetrators have been yet more diligent in their efforts to infiltrate the environments which contain our intellectual property, customer lists, and confidential information. Attacks from the outside are no longer the only mechanism by which espionage is occurring. Internal information espionage, or the acknowledgement of its existence, is in 2008 a topic in vogue. One need only look at the Pentagon, Department of Homeland Security, Boeing, and AIG for examples of acknowledgements in 2008 which had at their core an insider as the conduit for internal information espionage.

When network security is mentioned, what do you think about? Firewalls, routers, IDS/IPS content inspection? Routers block groups of IPs and protocols, and some firewalls can take it a step further by looking deeper into the packets. With IDS there are generally two types, signature based and rules based. Signature based systems can detect and block all known attacks. This is good information to have if you are unsure of the status of the devices on your network or if you are not up to date on patches. Rules based IDSs take a slightly different approach: they look at types of traffic in relation to the normal data stream. This again is good information; however, what if a compromise happens that is not known, and the communication then falls within normal types of traffic?

What are the 2008 Network Security Issues?

Increased Network Bandwidth – The first problem is the increase in bandwidth on today's networks. A typical medium size network with 2000 devices performing nightly backups will very likely hit 600-800 Mbps or more during its peak time.
This translates into an average of 50,000 pps, that is, 50,000 packets per second that must be deconstructed, categorized, analyzed, and checked for malicious activity. In a typical network security system, a majority of the CPU time is spent servicing the interrupts just to copy each packet from the NIC through the kernel to user space. Only after the capture and copy process can the IDS begin the CPU intensive work of deconstructing the packets for analysis. This is a significant challenge with the traditional IDS design. What typically occurs is that the network capture starts discarding packets as the speed increases, and therefore the IDS is not analyzing all the packets. Surprisingly, the discards begin around 200 Mbps, and the issue becomes worse from there. With an extremely popular open source tool like Snort, which has an effective processing capability of 300-350 Mbps, the IDS administrator has a trade-off decision: increase the speed (try to get closer to 100% packet capture) by decreasing the number of rules/signatures processed, or watch less traffic for more attacks. Either way, the decision leaves a hole in the IDS, giving data the opportunity to drive through the IDS to its destination.

Attack Detection – The second problem revolves around detecting unknown attacks. How do you detect what you don't know about? The 2007 PricewaterhouseCoopers Information Security Annual Report outlined that 40% of Chief Information Security Officers acknowledged that they don't know what they don't know. Only in single digits two years ago, this large percentage reflects the increased knowledge gained from perimeter security solutions, which now report network and information security issues in operational terms. CISOs who in the past had no knowledge of what is being reported today are now concerned about what else there is that is not currently known.
Attacks, and the communications between elements of attacks, are more sophisticated today than in 2005. Attackers' use of peer-to-peer communication, authentication and encryption is growing. Cloaking an attack is a growing technique, whether from the outside in or the inside out.

Normal – What's that? – The third problem stems from knowing what is normal. The applications, operating systems, user habits, type of business, and dozens of other variables determine what a normal traffic pattern is, so what is considered normal for one organization may be abnormal for another. What is considered normal for one customer service representative may be abnormal for another. This can even be seen between departments in the same organization.

Taking the internal network perspective, if one can accurately map out or build a profile of normal traffic, then any new behavior or communication is readily and easily detectable. To begin with, this is a difficult task. On a highly utilized network there is the additional complication of the vicious cycle stated in problem one: the product performing the profiling has to not only keep up with capturing the traffic, but then analyze each packet and compare it against a profile. As more CPU activity goes into keeping up with the copies from the NIC to user space, less CPU is available for analysis and comparison.

Trends in the Wild – If an organization is connected to the Internet, then malicious or abnormal traffic needs to be put into context with what is happening locally, nationally and globally. For example, if nationally there is an increase in udp 2489 traffic due to a recent exploit against some application, that information should be used in determining alert priorities. If it's not, are you actually detecting and protecting your enterprise from an attack?
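As an added example (not code from the original article), the two ideas above in working form: build a profile of normal internal communications from a training window, flag flows that fall outside it, and raise the priority of anything on a port that is trending in the wild, such as the udp 2489 case. The flow records, hosts and the single threat-feed entry are constructed for this example.

```python
from collections import Counter

# Constructed training flows: (src, dst, proto, dport, bytes). Not real data.
BASELINE_FLOWS = [
    ("10.0.1.15", "10.0.9.5", "tcp", 445, 120_000),   # file server
    ("10.0.1.15", "10.0.9.7", "tcp", 1433, 80_000),   # database
    ("10.0.1.15", "10.0.9.9", "udp", 53, 1_500),      # DNS
    ("10.0.1.22", "10.0.9.5", "tcp", 445, 95_000),
    ("10.0.1.22", "10.0.9.9", "udp", 53, 2_000),
]

# Constructed "trends in the wild" feed: (proto, port) -> why it is trending.
TRENDING_PORTS = {("udp", 2489): "recent exploit against some application"}


def build_profile(flows):
    """Profile of normal: the set of observed 4-tuples and bytes sent per source."""
    pairs, volume = set(), Counter()
    for src, dst, proto, dport, nbytes in flows:
        pairs.add((src, dst, proto, dport))
        volume[src] += nbytes
    return {"pairs": pairs, "volume": volume}


def score_flows(profile, flows, spike_factor=3.0):
    """Flag flows that deviate from the profile and rank them.

    Assumes the observation window is the same length as the training window,
    so per-source byte totals are directly comparable.
    """
    alerts, sent = [], Counter()
    for src, dst, proto, dport, nbytes in flows:
        sent[src] += nbytes
        reasons = []
        if (src, dst, proto, dport) not in profile["pairs"]:
            reasons.append("new communication pair")
        baseline = profile["volume"].get(src)
        if baseline is not None and sent[src] > spike_factor * baseline:
            reasons.append("outbound volume spike")
        trending = TRENDING_PORTS.get((proto, dport))
        if trending:
            reasons.append("trending port: " + trending)
        if reasons:
            # A local anomaly that also matches wider context outranks either alone.
            severity = "high" if trending or len(reasons) > 1 else "medium"
            alerts.append({"flow": (src, dst, proto, dport),
                           "severity": severity, "reasons": reasons})
    return alerts
```

Replaying the training flows through `score_flows` produces no alerts; a known host talking to an outside address on udp 2489 is flagged high, while a known pair that suddenly triples its outbound volume is flagged medium.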
Administrative and Resource Management – In a one or two sensor network, individually managing the rules, configurations and alerts may not be all consuming. However, think about how many man hours are involved in managing a dozen sensors, two dozen, 100 sensors or more. Downloading rules, configuring them, and pushing them out to different sensors with different focuses is a full time job. Doing so in a technological taxonomy, as opposed to an operational, user or role based taxonomy, gives an operational technical staff member the opportunity to impact operational business development or management activity without knowing the possible larger business impact. Not having real-time or over-time trending analysis information makes for a precarious network security support environment, whereby the team may be attempting to do the right thing without having the context of the actual business impact of the management or mismanagement of a sensor, two dozen or hundreds of them.

Never Ending Complexity – The carpet is constantly shifting. Additional 2008 issues include:

Keeping up with the rate of change and increasing complexity in a budgetary environment of cost containment for a rising bottom line, which provides the environment for missing a single issue.