AlienVault, profile picture
Uploaded byAlienVault
PPTX, PDF1,257 views

IDS for Security Analysts: How to Get Actionable Insights from your IDS

The document discusses best practices for intrusion detection systems (IDS). It recommends a three phase process: collection, evaluation, and tuning. In the collection phase, an IDS gathers baseline data for 2 weeks. In evaluation, valuable and actionable events are identified based on policy, risk, and environment. Trending helps eliminate normal activity. Tuning removes unnecessary events to reduce false positives and save time through threshold adjusting and awareness of network details. Updates may require periodic re-evaluation and tuning to account for changes.

Embed presentation

Downloaded 54 times
“JTaG” Our Speakers Joe Schreiber AlienVault Director of Solutions Architecture @pkt_inspector Tony Simone Castra Consulting Managing Partner castraconsulting.com Grant Leonard Castra Consulting Managing Partner castraconsulting.com
Before Day 1 Day 0 Day 0 doesn’t exist….in this presentation
INSTALLATION
It’s where you put things…. Installation [Day 0] 1. Pre-install checklist 2. Where (inside/outside, core/perimeter) 3. Tap/span/port-mirror 4. How much traffic can you handle / ROI
Day 1
They make events Intrusion Detection Systems Lots of Events • Placement - Where is it deployed? • Inspection - Traffic Inspected
Don’t other things generate events? What Makes IDS Different? Firewalls • Access Control Proxies • URLs IDS • Malware • Network Policy • Active Exploits • URLs (also) • Applications
I’m positively false…or am I? False Positives What is it? • Invalid? • Relevance? Signature Sets Environment CiiT International Journal of Artificial Intelligent Systems and Machine Learning , Vol 2, No 11, November 2010 Precision = TP (TP + FP)
The Process Collection Evaluation Tuning
Phase I - Collection
Gather all the things Acquisition Baselining Soak Period Maintenance Period
I want to investigate now! Why? You need data! • How long do I do this for? - 2 weeks? Patterns Sorting • Volume • IP
Phase II - Evaluation
What’s valuable? Evaluation What events are valuable and actionable? • Policy (Network) - Acceptable or Indifferent • Risk - Assets - Signatures by perceived risk • Environment - Servers - Users
What’s normal can be eliminated Trending Historical Record from Phase I • ?Normal? Activity • Scheduled Activities (Backups, Cron Jobs…) Trending is in Flux..
Stakeholders Discuss Get Stakeholders Involved • The First Time Create Notification Paths Build Relationships Taxonomy can help for Future Events
Phase III – Tuning
What is it? Tuning Removal of Events • Avoid FP • Saves Time Threshold Adjusting • Volumes • Risk Scoring Network Awareness • Subnets • VLANs
Save time Filtering Granularity • Use the closest match when tuning • Don’t blind yourself Documentation • Why did you tune this? • Time
Repeat
Things will happen Updates New Signatures are released often • New Events to Evaluate and Tune Your network changes as servers are added / removed • Tuning re-evaluation
The Loop
Inter-Process
But remember you’re special. You Are Not Alone Business Policies • Change Control • Clearance - Avoid These (Time Burglars) Passive Detection • Needs to Stay Up-to-Date
It’s all Unicorns and Rainbows! You’re gonna see crazy stuff Stick to the Process Document Tune Move On!
ASSET DISCOVERY • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory VULNERABILITY ASSESSMENT • Continuous Vulnerability Monitoring • Authenticated / Unauthenticated Active Scanning BEHAVIORAL MONITORING • Log Collection • Netflow Analysis • Service Availability Monitoring SECURITY INTELLIGENCE/SIEM • SIEM Event Correlation • Incident Response THREAT DETECTION • Network IDS • Host IDS • File Integrity Monitoring USM Platform Integrated, Essential Security Controls
The world’s largest crowd- sourced threat repository Provides access to real-time, detailed information about threats and incidents from over 8,000 collection points across 140 countries Enables security professionals to share threat data and benefit from data shared by others Open Threat Exchange (OTX)
Integrated Threat Intelligence Reduced Noise: Correlating IDS/IPS data with vulnerability & IP reputation reduces false positives Full Threat Context: See attack type, number of events, duration, source/destination IP addresses Threat Research: Weekly updates to IDS signatures & correlations rules from AlienVault Labs Threat Research Team Full Coverage: Inspect traffic between devices, not just at the edge Flexible: Integrate your existing IDS/IPS events, and/or use the built-in IDS
Questions? More on this topic:  IDS “Ask the Experts” Google Hangout 3/24  Free 30-Day Trial of AlienVault USM: www.alienvault.com/IDS  Video: IDS Best Practices  Blog Post: Open Source IDS Tools  Follow @alienvault & @pkt_inspector

More Related Content

PPTX
Improve threat detection with hids and alien vault usm
byAlienVault
 
PPTX
Incident response live demo slides final
byAlienVault
 
PPTX
Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
PPTX
Improve Threat Detection with OSSEC and AlienVault USM
byAlienVault
 
PDF
Open Source IDS Tools: A Beginner's Guide
byAlienVault
 
PPTX
Malware detection how to spot infections early with alien vault usm
byAlienVault
 
PPTX
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
byAlienVault
 
PPTX
Improve Situational Awareness for Federal Government with AlienVault USM
byAlienVault
 
Improve threat detection with hids and alien vault usm
byAlienVault
 
Incident response live demo slides final
byAlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
Improve Threat Detection with OSSEC and AlienVault USM
byAlienVault
 
Open Source IDS Tools: A Beginner's Guide
byAlienVault
 
Malware detection how to spot infections early with alien vault usm
byAlienVault
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
byAlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
byAlienVault
 

What's hot

PPTX
AWS Security Best Practices for Effective Threat Detection & Response
byAlienVault
 
PPTX
Alienvault threat alerts in spiceworks
byAlienVault
 
PPTX
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
byAlienVault
 
PPTX
Configuring Data Sources in AlienVault
byAlienVault
 
PPTX
Creating Correlation Rules in AlienVault
byAlienVault
 
PPTX
How Malware Works
byAlienVault
 
PPTX
Six Steps to SIEM Success
byAlienVault
 
PPTX
Beginner's Guide to SIEM
byAlienVault
 
PPTX
How to Solve Your Top IT Security Reporting Challenges with AlienVault
byAlienVault
 
PPTX
Improve Security Visibility with AlienVault USM Correlation Directives
byAlienVault
 
PPTX
How to Detect SQL Injections & XSS Attacks with AlienVault USM
byAlienVault
 
PPTX
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
byAlienVault
 
PPTX
How to Detect System Compromise & Data Exfiltration with AlienVault USM
byAlienVault
 
PDF
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
byAlienVault
 
PPTX
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
byAlienVault
 
PPTX
Otx introduction sw
byAlienVault
 
PPTX
How to Simplify Audit Compliance with Unified Security Management
byAlienVault
 
PPTX
Automating Critical Security Controls for Threat Remediation and Compliance
byQualys
 
PPTX
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
byAlienVault
 
PPTX
SIEM 101: Get a Clue About IT Security Analysis
byAlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
byAlienVault
 
Alienvault threat alerts in spiceworks
byAlienVault
 
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
byAlienVault
 
Configuring Data Sources in AlienVault
byAlienVault
 
Creating Correlation Rules in AlienVault
byAlienVault
 
How Malware Works
byAlienVault
 
Six Steps to SIEM Success
byAlienVault
 
Beginner's Guide to SIEM
byAlienVault
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
byAlienVault
 
Improve Security Visibility with AlienVault USM Correlation Directives
byAlienVault
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
byAlienVault
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
byAlienVault
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
byAlienVault
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
byAlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
byAlienVault
 
Otx introduction sw
byAlienVault
 
How to Simplify Audit Compliance with Unified Security Management
byAlienVault
 
Automating Critical Security Controls for Threat Remediation and Compliance
byQualys
 
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
byAlienVault
 
SIEM 101: Get a Clue About IT Security Analysis
byAlienVault
 

Viewers also liked

PPTX
How to Leverage Log Data for Effective Threat Detection
byAlienVault
 
PPT
Best Practices for Leveraging Security Threat Intelligence
byAlienVault
 
PDF
Malware Analysis Using Free Software
byXavier Mertens
 
KEY
Time tested php with libtimemachine
byNick Galbreath
 
KEY
libinjection: a C library for SQLi detection, from Black Hat USA 2012
byNick Galbreath
 
KEY
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
byNick Galbreath
 
PPTX
Program understanding: What programmers really want
byEinar Høst
 
PPTX
The Evolution of IDS: Why Context is Key
byAlienVault
 
PDF
libinjection: from SQLi to XSS  by Nick Galbreath
byCODE BLUE
 
PPT
How To Detect Xss
byFerruh Mavituna
 
PPTX
OSSIM User Training: Get Improved Security Visibility with OSSIM
byAlienVault
 
PDF
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
PDF
Security operations center 5 security controls
byAlienVault
 
PDF
Insider Threat Detection Recommendations
byAlienVault
 
How to Leverage Log Data for Effective Threat Detection
byAlienVault
 
Best Practices for Leveraging Security Threat Intelligence
byAlienVault
 
Malware Analysis Using Free Software
byXavier Mertens
 
Time tested php with libtimemachine
byNick Galbreath
 
libinjection: a C library for SQLi detection, from Black Hat USA 2012
byNick Galbreath
 
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
byNick Galbreath
 
Program understanding: What programmers really want
byEinar Høst
 
The Evolution of IDS: Why Context is Key
byAlienVault
 
libinjection: from SQLi to XSS  by Nick Galbreath
byCODE BLUE
 
How To Detect Xss
byFerruh Mavituna
 
OSSIM User Training: Get Improved Security Visibility with OSSIM
byAlienVault
 
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
Security operations center 5 security controls
byAlienVault
 
Insider Threat Detection Recommendations
byAlienVault
 

Similar to IDS for Security Analysts: How to Get Actionable Insights from your IDS

PPTX
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
byAlienVault
 
PDF
Incident Response Whitepaper - AlienVault
byJermund Ottermo
 
PPT
Chapter-3-Intrusion-Detection-Systems-part-1.ppt
bymadin20232022
 
PPTX
SpiceWorks Webinar: Whose logs, what logs, why logs
byAlienVault
 
PDF
2023 NCIT: Introduction to Intrusion Detection
byAPNIC
 
PPTX
Vulnerability Management: What You Need to Know to Prioritize Risk
byAlienVault
 
PPT
SoleraNetworks
byJoe Levy
 
PPT
Intrusion detection 2001
byeaiti
 
PDF
Network security monitoring with open source tools
byterriert
 
PPTX
Information Security: Advanced SIEM Techniques
byReliaQuest
 
PPTX
Dcit 418-Slide two presentation (1).pptx
bykojokoranteng19
 
PDF
Bit defender ebook_secmonitor_print
byjames morris
 
PPTX
Abstract Tools for Effective Threat Hunting
bychrissanders88
 
PDF
Maturity Model of Security Disciplines
byFlorian Roth
 
PPT
Intrusiondetection systemscyberinfom.ppt
bySoundariyaSathish
 
PPT
mjr-00-asia-Intrusrrrrrrrrrrrrion-long.ppt
byijaz342
 
PPT
Using Event Processing to Enable Enterprise Security
byTim Bass
 
PPT
FIRST 2006 Full-day Tutorial on Logs for Incident Response
byAnton Chuvakin
 
PDF
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
byAngeloluca Barba
 
PPT
What Every Organization Should Log And Monitor
byAnton Chuvakin
 
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
byAlienVault
 
Incident Response Whitepaper - AlienVault
byJermund Ottermo
 
Chapter-3-Intrusion-Detection-Systems-part-1.ppt
bymadin20232022
 
SpiceWorks Webinar: Whose logs, what logs, why logs
byAlienVault
 
2023 NCIT: Introduction to Intrusion Detection
byAPNIC
 
Vulnerability Management: What You Need to Know to Prioritize Risk
byAlienVault
 
SoleraNetworks
byJoe Levy
 
Intrusion detection 2001
byeaiti
 
Network security monitoring with open source tools
byterriert
 
Information Security: Advanced SIEM Techniques
byReliaQuest
 
Dcit 418-Slide two presentation (1).pptx
bykojokoranteng19
 
Bit defender ebook_secmonitor_print
byjames morris
 
Abstract Tools for Effective Threat Hunting
bychrissanders88
 
Maturity Model of Security Disciplines
byFlorian Roth
 
Intrusiondetection systemscyberinfom.ppt
bySoundariyaSathish
 
mjr-00-asia-Intrusrrrrrrrrrrrrion-long.ppt
byijaz342
 
Using Event Processing to Enable Enterprise Security
byTim Bass
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
byAnton Chuvakin
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
byAngeloluca Barba
 
What Every Organization Should Log And Monitor
byAnton Chuvakin
 

More from AlienVault

PDF
Malware Invaders - Is Your OS at Risk?
byAlienVault
 
PDF
The State of Incident Response - INFOGRAPHIC
byAlienVault
 
PPTX
Best Practices for Configuring Your OSSIM Installation
byAlienVault
 
PDF
Alien vault sans cyber threat intelligence
byAlienVault
 
PPTX
Security by Collaboration: Rethinking Red Teams versus Blue Teams
byAlienVault
 
PPTX
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
byAlienVault
 
PPTX
Spice world 2014 hacker smackdown
byAlienVault
 
PPTX
Demo how to detect ransomware with alien vault usm_gg
byAlienVault
 
PPTX
Planning your 2015 Threat Detection Strategy with a Broken Crystal Ball
byAlienVault
 
Malware Invaders - Is Your OS at Risk?
byAlienVault
 
The State of Incident Response - INFOGRAPHIC
byAlienVault
 
Best Practices for Configuring Your OSSIM Installation
byAlienVault
 
Alien vault sans cyber threat intelligence
byAlienVault
 
Security by Collaboration: Rethinking Red Teams versus Blue Teams
byAlienVault
 
Prepare to Be Breached: How to Adapt your Security Controls to the “New Normal”
byAlienVault
 
Spice world 2014 hacker smackdown
byAlienVault
 
Demo how to detect ransomware with alien vault usm_gg
byAlienVault
 
Planning your 2015 Threat Detection Strategy with a Broken Crystal Ball
byAlienVault
 

Recently uploaded

PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
AI in DevOps: Transforming the Developer Experience and Expanding the Securit...
byEnterprise Management Associates
 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
AI in DevOps: Transforming the Developer Experience and Expanding the Securit...
byEnterprise Management Associates
 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 

IDS for Security Analysts: How to Get Actionable Insights from your IDS

  • 2.
    “JTaG” Our Speakers Joe Schreiber AlienVault Directorof Solutions Architecture @pkt_inspector Tony Simone Castra Consulting Managing Partner castraconsulting.com Grant Leonard Castra Consulting Managing Partner castraconsulting.com
  • 3.
    Before Day 1 Day0 Day 0 doesn’t exist….in this presentation
  • 4.
  • 5.
    It’s where youput things…. Installation [Day 0] 1. Pre-install checklist 2. Where (inside/outside, core/perimeter) 3. Tap/span/port-mirror 4. How much traffic can you handle / ROI
  • 6.
  • 7.
    They make events IntrusionDetection Systems Lots of Events • Placement - Where is it deployed? • Inspection - Traffic Inspected
  • 8.
    Don’t other thingsgenerate events? What Makes IDS Different? Firewalls • Access Control Proxies • URLs IDS • Malware • Network Policy • Active Exploits • URLs (also) • Applications
  • 9.
    I’m positively false…oram I? False Positives What is it? • Invalid? • Relevance? Signature Sets Environment CiiT International Journal of Artificial Intelligent Systems and Machine Learning , Vol 2, No 11, November 2010 Precision = TP (TP + FP)
  • 10.
  • 11.
    Phase I -Collection
  • 12.
    Gather all thethings Acquisition Baselining Soak Period Maintenance Period
  • 13.
    I want toinvestigate now! Why? You need data! • How long do I do this for? - 2 weeks? Patterns Sorting • Volume • IP
  • 14.
    Phase II -Evaluation
  • 15.
    What’s valuable? Evaluation What eventsare valuable and actionable? • Policy (Network) - Acceptable or Indifferent • Risk - Assets - Signatures by perceived risk • Environment - Servers - Users
  • 16.
    What’s normal canbe eliminated Trending Historical Record from Phase I • ?Normal? Activity • Scheduled Activities (Backups, Cron Jobs…) Trending is in Flux..
  • 17.
    Stakeholders Discuss Get Stakeholders Involved •The First Time Create Notification Paths Build Relationships Taxonomy can help for Future Events
  • 18.
  • 19.
    What is it? Tuning Removalof Events • Avoid FP • Saves Time Threshold Adjusting • Volumes • Risk Scoring Network Awareness • Subnets • VLANs
  • 20.
    Save time Filtering Granularity • Usethe closest match when tuning • Don’t blind yourself Documentation • Why did you tune this? • Time
  • 21.
  • 22.
    Things will happen Updates NewSignatures are released often • New Events to Evaluate and Tune Your network changes as servers are added / removed • Tuning re-evaluation
  • 23.
  • 24.
  • 25.
    But remember you’respecial. You Are Not Alone Business Policies • Change Control • Clearance - Avoid These (Time Burglars) Passive Detection • Needs to Stay Up-to-Date
  • 27.
    It’s all Unicornsand Rainbows! You’re gonna see crazy stuff Stick to the Process Document Tune Move On!
  • 28.
    ASSET DISCOVERY • ActiveNetwork Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory VULNERABILITY ASSESSMENT • Continuous Vulnerability Monitoring • Authenticated / Unauthenticated Active Scanning BEHAVIORAL MONITORING • Log Collection • Netflow Analysis • Service Availability Monitoring SECURITY INTELLIGENCE/SIEM • SIEM Event Correlation • Incident Response THREAT DETECTION • Network IDS • Host IDS • File Integrity Monitoring USM Platform Integrated, Essential Security Controls
  • 29.
    The world’s largestcrowd- sourced threat repository Provides access to real-time, detailed information about threats and incidents from over 8,000 collection points across 140 countries Enables security professionals to share threat data and benefit from data shared by others Open Threat Exchange (OTX)
  • 30.
    Integrated Threat Intelligence ReducedNoise: Correlating IDS/IPS data with vulnerability & IP reputation reduces false positives Full Threat Context: See attack type, number of events, duration, source/destination IP addresses Threat Research: Weekly updates to IDS signatures & correlations rules from AlienVault Labs Threat Research Team Full Coverage: Inspect traffic between devices, not just at the edge Flexible: Integrate your existing IDS/IPS events, and/or use the built-in IDS
  • 31.
    Questions? More on thistopic:  IDS “Ask the Experts” Google Hangout 3/24  Free 30-Day Trial of AlienVault USM: www.alienvault.com/IDS  Video: IDS Best Practices  Blog Post: Open Source IDS Tools  Follow @alienvault & @pkt_inspector