The Evolution of IDS: Why Context is Key
Dave Shackleford, Voodoo Security and SANS 
Joe Schreiber, AlienVault 
© 2014 The SANS™ Institute - www.sans.org
Introduction 
• How has IDS/IPS changed in the past 10 years?
• First, there’s been more of a move to prevention vs. just passive detection
• Second, IDS really doesn’t function as a “standalone” tool anymore (for most)
• The context of what is happening in and around the environment is key
Packets? What packets? 
• Getting access to network traffic was one of the first goals of intrusion detection platforms
• Classic sniffers like TCPdump led to the creation of Snort and Bro, as well as commercial options
• Gaining access to the network traffic itself was a challenge
– Promiscuous mode interfaces
– Dual-homed configs
– Finally, SPAN ports or taps
Aha. Now we’ve got packets! 
• Packets! We have them!
• But…now what?
• For most, setting up IDS sensors led to the realization that we needed better knowledge of the environment
Patterns of packets make more sense.
• We now can start to analyze patterns of behavior
– Who is talking to who
– Types of traffic
– Source/destination ports
– Protocols
• Patterns of traffic ebbs and flows are useful for volume analysis and troubleshooting, too
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl 
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14 
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
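As an added example (not part of the slides), the parser below reads the flow records printed above and summarises who is talking to whom. It assumes, as in flow-tools output, that the interface, port, protocol and Fl (TCP flags) columns are hexadecimal; decoding them shows what the raw columns hide: single 40-byte TCP packets from port 80 carrying RST+ACK, i.e. the local host refusing connections.

```python
# Added example: decode flow-tools style records and count conversations.
# Assumption: Sif/Dif, SrcP/DstP, Pr and Fl are hexadecimal, as in flow-print output.
from collections import Counter

# Constructed copy of the header and the two records shown on the slide.
FLOW_TEXT = """\
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
"""

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def decode_flags(value):
    """Return the names of the TCP flag bits set in a flow-tools flag byte."""
    return [name for bit, name in TCP_FLAGS if value & bit]

def parse_flows(text):
    """Parse the header line plus records into dicts with decoded numeric fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = lines[0].split()
    flows = []
    for line in lines[1:]:
        rec = dict(zip(cols, line.split()))
        proto = int(rec["Pr"], 16)
        rec.update(
            proto=PROTO.get(proto, str(proto)),
            sport=int(rec["SrcP"], 16),
            dport=int(rec["DstP"], 16),
            pkts=int(rec["Pkts"]),
            octets=int(rec["Octets"]),
            flags=decode_flags(int(rec["Fl"], 16)) if proto == 6 else [],
        )
        flows.append(rec)
    return flows

def talkers(flows):
    """Count packets per (src, dst, proto, service port, flags) conversation."""
    counts = Counter()
    for f in flows:
        service = min(f["sport"], f["dport"])  # heuristic: the lower port is the service
        key = (f["SrcIPaddress"], f["DstIPaddress"], f["proto"], service, "+".join(f["flags"]))
        counts[key] += f["pkts"]
    return counts

if __name__ == "__main__":
    for key, n in talkers(parse_flows(FLOW_TEXT)).most_common():
        print(n, key)
```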
Patterns -> Blocking. 
• Intrusion detection gave way to blocking with intrusion prevention systems
– This was driven by better understanding of traffic patterns and signature sets
• Most IDS and IPS platforms, even in blocking mode, did not have much understanding of context
– Most blocks were “point in time” matches based on packet attributes
What do the patterns MEAN? 
• IDS and IPS needed to evolve to make better sense of what was happening in the environment
• To that end, more data is needed
– Events from other network devices
– Events from scans and user information
– Data from vulnerability scanners and monitoring tools
• This is how we can start to build context of what’s happening in the environment.
Event Data, and Lots of It 
[**] SQL Injection [**] 
10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80 
TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF 
***AP*** Seq: 0xF69FDBE3 Ack: 0x3D5C8C4 Win: 0xF991 TcpLen: 20 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= 
Traditional IDS and IPS alerts are often overwhelming
Event Data, and Lots of It (2) 
Firewalls and routers are simple, static filtering devices with no understanding of context
Context + Alerting 
• With event data from numerous sources, you can start to build context in the environment
– What systems communicate in a given subnet?
– What known vulnerabilities are there in the environment?
– What network devices does the traffic pass through?
• The IDS/IPS by itself, however, will still only report what it “sees”
Visibility: What IDS “Sees” 
• Only traffic that passes by or through the IDS/IPS is analyzed
– Subnets? Check.
– Source/Destination ports? Check.
– Applications or platforms in use? Nope.
Visibility: More Data = Better 
• Attacks are no longer viewed as discrete events at a “point in time”
• More data adds context and tells a better “security story”
– Passive scan data on OS, applications
– Active scan data on vulnerabilities
– Behavioral trend data
– System logs and endpoint security
– User directory data
Hmmm. Too many alerts? 
• Now we have to start paring down alerts to get to *better* data
– Are there false positives we’ve discovered?
– Can we prioritize some data?
– Can we start combining data types into unique alert models?
• Data overload is a very common problem with IDS/IPS sensors
Correlation -> BETTER alerts. 
• Correlation makes a big difference in how events are reported
• Not every unique event makes sense to alert on
– Combinations of events
– Quantity of events
– Times of day or location (source/destination)
• Having some context and a behavioral baseline can help
Correlation Examples 
• High Severity Threat Targeting Vulnerable Asset
– Goal: Identify threats in real time that are likely to compromise a host. Vulnerability data has shown the host to be vulnerable to the inbound attack being detected by NIPS.
– Trigger: Any event from a single IP address targeting a host known to be vulnerable to the attack that is inbound.
– Event Sources: NIPS events, Vulnerability Assessment data
Correlation Examples 
• Repeat Attack - Multiple Detection Sources
– Goal: Find hosts that may be infected or compromised, detected by multiple sources (high probability of true threat).
– Trigger: Alert on ANY second threat type detected from a single IP address by a second source after seeing a repeat attack (e.g., repeat firewall drop, followed by malware detected).
– Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events
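As an added example (not from the slides or any vendor product), the small correlation engine below implements both rules from the two Correlation Examples slides over a constructed event stream: the "vulnerable asset" rule joins a NIPS event against vulnerability-assessment data for the target host, and the "repeat attack" rule fires when a source IP that has already produced repeated events of one kind is then reported by a second, different source. The event field names, the finding ids and the repeat threshold of 3 are assumptions.

```python
# Added example: two SIEM-style correlation rules over constructed events.
# Field names, finding ids and the repeat threshold are assumptions, not a product's schema.
from collections import defaultdict

# Constructed vulnerability-assessment data: host -> finding ids it is known to be vulnerable to.
VULN_DATA = {"10.0.0.5": {"web-sqli-001"}, "10.0.0.9": set()}

# Constructed event stream, already sorted by time. "ref" links a NIPS signature to a finding id.
EVENTS = [
    {"ts": 1, "source": "nips", "src": "203.0.113.7", "dst": "10.0.0.9", "type": "exploit", "ref": "web-sqli-001"},
    {"ts": 2, "source": "nips", "src": "203.0.113.7", "dst": "10.0.0.5", "type": "exploit", "ref": "web-sqli-001"},
    {"ts": 3, "source": "firewall", "src": "198.51.100.4", "dst": "10.0.0.5", "type": "drop", "ref": None},
    {"ts": 4, "source": "firewall", "src": "198.51.100.4", "dst": "10.0.0.5", "type": "drop", "ref": None},
    {"ts": 5, "source": "firewall", "src": "198.51.100.4", "dst": "10.0.0.6", "type": "drop", "ref": None},
    {"ts": 6, "source": "antivirus", "src": "198.51.100.4", "dst": "10.0.0.6", "type": "malware", "ref": None},
]

def rule_vulnerable_asset(event, vuln_data):
    """Rule 1: a NIPS event whose signature matches a known vulnerability on the target host."""
    if event["source"] != "nips":
        return None
    if event["ref"] in vuln_data.get(event["dst"], ()):
        return f"HIGH: {event['src']} -> {event['dst']} exploit {event['ref']} on vulnerable host"
    return None

class RepeatAttackRule:
    """Rule 2: repeated events from one IP, then a new threat type from a different source."""
    def __init__(self, repeat_threshold=3):
        self.threshold = repeat_threshold
        self.seen = defaultdict(lambda: defaultdict(int))  # src ip -> (source, type) -> count

    def feed(self, event):
        key = (event["source"], event["type"])
        hist = self.seen[event["src"]]
        hist[key] += 1
        # Another (source, type) from a different source already crossed the repeat threshold?
        repeated = [k for k, n in hist.items() if n >= self.threshold and k[0] != event["source"]]
        if repeated and hist[key] == 1:  # first sighting of this new type from the second source
            return f"MEDIUM: {event['src']} repeat {repeated[0]} then {key} (second source)"
        return None

def correlate(events, vuln_data, repeat_threshold=3):
    """Run both rules over the stream and return the alerts raised, in order."""
    alerts, repeat = [], RepeatAttackRule(repeat_threshold)
    for ev in events:
        for alert in (rule_vulnerable_asset(ev, vuln_data), repeat.feed(ev)):
            if alert:
                alerts.append(alert)
    return alerts
```

Note that the first NIPS event targets a host with no matching finding and raises nothing, which is exactly the false-positive reduction the slides are after.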
The Keys to Context-Driven Threat Assessment
1. Visibility: Know what you’re protecting in the environment
2. Baselines: Understand the behaviors of the assets in your environment
3. Impact: Understand how threats will impact assets
4. Intelligence: Incorporate threat intelligence from internal/external sources
5. Action: Prioritize security response
Threat Intel -> Better Correlation. 
• Threat intelligence is the set of data collected, assessed, and applied regarding:
– Security threats
– Threat actors
– Exploits
– Malware
– Vulnerabilities
– Compromise indicators
• When this data is incorporated, much more accurate event monitoring can take place
IDS…Where’s it going? 
• Intrusion detection systems are evolving today
– More context-aware
– More behavioral analysis
– Some “SIEM-like” capabilities, too
• Some IDS can now also integrate with threat intelligence feeds
• IDS is not a “set and forget” technology
– Tuning and correlation are required
AlienVault Unified Security Management
Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)
Coordinated Analysis, Actionable Guidance 
• 200-350,000 IPs validated daily 
• 8,000 collection points 
• 140 countries 
Join OTX: www.alienvault.com/open-threat-exchange
Questions? 
Q@SANS.ORG 
Three Ways to Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo
http://www.alienvault.com/live-demo-site
Join us for a LIVE Demo!
http://www.alienvault.com/marketing/alienvault-usm-live-demo
Thank You! 