STATE OF THE PRACTICE OF INTRUSION DETECTION TECHNOLOGIES - PowerPoint PPT Presentation

1
STATE OF THE PRACTICE OF INTRUSION DETECTION
TECHNOLOGIES
  • Presented by Hap Huynh
  • Based on content by SEI

2
SEI Report
  • Technical Report CMU/SEI-99-TR-028
  • Purpose: to provide an unbiased assessment of
    publicly available Intrusion Detection (ID)
    technology

3
Roadmap
  1. An overview of ID from the perspective of the
    CERT Coordination Center
  2. Examine the current state of ID technology
  3. Issues surrounding ID technology
  4. Recommendations for ID sponsor, user, vendor, and
    research communities

4
Growth in Number of Incidents Handled by the
CERT/CC
5
Dimensions of Intrusion Detection
  • ID technology is immature and dynamic
  • An ID system is a system designed to detect
    attacks regardless of whether they succeed
  • Fundamentally, there are two approaches:
    • Signature detection identifies patterns
      corresponding to known attacks
    • Anomaly detection identifies any unacceptable
      deviation from expected behavior
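
The two approaches on this slide behave differently on the same input, which is easiest to see by running both over a small log. The following is an added example written for this page; it is not code from the slides or from the SEI report. The log format, the two signature patterns, the baseline window and the "three standard deviations" threshold are all assumptions chosen for illustration, and the log lines are constructed sample data.

```python
"""Signature detection vs. anomaly detection over constructed web-server log lines."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log lines in an assumed "<client-ip> <method> <path> <status>" format.
# A quiet period used to learn what "expected behavior" looks like.
BASELINE_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.5 GET /news.html 200",
    "10.0.0.6 GET /index.html 200",
    "10.0.0.6 GET /contact.html 200",
    "10.0.0.6 GET /news.html 200",
    "10.0.0.6 GET /about.html 200",
    "10.0.0.7 GET /index.html 200",
    "10.0.0.7 GET /login 200",
]

# The period being analysed: mostly normal traffic, plus two things worth noticing.
OBSERVED_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /news.html 200",
    "10.0.0.5 GET /about.html 200",
    # one request matching a known pattern, hidden inside otherwise normal volume
    "10.0.0.6 GET /images/../../../etc/passwd 404",
    "10.0.0.6 GET /index.html 200",
    "10.0.0.7 GET /index.html 200",
] + ["10.0.0.9 GET /login 401"] * 40   # a burst that contains no known-bad string at all

# Signature detection: patterns corresponding to known attacks. Two illustrative
# patterns (assumed); a real rule set holds thousands.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "sensitive-file": re.compile(r"/etc/passwd\b"),
}

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def parse(line):
    """Split one log line into its fields; unparseable input is an error, not silently skipped."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def signature_alerts(lines):
    """Return (client ip, signature name, path) for every line matching a known pattern."""
    alerts = []
    for line in lines:
        rec = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["ip"], name, rec["path"]))
    return alerts


def build_baseline(lines):
    """Expected behavior, modelled as mean and standard deviation of requests per client."""
    counts = Counter(parse(line)["ip"] for line in lines)
    values = list(counts.values())
    return mean(values), pstdev(values)


def anomaly_alerts(lines, baseline, k=3.0):
    """Flag clients whose request count lies more than k standard deviations above the baseline."""
    mu, sigma = baseline
    # Floor sigma at 1 so a perfectly flat baseline still yields a usable threshold.
    threshold = mu + k * max(sigma, 1.0)
    counts = Counter(parse(line)["ip"] for line in lines)
    return [(ip, n) for ip, n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    print("signature alerts:", signature_alerts(OBSERVED_LOG))   # only the /etc/passwd request
    print("anomaly alerts:  ", anomaly_alerts(OBSERVED_LOG, baseline))   # only the 40-request burst
```

Run as a script, the signature detector reports the single traversal request from 10.0.0.6 and nothing else, while the anomaly detector reports only the 40-request burst from 10.0.0.9. Neither detector sees what the other sees, which is the practical reason the two approaches are combined rather than chosen between: a signature cannot fire on a pattern nobody has written yet, and a volume baseline cannot distinguish one malicious request from one benign one.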

6
State of the ID Market
  • What can ID systems do? ID product claims:
    • Lend a greater degree of integrity to the rest
      of your security infrastructure
    • Make sense of often obtuse system information
      sources
    • Relieve system management staff of the task of
      monitoring the Internet for the latest hacker
      attacks
    • Make security management of your systems by
      non-expert staff possible
    • Provide guidelines that assist in establishing a
      security policy
    • Trace user activity from the point of entry to
      the point of exit or impact
    • Recognize activity patterns reflecting known
      attacks and alert the proper staff
    • Statistical analysis for abnormal activity
      patterns
    • Operating-system audit trail management and
      recognition of user activity reflecting policy
      violations
  • Based on the ICSA paper titled "An Introduction to
    Intrusion Detection and Assessment"

7
State of the ID Market
  • What can ID systems do? ID experts:
    • Detect common attacks in a reasonably timely
      manner
    • View network and system activity in real time,
      identify unauthorized activity and provide a
      near-real-time automated response
    • Analyze today's activity in view of yesterday's
      activity to identify larger trends and problems
    • Designed to be operated at the technician level,
      but still require considerable expertise to
      understand the data and know what to do in
      response
    • Discovery and detection tools that guide further
      investigation
    • Customers should not expect an IDS to offer 100%
      protection
    • Gather hard data about what is being directed at
      your site from remote locations, which you can
      use to make informed decisions about what
      security controls need to be deployed
  • Based on a 1998 Computer Security Institute round
    table discussion

8
Current IDS Market Position
  • The use of IDS rose from 35% in 1998 to 42% in
    1999 (CSI/FBI Computer Crime Survey 1999)
  • 2,700 executives, security professionals, and
    technology managers from 49 countries concluded
    that more companies are using IDS (Information
    Week Survey 1999)

  Detection method                    1998   1999
  Alerted by colleague                  47     48
  Analysis of server, firewall logs     41     45
  Intrusion detection systems           29     38
  Data or material damage               41     37
  Alerted by customer, supplier         14     15

9
CERT/CC IDS Team Observations
  • CERT examined ISS RealSecure, Cisco NetRanger,
    Network Flight Recorder, and Shadow
  • IDS products based on current signature-based
    analysis approaches do not provide a complete
    intrusion detection solution, but do produce
    useful results in specific situations and
    configurations

10
Issues Surrounding ID Technology
  • Increases in the types of intruder goals,
    intruder abilities, tool sophistication, and
    diversity as well as the use of more complex,
    subtle, and new attack scenarios
  • The use of encrypted messages to transport
    malicious information
  • The need to interoperate and correlate data
    across infrastructure environments with diverse
    technologies and policies
  • Ever-increasing network traffic
  • The lack of widely accepted ID terminology and
    conceptual frameworks
  • Volatility in the ID marketplace, which makes the
    purchase and maintenance of ID systems difficult

11
Issues Surrounding ID Technology
  • Risks inherent in taking inappropriate automated
    response actions
  • Attacks on the ID systems themselves
  • Unacceptably high levels of false positives and
    false negatives, making it difficult to determine
    true positives
  • The lack of objective ID system evaluation and
    test information
  • The fact that most computing infrastructures are
    not designed to operate securely
  • Limited network traffic visibility resulting from
    switched local area networks
  • Faster networks preclude effective real-time
    analysis of all traffic on large pipes

12
ID Technology Recommendations
  • For sponsors:
    • Supporting ongoing, comprehensive testing of
      commercial IDS and making test results publicly
      available
    • Emphasizing research funding directed towards
      reducing false alarms

13
ID Technology Recommendations
  • For users:
    • Implementing a security architecture that
      reflects a defense-in-depth or layered approach
      to protecting an organization's assets, whether
      or not the organization chooses to deploy an IDS
    • Developing clear, concise IDS requirements based
      on security policy and organizational needs
    • Configuring the IDS to maximize performance.
      This includes selective deployment to monitor
      critical assets as well as signature tuning to
      prevent excessive false alarms

14
ID Technology Recommendations
  • For vendors:
    • Support initiatives to create open source
      signatures
    • Move towards the distribution model used by the
      anti-virus community
    • Spend more time and resources testing signatures
      and making the results public
    • Provide measures that represent the level of
      confidence a user should place in an IDS's
      ability to report an intrusion by type of
      signature or attack
    • Integrate human analysis as part of event
      diagnosis
    • Integrate available data sources more
      effectively, to include information from
      different sensors and from different ID systems
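
Two of the recommendations above fit together in practice: the user-side advice on slide 13 (selective deployment on critical assets and signature tuning to cut false alarms) and the vendor-side call on this slide for a per-signature confidence measure. The following is an added example written for this page, not code from the slides or from the SEI report. It derives a confidence figure for each signature from analyst verdicts on past alerts, then uses that figure to decide where each signature stays enabled. The alert records, signature names, host names and the 0.5 precision cut-off are all constructed assumptions.

```python
"""Per-signature confidence from analyst verdicts, and tuning driven by it."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    signature: str
    host: str
    critical: bool    # is the host on the organization's critical-asset list? (assumed field)
    confirmed: bool   # analyst verdict after investigation: True = real intrusion


# Constructed alert history with analyst verdicts; sample data written for this example.
ALERT_HISTORY = [
    Alert("sensitive-file", "web-1", True, True),
    Alert("sensitive-file", "web-2", False, True),
    Alert("sensitive-file", "web-2", False, False),
    Alert("ping-sweep", "desk-1", False, False),
    Alert("ping-sweep", "desk-2", False, False),
    Alert("ping-sweep", "desk-3", False, False),
    Alert("ping-sweep", "mon-1", False, False),   # the network monitoring host pings everything
    Alert("ping-sweep", "mon-1", False, False),
    Alert("ping-sweep", "web-1", True, True),     # the one sweep that was actually hostile
    Alert("long-url", "app-1", False, False),     # an application that legitimately uses long URLs
    Alert("long-url", "app-1", False, False),
    Alert("long-url", "app-1", False, False),
    Alert("long-url", "app-2", False, False),
]


def signature_confidence(alerts):
    """Precision per signature: the fraction of its alerts that analysts confirmed as real."""
    totals = defaultdict(int)
    confirmed = defaultdict(int)
    for a in alerts:
        totals[a.signature] += 1
        confirmed[a.signature] += int(a.confirmed)
    return {sig: confirmed[sig] / totals[sig] for sig in totals}


def tuning_policy(confidence, min_precision=0.5):
    """Keep a signature everywhere if it is trustworthy enough; otherwise only on critical assets.

    Restricting rather than disabling a noisy signature is the 'selective deployment'
    idea from slide 13: the alert is still raised where a miss would matter most.
    """
    return {sig: ("everywhere" if p >= min_precision else "critical-only")
            for sig, p in confidence.items()}


def apply_policy(alerts, policy):
    """Filter an alert stream according to the tuning policy; unknown signatures stay enabled."""
    return [a for a in alerts
            if policy.get(a.signature, "everywhere") == "everywhere" or a.critical]


def false_alarm_count(alerts):
    return sum(1 for a in alerts if not a.confirmed)


def true_positive_count(alerts):
    return sum(1 for a in alerts if a.confirmed)


if __name__ == "__main__":
    conf = signature_confidence(ALERT_HISTORY)
    policy = tuning_policy(conf)
    tuned = apply_policy(ALERT_HISTORY, policy)
    for sig in sorted(conf):
        print(f"{sig:15s} confidence={conf[sig]:.2f} -> {policy[sig]}")
    print("false alarms   before/after:", false_alarm_count(ALERT_HISTORY), false_alarm_count(tuned))
    print("true positives before/after:", true_positive_count(ALERT_HISTORY), true_positive_count(tuned))
```

On the constructed history the policy cuts false alarms from ten to one while keeping all three confirmed intrusions, because the only real ping sweep hit a critical host. The caveat a practitioner should keep in mind is that confidence computed this way reflects the environment the verdicts came from: a signature that has never fired has no precision figure at all, and a signature tuned out on the non-critical estate will not surface a new campaign that starts there. Re-deriving the figures periodically, and reviewing what the critical-only rule would have suppressed, is what keeps the tuning honest.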

15
ID Technology Recommendations
  • For vendors:
    • Increase efforts to detect malicious code (email
      attachments, Java, ActiveX)
    • Increase interaction with the research community

16
ID Technology Recommendations
  • For the research community:
    • Emphasizing the integration of diverse sources of
      available data to reduce false alarms
    • Providing credible, defensible test data to
      support test and evaluation of IDS
    • Providing a taxonomy of vulnerabilities based on
      the victim's perspective rather than the
      intruder's perspective
    • Developing approaches for defending against
      sophisticated attacks such as denial of service,
      distributed, coordinated attacks, etc.
    • Developing approaches that integrate human
      analysis as part of event diagnosis
    • Developing approaches that support better
      detection of malicious code
    • Increasing interaction with the vendor community

17
State of the Practice of Intrusion Detection
Technologies