
With the August 5th & 6th show fast approaching, we are continuing our series highlighting some of the informative presentations that are scheduled to take place at Security BSides Las Vegas.

For those who don’t already know, Security BSides events are organized by and for the security community and attract some of the most innovative security practitioners from around the world, and BSidesLV has the reputation of being one of the biggest events in the series.

We previously featured sessions on vulnerabilities in URL schemes, a talk on conference swag hacking strategies, a session on how to be successful in social engineering attacks, and another on attacking Drupal.

Next up is a talk by Tony Robinson (@da_667), titled IDS and NSM: Cut the Sh**!, where Robinson will share his extensive knowledge of IDS and NSM and how to make deployments more valuable for security programs.

Robinson says most of his professional experience was gained at Sourcefire doing IDS/NSM work, and with the federal government doing systems administration for the DoD. Currently, he’s a senior security analyst with a large Fortune 500 energy provider, where he manages IDS and NSM for a large network that spans a quarter of a million systems with various ingress/egress points all over the country.

“I consider this topic important because Intrusion Detection/Prevention Systems are security measures that a lot of companies deploy, and in fact in most regulatory compliance, have it as a requirement. All too often I see it as either a compliance checkbox that sits derelict on a network, sucking up traffic and alerting with no one to care,” Robinson said.

“Alternatively, I’ve seen cases where IDS/IPS is deployed as a knee-jerk reaction to a breach. This is more common than you’d think and leads to half-assed deployments where things are not thought out all the way through.”

Robinson also says he has seen cases where there is a fervent belief that every single rule for a system needs to be turned on, resulting in nothing but an expensive noisemaker and angry analysts.

“Properly managed IDS/IPS along with a means to correlate your events with other network data can provide tons of value and insight into the network, and make it easier to understand the events leading up to the alert/incident in question,” Robinson said.

The information he will present in the talk is likely most interesting to security operations teams, and any organizations large or small looking to deploy IDS/IPS systems either as an extra layer of security or as a means for achieving compliance.

“I want to take your deployment beyond checkbox compliance and have it be a reliable tool in your arsenal for finding the bad guys on your network,” said Robinson.

“Ideally, I want my audience to come away from the talk understanding that IDS/IPS can be more than a compliance checkbox, that with minimal effort, it can be tuned to provide valuable data, and the excess noise and false positives can be quieted relatively easily as well.”

He says he expects there will be some attendees who won’t care for some of the tools he will be using for part of the talk, calling them sub-par or comparing them to Security Onion, but says ultimately providing tools is all about giving users choices.

“You can easily take the advice and not have to use any of the tools I recommend, it doesn’t matter to me, I just want folks to know that IDS and IPS can be powerful for information security, if properly maintained,” Robinson explained.

He believes that IDS/IPS solutions like Snort and Suricata, which as they stand right now rely on signature-based detection with pre-processors that “normalize” traffic for comparison against rules/signatures, should evolve beyond that model.

In contrast, IDS/IPS platforms like BRO are very heuristic in nature, collecting network data and using scripts to detect “weirdness” in network traffic.

“In my opinion, some way to combine the two such as using Snort/Suricata to hunt the known bad traffic and/or indicators, along with BRO to heuristically spot traffic that is abnormal, is going to be key. I think the maintainers of the Snort project are looking at BRO and saying, Man, we should totally do some of these things!” Robinson said.

“Which is why you’re seeing beta features like file extraction that BRO and even ntop have had for a while now, and now OpenAppID, which is essentially service and OS fingerprinting, again, bringing in features from BRO and other heuristic network security solutions.”

The take-away, Robinson says, is that heuristic-based IDS/IPS like BRO and traditional, normalized and signature-based IDS like Suricata and Snort complement one another very well.
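As an added example (not code from the talk, from Robinson or from Tripwire), here is a small Python correlation of the kind described above: a Snort signature hit from fast.log is paired with the Bro conn.log flow that carried it and with the flows the same host originated in the minutes before, which is the context an analyst wants when working the alert. The fast.log and conn.log layouts are the standard ones; the sample lines, the local-rule SID, the year and the five-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample inputs (not from the talk). The Snort alert uses SID 1000001, inside the
# 1000000+ range reserved for local rules; the Bro conn.log keeps only the columns read here.
SNORT_FAST_LOG = ("08/05-14:22:01.123456  [**] [1:1000001:1] LOCAL known-bad URI requested [**] "
                  "[Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.7:80\n")
BRO_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1407248410.000000\tCa1\t10.0.0.5\t49150\t198.51.100.9\t53\tudp\tdns\n"
    "1407248470.000000\tCa2\t10.0.0.5\t49151\t203.0.113.7\t80\ttcp\thttp\n"
    "1407248521.123456\tCa3\t10.0.0.5\t49152\t203.0.113.7\t80\ttcp\thttp\n"
    "1407248900.000000\tCa4\t10.0.0.8\t40000\t192.0.2.4\t443\ttcp\tssl\n")

FAST_RE = re.compile(r"^(\S+)\s+\[\*\*\] \[\d+:(\d+):\d+\] (.+?) \[\*\*\] (?:\[.*?\] )*"
                     r"\{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)$")

def parse_fast_log(text, year):
    """Parse Snort fast.log lines; fast.log omits the year, so the caller supplies it (UTC assumed)."""
    alerts = []
    for m in filter(None, map(FAST_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year}/{m[1]}", "%Y/%m/%d-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
        alerts.append({"ts": ts.timestamp(), "sid": int(m[2]), "msg": m[3], "proto": m[4].lower(),
                       "src": m[5], "sport": int(m[6]), "dst": m[7], "dport": int(m[8])})
    return alerts

def parse_conn_log(text):
    """Parse a Bro conn.log; column names come from its own #fields header."""
    fields, conns = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split("\t")))
            rec["ts"] = float(rec["ts"])
            conns.append(rec)
    return conns

def context_for_alert(alert, conns, window_s=300):
    """Pair a Snort hit with Bro's view: the UID of the flow that fired, plus the host's prior flows."""
    key = (alert["src"], alert["sport"], alert["dst"], alert["dport"], alert["proto"])
    flow = next((c["uid"] for c in conns if (c["id.orig_h"], int(c["id.orig_p"]),
                 c["id.resp_h"], int(c["id.resp_p"]), c["proto"]) == key), None)
    prior = sorted((c for c in conns if c["id.orig_h"] == alert["src"]
                    and alert["ts"] - window_s <= c["ts"] < alert["ts"]), key=lambda c: c["ts"])
    return {"sid": alert["sid"], "flow_uid": flow,
            "prior": [(c["uid"], c["service"], c["id.resp_h"]) for c in prior]}

if __name__ == "__main__":
    for a in parse_fast_log(SNORT_FAST_LOG, 2014):
        print(a["msg"], context_for_alert(a, parse_conn_log(BRO_CONN_LOG)))
```

The same join works against real logs once the alert's 5-tuple and Bro's `id.*` columns are aligned; the window is where tuning happens, since a too-wide window on a busy host turns context back into noise.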
