11th March, 2020
Everyone in the infosec community will agree that Intrusion Detection Systems (IDS) are an important component in any effective cyber security strategy, perhaps not the most press-worthy but integral to policing your network borders. Much like a burglar alarm, an IDS is timeless in its effectiveness at detecting and alerting that someone has breached perimeter security measures. However, IDS technology is not evolving at the pace it once did, but that doesn’t mean that there aren’t exciting innovations and changes happening.
The traditional definition of an IDS is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system.
When IDS products first appeared on the market, 10Mbps was the fastest network around. This has very quickly changed, and now we are looking at 10Gbps – 40Gbps plus networks. That’s why vendors like Telesoft have created products that scale to cope with today’s data usage while intelligently using network data and traffic patterns to trigger automated event responses.
IDS platforms use different methods to detect suspected intrusions, but the most common and widely used is pattern matching, or signature-based IDS. The IDS looks for traffic and behaviour that matches the patterns of known attacks, so its effectiveness depends on an up-to-date signature database. The challenge for an analyst is to quickly discover whether a signature match is a genuine threat or benign data that merely resembles one. This is usually done by retrieving one or more captured data packets, to give a complete understanding of what was happening at the time of the trigger event. The challenge, however, is that pattern matching fails to catch new attacks for which the software doesn’t have a defined signature in its database. Full packet capture is also prohibitively expensive for many organisations, due to the quantity of storage required and the complexity of accessing huge volumes of stored data, especially as networks become faster and faster.
One way to counter these challenges is to take advantage of the next generation of IDS platforms on the market which use automation and ‘Event Triggered Record’ to respond to events that impact security. This allows Systems Administrators to quickly discern if the event is serious, relevant or just a false positive. The Telesoft CERNE 40Gbps IDS for example uses Event Triggered Record which collects and records only the packets and flows that have triggered an IDS alert, significantly reducing infrastructure resource requirements.
However, as we all know, snippets of information aren’t enough to provide relevancy or context around a potential breach; as the old adage goes, “you can only defend against what you can see”. In order to gain a complete picture of your suspected nasty you will need to see the full session. Telesoft do this by using a back-in-time buffer, which automatically goes back to before your IDS alert, cherry picks the packets that belonged to that session and reassembles them in real time for delivery up to the SIEM, giving the analyst a full picture of what was happening before, during and after the event.
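To make the Event Triggered Record and back-in-time buffer ideas concrete, here is an added, simplified model of the mechanism described above. It is not Telesoft code and assumes nothing about the CERNE implementation: every packet sits briefly in a rolling buffer, and only when a (constructed) signature matches are the packets of that session cherry picked from before the alert and the flow followed for a short window afterwards.

```python
from collections import deque
from dataclasses import dataclass

SIGNATURE = b"SUSPICIOUS-PATTERN"   # constructed stand-in for a real IDS signature


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def flow_key(p):
    """Direction-agnostic session key so both halves of a conversation match."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class EventTriggeredRecorder:
    """Keeps all packets briefly in a back-in-time buffer, but persists only
    the session packets around an alert: before, during and after it."""

    def __init__(self, lookback_s, follow_s):
        self.lookback_s, self.follow_s = lookback_s, follow_s
        self.buffer = deque()       # recent packets of every flow, oldest first
        self.recordings = {}        # flow key -> packets kept for the SIEM
        self.follow_until = {}      # flow key -> stop recording after this time

    def observe(self, p):
        self.buffer.append(p)
        while self.buffer[0].ts < p.ts - self.lookback_s:   # age out old packets
            self.buffer.popleft()
        k = flow_key(p)
        if k in self.follow_until:                          # "after" phase of an alert
            if p.ts <= self.follow_until[k]:
                self.recordings[k].append(p)
            else:
                del self.follow_until[k]

    def alert(self, trigger):
        """Signature hit on an already-observed packet: pull its session back
        out of the buffer, then keep following that flow for follow_s."""
        k = flow_key(trigger)
        if k not in self.recordings:
            self.recordings[k] = [q for q in self.buffer if flow_key(q) == k]
        self.follow_until[k] = trigger.ts + self.follow_s
        return self.recordings[k]


def run_demo():
    """Constructed traffic: one session of interest plus unrelated noise."""
    A, B, C, D = "10.0.0.5", "192.0.2.10", "10.0.0.9", "192.0.2.20"
    pkts = [Packet(0.0, A, B, 40000, 80, b"GET /old HTTP/1.1"),     # aged out of buffer
            Packet(4.0, A, B, 40000, 80, b"GET /login HTTP/1.1"),   # before the alert
            Packet(5.0, C, D, 41000, 443, b"noise"),
            Packet(6.0, B, A, 80, 40000, b"HTTP/1.1 302 Found"),    # before the alert
            Packet(12.0, A, B, 40000, 80, b"GET /" + SIGNATURE),    # trigger packet
            Packet(14.0, B, A, 80, 40000, b"HTTP/1.1 403 Forbidden"),  # after
            Packet(15.0, C, D, 41000, 443, b"noise"),
            Packet(30.0, A, B, 40000, 80, b"GET /late HTTP/1.1")]   # past follow window
    rec = EventTriggeredRecorder(lookback_s=10.0, follow_s=5.0)
    for p in pkts:
        rec.observe(p)
        if SIGNATURE in p.payload:      # the pattern match that raises the IDS alert
            rec.alert(p)
    return rec
```

Running `run_demo()` leaves exactly one recorded session of four packets (timestamps 4, 6, 12 and 14) while the noise flow and the packet outside the lookback window are never stored.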
In order for IDS systems to stay relevant in today’s cyber security environments it’s important that vendors like Telesoft continue to innovate and use new techniques to reinvent and rejuvenate this integral security technology.