
Utilising Contextual Threat Record in Intrusion Detection Systems (IDS)

Written by Sarah Chandley on Wednesday, 09 January 2019. Posted in Cyber

Security analysts within SecOps, DevOps, Security Operations Centre (SOC), Incident Response and Threat Intel teams are often overloaded with information produced by their cyber security tools. This problem is even more acute in firewalls and Intrusion Detection Systems (IDS) at carrier scale, leading to 'alert fatigue' and false positives. When this happens it becomes difficult to prioritise threats and respond effectively to incidents and malicious activity, so critical events are missed along with early opportunities to block attacks that pose a risk to network infrastructure. Easy access to information regarding threat actors, persistent threats, attack patterns, tools and signatures is therefore central to a perimeter defence strategy. Modern network and asset security requires this level of granularity and threat context to gain greater network visibility and security.

The modern threat environment is highly dynamic and, unsurprisingly, adversaries are agile and adapt while working towards a criminal goal. Contextual threat intelligence reduces risk to network security by improving decision-making before, during and after a cyber security incident. This shortens the resource-intensive operational mean time to recovery, reduces adversary dwell time and enables root cause analysis. To attain this level of context and enhance incident triage, post-incident forensics and red teaming activities at carrier scale, teams need to look to tools that provide threat intelligence meeting four critical criteria: completeness, accuracy, relevance and timeliness.

Security teams require high quality information in real time in order to work effectively and protect their networks from attacks. This enhanced level of IDS performance and context can be achieved by integrating intelligent, alert-driven packet record based on flow/session: only the traffic belonging to an alerted session is written out, which at higher data rates negates the need for expensive disk storage or SIEM resources. Capturing traffic from a non-persistent, back-in-time capture store (a rolling buffer of recent packets) allows packets from before the event to be included in the record, greatly reducing data search, retrieval and assembly. Together these shorten the time taken to investigate or perform forensics and maximise record efficiency by recording only the data relevant to the investigation.

As we move into 2019, Intrusion Detection Systems (IDS) still have a place in an overall cyber security strategy, but they need to be enhanced beyond their traditional definition of simply analysing passing traffic and matching it against a library of known attack vectors. That methodology alone provides only part of the picture. To attain the full picture, i.e. contextual threat intelligence and qualified threat indicator information, new techniques need to be employed, such as alert-driven record and configurable automation. Configurable automation matters because different things are important to different defenders, and this is typically determined by the size of the network: carrier scale networks will invariably have a different security strategy from that of an SME. At every level an IDS should be an adaptable safeguard for network security after traditional technologies fail.

At Telesoft, we enable the reduction of alert fatigue and the provision of contextual alert intelligence with the high rate 40Gbps CERNE, which combines an IDS engine with automated record of relevant network traffic for real-time and historical threat investigation.

About the Author

Sarah Chandley

Sarah is an experienced B2B technology marketing professional, creating content for the Cyber Security, Telco and Government Infrastructure sectors. 
