Utilising Contextual Threat Record in Intrusion Detection Systems (IDS)
Security Analysts within the SecOps, DevOps, Security Operations Centre (SOC), Incident Response and Threat Intel teams are often overloaded with information produced by their cyber security tools. This issue is even more problematic in Firewalls and Intrusion Detection Systems’s (IDS) at carrier scale, leading to ‘Alert Fatigue’ and false positives. When this happens, it makes it difficult to priortise threats and respond to incidents and malicious activity effectively, leading to missed critical events and early opportunities to block attacks that pose a risk to network infrastructure. Having easy to access to information regarding threat actors, persistent threats, attack patterns, tools and signatures is incredibly important to perimeter defence strategies. Modern network and asset security requires this level of granularity and valuable threat context to gain a greater level of network visibility and security.
The modern threat environment is highly dynamic and unsurprisingly adversaries are very agile and adapt when working towards a criminal goal. Contextual threat intelligence reduces risk to network security by improving decision making capabilities before, during and after a cyber security incident. This reduces resource intensive operational mean time to recovery, adversary dwell time and enables root cause analysis. In order to attain this level of context and enhance incident triage, post-incident forensics and red teaming activities at carrier scale need to look to tools that provide threat Intelligence that meets four critical categories: completeness, accuracy, relevance and timeliness.
Security teams require high quality information in real-time, in order to work effectively and protect their networks from attacks. This enhanced level of IDS performance and context can be achieved by integrating intelligent alert driven packet record, based on flow/session, which at higher data rates negates the need for expensive disk storage or SIEM resources. The ability to capture traffic from a non-persistent back in time capture store allows data packets from before the event to be included, rapidly reducing data search, retrieval and assembly. These all reduce the time taken to investigate or perform forensics and maximise record efficiency by only recording data relevant to the investigation.
As we move in to 2019, Intrusion Detection Systems (IDS) still have a place in an overall cyber security strategy but need be enhanced beyond their traditional definition of simply analysing passing traffic, and matching that traffic against a library of known attack vectors. This methodology alone only provides a part of the picture. In order to attain the full picture i.e. contextual threat intelligence and qualified threat indicator information, new techniques need to be employed such as alert driven record and configurable automation. Configurable automation is important because different things are important to different defenders, this is typically defined by the size of a network. Carrier scale networks will invariably have a different security strategy to that of an SME. At every level an IDS should be an adaptable safeguard technology for network security after traditional technologies fail.
At Telesoft, we enable reduction of alert fatigue and provision of contextural alert intelligence with the high rate 40Gbps CERNE, which combines an IDS engine with automated record of relevant network traffic for real-time and historical threat investigation…learn more