Intrusion Detection ~

computer, servers, networks

Intrusion Detection ~

Introduction, a few personal notes to help you on your way:

~ SOFTWARE, CYBER, COMPUTER, COMPUTER FORENSICS EXPERT WITNESS, SOFTWARE EXPERT WITNESS, APPS, FAILED IT PROJECTS.

~ EXPERT ANALYSIS OF: SOFTWARE, CODING, PROGRAMMING, AI, EMAIL & SYSTEMS, TECHNOLOGY, APPS, BLOCKCHAIN, DATA SECURITY & TELECOMMUNICATIONS DISPUTES.

~ IT EXPERT WITNESS ~ INTRUSION DETECTION FOR HACKED OR COMPROMISED COMPUTER SYSTEMS AND SOFTWARE, EMAILS, APPS, SYSTEMS AND SERVERS.

Intrusion is detection at one end-point, and seeks to provide personal or corporate ‘End-to-End’ Security Solutions that keep us all safer.

Last year was the biggest yet for data breaches, with a staggering 2.6 billion records compromised.

Users need secure devices that protect sensitive data and guard against online and identity-based threats. Some computer manufacturers lead the way in IT security - with impressive results. According to CVEDetails.com, Lenovo for example had up to 99% fewer common vulnerabilities and exposures than major competitors in 2018. Many users already integrate approaches to securing devices through their entire lifecycle, from securing BIOS and firmware development to features like inbuilt Privacy Guard security screens and laptop camera shutters.

Intrusions Detection seeks to amplify users protection, centred on personal and also corporate data.

 INTRODUCTION TO OPEN SOURCE INTRUSION DETECTION.

Threat and intrusion detection have become a top priority in cybersecurity, making it more important than ever before. If you aren’t already running an Intrusion Detection System (IDS) in your network, you should start now. Cyber criminals do not wait, and actively use Covid19 lockdown to “improve” their empire. Some aspects are routinely used by us in computer expert forensic Witness work, or as software forensic Expert Witnesses.

IS OPEN SOURCE SECURITY A GOOD ROUTE?

There are a wealth of great tools out there that can dramatically improve the security of your network. Open source security goes back several decades, and there is a large, active community behind many of the tools. In fact, some of these tools are used by commercial security vendors in their products, and these vendors contribute to the tools to keep them current.

Before getting started, we would be remiss not to address the pros and cons of going the open source route.

Open source might be a good solution for you if:

  • Your organisation has the expertise in both security and System Administration [SysAdmin] needed to deploy several tools with only community support;

  • You want “complete control” over your security architecture and are willing to do extra work to make that happen;

  • You develop a plan for keeping these tools up-to-date. Unlike most software, failure to keep security tools current with the latest versions and security updates (which may come weekly, daily, or even hourly, in the IDS world) renders the tools themselves almost useless after a short time;

  • You have a very low budget to buy products, but have the staff needed to maintain open source tools; &

  • Your use-case and security concerns don’t align well with commercial products.

Open source is easier than ever to install and maintain. However, on the “con” side, there are a few important concerns. If you are going to design a security solution for your company, please keep in mind:

  • You will have to do your own support. There are great communities behind some of these tools, but you are the only one who is responsible for your network. You will have to use your “phone a friend” if you need a lifeline;

  • Many of these tools need “content” - signatures, rule updates, and the like. You will be responsible for finding these in the community, or purchasing a threat-feed from commercial sources. As stated above, security tools are only as good as their content. Otherwise, your network will have an amazing defence - against last year’s threats.

Combining different tools can be challenging even for a seasoned IT architect. You’ll need to understand what threats you are protected from and conversely what gaps remain.

  • An IDS is a visibility tool. It gives your administrators and security analysts clarity on your network’s security posture.
    It allows tangible insight into modern network security threats, as a part of your organisation’s network security monitoring strategy (NSM). An IDS can improve your team’s understanding of your network activity, explore cyber threat intelligence, discover policy violations, and most importantly, protect your IT and corporate assets.

  • In more technical terms, an IDS is a network security tool built to detect intrusion attempts against a targeted computer system or application. These threats can be detected using signature-based or anomaly-based intrusion detection techniques, discussed later. An IDS analyses network traffic for potentially malicious activity. Whenever a suspicious activity is detected, a network “event” will be logged, and a notification sent to the administrator.

  • Looking for attacks isn’t the only use case for an IDS. You can also use it to identify unauthorised systems, malicious programs and files, and find violations of network policy. An IDS will tell you if an employee is using G-chat, uploading to *Box, or spending all their time watching Netflix instead of working.

In the realm of intrusion detection, there are primarily two methods of security management for computer networks: network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). A little more on these below.

It is essential to deploy IDS everywhere you’re storing or processing critical applications and data, which could stretch from your internal network and on-premises data centers to public cloud environments. When evaluating IDS solutions, it is important to evaluate whether you need an IDS that can monitor both your cloud and on-premises assets.

IDS DETECTION TECHNIQUES - refer to 2nd drop down page.

GLOSSARY:

Glossary of Terms

EDR - ENDPOINT RESPONSE
FIM - FILE INTEGRITY MONITORING
HIDS/H-IDS - HOST-BASED INTRUSION DETECTION SYSTEMS IDS - INTRUSION DETECTION SYSTEMS
NIDS/N-IDS - NETWORK-BASED INTRUSION DETECTION SYSTEMS NSM - NETWORK SECURITY MONITORING
SIEM - SECURITY INCIDENT AND EVENT MANAGEMENT
USM - UNIFIED SECURITY MANAGEMENT

home