Security Wars: Can Intrusion Detection Even The Score?
Intrusion detection systems provide reams of raw data, and plenty of false alarms. How do you assess an IDS, where do you use one, and when does a human need to step in and make sense of what it's telling you?
It's common knowledge that network attacks are growing more widespread, as well as more sophisticated, just about every day. Intrusion detection systems (IDS) continue to get more numerous, too, but are their capabilities keeping up? Experts point to lingering gaps in areas that include accuracy, data interoperability, and analysis tools.
The 2002 CSI/FBI Survey underscored the pervasiveness of the network intrusion problem. Ninety percent of respondents reported security breaches within the past 12 months, with 39 percent admitting to 10 or more incidents.
Intrusion techniques never stop evolving, of course. The latest attack tools range from stealthy port scanners to automated root kits. To cite just one example, the popular port scanner nmap can now identify over 100 different operating system releases, and it can hide the source of a scan by sending out decoy packets.
Because of accuracy problems such as false alarms, automated response tools really aren't on the radar screen yet. Some vendors, though, do support varying levels of manual intervention. CMDS, for instance, allows response at four different levels: ignore the warning; increase observation; deny access; and emergency shutdown.
RealSecure, on the other hand, permits an associated firewall to be reconfigured by a human operator to reject traffic from a designated IP address.
At this point, though, commercial products can be roughly categorized in two main ways. One level of differentiation revolves around whether the system is designed to detect "misuse" (such as combinations of activities within a network packet that should never legitimately occur) or "anomalous use."
To find anomalous activity, the system needs to recognize what is "regular" behavior on a particular network and what is not (port scanning, for instance). Some IDS use a combination of both approaches.
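To make the two approaches concrete, here is an added example (not code from the article or from any product it names) of a tiny detector that runs both over the same constructed packet records: a misuse rule that fires on a TCP flag combination that should never legitimately occur, and an anomaly rule that learns from a baseline window how many distinct ports a source normally contacts and flags sources that go well beyond it. The packet records, the hosts, and the threshold heuristic (mean plus three standard deviations, with a floor) are all assumptions chosen for illustration.

```python
"""Added example: misuse detection and anomaly detection side by side.
All packet records below are constructed sample data, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN", "ACK"})


def misuse_alerts(packets):
    """Signature rules: match combinations that no legitimate stack produces."""
    alerts = []
    for p in packets:
        if {"SYN", "FIN"} <= p.flags:          # SYN and FIN together
            alerts.append(("misuse", p.src, "SYN+FIN flags set"))
        if not p.flags:                         # no flags at all (NULL probe)
            alerts.append(("misuse", p.src, "no TCP flags set"))
    return alerts


def distinct_ports(packets):
    ports = defaultdict(set)
    for p in packets:
        ports[p.src].add(p.dport)
    return ports


def learn_baseline(packets):
    """Learn what is 'regular': mean and std-dev of distinct ports per source."""
    counts = [len(s) for s in distinct_ports(packets).values()]
    mean = sum(counts) / len(counts)
    var = sum((c - mean) ** 2 for c in counts) / len(counts)
    return mean, var ** 0.5


def anomaly_alerts(packets, baseline, k=3.0, floor=5):
    """Flag sources whose distinct-port count exceeds mean + k*std (assumed heuristic).
    The floor keeps a very quiet baseline from turning two ports into an alert."""
    mean, std = baseline
    threshold = max(floor, mean + k * std)
    return [("anomaly", src, f"{len(s)} distinct ports > threshold {threshold:.1f}")
            for src, s in distinct_ports(packets).items() if len(s) > threshold]


def detect(baseline_packets, observed_packets):
    """Combined detector, as the article notes some IDS do."""
    baseline = learn_baseline(baseline_packets)
    return misuse_alerts(observed_packets) + anomaly_alerts(observed_packets, baseline)


SYN = frozenset({"SYN"})
# Constructed "regular" traffic window: hosts touching one to three services.
BASELINE = [
    Packet("10.0.0.1", "10.0.0.50", 80, SYN), Packet("10.0.0.1", "10.0.0.50", 443, SYN),
    Packet("10.0.0.2", "10.0.0.50", 80, SYN),
    Packet("10.0.0.3", "10.0.0.50", 22, SYN), Packet("10.0.0.3", "10.0.0.50", 80, SYN),
    Packet("10.0.0.3", "10.0.0.50", 443, SYN),
]
# Constructed observation window: normal host, a port sweep, and a SYN+FIN probe.
OBSERVED = (
    [Packet("10.0.0.1", "10.0.0.50", 80, SYN), Packet("10.0.0.1", "10.0.0.50", 443, SYN)]
    + [Packet("192.0.2.7", "10.0.0.50", port, SYN) for port in range(1, 21)]
    + [Packet("198.51.100.9", "10.0.0.50", 80, frozenset({"SYN", "FIN"}))]
)

if __name__ == "__main__":
    for alert in detect(BASELINE, OBSERVED):
        print(alert)
```

The misuse rule needs no training and names exactly what it saw, but it only catches what a rule-writer anticipated; the anomaly rule catches the sweep without any signature for it, yet its threshold depends entirely on how representative the baseline window was, which is where the false alarms the article opens with come from.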
IDS can also be categorized as either network-based or host-based. Decisions about products and their placement should be based on which IT systems are most at risk within a particular organization.
"Utilize a variety of tool types and placements. Understand what kind of target you are. Understand clearly what your threats are," urged George J. Dolicker, principal consultant at Lucent Technologies, speaking at Computer Security 2002, a conference recently held by the Metro New York chapter of the Information System Security Association (ISSA).
Host IDS might be placed on exposed servers in the DMZ, on critical servers, on RAS boxes, and on authentication servers, he suggested.
Network IDS might be placed in front of the firewall; behind the firewall in the DMZ; behind the DMZ on the intranet; on critical LAN segments; and "between you and the extranet."
Some sources caution, though, that placing an IDS outside of the external firewall can bring misleading results. You'll gain an early warning advantage by being able to detect reconnaissance port scans. Not all scans, however, are followed by actual attacks.
Additional tools that can come in handy range from honey pots and war dialer traps to logs and file integrity checkers. Logs can be either "labor intensive if you check them regularly, or useless if you do not," Dolicker noted.
Right now, though, one of the most useful tools of all is probably a good (human) security analyst, who can make sense of the reams of diverse data swept up by all these various IDS and tools.
Open standards for sharing data between systems are still on the way. In another recent report, Gartner Group analysts point out that vendors have made great strides over the past year in boosting the performance of their products. Now, though, it's time to move on to other sorts of progress, according to the analysts.
"We predict that the advances still to come that will make IDS a more effective enterprise security tool will be in the area of data collection, analysis, correlation, alerting and reporting. Pattern recognition and artificial intelligence for monitoring and identifying illicit activity are yet to become commonplace. Host and network IDS agents must report their data through a common format to a central console that can present the data in a cogent, usable interface," the analysts add.
The industry has actually been working in these directions for the past several years. Teresa Lunt first launched an effort called the Common Intrusion Detection Framework (CIDF) when she was information technology officer for DARPA. CIDF later spun off from DARPA as an independent entity.
Some of the ideas discussed within DARPA then spurred the creation of the IETF's Intrusion Detection Working Group (IDWG). By now, the working group has submitted requirements, language, and transport documents to the IETF for consideration as RFCs.
Researchers do keep exploring new approaches to intrusion detection. For instance, the DARPA-funded EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances) Project has been building an intrusion analysis system for large, highly distributed networks which is based on the expert system shell P-BEST.
EMERALD is also using and extending CIDF, with the goal of being able to correlate intrusion reports and discern large-scale patterns of attack, while also "inferring the intent of adversaries." An evaluation edition of EMERALD's eXpert-BSM system for Solaris 1.4 is currently available for download from the Web.