WEBVTT

00:00.000 --> 00:01.650
>> Moving right
along to intrusion

00:01.650 --> 00:03.674
detection and prevention.

00:03.674 --> 00:05.250
>> With intrusion detection and

00:05.250 --> 00:06.990
prevention systems
on our network,

00:06.990 --> 00:08.970
we want to specify
the difference.

00:08.970 --> 00:11.910
An IDS, intrusion
detection system,

00:11.910 --> 00:13.710
is going to be a passive device

00:13.710 --> 00:16.370
that's going to be a device
that monitors the network,

00:16.370 --> 00:18.749
and if malicious
activity is detected,

00:18.749 --> 00:21.465
it can alert an administrator
or log an entry,

00:21.465 --> 00:23.760
but it does not
terminate the attack.

00:23.760 --> 00:26.220
The intrusion prevention
system is actually

00:26.220 --> 00:28.710
an active device that can
terminate the attack.

00:28.710 --> 00:32.100
It might send a TCP reset to
terminate the connection.

00:32.100 --> 00:33.944
It could reconfigure a firewall,

00:33.944 --> 00:36.510
but ultimately,
the IPS is active.

00:36.510 --> 00:38.540
Quite honestly, today
you're going to have

00:38.540 --> 00:40.445
both combined in
a single system.

00:40.445 --> 00:42.590
You'll have detection
and prevention,

00:42.590 --> 00:44.735
but on the exam when they
separate the two out,

00:44.735 --> 00:46.490
we've got to honor that.

00:46.490 --> 00:47.750
If they say IDS,

00:47.750 --> 00:52.110
purely detection, IPS is
going to be more active.

00:52.150 --> 00:54.080
There are different types of

00:54.080 --> 00:55.929
intrusion detection systems.

00:55.929 --> 00:59.235
>> We have HIDS
and we have NIDS.

00:59.235 --> 01:01.425
A HIDS is a host-based system.

01:01.425 --> 01:02.900
It's basically a
software that you

01:02.900 --> 01:04.820
install on a particular system,

01:04.820 --> 01:06.890
and its job is to
monitor activities

01:06.890 --> 01:08.319
just on that system.

01:08.319 --> 01:10.280
>> If I want to find
out who's modifying

01:10.280 --> 01:12.290
the registry or if
I want to find out

01:12.290 --> 01:14.030
how much network
traffic is coming to

01:14.030 --> 01:18.455
this particular NIC or if
there's any local access,

01:18.455 --> 01:20.510
that's going to be
fine with the HIDS.

01:20.510 --> 01:23.535
That's what a HIDS is
designed to inspect.

01:23.535 --> 01:26.450
If I want to monitor the
areas of the network,

01:26.450 --> 01:28.490
I'm going to need a NIDS,

01:28.490 --> 01:30.910
a network intrusion
detection system.

01:30.910 --> 01:33.090
NIDS is a glorified sniffer.

01:33.090 --> 01:34.940
We said a sniffer is
a device that has

01:34.940 --> 01:36.875
a network card in
promiscuous mode,

01:36.875 --> 01:40.075
so it captures all traffic
regardless of destination.

01:40.075 --> 01:42.935
Well, when you add a sniffer
to an analysis engine,

01:42.935 --> 01:44.615
now you have an IDS.

01:44.615 --> 01:47.060
Now you have an intrusion
detection system.

01:47.060 --> 01:48.920
We still have to have
that network card

01:48.920 --> 01:50.165
in promiscuous mode,

01:50.165 --> 01:52.055
but if we're plugging
into a switch,

01:52.055 --> 01:54.050
don't forget the
idea of port span,

01:54.050 --> 01:57.035
so that way we can monitor
switch-based traffic.

01:57.035 --> 01:59.420
Those same things we
learned about sniffers are

01:59.420 --> 02:02.340
going to apply to network IDS.

02:02.480 --> 02:04.920
Looking at the
different components,

02:04.920 --> 02:06.945
we're going to have
a network sensor.

02:06.945 --> 02:09.210
The sensor is where
data is collected.

02:09.210 --> 02:11.560
You're going to have an
analysis engine that

02:11.560 --> 02:13.100
evaluates whether
or not the traffic

02:13.100 --> 02:14.359
is malicious or not.

02:14.359 --> 02:15.500
>> A lot of times,

02:15.500 --> 02:17.540
that analysis engine
is going to look for

02:17.540 --> 02:19.250
either signatures
or behaviors to

02:19.250 --> 02:21.895
determine if the
traffic is malicious.

02:21.895 --> 02:24.660
We have pattern
matching systems.

02:24.660 --> 02:26.940
These are your
signature-based systems.

02:26.940 --> 02:28.985
They're looking for
known patterns.

02:28.985 --> 02:30.815
After an attack is determined,

02:30.815 --> 02:33.020
then the signature
files are updated,

02:33.020 --> 02:35.310
and they have the
specifics of the attack.

02:35.310 --> 02:37.010
As long as the attack matches

02:37.010 --> 02:39.110
those specifics that are
stored in signatures,

02:39.110 --> 02:41.090
then the IDS is
going to be able to

02:41.090 --> 02:43.720
detect the attack
and create an alert.

02:43.720 --> 02:45.150
The problem with that is

02:45.150 --> 02:46.370
sometimes there are
attacks that have

02:46.370 --> 02:49.025
not had signature files
created for them yet.

02:49.025 --> 02:51.200
Sometimes when an
attack first comes out,

02:51.200 --> 02:52.700
it might take a couple of weeks

02:52.700 --> 02:54.700
for these signatures
to be published.

02:54.700 --> 02:57.365
We refer to those as
zero-day attacks,

02:57.365 --> 02:59.780
attacks in which there
are no signatures.

02:59.780 --> 03:01.460
Of course, a pattern matching

03:01.460 --> 03:02.660
system that's just looking for

03:02.660 --> 03:05.720
patterns won't be able to
detect those zero days.

03:05.720 --> 03:08.785
An alternative to that is
profile matching systems.

03:08.785 --> 03:10.070
These are sometimes referred

03:10.070 --> 03:12.080
to as behavior-based systems.

03:12.080 --> 03:14.090
Ultimately, it'll
take a snapshot

03:14.090 --> 03:15.530
or a baseline of your network,

03:15.530 --> 03:16.790
and then the profile matching

03:16.790 --> 03:18.290
system identifies anything

03:18.290 --> 03:19.550
beyond that baseline within

03:19.550 --> 03:22.450
a certain threshold
as being an attack.

03:22.450 --> 03:25.430
The problem with that is
there's a lot of activity that

03:25.430 --> 03:27.905
varies on a network on
any given day or time,

03:27.905 --> 03:30.890
so you can have unusual
activity that isn't malicious.

03:30.890 --> 03:32.615
With your profile
matching systems,

03:32.615 --> 03:35.494
you often have what we refer
to as false positives.

03:35.494 --> 03:37.230
A positive is when an IDS

03:37.230 --> 03:39.140
indicates that
there's an attack.

03:39.140 --> 03:41.300
I always think it's
the IDS saying,

03:41.300 --> 03:42.815
"I'm positive
there's an attack."

03:42.815 --> 03:45.530
A false positive means the
IDS alerts you that there

03:45.530 --> 03:48.595
is an attack going on but
when there really isn't.

03:48.595 --> 03:51.470
That's always concerning
as a false negative.

03:51.470 --> 03:52.895
With the false negative,

03:52.895 --> 03:54.875
the IDS does not
sound the alert,

03:54.875 --> 03:56.830
but an attack is happening.

03:56.830 --> 03:58.875
We don't really want
either of those.

03:58.875 --> 04:01.520
When we talk about false
positives and false negatives,

04:01.520 --> 04:04.190
the way we re-evaluate
these analysis engines for

04:04.190 --> 04:07.250
their accuracy because the
two are inversely related.

04:07.250 --> 04:09.304
If I don't want any
false positives,

04:09.304 --> 04:11.675
I'm likely to increase
my false negatives.

04:11.675 --> 04:13.445
If I don't want any
false negatives,

04:13.445 --> 04:15.425
I'm going to increase
my false positives.

04:15.425 --> 04:18.175
At some point in time, those
two are going to match.

04:18.175 --> 04:20.915
We talked about that a
little bit with biometrics.

04:20.915 --> 04:24.200
With biometrics, it's called
the crossover error rate.

04:24.200 --> 04:27.110
It's the same concept for
intrusion detection systems,

04:27.110 --> 04:30.330
and that's a measure of
the system's accuracy.

04:30.830 --> 04:33.230
Other devices we might want on

04:33.230 --> 04:34.819
our network are honeypots.

04:34.819 --> 04:37.925
>> Honeypots are
distractions. For instance,

04:37.925 --> 04:40.100
I usually put a
honeypot in my DMZ,

04:40.100 --> 04:41.945
and it's a system that
looks vulnerable.

04:41.945 --> 04:44.155
It needs to look
appealing to an attacker.

04:44.155 --> 04:46.160
The idea is that
if an attacker is

04:46.160 --> 04:48.200
in my DMZ looking
around for trouble,

04:48.200 --> 04:50.090
I'm going to serve
up these desirable

04:50.090 --> 04:51.170
vulnerable systems.

04:51.170 --> 04:52.955
>> That way, they can
attack the system

04:52.955 --> 04:55.520
and keep them away from
my real resources.

04:55.520 --> 04:57.580
Also, honeypot software has

04:57.580 --> 04:59.010
some detective tools that track

04:59.010 --> 05:00.980
the activities of the
attacker so I can

05:00.980 --> 05:03.560
go back and review those
logs and get some idea

05:03.560 --> 05:04.775
about the type of attack

05:04.775 --> 05:07.165
and the type of tools
that were used.

05:07.165 --> 05:09.950
What we want to be
careful about is that we

05:09.950 --> 05:12.440
operate the honeypots
in an ethical fashion.

05:12.440 --> 05:14.855
We want that honeypot
to be enticing,

05:14.855 --> 05:16.880
but we don't want it to
trick someone into launching

05:16.880 --> 05:19.225
an attack or
compromising a system.

05:19.225 --> 05:20.670
I don't want to say, "Hey,

05:20.670 --> 05:22.550
click here for free
music," and try

05:22.550 --> 05:24.800
to prosecute somebody
because they've clicked.

05:24.800 --> 05:28.920
There is a fine line between
enticement and entrapment.

05:30.410 --> 05:34.100
A few other really
important systems are

05:34.100 --> 05:36.320
security information
and event managers,

05:36.320 --> 05:38.480
or SIEM systems.

05:38.480 --> 05:40.310
These provide us aggregation

05:40.310 --> 05:42.410
across a wide
variety of devices.

05:42.410 --> 05:45.230
I've got lots of servers,
firewalls, honeypots,

05:45.230 --> 05:47.570
and intrusion detection
systems in my network,

05:47.570 --> 05:50.180
and I can go to each one
and review the logs.

05:50.180 --> 05:52.340
That doesn't really give
me the big picture.

05:52.340 --> 05:54.170
With our SIEM systems,

05:54.170 --> 05:55.520
we can aggregate the logs and

05:55.520 --> 05:57.995
other information from all
these different devices,

05:57.995 --> 05:59.870
put them all together
on a single system,

05:59.870 --> 06:02.740
the SIEM, and use the tools.

06:02.740 --> 06:04.640
For instance, there are tools

06:04.640 --> 06:05.930
that help me correlate events

06:05.930 --> 06:08.614
and help me with trending
and forecasting analysis,

06:08.614 --> 06:10.835
aggregation, and correlation.

06:10.835 --> 06:13.215
Those are SIEM systems.

06:13.215 --> 06:15.645
If you've ever heard of
Splunk or used Splunk,

06:15.645 --> 06:18.940
that's a good example
of a SIEM system.

06:19.150 --> 06:21.290
I also want to mention

06:21.290 --> 06:23.554
unified threat
management systems.

06:23.554 --> 06:26.390
>> These do not have a
specific set of requirements.

06:26.390 --> 06:28.130
This is just a generic term for

06:28.130 --> 06:30.245
all these accompanying systems.

06:30.245 --> 06:33.125
I might have a single device
that gives me a firewall,

06:33.125 --> 06:35.090
anti-malware, my router,

06:35.090 --> 06:37.265
and you can see all these
different services.

06:37.265 --> 06:38.840
It doesn't have to provide any

06:38.840 --> 06:40.384
specific set of services,

06:40.384 --> 06:43.285
but it's one of those
multipurpose devices.

06:43.285 --> 06:46.390
Then we think about
network load balancing,

06:46.390 --> 06:49.235
and you can have hardware
or software load balancers.

06:49.235 --> 06:51.740
The whole purpose of load
balancing is to ensure

06:51.740 --> 06:54.325
that the work is
distributed across nodes.

06:54.325 --> 06:57.260
A lot of time, we have this
implemented in a cluster,

06:57.260 --> 06:59.070
or you might have five
nodes in a cluster,

06:59.070 --> 07:00.170
and we want to make sure that

07:00.170 --> 07:02.510
each device handles their
fair share of the work,

07:02.510 --> 07:04.570
so load balancing does that.

07:04.570 --> 07:07.445
Comparable to that, we
have traffic shapers.

07:07.445 --> 07:09.020
Traffic shapers often look for

07:09.020 --> 07:10.970
specifics about a packet
that would help with

07:10.970 --> 07:13.070
prioritization and
specifically for

07:13.070 --> 07:15.910
things like labels that
would indicate VoIP traffic.

07:15.910 --> 07:18.170
VoIP traffic gets
a higher priority

07:18.170 --> 07:19.730
because of these needs.

07:19.730 --> 07:21.260
Those two are more about

07:21.260 --> 07:24.720
increasing efficiency
and distribution.

