WEBVTT

00:00.660 --> 00:05.670
It's incredibly important that we're aware when threat actors are attacking our networks.

00:05.670 --> 00:12.660
So to deal with this we have network intrusion detection systems and network intrusion prevention systems

00:12.930 --> 00:16.750
better known as an IDS and an IPS.

00:16.820 --> 00:20.670
Now first of all let's make sure we understand the difference between the two.

00:20.670 --> 00:26.970
Detection is not prevention. Detection simply means I see something's happening and I will tell somebody

00:26.970 --> 00:32.280
about it through an email or text message or something so that we can deal with it.

00:32.280 --> 00:39.410
Prevention means to actually detect that something's happening but also to stop it in one way or another.

00:39.450 --> 00:48.510
So we say an IDS is a passive type of system whereas an IPS is an in-line or active system that's actually

00:48.510 --> 00:50.340
doing something.

00:50.340 --> 00:54.790
The interesting thing about prevention is that with IPS systems,

00:54.960 --> 01:00.000
they certainly detect but more than that they often have the ability for example to go into a router

01:00.360 --> 01:07.740
and dynamically start blocking ports or blocking an IP address or blocking a user name or whatever it

01:07.740 --> 01:08.540
might be.

01:08.760 --> 01:14.510
And they can actually control devices to stop whoever is coming in and doing naughtiness.

01:14.520 --> 01:16.420
The trick though is detection.

01:16.500 --> 01:19.390
So we have four different methods for detection.

01:19.680 --> 01:24.600
First of all we have behavioral or anomaly based. What we're talking about there is that we have some

01:24.600 --> 01:26.460
kind of baseline on a system.

01:26.520 --> 01:35.250
We expect this many malformed packets coming in per second or we expect that we see this amount of traffic

01:35.250 --> 01:39.030
coming from certain geographical areas over time.

01:39.090 --> 01:45.530
If we see changes from this baseline we treat that as a detection of an attack.

01:45.630 --> 01:48.610
And we set off a flag.

01:48.690 --> 01:55.560
Second is signature based. Signature files are kind of like anti-malware: we have expectations of things

01:55.560 --> 02:01.290
that we're expecting to come in and we do online checking of them and if we see it we consider that

02:01.290 --> 02:04.080
that is an attack and we're dealing with it.

02:04.320 --> 02:07.970
Next is rule based. Rule simply means that it uses rule sets.

02:08.010 --> 02:10.440
Sort of like a firewall in that we have:

02:10.590 --> 02:18.600
If I see more than 273 ICMP packets per second I will treat that as a denial of service attack and I

02:18.600 --> 02:20.510
will detect a threat.

02:20.550 --> 02:25.010
And then last is heuristic. Heuristics are probably the most common today.

02:25.080 --> 02:30.190
It starts with signature files but then it does the behavioral anomaly thing as well.

02:30.240 --> 02:35.520
So it will have a signature file but also a baseline and it will learn over time.

02:35.520 --> 02:40.250
Most of the good IDS and IPS systems today are heuristic.

02:40.260 --> 02:45.720
In fact a lot of them do combinations of all four, and they protect how they do it very carefully, very

02:45.720 --> 02:47.460
proprietary information.

02:47.850 --> 02:55.380
So if we have all this, well, how do we set all this up? So to configure an IDS or an IPS,

02:55.580 --> 02:57.570
you start off with sensors.

02:57.740 --> 03:00.200
A sensor is a little box like for example.

03:00.200 --> 03:03.130
Here's a picture of what we call a network tap.

03:03.290 --> 03:11.000
This network tap has two sets of connectors, one for in and one for out. Literally every packet that goes

03:11.000 --> 03:14.590
through this tap is being logged and checked.

03:14.600 --> 03:18.560
That's its job, to look for that type of stuff.

03:18.560 --> 03:25.370
Secondly is port mirroring. Most any switch these days has the ability to be able to grab data from multiple

03:25.370 --> 03:26.920
other physical ports.

03:26.990 --> 03:30.970
It's a configuration thing that we do and we can set it up so that we can do that.

03:30.980 --> 03:36.950
In particular if you have a lot of VLANs it's very very common to set port mirrors up that say

03:36.950 --> 03:41.090
I want to see everything happening on all the different VLANs at once.

03:41.150 --> 03:46.220
Now with the sensors up and running the next thing we're going to have to do is we have to set them

03:46.220 --> 03:53.480
up in the right way. With an IDS, because it's passive, it's often set up as out-of-band.

03:53.510 --> 04:02.120
So if we take a look at this diagram right here you'll see that I have an IDS sensor configured.

04:02.120 --> 04:08.130
Now it's not really connected through anything it's just designed to pick up as much data as it can.

04:08.420 --> 04:12.440
And it probably has a NIC in there in promiscuous mode that's just grabbing all the information that

04:12.440 --> 04:13.610
it possibly can.

04:14.430 --> 04:18.610
With an IPS it's almost always going to be in-band.

04:18.630 --> 04:23.340
So just like that network tap we saw a moment ago I will bring up another diagram.

04:23.340 --> 04:29.010
So in this diagram what we have is a device where literally everything that is on the network has to

04:29.010 --> 04:34.740
go through the device because it is the connection to the Internet itself so it's just behind the firewall.

04:35.100 --> 04:41.010
So in-band is almost always going to be for an IPS and out-of-band is almost always going to

04:41.010 --> 04:42.060
be for an IDS.

04:42.090 --> 04:45.440
Although there will be exceptions from time to time.

04:45.620 --> 04:51.470
So now that we have all these sensors and one little network tap, to keep track of all this might be tough.

04:51.770 --> 04:54.170
Maybe for my little network here at Total Seminars.

04:54.170 --> 05:00.020
So on larger networks what we'll have are collectors. Collectors are going to be computers whose job

05:00.020 --> 05:05.540
is to take all this data that's coming from all these different sensors and store it into a single database

05:05.870 --> 05:08.180
and it just keeps building up and building up.

05:08.270 --> 05:13.760
So we have a single source that we can look at to see if there's any problems and to see if there's

05:13.760 --> 05:14.660
any problems.

05:14.660 --> 05:16.180
That's where the last part comes in.

05:16.190 --> 05:21.800
And this is where the big money runs to, and that is correlation engines. A correlation engine is nothing

05:21.800 --> 05:27.170
more than the actual tool that does the behavioral and honestly it does the signature checks.

05:27.170 --> 05:32.450
It does the rule checks, it does the heuristic checks, and that's the actual device that will set off the

05:32.450 --> 05:35.390
alarms and let us know, or on an IPS,

05:35.450 --> 05:41.200
I guess, take care of it itself to deal with the attack.
