When network administrators understand how intrusions occur, they can defend against future attacks.
Companies have various means of monitoring inbound and outbound network traffic with the goal of detecting whether any anomalous traffic might be malicious in nature. But no detection solution is 100 percent effective, which means that some attacks will succeed. With that in mind, a company needs to be able to identify and remediate the attacks expeditiously, as well as determine the entire life cycle of the attack to prevent a future breach. One means of doing that is to install an appliance on the network that gives the company a broader picture of all the traffic that’s traversed its network.
Traditional options. Companies already use intrusion detection system (IDS) and intrusion prevention system (IPS) appliances. IDS is a passive type of monitoring that detects anomalies in traffic and alerts system administrators when they are found, says John Pirc, vice president of research at NSS Labs. However, IDSs won’t tell you whether the attack was successful.
IDS appliances, which were first developed about 14 years ago, weren’t originally designed to sit in line with a network’s activity. That’s why they were considered passive. IDS monitors activity by sitting out-of-band, explains Pirc, and traffic gets mirrored on a delayed basis. “Say there’s ports one, two, three, and four [on the appliance], and the traffic is coming in port one. What you can do is you can mirror port one, and let’s say that your IDS was in port four—you just mirror it. Essentially, [traffic is] just getting mirrored, and it’s getting analyzed on the IDS, and then it will tell you if it hit the positive on [a malicious] signature that fires off.”
But IPS, an active type of monitoring that was developed just about a year after IDS, sits in line and is designed to actually stop the intrusion.
IPS has not replaced IDS. Pirc says there are a few reasons why companies would want to deploy an IDS rather than an IPS. First of all, there are performance issues that come along with deploying IPS. “A lot of it comes down to performance. When you’re putting IPS in line, there could be bottlenecks [in traffic],” he notes.
Furthermore, a company that depends on keeping its online services running as efficiently as possible—such as a retail or commerce site—may prefer an IDS solution. It depends on the industry vertical and the risk threshold. Some companies would rather just have a way of being alerted to the possibility that they’re under attack, but not have a system for automatically stopping it, “because there could be a false positive in the traffic that they’re seeing,” Pirc says. A false positive is an alert in which the anomaly is not malicious in nature.
But even stopping only the true positives is not sufficient to meet the challenges of network security today. For one thing, there can be activity that gets missed. As noted already, no solution is 100 percent effective. Moreover, to quickly and efficiently find the origin of a problem once it is discovered, a company needs to be able to go back and look at all of its traffic.
The way to get a full picture of the traffic on your network, rather than only an alert that there may be a threat, is to examine a copy of the actual traffic that has entered and left the network, and the technology for doing that is full packet capture.
“You really need to be able to go back in time a long way to essentially reconstruct and deconstruct attacks into their elements—the stages—so that you can understand how it happened, and so that you can identify if other similar attacks have happened,” explains Tim Sullivan, chief executive officer of nPulse Technologies. “That will help you understand whether or not you’re under a sustained campaign of attacks and also help you predict the formation of attacks in the future.”
The packet-capture technology offered by nPulse, a hardware appliance called Capture Probe Extreme (CPX), captures network packets in real time. After a breach occurs, system administrators can go back and look at the traffic that occurred around the time of the breach. That information can be used to drill down and further understand where and when the attack happened.
Recording traffic continuously obviously raises storage issues. While there is local storage on the CPX appliance, Sullivan says that it can only hold about a day’s worth of packet capture. Therefore, CPX is designed to write to a storage area network (SAN) device, which can retain more traffic history and is typically deployed at the network level.
“In most cases you’re going to have your storage where your capture is, which is going to be on your network,” Sullivan explains. However, he adds that some companies, such as government agencies, have their packet capture occurring on an appliance in the cloud. Therefore, their storage would normally be in the cloud as well.
Typically, companies keep the full traffic history on hand for only about a week; federal government agencies are required to keep it for 30 days, Sullivan says. After that, he explains, a company can still use the metadata to review the details of a breach; it just takes more time, money, and effort to break that data down.
“It’s all about time. You’re trying to remediate as quickly as possible. You can always try and throw bodies at the problem but… obviously, human beings just cannot do what software can do as quickly. So, it’s going to be more expensive and time-consuming to do it without full-packet capture,” he says.
Sullivan uses a football metaphor to explain the difference between metadata alerts and packet capture. “An alert would be like I say, ‘Did you see that touchdown that Eli Manning threw last night on Monday night football in the second quarter?’ So now I’m talking about the event [that is comparable to seeing the metadata]. If you were to go to YouTube and watch it, now you have the recording of it [that is comparable to the full-packet capture].”
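The metadata-versus-recording distinction can be made concrete in code. The following is an added example, not code from the article or from nPulse: it hand-builds a few raw IPv4 packets (a constructed client-to-server HTTP request split across out-of-order TCP segments, with one retransmission, plus an unrelated UDP datagram), then shows the two views an analyst can take of them. `flow_metadata` keeps only what a flow record or alert would keep (5-tuple, packet and byte counters, timestamps), while `reassemble_tcp_stream` uses the stored packets themselves to rebuild the request in sequence order. The addresses, ports and function names are assumptions chosen for the illustration.

```python
import struct
from collections import defaultdict

# --- constructed sample traffic (no real capture involved) ---------------

def build_ipv4_tcp(src, dst, sport, dport, seq, payload, flags=0x18):
    """Build a raw IPv4+TCP packet (no Ethernet header, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a raw IPv4+UDP packet (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(udp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp + payload

CLIENT, SERVER = "10.0.0.5", "203.0.113.7"      # assumed, documentation-range addresses
seg1 = build_ipv4_tcp(CLIENT, SERVER, 40000, 80, 1000, b"GET /login HTTP/1.1\r\n")
seg2 = build_ipv4_tcp(CLIENT, SERVER, 40000, 80, 1021, b"Host: example.test\r\n")
seg3 = build_ipv4_tcp(CLIENT, SERVER, 40000, 80, 1041, b"\r\n")
dns = build_ipv4_udp(CLIENT, "203.0.113.53", 53000, 53, b"\x12\x34\x01\x00")

# (timestamp, packet) as a capture appliance would store them; seg2 arrives
# before seg1, and seg1 is retransmitted, to mimic real wire conditions.
SAMPLE_PACKETS = [(0.000, seg2), (0.001, seg1), (0.002, seg1), (0.003, seg3), (0.004, dns)]

# --- parsing --------------------------------------------------------------

def parse_ipv4(frame):
    """Decode the fields needed for a flow key plus the transport payload."""
    ihl = (frame[0] & 0x0F) * 4
    proto = frame[9]
    src = ".".join(map(str, frame[12:16]))
    dst = ".".join(map(str, frame[16:20]))
    l4 = frame[ihl:]
    if proto == 6:
        sport, dport, seq = struct.unpack("!HHI", l4[:8])
        doff = (l4[12] >> 4) * 4
        return {"proto": "tcp", "src": src, "dst": dst, "sport": sport,
                "dport": dport, "seq": seq, "payload": l4[doff:]}
    if proto == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"proto": "udp", "src": src, "dst": dst, "sport": sport,
                "dport": dport, "seq": None, "payload": l4[8:]}
    return {"proto": str(proto), "src": src, "dst": dst, "sport": 0,
            "dport": 0, "seq": None, "payload": b""}

def flow_key(p):
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

# --- the "alert/metadata" view: counters only, payload is gone -----------

def flow_metadata(packets):
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, frame in packets:
        f = flows[flow_key(parse_ipv4(frame))]
        f["packets"] += 1
        f["bytes"] += len(frame)
        f["first"] = ts if f["first"] is None else f["first"]
        f["last"] = ts
    return dict(flows)

# --- the "full packet capture" view: rebuild what was actually sent ------

def reassemble_tcp_stream(packets, key):
    """Order TCP segments of one direction by sequence number, dropping
    retransmitted duplicates, so the application-layer request is readable."""
    segments = {}
    for _, frame in packets:
        p = parse_ipv4(frame)
        if flow_key(p) != key or p["proto"] != "tcp" or not p["payload"]:
            continue
        segments.setdefault(p["seq"], p["payload"])   # first copy wins
    stream, expected = b"", None
    for seq in sorted(segments):
        data = segments[seq]
        if expected is not None and seq > expected:
            break                                     # gap: stop at what is provable
        if expected is not None and seq < expected:
            data = data[expected - seq:]              # trim overlapping bytes
        stream += data
        expected = seq + len(segments[seq])
    return stream

if __name__ == "__main__":
    key = ("tcp", CLIENT, 40000, SERVER, 80)
    print(flow_metadata(SAMPLE_PACKETS)[key])
    print(reassemble_tcp_stream(SAMPLE_PACKETS, key).decode())
```

Run stand-alone, the script prints the flow record for the HTTP connection (four packets, 224 bytes, a few milliseconds apart) and then the reconstructed `GET /login` request. The point of the pairing is what the metadata cannot answer: the flow record shows that the client spoke to port 80, but only the retained packets show which path was requested and what headers were sent, which is the "recording" Sullivan contrasts with the "event".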
Sullivan adds that this does not replace intrusion detection and prevention systems or firewalls, but it is an important supplement to them.
Other vendors also go beyond alerts, but not necessarily in the automated pre-event way that nPulse does. If clients want to pay for added functionality, Trustwave offers features that take its IDS a step beyond alerts. With certain security packages, Trustwave’s Spider Labs threat research team will go in and look at the traffic after a client’s security event has occurred to analyze it. “Traffic capture as packet capture is done on the [individual organization’s] IDS, and the relevant capture is forwarded to the Trustwave security operations center respective to the alert it represents,” says Jamie French, technical product marketing manager at Trustwave. “It’s not just a regurgitation of known and understood things, but we actually are identifying new and complex attack patterns and actually protecting our customers,” he says.
When a breach that originally went undetected is discovered retroactively, and packet capture is not stored on the IDS appliance, the Spider Labs team can still use the metadata to go back and understand the attack. “We’ll be able to piece together audit logs around detection of the attacks, so that we can actually understand the techniques that were used, and we incorporate that type of information into our signatures,” he adds.
No matter how it is done, French says that he sees a trend in customers wanting to know as much as possible about what goes on in their networks so that they’re better prepared to deal with increasingly sophisticated threats. “It broadens out further than just network intrusion detection and prevention, but holistically customers are trying to incorporate more contextual data about their environment,” he notes.