Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: recommender system for network intrusion detection SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
recommender system for network intrusion detection
Ideas to build recommender system for network intrusion detection will be appreciated. BiSarfraz

1 Posts
Testing AlexTesting

1 Posts
My first reaction to your question is "Defense in depth". :-) We just got done doing some evals of several different intrusion detection/prevention systems. And the one thing that really stuck out to me was that no one vendor caught everything or all of the same things. We've got a FireEye appliance in one office, PaloAlto firewalls in most offices (just monitoring traffic), and snort in most offices. We also are using OpenDNS (and my own DNS filters using the RPZ feature in bind), and bluecoat (web proxying). I highly recommend both.

Note that these are my opinions only, and they're just opinions. I urge you to do your own eval of multiple vendors - who knows, your networks are likely different than mine so other solutions may be better. Lastline and Cyphort both were very good. Lastline was better than most at picking up spyware/adware than most. Cyphort is already picking up OSX malware. PaloAlto's Wildfire also works nicely at catching the users downloading some adware-du-jour or other bad stuff.

But as I said, no one solution detects everything. When we simulated a bad-actor pivoting using the same mechanism we'd caught the previous year (using snort), none of the commercial vendors batted an eye and even snort merely waved a yellow flag saying "this might be suspect" (one system PSEXEC'ing something on another). For me, the one take-away from running a bunch of systems in parallel was that we're going to continue to deploy snort everywhere, and run it in parallel with as many of the commercial solutions as we can afford (both in $$ and in time to manage/analyze the results) and none of these solutions are any good without someone to look at the results several times a day.

To summarize, I'd strongly urge you to filter DNS, filter/proxy web (these two prevent more infections here than any anti-virus tool ever has), and monitor as much traffic as you can. The days of monitoring your edge traffic alone are over. Segment your network (ie, separate users, and services with firewalls, separate even different groups of users with firewalls if/when you can), and monitor any traffic crossing a security or geographic boundary at the very least with one or more intrusion detection systems. It was only because we'd fired up snort to monitor MPLS as well as internet traffic that we caught a bad-actor pivoting. :-( Before then everyone was still subscribing to the "just monitor edge traffic" notion...
Brent

121 Posts

Sign Up for Free or Log In to start participating in the conversation!