Ideas to build a recommender system for network intrusion detection would be appreciated.
BiSarfraz
Aug 14th 2014
Testing |
AlexTesting
Aug 22nd 2014
My first reaction to your question is "Defense in depth".

Note that these are my opinions only, and they're just opinions. I urge you to do your own eval of multiple vendors - who knows, your networks are likely different than mine so other solutions may be better.

Lastline and Cyphort both were very good. Lastline was better than most at picking up spyware/adware. Cyphort is already picking up OSX malware. PaloAlto's Wildfire also works nicely at catching the users downloading some adware-du-jour or other bad stuff. But as I said, no one solution detects everything. When we simulated a bad-actor pivoting using the same mechanism we'd caught the previous year (using snort), none of the commercial vendors batted an eye, and even snort merely waved a yellow flag saying "this might be suspect" (one system PSEXEC'ing something on another).

For me, the one take-away from running a bunch of systems in parallel was that we're going to continue to deploy snort everywhere, and run it in parallel with as many of the commercial solutions as we can afford (both in $$ and in time to manage/analyze the results), and none of these solutions are any good without someone to look at the results several times a day.

To summarize, I'd strongly urge you to filter DNS, filter/proxy web (these two prevent more infections here than any anti-virus tool ever has), and monitor as much traffic as you can. The days of monitoring your edge traffic alone are over. Segment your network (i.e., separate users and services with firewalls; separate even different groups of users with firewalls if/when you can), and monitor any traffic crossing a security or geographic boundary at the very least with one or more intrusion detection systems. It was only because we'd fired up snort to monitor MPLS as well as internet traffic that we caught a bad-actor pivoting.
Brent
Aug 25th 2014
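One way to turn the "monitor traffic crossing a boundary" advice above into a concrete check, as an added example that is not code from this thread or from any of the products named: it walks constructed SMB connection records, flags a user workstation opening admin shares on other workstations (the footprint a PsExec-style pivot leaves), and notes whether any of those hits crossed a segment boundary such as an HQ-to-branch MPLS link. The segment names, subnets and record format are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical segmentation for the example: two user segments (HQ and a branch
# joined over MPLS) and one server segment. Subnets are constructed.
SEGMENTS = {
    "users-hq": ipaddress.ip_network("10.1.0.0/16"),
    "users-branch": ipaddress.ip_network("10.2.0.0/16"),
    "servers": ipaddress.ip_network("10.10.0.0/16"),
}
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}  # shares a remote service install touches

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_record(line):
    # Constructed record format: timestamp,src,dst,dport,share
    ts, src, dst, dport, share = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "share": share}

def find_lateral_smb(lines):
    """Flag user-segment sources opening admin shares on other user workstations
    over SMB (445); record whether any hit crossed a segment boundary."""
    findings = defaultdict(lambda: {"targets": set(), "cross_boundary": False})
    for line in lines:
        r = parse_record(line)
        if r["dport"] != 445 or r["share"] not in ADMIN_SHARES:
            continue  # ordinary file-share use is out of scope for this rule
        src_seg, dst_seg = segment_of(r["src"]), segment_of(r["dst"])
        if not (src_seg.startswith("users-") and dst_seg.startswith("users-")):
            continue  # workstation-to-server admin-share use needs a separate rule
        f = findings[r["src"]]
        f["targets"].add(r["dst"])
        f["cross_boundary"] |= src_seg != dst_seg
    return {s: {"targets": sorted(f["targets"]), "cross_boundary": f["cross_boundary"]}
            for s, f in findings.items()}

# Constructed sample records; one HQ workstation fans out to three peers.
SAMPLE_LOG = [
    "2014-08-20T10:01:02,10.1.5.20,10.10.3.4,445,IPC$",    # workstation to server: expected
    "2014-08-20T10:03:17,10.1.5.20,10.1.5.31,445,public",  # not an admin share
    "2014-08-20T10:07:44,10.1.5.20,10.1.5.31,445,ADMIN$",  # peer workstation, same segment
    "2014-08-20T10:08:01,10.1.5.20,10.2.7.9,445,ADMIN$",   # crosses the HQ-to-branch boundary
    "2014-08-20T10:08:30,10.1.5.20,10.2.7.10,445,C$",
    "2014-08-20T10:09:00,10.2.7.9,10.10.3.4,445,IPC$",     # branch workstation to server
]
```

Run `find_lateral_smb(SAMPLE_LOG)` to see the single flagged source with its three targets and the boundary-crossing flag set; feeding it real connection logs means only replacing `parse_record` and the subnet map.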