The Purpose of Intrusion Detection & Prevention Systems

Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. An Intrusion Prevention System (IPS) is primarily a preventive device designed not only to detect but also to block malicious actions.

Depending on their physical location in the infrastructure, and the scope of protection required, the IDS and IPS fall into two basic types: network-based and host-based. Both have the same function and the specific type deployed depends on strategic considerations.

WHY ARE IDS and IPS necessary?

The IDS and IPS devices employ technology, which analyses traffic flows to the protected resource in order to detect and prevent exploits or other vulnerability issues.

These exploits can manifest themselves as ill-intended interactions with a targeted application or service. The goal is to interrupt and gain control of an application or a machine, thus enabling the attacker to disable the target causing a denial-of-service situation, or to gain access to rights and permissions available through the target.

EVENT TYPES

There are four types of IDS and IPS events: true positive, true negative, false positive, and false negative. The goal of implementing an IDS or IPS is to achieve only true positives and true negatives.

One should keep in mind that most implementations have false positives so monitoring engineers spend time investigating non-malicious events, and false negatives, which can lead to intrusions. Thus, a proper configuration of the system is of crucial importance as it must reflect the organization’s traffic patterns.

IDS are designed to provide readiness to prepare for and deal with cyber attacks. This is accomplished through information collected from a variety of systems and network sources, which is then analyzed for security problems. IDS are generally deployed with the purpose to monitor and analyze user and system activity, audit system configurations and vulnerabilities, assess the integrity of any critical system and data files, perform statistical analysis of activity patterns based on the matching to known attacks, detect abnormal activity and audit operating systems.

 

The IPS is generally deployed in-line and analyses network packet traffic as it flows through. Thus, it is similar in function to an IDS – both attempt to match packet data against a signature database or detect anomalies against what is pre-defined as “normal” traffic.

In addition to this IDS functionality, an IPS does more than log and alert – It is usually used to react to detected anomalies. This reaction ability of the detections is what makes IPS more desirable than IDS in general.

THE WHAT, WHERE AND WHO’S OF IDS and IPS DEPLOYMENT

These questions are to be answered taking into account the specifics of one’s environment. The most common locations for intrusion detection/protection sensor are between the network and extranet, in the Demilitarized Zone (DMZ), between the servers and the user community, on the remote access, intranet, and database environment, establishing network perimeter, and covering all possible points of entry should be possible.

Once placed, the sensors must be configured to report to the central management console, as dedicated administrators will manage the sensors, provide a new or updated signature, and review logs. In order to avoid data tampering, one must ensure the communication between the sensors and management console is secure.

The proper identification of mission-critical systems and points of entry requires the following roles in an organization to be involved in any IDS/IPS deployment:

  • Senior Management
  • Information Security Officers
  • Data owners
  • Network Administrators
  • Database Administrators
  • Operating System Administrators

If the key people representing these roles are not involved, the resources won’t be used efficiently and the resulting measure will be inadequate. It is strongly advisable to perform Vulnerability and Risk Assessment prior to implementing IDS or IPS.

Once the IDS is up and operational, logs must be reviewed, and traffic must be tailored to meet the specific needs of the company. Remember, traffic that may be perceived as abnormal by the IDS/IPS may be perfectly suitable for the environment. IDS/IPS must be properly maintained and configured.

WHY CHOOSE A VENDOR?

There are times when you may feel you lack the knowledgeable staff to deploy and administer the IDS/IPS. Here the vendors come in. Instead of spending a considerable amount of time and money trying to figure out the how’s and why’s, specialized teams can come to the aid, with the required expertise to get you started and train your personnel.

When choosing a vendor, look for a team that:

  • Eliminates false positives by systematic tuning of detection to meet the characteristics of the particular system;
  • Eliminates false negatives. Eliminating false positive alarms may result in incurring false negatives, and that must not happen;
  • Understands what constitutes a security-relevant event and develop proper reporting;
  • Installs and configures a complete solution;
  • Provides and devises methods to test IDS/IPS;
  • Determines the damage caused by a detected attack, limits further damage, and recovers from the attack;
  • Makes your systems scalable to the size required.

 

DPO Outsourcing and the GDPR

Protecting data, be it personal, sensitive, or even public, is extremely important, and having a competent Data Protection Officer will ensure successful implementation of all the regulations and proper compliance with the GDPR (General Data Protection Regulation) that is coming into force on May 25th 2018.

The DPO is responsible for overseeing the proper use of information technology and supplying staff with information and providing training. The DPO is an independent role, thus is not obliged to adhere to instructions issued by other members of staff in performing DPO role-related tasks.

WHO NEEDS A DPO?

Article 37 of the GDPR stipulates that a controller or a processor must appoint a DPO if:

  • You are a Public Authority processing data, or
  • You are a controller or a processor whose principal activities involve large-scale, regular, and systematic data processing, or
  • You are a controller or a processor whose principal activities involve large-scale processing of sensitive data (under Article 9) or data relating to criminal convictions/offenses (under Article 10)

IS DPO OUTSOURCING POSSIBLE?

In today’s competitive market, it may be hard to find a suitable DPO, or it may be more feasible to look for an outsourcing alternative. It would be wise to consider appointing an external Data Protection Officer for reasons of cost, training, skillset, qualifications, and assumed liability.

In general, outsourcing the role of the DPO will cost less and your organization will benefit from a team-held knowledge base and experience that is wider and deeper than that of any single person who may be suited for the role in your organization.

Develop Policies for an All-round Approach to Information Security

Taking risks is something we do every single minute, sometimes without even realizing it. A risk may be something as little as talking to somebody, let alone major decision-making or something life-defining. Taking risks also relates heavily to IT security, therefore a countermeasure is required – a policy.

Information Security Policies are an important administrative security control designed to avoid, counteract or minimize IT security risks. They are an integral and inseparable part of the multitude of possible security controls, without which one cannot claim an effective implementation of any meaningful security actions. Organizations need Security Policy, Standards, and Procedures to enforce Information Security in a structured way.

Defining corporate security policies, basing them on industry standards, measuring compliance, and outsourced services are keys to successful policy management.

THE RULES OF POLICIES DEVELOPMENT

Security policy and supporting documents must be not only developed but also implemented. The execution of all documents must be ensured.

A clear and understandable procedure should be developed and implemented for applying sanctions to those who fail to comply with the policy. So staff knows not only what is expected of them, but what are the consequences of non-compliance.

Policy –  Information Security Policy is a comprehensive statement made by the company’s senior management, indicating the role of security in the organization. The Policy is independent in terms of technology and solutions. It outlines the purpose and mission of security and achieves tasks such as defining the assets considered valuable, empowering the security group and its activities, serving as a basis in the process of security-related conflict resolution, capturing the goals and objectives relating to safety, outlining the personal responsibility of staff members, helping prevent unexplained events, defining the boundaries and functions of the security group, etc.

Standards – mandatory actions or rules. Standards help, support, and develop policies in certain areas. Standards may be internal or external (e.g. legislation). Standards can, for example, indicate how to use the software and hardware or how to deal with users. They can ensure the uniformity of technologies, applications, settings, and procedures throughout the company.

Procedures – detailed step-by-step descriptions of tasks performed to achieve a certain goal. Steps can be performed by users, IT professionals, security personnel, and other staff members dealing with specific tasks.

Procedures occupy the lowest level in the chain of policies, as they relate to computers and users and describe certain concrete steps and also how the policies will actually be implemented in the production environment. Procedures should be detailed enough to be understandable and useful.

 

Guidelines – describe the recommended actions and operating instructions for users, IT professionals, and other staff members, when the appropriate Standards do not apply. Recommendations may relate to technological methods, personnel, or physical security. Recommendations, as opposed to mandatory enforcement of strict Standards, show the basic approach of having some flexibility in unforeseen circumstances.

Baselines – uniform ways of implementing a given safeguard. The system must meet the baseline described by benchmarks. Baselines are discretionary; it is acceptable to implement a safeguard without following benchmarks, as long as it is implemented to poses a level of security at least as secure as if using benchmarks.

THE INFORMATION SECURITY POLICY FRAMEWORK

Each document listed above has a different target audience within the business and therefore, should never be combined into one document. Instead, there should be several documents, that together form the concept of an Information Security Policy framework.

This framework is illustrated in the diagram above, with each level of the framework supporting the levels above it. Some small organizations tend to define Security Policies from the bottom up, starting with the capabilities of the tools at hand. Medium and large enterprises know that sound Security Policies Development begins from the top down.

HOW TO START with the development of policies

Practice shows that without top management’s participation and visionary input, Information Security Policies Development is practically impossible.

Any endeavor in Information Security must, at least, be fully supported by top management. Ideally, the seniors of the company will initiate the changes in strategy and will be actively involved in the Information Security Policy development process.

No matter how talented and prepared the Information Security person you hire, they will not be able to affect the necessary changes.

Top management must be involved in the entire program development in order to ensure comprehensiveness, full compliance by staff, and sanctioning for non-compliance – it is only effective when supervised and executed under an autocratic approach.

CISO-for-Hire?

The CISO (Chief Information Security Officer) is the one person in an organization that bears the primary responsibility for IT asset security, for the strategy, planning, and implementation of security measures and initiatives. The main responsibility of the CISO must always be in sync and know what to do with all possible risks associated with cybersecurity. Furthermore, the CISO takes care of all regulatory and operational compliance requirements so that all relevant standards and regulations are addressed properly and in a timely fashion.

WHY DO YOU NEED ONE?

The CISO is a useful function to have in your organization, especially today, with all the dynamics we see in the cyber threat landscape. With a CISO you will be able to:

  • Achieve an improved overall security posture;
  • Be better prepared for what may come;
  • Reach business KPI’s more easily;
  • When you have new projects, or even with existing ones, you will have security and compliance addressed properly at all times;
  • Benefit from all engagements related to risk management as well as in any security or operational endeavors;
  • Decrease the impact of risks associated with the nature of your business;
  • Keep your business updated with all relevant regulations and compliance or other requirements.

WHY WOULD YOU RENT YOUR CISO?

Finding, recruiting, and keeping on the payroll your very own, full-time, dedicated, and talented CISO is not always possible for a number of reasons. Sometimes, it works out to be more cost-effective to hire a CISO from an outside organization. How can that be? Let’s look at some scenarios:

  • Your business is small or mid-sized and a cost-effective alternative to hiring is welcome;
  • You may need a security expert only temporarily, say for a specific project, or if you have upcoming audits and compliance engagements;
  • You may be searching already for your own specialist to hire and want to have someone tide you over in the meantime;
  • Your specialist may be on vacation or extended leave and, again, you don’t want to be without an IT security specialist by your side.

WHAT TO EXPECT AND WHAT TO LOOK FOR IN YOUR HIRED CISO

The company you want to rent your CISO from must prove they can deliver experienced practitioners to act as your hired CISO. Ask for company and personal certifications and qualifications. Furthermore, this person must be able to integrate seamlessly into your business and, well, extend it, least not hinder it. The security presence you need is just to help you bear the brunt by reducing cyber risks and avoiding IT incidents. The service must provide at least the following:

  • Proactive monitoring, adapting, and forecasting of your own risk management engagements;
  • Management of all security incidents;
  • Information security audit assistance and management;
  • Train and re-train your staff;
  • Consult on business and IT process management;
  • Dedicate regular on-site hours to be spend with your team;
  • Be available through email and phone when off-site;
  • Attend and assist management meetings when needed;
  • Regularly report to your management or on a need-to-have basis.

The company you hire your CISO from must form a business partnership with you to drive your IT security strategy forward through one or several consultants who should be:

  • Profoundly and broadly knowledgeable, with certified expertise, experience, and professional qualifications in IT Security that at least matches, and even better if it surpasses those of any single CISO or security manager;
  • Equipped with a varied outside-of-professional-qualification set of skills to include multi-tasking, leadership, swift and legible communication, soft skills, fast reaction, and on-boarding of new security technologies;
  • Passionate about what they do and your satisfaction;
  • Ready to act and consider themselves as your own employees;
  • Skilled in creative thinking and problem-solving.

HOW DOES IT HAPPEN?

The process of on-boarding and “living” with your newly hired CISO usually looks something like the diagram below. Depending on your specifics, the process should be able to be altered to closely adhere and be most beneficial to you as needed:

 

COST-EFFICIENCY

Based on an initial and ongoing risk assessment, the company giving you the CISO should provide flexible, tailored pricing, so you can achieve your goals in information security and, at the same time achieve cost-effectiveness and feasibility. The service ideology should be based on affordability with a maximized value-for-money approach.

Depending on your company’s needs for on and off-site presence, the complexity of one-time or ongoing projects, and internal and external audit needs and requirements, the provider should devise the most cost-effective plan to make sure your information security projects are adequately manned.

What is a Corporate Anti-Virus System Good for?

Antivirus or anti-virus software (AV), sometimes also referred to as anti-malware software, is developed with the purpose to detect, remove and prevent the proliferation of malicious code.

The consequences of malware infection in a corporate environment may be very different – from loss of valuable information, stealing of confidential information, sending unsolicited emails and spam, to unsolicited remote computer access and unauthorized malicious attacks on the server.

ENDPOINT SECURITY

The most commonly used product for endpoint security is antivirus software. Many of today’s integrated endpoint security offerings have evolved over time from the initial development of antivirus software. Anti-virus products are often ridiculed for their continued inability to stop the spread of malicious software.

Unfortunately, there is no perfect remedy or elixir to stop malware, so antivirus products will still be necessary, though insufficient. Antivirus software is a single layer (of many) for defense-in-depth endpoint protection.

HOW DO ANTI-VIRUS SOFTWARE WORK?

Although antivirus vendors often employ heuristic or statistical methods for malware detection, the predominant means of detecting malware is still signature-based. Such approaches require that a malware specimen is available to the antivirus vendor for the creation of a signature. This is an example of application blacklisting. For rapidly changing malware or malware that has not been previously encountered, signature-based detection is much less successful.

MALWARE AND ITS MANY FACES

 

To start with, antivirus software was designed to primarily detect and remove computer viruses, and that’s where it got its name. With the invention and proliferation of many other types of malware, antivirus products have begun providing protection from other computer threats. Modern antivirus software can protect from malicious Browser Helper Objects, browser hijackers, ransomware, keyloggers, backdoors, rootkits, Trojans, worms, dialers, adware, and spyware.

IMPLEMENTATION OF ANTIVIRUS

Integrating comprehensive antivirus protection secures:

  • Control of all possible intrusion channels for viruses – email, HTTP, FTP, external storage media (floppy, CD, DVD, flash-cards, etc.), file servers;
  • Protection against various types of threats – viruses, network and email “worms”, “Trojan horses”, unwanted programs (spyware, adware, etc.);
  • Apart from being installed on endpoint devices (servers, workstations), antivirus software can be run on the Internet gateway, so traffic is scanned before reaching the network;
  • Continuous monitoring and periodic anti-virus scan of all servers and workstations;
  • Automatic notification when an “infection” or “treatment” of viruses has occurred;
  • Protection of mobile devices, etc.;
  • Deploying a corporate antivirus system will enable centralized management and software update distribution.

TIPS WHEN LOOKING FOR A VENDOR

Today’s organizations require a comprehensive, multi-layer, defense-in-depth security strategy to successfully address malware-related issues. A successful antivirus installation will help protect assets and endpoint devices against targeted attacks, prevent data loss and theft, address security policies, and protect vital company information.

Deploying the best antivirus is usually not enough. It must go hand in hand with other controls that ensure the organization is comprehensively protected. As part of building corporate anti-virus protection, look for vendors that offer a range of services, with scope varying in accordance with the needs of the client, and may include:

  • Preparation of proposals for the selection decision, so the customer is protected against compatibility risks, system scalability, additional hardware capacities, etc.;
  • Deployment of solutions on a limited segment, thus reducing potential risks for customer implementation, using the results of a “pilot” operation;
  • Preparing instructions and guidelines for further development on the basis of the results of the deployment of a limited segment;
  • Installation and configuration of a complete solution;
  • Standardization of requirements for anti-virus protection system with respect to installation, configuration, and operation of its components;
  • Development of instructional (operating) system documents for administrators and users;
  • Development of custom policies;
  • Conducting internal workshops in order to educate all participants.