There's plenty of malware floating around out there on the Internet.
Thankfully, there are many protection measures available.
Antivirus software is also useful in large enterprise networks.
An enterprise network really needs reports of antivirus incidents to be centralised.
What is an advantage for home users is a weakness for enterprise networks.
Going beyond antivirus
To take things further a different approach is needed.
This approach is referred to as an IDS or Intrusion Detection System.
There are many different variations on the IDS, many of which can complement each other.
For example, an IDS can be tasked to monitor a host or network traffic.
A host-monitoring IDS is referred to as a HIDS or Host(-based) Intrusion Detection System.
A network-monitoring IDS is known as a NIDS or Network Intrusion Detection System.
A HIDS is similar to an antivirus suite, monitoring a host and reporting back to a centralised system.
A NIDS is generally placed in a high-traffic area of the network.
A NIDS can be configured to be inline or in a tap configuration.
A tap configuration basically mirrors all network traffic to the NIDS.
It can then perform its monitoring functions without acting as a single point of failure.
Monitoring methods
An IDS typically uses a range of detection methods.
The classic approach is exactly what is used in antivirus products; signature-based detection.
This is a well-known and generally fairly effective way of countering known threats.
Signature-based monitoring, however, isn't a silver bullet.
Because it can only match patterns it already knows, it is useless for detecting new attacks and vulnerable to variations on existing techniques.
The main alternative method an IDS uses is anomaly-based detection.
Anomaly-based detection takes a baseline of standard usage and then reports on unusual activity.
This can be a powerful tool.
It can even highlight a risk from a potential rogue insider threat.
A developing field is the use of artificial neural networks to perform the anomaly-based detection process.
Centralisation: A curse or a blessing?
One of the key features of an IDS is centralisation.
It allows a network security team to collect live network and host status updates.
This includes a lot of information, most of which amounts to "everything is fine".
To minimise the chances of false negatives, i.e. missed malicious activity, most IDS systems are configured to be very twitchy.
Even the slightest hint of something being off is reported.
Often this report then has to be triaged by a human.
If there are many false positives, the responsible team can be quickly overwhelmed and face burnout.
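The two detection methods described above, and the trade-off between twitchiness and false positives, as an added example that is not part of the original article. It runs both a signature rule set and a baseline-driven anomaly check over constructed sample log lines; the log format, signature rules, source hosts and the `sensitivity` threshold are all assumptions made for the example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample log lines, not real traffic: "<src_ip> <dst_port> <request>".
BASELINE = [  # assumed-clean training window, which anomaly detection requires
    "10.0.0.5 443 GET /index.html", "10.0.0.5 443 GET /about.html",
    "10.0.0.7 443 GET /index.html", "10.0.0.7 443 GET /contact.html",
    "10.0.0.9 443 POST /login", "10.0.0.9 443 GET /index.html",
]
OBSERVED = [
    "10.0.0.5 443 GET /index.html",
    "10.0.0.7 443 GET /../../etc/passwd",  # matches a known signature
    "10.0.0.7 443 GET /index.html",
    "10.0.0.7 443 GET /about.html",
] + [f"10.0.0.42 443 GET /api/v1/export?id={i}" for i in range(8)]  # no signature, unusual volume

# Hypothetical signature rules: the IDS only knows what is written here.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "union_select": re.compile(r"union\s+select", re.IGNORECASE),
}

def signature_alerts(lines):
    """Signature-based detection: fires only on patterns already in the rule set."""
    return [(name, line, "high")  # exact known pattern: high confidence
            for line in lines for name, rx in SIGNATURES.items() if rx.search(line)]

def build_baseline(lines):
    """Learn normal per-source request volume from a window assumed to be clean."""
    counts = list(Counter(line.split()[0] for line in lines).values())
    return mean(counts), (pstdev(counts) or 1.0)

def anomaly_alerts(lines, baseline, sensitivity=2.0):
    """Anomaly-based detection: flag sources whose volume deviates from the baseline.
    A lower sensitivity makes the IDS twitchier: fewer false negatives, more false positives."""
    avg, sd = baseline
    alerts = []
    for src, n in Counter(line.split()[0] for line in lines).items():
        z = (n - avg) / sd
        if z > sensitivity:
            alerts.append(("volume_anomaly", src, "high" if z > 3 else "medium"))
    return alerts

def triage(alerts):
    """Split alerts as the text describes: high-confidence ones may be auto-actioned
    (IPS style) and flagged for review; the rest queue for a human analyst."""
    auto = [a for a in alerts if a[2] == "high"]
    review = [a for a in alerts if a[2] != "high"]
    return auto, review
```

With the default sensitivity only the novel high-volume host is flagged; lowering it to 0.5 also flags 10.0.0.7, a false positive that a human would have to triage.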
Centralising the system also often involves adding a complex SIEM system.
SIEM stands for Security Information and Event Management system.
It typically involves an array of collection agents around the network gathering reports from nearby devices.
These collection agents then feed the reports back to the central management system.
The introduction of a SIEM does increase the network's attack surface.
This, however, is always a risk for any security system.
Automating responses with an IPS
An IDS is basically a warning system.
It looks for malicious activity and then throws alerts to the monitoring team.
Imagine if a ransomware worm manages to get into the network.
An IPS takes automated action to attempt to minimise the risk.
On a HIDS, an IPS acts like an antivirus quarantine function.
It automatically locks down the suspected malware and alerts the security team to analyse the incident.
On a NIDS, an IPS must be inline.
This means that all traffic needs to run through the IPS, making it a single point of failure.
Limitations
An IDS has several limitations.
The false positive rate is generally really high and there can be large periods of time between legitimate issues.
This can lead to the security team becoming desensitised and blasé about alarms.
This attitude increases the risk that they miscategorise a rare true positive as a false positive.
Network traffic analysis tools typically use standard libraries to analyse the network traffic.
Inline NIDS act as single points of failure.
Training an anomaly-based system requires the network to be clean in the first place.
Finally, an IDS can't, on its own, analyse encrypted traffic.
This has in the past introduced its own risks.
Conclusion
An IDS is an Intrusion Detection System.
An IDS suffers from very high false positive rates in an effort to avoid false negatives.
Typically, reports are triaged by a human security team.
Some actions, when detection confidence is high, may be automated and then flagged for review.
Such a system is known as an IPS or IDPS.