Analecta Cyber Company Blog: Improving the Intrusion Detection Process

2018-05-01

Improving the Intrusion Detection Process

Congratulations! You heeded the advice to implement a security information and event management (SIEM) system on your company's network, one that combines network monitoring with intrusion detection system (IDS) / intrusion prevention system (IPS) alerts.

When the system begins to detect potential intrusion events, one of the biggest challenges your IT team will face is the massive number of events that trigger alerts. Small and medium-sized businesses (SMBs) can expect to face several hundred alerts or more a day. If you are unprepared, there are simply too many alerts and events to handle. Yet you must deal with all of them in order to properly defend your network; otherwise you are just detecting events and collecting statistics.

Event overload 


Nearly half of the large enterprises within the U.S. face over 150,000 alerts per month and have the staff and resources to address them. A FireEye report found that on average 64% of alerts were redundant or duplicates while another 52% of all alerts were false-positives.

Business IT leads should make sure that detected events are fully investigated within a framework that reduces the number of alerts and ensures the remaining alerts contain more meaningful data. This will require a significant amount of work, but it can certainly be done.

According to the IBM-sponsored 2017 Global Cost of Data Breach report by the Ponemon Institute, there was a direct correlation between being proactive with potential data breaches and the cost a company could expect to spend on reacting to a breach event. Specifically, investments in security technologies such as enterprise-wide encryption, SIEM software and security analytics contributed to a reduction in the number of days to identify a data breach, which subsequently lowered the overall cost of the breach impact to the company.

True-positive versus false-positive


When an alert comes in, you will want to investigate it fully, spending time and resources to determine what caused the alert to trigger. An in-depth investigation into the cause of the alert will tell you one of two things: it is a true-positive or a false-positive.

An alert that turns out to be a true-positive means the system is functioning as intended. Investigate the incident following your internal processes, which ideally include a root-cause analysis that helps you reduce similar events in the future.

Crying wolf


To drive this idea home, think of a residential smoke alarm true-positive event: fire plus smoke equals detector going off properly, danger averted. However, what if a particularly sensitive, ill-placed detector is going off due to hot shower steam? This is deemed a false-positive event: smoke alarm triggers, but not because of smoke.

The same principle applies to your network security. If the network alert signals a false-positive, it is an opportunity to fix the misconfiguration in the system. In the scenario above, moving the smoke alarm away from the entrance to the bathroom would be one way to stop the false-positive event. 

Based on the investigation of a false-positive alert on your network, you should now have some solid theories about why the alert triggered in the first place. It is important to take the time to understand what happened and update, expand or remove the rule so it doesn’t continue to trigger false-positives.

Methods for reducing false-positive alerts


Since networks can be configured and secured in a variety of ways, there is no one-size-fits-all solution for improving your intrusion detection process. A few general approaches that can help make things easier include the following:
  • Remove an outdated rule: Domain Name System (DNS) names are reused frequently and may have been used in the past for malicious activity. If the website was legitimately requested and the malware command and control is no longer in place on the web server, the rule can safely be deleted.
  • Modify a rule: Some rules are developed to be hyper-sensitive and may interfere with legitimate traffic or system activity. EternalBlue (CVE-2017-0144) was an SMB-specific exploit. Many threat detection systems put out early rule sets that were too sensitive and alerted on any SMB-based activity. Once the EternalBlue exploit was better understood, many companies updated the rule to match the specific exploit vector.
  • Modify your systems: Alerts about failed SSH attempts on your public server create additional noise. If you update the configuration of the SSH server to accept only key-based authentication, future password attempts will be refused before any password is tried. This will reduce the number of correct but inconsequential alerts.
The EternalBlue vulnerability (CVE-2017-0144) was responsible for a ransomware attack, a cyberattack and a banking trojan in 2017. This and many other threats are reported in vulnerability databases that can feed directly into alerting software. As a threat evolves, adjusting the alerts accordingly will help control false-positives.
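As an added example (not code from this post or from Analecta), the three approaches above applied in Python to a handful of constructed alerts, together with the duplicate collapsing that the alert-volume figures earlier in the post call for: exact duplicates are merged, the retired DNS rule is dropped, the broad "any SMB" rule is narrowed to the SMBv1 vector EternalBlue targeted, and failed SSH logins are aggregated so only persistent sources surface. The alert fields, rule names and threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample alerts for this example (not real SIEM output and not from the post).
# Each alert carries a rule id, source, destination and a free-text detail field.
ALERTS = [
    {"rule": "dns-old-c2", "src": "10.0.0.5", "dst": "cdn.example.test", "detail": "DNS query"},
    {"rule": "dns-old-c2", "src": "10.0.0.5", "dst": "cdn.example.test", "detail": "DNS query"},  # duplicate
    {"rule": "smb-any", "src": "10.0.0.7", "dst": "10.0.0.20", "detail": "SMBv2 file share access"},
    {"rule": "smb-any", "src": "10.0.0.9", "dst": "10.0.0.20", "detail": "SMBv1 transaction request"},
    {"rule": "ssh-auth-fail", "src": "203.0.113.8", "dst": "10.0.0.2", "detail": "password rejected"},
    {"rule": "ssh-auth-fail", "src": "203.0.113.8", "dst": "10.0.0.2", "detail": "password rejected"},
    {"rule": "ssh-auth-fail", "src": "203.0.113.8", "dst": "10.0.0.2", "detail": "password rejected"},
    {"rule": "ssh-auth-fail", "src": "198.51.100.4", "dst": "10.0.0.2", "detail": "password rejected"},
]

RETIRED_RULES = {"dns-old-c2"}  # Remove an outdated rule: the domain is legitimate again.
SSH_FAIL_THRESHOLD = 3          # Escalate failed SSH logins only once a source is persistent.

def dedupe(alerts):
    """Collapse exact duplicates into a single alert carrying a 'count' field."""
    counts = Counter((a["rule"], a["src"], a["dst"], a["detail"]) for a in alerts)
    return [dict(rule=r, src=s, dst=d, detail=t, count=n)
            for (r, s, d, t), n in counts.items()]

def smb_matches_exploit_vector(alert):
    """Narrow the hyper-sensitive 'any SMB' rule to the vector EternalBlue used (SMBv1).
    Matching a version marker in the detail text is a simplification for this example."""
    return "SMBv1" in alert["detail"]

def triage(alerts):
    """Apply the three tuning approaches and return the alerts an analyst should still see."""
    kept, ssh_failures = [], defaultdict(int)
    for a in dedupe(alerts):
        if a["rule"] in RETIRED_RULES:
            continue                                   # outdated rule: drop entirely
        if a["rule"] == "smb-any" and not smb_matches_exploit_vector(a):
            continue                                   # ordinary SMBv2 traffic: not the exploit vector
        if a["rule"] == "ssh-auth-fail":
            ssh_failures[(a["src"], a["dst"])] += a["count"]  # aggregate, decide after the loop
            continue
        kept.append(a)
    for (src, dst), n in ssh_failures.items():
        if n >= SSH_FAIL_THRESHOLD:                    # correct but inconsequential below this
            kept.append({"rule": "ssh-brute-force", "src": src, "dst": dst,
                         "detail": f"{n} failed logins", "count": n})
    return kept

if __name__ == "__main__":
    for alert in triage(ALERTS):
        print(alert["rule"], alert["src"], "->", alert["dst"], alert["detail"])
```

Running it leaves two alerts out of the original eight: the SMBv1 request and one aggregated brute-force alert for the persistent source.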

How to get the most out of your IDS/IPS


Improving your detection processes will be more of an art than a science. Your IDS will need to be adjusted over time in order to account for known threats, but you can help it “learn” how to distinguish between an actual event and a false-positive. If you need expert advice on solutions for improving your network’s intrusion detection process or wish to find a turn-key product to automate some of these tasks, turn to Analecta Cyber.

How can Analecta equip you for success? 


Analecta Cyber brings decades of expertise implementing secure information systems based on the NIST Cybersecurity Framework guidelines. Reach out to us to learn about a robust, more complete cybersecurity program for your company.

Using a holistic approach and industry-standards, our Analecta 96-point Cyber Risk Assessment enables small and medium-sized businesses to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. Our assessment identifies the most important next steps in your firm’s cyber security program to maximize protection. Email us at info@analecta-llc.com or visit our Cyber Security website. We are here to help!
