Word Notes 9.27.22
Ep 118 | 9.27.22

Intrusion Detection System (noun)

Transcript

Rick Howard: The word is: Intrusion Detection System

Rick Howard: Spelled: Intrusion as in unwanted entry, detection, as in identifying the presence of something and system as in a technology for a specific purpose. 

Rick Howard: Definition: A system that monitors for malicious or unwanted activity, and either raises alerts when such activity is detected or blocks the traffic from passing to the target.

Rick Howard: Example sentence: The intrusion detection system flagged malicious use of Cobalt Strike. 

Rick Howard: Origin and context: Dr. Dorothy Denning is one of the early computer science and security pioneers. According to Purdue University, where she received her PhD, Denning's early research in the 1970s and 1980s laid the early foundations of cryology, information warfare, and data security. She published one of the early college textbooks on cybersecurity in 1982 and she invented the idea of lattice-based access controls, LBACs, an early model for restricting access to data in 1975.

Rick Howard: But in 1984, she and a colleague, Peter Neumann developed the first Intrusion Detection Expert System, IDES, or SRI International, which could analyze host and network data. Two years later in 1986, she published her paper, "An Intrusion Detection Model," which laid the foundation for the first commercial intrusion detection tools. Today intrusion detection systems can be either host-based or network-based and look for malicious intrusions, either with known signatures or by looking for anomalies. A host-based IDS is placed on a single system, and its purview is restricted to a single computer. A network-based IDS inspects traffic traversing across the entire network. In the early 1990s network intrusion detection systems were standalone hardware boxes that security practitioners placed in the security stack that normally sat between the and the internet. Today, standalone systems still exist but also, modern firewalls have that functionality built in as an added subscription service. 

Rick Howard: Intrusion detection systems have been a staple of security stack deployments since the early days but unfortunately, they're not perfect. Configured improperly, they can generate volumes of false positives that SOC analysts have to sit through and there is always the possibility that the system doesn't notice an attack in progress. A false negative, as they say. 

Rick Howard: Nerd reference: There is an excellent YouTube channel called Professor Messer that produces quality and free content that explains all things related to IT and computer security. If you're studying for some certification, browsing the shows on the Professor Messer channel might well be worth your time. 

Rick Howard: In 2017, James Messer, the host, did a segment on intrusion detection systems.

James Messer: Many security professionals incorporate a network based intrusion detection system or IDS, or a network based intrusion prevention system or IPS on their networks. This is designed to watch traffic going through the network and if this device identifies an exploit against an operating system, it identifies a buffer overflow, a database injection across site script. It's either going to inform you that that happened. If you're using an IDS or block the traffic, if you're using an IPS. 

James Messer: There are many different ways to engineer your IPS into your network. One way is to configure it as a passive monitoring device. This means that the IPS will receive a copy of the traffic and be able to then make a decision on what to do once it's received that information, because it is acting as a passive monitor, it's obviously not sitting in the middle of the communication and able to block traffic. 

James Messer: If a security professional is looking for more control over these traffic flows, they'll probably configure their IPS for in line monitoring, all traffic then is going to pass through the IPS and the IPS is going to make a decision on whether that traffic is allowed through the network or not. There are thousands of rules that you can configure and it's up to you to enable the rules that are important for you, and then determine what the disposition of each one of these rules is going to be. A significant challenge you have with intrusion prevention systems is that they're going to give you a lot of alerts and a lot of messages and unfortunately, a number of these messages are not going to be accurate. We call these false positives where the system has told us that there has been an intrusion onto the network, but in reality, it's a case of mistaken identity and there was not an intrusion at all. Perhaps even worse than a false positive on an IPS is a false negative. This is when malicious traffic came through the IPS, but the IPS did not identify it as malicious. 

Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.