
Managing Intrusion Detection Systems in Large Organizations, Part One
by Paul Innella, Oba McMillan, and David Trout, with assistance from Rebecca Bace
last updated April 4, 2002

Introduction

With industry’s widespread adoption and integration of intrusion detection, it has become clear that intrusion detection systems (IDSs) are an integral part of an organization’s infrastructure. Large government organizations and major companies have deployed, or are in the process of deploying, enterprise-wide IDS solutions. As they begin to roll out and subsequently administer IDSs, companies are experiencing numerous obstacles related to deployment, management, data collection, and data correlation. We put this two-part series of articles together to discuss our experiences working with larger organizations so that we may all learn and benefit from them. As security professionals, we are bound to protect the confidentiality of our clients, and thus the names of these parties will not be disclosed in this article. This series will discuss the need for IDSs, deployment challenges, managing agents in a distributed environment, and the use of collected data. It will also discuss some “real-world” encounters of larger companies.

The Need for Intrusion Detection Systems in Large Organizations

The need for intrusion detection systems can be summed up by a simple principle of network security: defense in-depth. Defense in-depth is a layered approach to protecting an organization’s information systems and communications network from malicious attacks and unauthorized access to sensitive information and data. This method involves multiple, overlapping controls that assist organizations in preventing, detecting, and responding to suspected intrusions. Typically, heavy reliance is placed on protection and prevention using controls such as routers, firewalls, public key infrastructures, virtual private networks, and virus scanners. In contrast, critical detection and response functions such as those provided by intrusion detection systems are often overlooked. As such, there are no mechanisms to detect and respond to intrusion attempts that evade the first lines of defense. Intrusion detection systems act as video cameras within the network and aid in deterrence, detection, damage assessment, and prosecution support. Without an IDS facility in place to monitor network and host activity, both attempted and successful intrusion attempts may go unnoticed, possibly resulting in irreparable damage to an organization’s network. Intrusion detection systems form a necessary layer of a defense in-depth strategy and play a critical role in a comprehensive information protection program.

Deployment Challenges

Acknowledging the need for IDS protection, and subsequently choosing the IDS that best fits the company’s needs are important steps in the quest for overall information security. However, these steps only complete the initial stages of a thorough IDS implementation process. After selecting and purchasing the optimal IDS, a company must properly and efficiently deploy it throughout the organization.

The first step in a well-planned and thorough deployment should be to design an IDS strategy and then express it in the context of an IDS policy. This policy document serves as a guide for the implementation process, answering questions such as:

  • Will network traffic restrictions be tight or loose?
  • Who will be authorized to make changes to the IDS policy or configurations?
  • On which machines will an IDS installation be required?
  • How frequently will IDS logs undergo analysis?

The planning and coordination required in creating this policy will reinforce the communication between company management and security officials. At the same time, this will allow both organizational units to identify and resolve conflicts before they become obstacles to successful IDS deployment. Organizations should incorporate this policy into their overall security policy or company rules and regulations.

Installing the IDS

After the IDS policy is set, we move to the next logical step, installation. Installing an IDS typically begins with installation of the IDS manager. Generally, the procedures for this installation are similar to those for most software: insert the CD and locate the executable. Although this process is straightforward, Murphy’s Law suggests that it infrequently runs smoothly. The installation wizard might freeze, the installation options available might sound complicated and unfamiliar, or a particular .DLL file might not unpack correctly. Though these problems are comparatively minuscule in the overall process of IDS deployment, they must still be resolved prior to moving on to the next phase of deployment.

Upon completion of manager installation, the IDS tool must be distributed to agents through one of a number of different methods. Most installation problems occur in this portion of IDS deployment. The major obstacles that arise in distributing IDS agents relate to communication between the agents and managers. These problems often surface in the following areas:

  1. The trust relationship between the systems on which agents and managers reside;
  2. Communication issues with Network Address Translation; and,
  3. Discrepancies in the installation process itself – i.e., the steps that must be followed to maintain establishment of a secure channel between an agent and the manager.

Companies have several available options to deal with these issues: using the system defaults, reading the manual, navigating through on-line help, calling the IDS vendor’s software help desk, and/or using outside consultants. Any of these methods should ultimately result in a successful installation. Many companies have found that investing the resources up front in acquiring outside assistance provides significant returns in the long run. Regardless, large enterprise installations may require considerable amounts of time and manpower, but actual installation should remain relatively transparent after the inevitable initial glitches are ironed out.

Integration and Deployment of the IDS

After the system has been successfully installed, organizations face the challenge of proper and efficient integration. For effective deployment, companies should consider, plan, and budget resources for the following:

  • Establishing incident response guidelines
  • Staffing
  • Configuration
  • Training
  • Updating signatures

Establishing incident response guidelines: An IDS helps a company detect security incidents and, hopefully, discover intruders. What happens next? The company must decide if they will pursue litigation, seek outside help, try to block the intruder themselves, or simply ignore the intrusion. Some situations might call for different actions, depending on the severity of the intrusion. Whatever the case, having established incident response guidelines will facilitate an effective company response when an incident does occur.

Staffing: IDSs will generate pertinent information and data about company network activity, but this serves no purpose without subsequent examination of the data. IDS usage requires human interaction at the end point. This may or may not necessitate additional personnel requirements, but it will certainly require staff to allocate time for IDS management, log inspection, and analysis.

Configuration: Organizations must deal with the issue of setting the IDS to capture relevant data only. Every organization has different expectations and different requirements, so the default IDS settings usually need to be altered. Finding the perfect balance between a massive amount of data generation, which leads to an over-saturation of information, and a small amount of data generation, which may cause ineffective monitoring, can complicate a deployment. In general, a sophisticated IDS solution will require a sophisticated IDS configuration, so companies should budget plenty of time for thorough configuration development, tuning, and testing.

Training: In order to properly and efficiently use the deployed IDS, employees must receive adequate training. Employees with job requirements related to configuration, incident response, log analysis, and IDS maintenance should have up-to-date IDS education. This periodic education should extend beyond typical IDS personnel and also include management and any disaster recovery and back-up employees.

Updating signatures: Accurate IDS configuration will alert the proper authorities of possible intrusions. However, in order to stay fully protected, it is important that one regularly update the list of attacks an IDS is configured to recognize. Intruders constantly change attack styles, so optimal protection requires updating the IDS signature files as often as possible.

Deploying intrusion detection systems does not happen without certain pitfalls, but these are surmountable. If organizations plan ahead and address these obstacles, the deployment phase will enable a smooth transition into the more intense phase of IDS management.

Planning IDS Deployment in a Large Organization

IDS deployment in large companies presents several unique obstacles. The most obvious difference between small and large enterprise implementations is the number of endpoint machines that must be protected. More computers, servers, and network segments mean a more complicated setup and a longer installation time. Smaller institutions, by definition, have fewer choices and options about where to strategically install the IDS. By contrast, larger institutions must often spend days or even weeks deciding on the optimal placement of IDS agents, managers, and IDS configuration groupings.

Planning plays a critical role in large enterprise IDS deployment. We were involved in deployment for one large company that decided to improvise. The CTO directed us to install a given IDS configuration setting for all Windows NT systems, and a different setting for Windows 2000 systems. To make a long story short, the configuration settings were reversed, and subsequently changed throughout several iterations. Each time the configuration changed, we had to go back and re-configure the IDS settings. This wasn’t a huge problem, but we learned an important lesson: planning and documenting detailed instructions on installation points and settings can save large companies significant amounts of manpower and money.

Not only do larger companies have to deal with more systems, but these systems may reside in geographically diverse locations. During one implementation, we realized that an IP address the client designated as a workstation was actually a server. Therefore, we had to uninstall the workstation version of the IDS software and replace it with the server version. However, a remote uninstall process locked up the newly discovered server, requiring the lead security engineer to drive 65 miles to fix both the system and the IDS software installation. We again learned a lesson from this experience: once an implementation plan is designed, check it and recheck it for accuracy. A plan can cause inefficiency if it is based on incorrect assumptions.

Varied software and operating system environments are other big company traits that might cause problems. This forces installation segmentation; however, the segments must still fit together nicely into an overall scheme. Fortunate companies will find one IDS that supports all of their hosting platforms. More often, this proves impossible, so a company must piece together an overall IDS solution that includes smaller segments of various IDS products. Even if users can find one IDS software solution that can serve all of an organization’s requirements, a headache may ensue. During one installation that the authors undertook, several computers contained archaic legacy remote log-on software. The existing firewall permitted the software to function, but the newly installed IDS default settings blocked the software port. Several of the computers were remotely logged on to others, and they predictably froze. Resetting the configurations on the frozen computers proved a great and time-consuming challenge. Again, thorough and detailed implementation planning for big company environments saves tremendous amounts of time and resources. Remember to research all installed computer software and services for platform and operating requirements, and then check these requirements against the planned IDS configurations.

Another well-known issue facing big companies involves scalability and the agent/console ratio. Depending on how many employees will monitor the IDS managers for output, the employee skill and comfort level, the number of intrusion alerts per minute, the IDS software implemented, and several other factors, the ideal agent/console ratio can vary from 5:1 to 50:1. Though others may claim that these numbers are low, our experience indicates that even the high end of this spectrum is rarely achieved. Unfortunately, thorough planning in this instance may not help the situation because of the many undetermined and unpredictable factors that influence the optimal ratio. Different IDS solutions scale differently in different environments and situations. Many managed security services providers are finding that scalability is their greatest challenge, particularly when dealing with huge numbers of assorted IDS devices deployed in an extremely distributed fashion. Deploying a subsection for testing purposes or doing research at firms with a similar size, network structure, and intrusion-risk may help to pinpoint the optimal agent/console ratio when scaling for big companies. Regardless of how this issue is resolved, it must be addressed: several organizations’ IDS units and entire managed security services providers have failed as a result of their inability to scale.
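The Configuration paragraph above describes the balance between forwarding everything (over-saturation) and filtering too aggressively (ineffective monitoring), and the paragraph just above ties the sustainable agent/console ratio to the alert rate and analyst throughput. The following script, added here as an illustration and not code from the original article or from any IDS vendor, makes both points concrete on a constructed one-minute alert stream from three agents. The alert fields, the signature names, the "known scanner" address and the analyst capacity of 30 alerts per minute are all assumptions; it compares a default "forward everything" policy with a tuned policy, checks that tuning never drops a critical alert, reports what was suppressed so the tuner can review it, and derives a rough agents-per-console figure from the resulting alert rate.

```python
"""Added example: IDS tuning trade-off and agent/console sizing on constructed data."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    agent: str       # sensor or host that raised the alert
    src: str         # source address the signature fired on
    signature: str   # rule name (assumed names, not from any real ruleset)
    severity: int    # 1 = informational ... 4 = critical


# Constructed sample: one minute of alerts from three agents (not real data).
SAMPLE_ALERTS = (
    [Alert("web01", "10.0.0.5", "portscan", 1)] * 5            # internal vulnerability scanner
    + [Alert("ws-112", "192.168.1.20", "icmp-echo", 1)] * 3    # desktop pinging a printer
    + [Alert("web01", "203.0.113.7", "sqli-attempt", 3)] * 2
    + [Alert("db01", "203.0.113.7", "portscan", 1)]
    + [Alert("db01", "203.0.113.7", "admin-login-unknown-host", 4)]
)

# Assumption: the internal scanner address is documented and its scans are expected.
KNOWN_SCANNERS = {"10.0.0.5"}


def default_policy(alert):
    """Vendor default: forward every alert to the console."""
    return True


def tuned_policy(alert, min_severity=2):
    """Site tuning: suppress expected scanner noise and informational alerts."""
    if alert.signature == "portscan" and alert.src in KNOWN_SCANNERS:
        return False
    return alert.severity >= min_severity


def forward(alerts, policy):
    """Alerts the console actually receives under the given policy."""
    return [a for a in alerts if policy(a)]


def dropped(alerts, policy):
    """Everything the policy suppressed, counted by signature, for tuning review."""
    return Counter(a.signature for a in alerts if not policy(a))


def aggregate(alerts):
    """Collapse repeats of the same (agent, src, signature) into one line with a count."""
    return Counter((a.agent, a.src, a.signature) for a in alerts)


def criticals_retained(alerts, policy, critical=4):
    """Tuning check: no critical alert may be filtered out by the policy."""
    return all(policy(a) for a in alerts if a.severity >= critical)


def agents_per_console(alerts, n_agents, minutes, analyst_capacity_per_min):
    """Rough sizing: how many agents one console can absorb at the observed alert rate.

    analyst_capacity_per_min is an assumed triage throughput, not a measured figure.
    Returns None when no alerts were forwarded (the ratio is then unbounded).
    """
    per_agent_per_min = len(alerts) / (n_agents * minutes)
    if per_agent_per_min == 0:
        return None
    return int(analyst_capacity_per_min // per_agent_per_min)


if __name__ == "__main__":
    for name, policy in (("default", default_policy), ("tuned", tuned_policy)):
        kept = forward(SAMPLE_ALERTS, policy)
        print(f"{name}: {len(kept)} forwarded, {len(aggregate(kept))} after aggregation, "
              f"criticals retained: {criticals_retained(SAMPLE_ALERTS, policy)}, "
              f"agents per console at 30 alerts/min: "
              f"{agents_per_console(kept, n_agents=3, minutes=1, analyst_capacity_per_min=30)}")
    print("suppressed by tuning:", dict(dropped(SAMPLE_ALERTS, tuned_policy)))
```

On this sample the default policy forwards all 12 alerts and, at the assumed capacity, supports roughly 7 agents per console; the tuned policy forwards 3 (2 once repeats are aggregated) and supports about 30, inside the 5:1 to 50:1 range quoted above. The `dropped` report is the part a practitioner should not skip: the threshold also discards the external portscan against db01, which is the kind of low-severity reconnaissance that precedes the critical alert, so every tuning change should be reviewed against what it suppresses, not only against the volume it saves.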

Next Time

This concludes the first part of the two-part series on implementing intrusion detection systems for large organizations. In the second installment, we will look at managing agents in a distributed environment, managing data from multiple IDS packages, and correlating data from distributed agents.

Paul Innella, CISSP, is President of Tetrad Digital Integrity (TDI), a Washington, DC-based information security services company offering one-day seminars on intrusion detection. Mr. Innella has nearly ten years of experience in the computer industry working at several commercial and government companies, where he has held the roles of security engineer, developer, integrator, systems administrator, program manager, and sales engineer.

Mr. Oba McMillan, CISSP, is Vice President of TDI. He has many years of network security and IT related work experience. Mr. McMillan has published a number of articles on information security and recently wrote an article for Secure Computing Magazine Opinion newsletter entitled “PDA policies – Worth Their Weight In Gold.” He also contributed to a SC Magazine article entitled “Road Warriors: Be Careful Out There” about wireless security.

David Trout, CISA, CISSP, is President of SecureIT Consulting Group, a Northern Virginia-based IT audit and information security consulting firm that offers one-day seminars in intrusion detection. Mr. Trout brings over seven years’ experience in the areas of IT audit and IT security consulting.

This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.
