Choose an organization, preferably one that you work in, have worked in, or are familiar with. Throughout the semester, you will be wearing the hat of the Chief Information Security Officer (CISO) for that organization. You will be planning its Cybersecurity strategy, defining all assets that require safeguarding, and identifying all components and controls. You will propose a Cybersecurity Strategy for your organization, a plan for an effective, collaborative, organization-wide cybersecurity posture and defence.
Your Strategy should identify crosscutting principles and apply these principles across IT Strategy goals. Within those goals, the Cybersecurity Strategy should identify the main objectives, with associated major tasks and activities. The Cybersecurity Strategy should also establish the guiding principles and strategic approach needed to drive both near- and long-term priorities for your organisation's cybersecurity. It should be aligned with related frameworks and strategies, including the National Institute of Standards and Technology (NIST)'s Cybersecurity Framework. Through this strategy and the associated tasks, your organisation will improve its posture and protect its systems, information, and infrastructure from cybersecurity threats.
Task
Describe in detail the intrusion detection and prevention measures that you will deploy in your organization.
1. Propose the appropriate positions for IDS/IPS in a network topology in order to increase the security of the environment, and provide supporting justifications for the proposed positions.
An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. Vulnerability exploits usually come in the form of malicious inputs to a target application or service that attackers use to interrupt and gain control of an application or machine. Following a successful exploit, the attacker can disable the target application (resulting in a denial-of-service state), or can potentially gain access to all the rights and permissions available to the compromised application.
Prevention
The IPS often sits directly behind the firewall and provides a complementary layer of analysis that negatively selects for dangerous content. Unlike its predecessor the Intrusion Detection System (IDS)—which is a passive system that scans traffic and reports back on threats—the IPS is placed inline (in the direct communication path between source and destination), actively analyzing and taking automated actions on all traffic flows that enter the network. Specifically, these actions include:
As an inline security component, the IPS must work efficiently to avoid degrading network performance. It must also work fast because exploits can happen in near real-time. The IPS must also detect and respond accurately, so as to eliminate threats and false positives (legitimate packets misread as threats).
How do Intrusion Prevention Systems work?
IPS technologies have access to packets where they are deployed, either as Network intrusion detection systems (NIDS) or as Host intrusion detection systems (HIDS). A Network IPS has a larger view of the entire network and can either be deployed inline in the network or offline as a passive sensor that receives copies of packets from a network TAP or SPAN port.
The detection method employed may be signature-based or anomaly-based. Predefined signatures are patterns of well-known network attacks; the IPS compares packet flows with the signatures to see if there is a pattern match. Anomaly-based intrusion detection systems use heuristics to identify threats, for instance comparing a sample of traffic against a known baseline.
What’s the difference between IDS and IPS?
Early implementations of the technology were deployed in detect mode on dedicated security appliances. As the technology has matured and moved into integrated Next Generation Firewall or UTM devices, the default action is set to prevent the malicious traffic.
In some cases, the decision to detect and accept or prevent the traffic is based upon confidence in the specific IPS protection. When there is lower confidence in an IPS protection, then there is a higher likelihood of false positives. A false positive is when the IDS identifies an activity as an attack but the activity is acceptable behavior. For this reason, many IPS technologies also have the ability to capture packet sequences from the attack event. These can then be analyzed to determine if there was an actual threat and to further improve the IPS protection.
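The two detection methods and the confidence-based detect-versus-prevent decision described above, combined in one small engine. This is an added example written for this page, not code from the assignment or from any IDS/IPS product: the packet dictionaries, the baseline training rates, the signature patterns, and the confidence values and thresholds are all constructed for illustration. Signature matches with a confidence at or above the block threshold are dropped (prevent mode); lower-confidence matches only alert (detect mode), and every event is captured so an analyst can later decide whether it was a real attack or a false positive, as the text describes.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass
class Signature:
    name: str
    pattern: bytes     # regular expression matched against the packet payload
    confidence: float  # 0..1, how likely a match is a real attack (hypothetical tuning value)


@dataclass
class Verdict:
    action: str        # "allow", "alert" (detect only) or "block" (prevent)
    reason: str


class IPSEngine:
    """Inline engine: signature check first, then anomaly check against a baseline."""

    def __init__(self, signatures, baseline, block_threshold=0.8, z_limit=3.0):
        self.signatures = signatures
        self.baseline = baseline            # dport -> (mean_rate, stdev_rate)
        self.block_threshold = block_threshold
        self.z_limit = z_limit
        self.captures = []                  # events saved for later analyst review

    def inspect(self, pkt):
        # 1. Signature-based detection: compare the payload with known attack patterns.
        for sig in self.signatures:
            if re.search(sig.pattern, pkt["payload"]):
                # Only high-confidence signatures may drop traffic; a low-confidence
                # match only alerts, so a false positive cannot interrupt legitimate service.
                action = "block" if sig.confidence >= self.block_threshold else "alert"
                self.captures.append({"event": sig.name, "packet": pkt})
                return Verdict(action, f"signature:{sig.name}")
        # 2. Anomaly-based detection: compare the flow rate with the learned baseline.
        stats = self.baseline.get(pkt["dport"])
        if stats is not None:
            mean, stdev = stats
            if stdev > 0:
                z = (pkt["bytes_per_sec"] - mean) / stdev
                if z > self.z_limit:
                    self.captures.append({"event": "anomaly", "packet": pkt})
                    return Verdict("alert", f"anomaly:z={z:.1f}")
        return Verdict("allow", "clean")


def build_baseline(samples):
    """samples: list of (dport, bytes_per_sec) observed during a learning period."""
    by_port = {}
    for dport, rate in samples:
        by_port.setdefault(dport, []).append(rate)
    return {p: (statistics.mean(r), statistics.pstdev(r)) for p, r in by_port.items()}


# Constructed signatures: one precise pattern and one deliberately noisy keyword rule.
SIGNATURES = [
    Signature("http-path-traversal", rb"\.\./\.\./", 0.95),
    Signature("sql-keyword-in-body", rb"(?i)\bselect\b.*\bfrom\b", 0.4),
]

# Constructed learning-period rates for port 443 (mean 100 bytes/s).
TRAINING = [(443, 100), (443, 110), (443, 90), (443, 105), (443, 95)]

# Constructed packets: clean, traversal attempt, benign text that trips the noisy rule, rate spike.
PACKETS = [
    {"src": "10.0.0.5", "dport": 443, "bytes_per_sec": 102, "payload": b"GET /index.html HTTP/1.1"},
    {"src": "10.0.0.6", "dport": 443, "bytes_per_sec": 99, "payload": b"GET /../../secret.txt HTTP/1.1"},
    {"src": "10.0.0.7", "dport": 443, "bytes_per_sec": 101, "payload": b"POST /search q=select+a+dish+from+the+menu"},
    {"src": "10.0.0.8", "dport": 443, "bytes_per_sec": 900, "payload": b"GET /bulk HTTP/1.1"},
]


def run_demo(packets=PACKETS):
    """Run the engine over the constructed packets; returns (verdicts, captured events)."""
    engine = IPSEngine(SIGNATURES, build_baseline(TRAINING))
    verdicts = [engine.inspect(p) for p in packets]
    return verdicts, engine.captures


if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, run_demo()[0]):
        print(f"{pkt['src']:10} {verdict.action:5} {verdict.reason}")
```

The third packet is the false-positive case from the text: ordinary search text matches the low-confidence keyword rule, so the engine alerts and captures it rather than blocking, and the capture is what lets the analyst confirm the traffic was acceptable and refine the rule.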
Better positioning of an IDS in a network architecture
An intrusion detection and prevention system is a very important asset in an information security architecture. These are sensors placed in various positions in a network topology to increase the security of the environment.
The primary purpose of an IDS/IPS is to detect signatures of known attacks, as well as anomalous packet behavior or data flows that occur on computer networks. This allows companies to know what happens in networks, especially in the interfaces of communication with the Internet.
Placement is part of a strategy that needs to be well thought out, since each placement model comes with its own trade-offs. The models are not mutually exclusive, but they need to be well understood to validate the desired efficiency in the environment.
If you are not familiar with the IDS/IPS terminology and want to know a bit more about the classifications and divisions, the post "IDS: history, concept and terminology" is highly recommended.