Best practices in Intrusion Prevention
                              Marco Ermini
                              Vodafone ICT Security

                              12 January 2010




1   Presentation title in footer                Confidentiality level on title master   January 3, 2013
    Department on title master                  Version number on title master
What this is about
    …and what it is not about!


    This presentation is not about…
    > …explaining what NIPS are – but let’s be clear about what you can expect
    > …choosing a vendor/brand – even if we may mention something briefly – heard
      about Gartner?
    > …discussing whether you need a NIPS or not, or which technology you need (maybe a
      short note…)
    > …“off the shelf” or “vendor provided” best practices
       – you can just Google for “best practices intrusion prevention” – it will do the job!
    > I assume you need and want NIPS, or you already have NIPS
       – You want to use them effectively
       – Maybe you are just sticking to the “default”, “vendor suggested” rule sets
       – You want to avoid headaches managing them day by day
       – You want a metric to compare your performance

    What you are looking for are best practices that make your investment worthwhile


Who is speaking?
    This is not a bio…



    Why are you listening to me? – 1
    > I am supposed to know what I am talking about
    > Yes, that’s my daily job. No, I am not a trainer or something like that
    > No, this is not academia or pure science. There is hardly any here!
    > I know what the market offers. Everyone can download Snort. It’s not about that
    > I have a realistic view about this technology
    > Yes, I have been under a real attack. And not just once!
    > I am a customer of NIPS. I don’t sell them. I will not try to contact you and sell you
      anything 
    > Yes, this will be my personal, partial, questionable, but realistic point of view



    You are not drinking from the fountain of truth 


Who is this for?
    Why do you care?



    Why are you listening to me? – 2
    > You are a security or network engineer, and…
       – need added value from the investment
       – are thinking of deploying, or need to deploy, NIPS into your networks
    > You are a security or network manager, and need to…
       – understand the true value of NIPS
    > You are just curious
       – a graduate student getting into the network and/or security job world
       – experienced security or network personnel trying to understand NIPS



    You are welcome to share your expectations, doubts, questions!




What am I doing today with my NIPS?
    Let’s assume you have NIPS already, or are going to install them

    What are the common mistakes with NIPS?
    > They are deployed in the wrong place in the network
    > They are deployed and then forgotten
    > They run the “suggested” rule sets from the supplier
    > They are assumed to be invincible and to protect against all 0-day attacks
    > They are confused with NIDS (detection)
    > There is no measurable improvement in the overall security
    > No one is around who can access and use them when you are under attack
    > They are not really enabled (blocking is off) for fear of false positives
    > You are subject to (vendor-diffused?) urban legends (“behaviour based”? “auto-
      learn”?)
    > They are used because they are cool, or my boss told me, or “for compliance” (sic!!!)
       – They add latency and false positives

    Behold the common mistakes of NIPS!!


What to really expect from NIPS?
    …or, “how to avoid being ripped off”

    How can NIPS help me?
    > Do not waste time testing whether you can bypass them. You can. Save your time.
       – Ever heard of “SSL” (encrypted traffic), “event horizon” (they only see what passes
         through them) and “inspect the first 512 bytes only” (limited inspection depth)?
    > You need to use them in conjunction with other instruments
       – Coordination between different departments of your organisation
    > You need to update and patch the NIPS
    > You need to continually follow and profile the design of your network, applications,
      business
    > They will not protect you against 0-days (despite what vendors say)
    > You cannot treat them as NIDS – they are a specific, in-line tool (they cannot afford
      false positives, because a false positive drops legitimate traffic)
    > You need to establish a metric and evaluate the real improvement of the overall
      security
    > You need operational procedures for using NIPS on the network
    > You need to enable useful signatures and test them in production

    If you don’t do those things, you had better save your money!
What do you want to do with your NIPS?
    What does my company need?

    I can use NIPS for…
    > Mitigating specific attacks. For the rest, I need to integrate with other tools
       – They will not protect against all web application attacks, DDoS, malware…
       – They will protect against many – but if you want a locked-down environment, you
         need to complement them
       – 100% protection is not realistic; 0-day protection is marketing
    > An effective tool for immediate reaction to threats
       – They are in-line
    > Enforcing company policies
       – Security is a process. NIPS must be part of the processes
       – Many can do traffic shaping/policing
       – Some can communicate with NAC/NAP or firewalls
    > They can do tunnel inspection, stop exploits, detect anomalies and normalise traffic,
      detect scans…

    They can be an effective tool if used wisely

Basic evaluation/purchasing recommendations
    This is not a shopping guide!!!

    Some very quick and rough tips and guidelines
    > They will not sustain the bandwidth they claim to
    > The real cost is per network interface
       – A NIPS may need from one to four network interfaces to protect a single network
         segment!
    > Asymmetric traffic paths – state table synchronisation
       – May use one or two network interfaces on its own!
       – May confuse your NIPS – layer 4/7 reassembly and synchronisation need to see both
         directions of a flow
    > VRRP may be problematic
    > Check that the capabilities are the ones you need
    > Evaluate how effective the vendor itself is
       – Customer satisfaction track record – will it just sell and then forget you?
    > RTFM – do your research

    Use your brain!

Border deployment
    Don’t leave them alone

    Some tips and guidelines
    > Border edges of the Data Centre/border routers
    > They can apply traffic policing/shaping
    > Can be the first barrier against malware and attacks against publicly-exposed
      services
       – Cannot do miracles; generally do not inspect TLS/SSL/encrypted protocols
       – Often cannot scan inside emails – mail servers today use SMTP over TLS
       – Will only detect what is within their event horizon
    > Better have them working in conjunction with other tools that work on the border
      routers/firewalls
       – Before or after routers/firewalls? Depends on your policies
    > You need to pre-emptively discuss with your ISP and establish a network security
      policy
    > Evaluate the impact on performance
    > Remain realistic: they will add latency and they will be bypassed

    Remain focused on making them a useful tool!
Inner deployment
       Protection of the service

       Some tips and guidelines
       > They can be deployed strategically in front of an important service
          – Achieving compliance? PCI-DSS? SOX?
       > They can sit elsewhere in the network
          – Enterprise office network – connected with NAC/NAP to block rogue clients
            at the switch
          – Inside a DMZ/production segment – you need to create a profile
       > What is your policy?
          – I want to detect everything that is attempted against me – deploy a wide rule set
          – I want only to protect against attacks that can hit me – deploy a specific rule set
       > What is the default fall-back scenario when the sensor fails?
          – Pass-through (fail open) or drop (fail closed)?

       Again: remain focused on making them a useful tool!


Baseline rule set tuning and deployment
       Tune your rule set

       Some tips and guidelines
       > Establish your baseline for a specific environment
          – As described before
       > Test in a test environment
          – If it is possible!
       > Agree on a deployment window
          – Verify whether important things are about to happen… don’t deploy right before a
            new release goes into production!
          – Monitor for a couple of hours, and for a couple of days thereafter
       > Create a report on the differences from the baseline
       > If you prefer: a report on the attacks mitigated

       Something changes in the service/network? Repeat the process!
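The baseline-versus-deployment report is easy to describe and easy to get wrong when the two monitoring windows have different lengths. The script below is an added example, not part of the presentation: it takes per-signature alert counts from a baseline window (sensor alerting only) and from the window after the tuned rule set went live, normalises both to events per hour, flags signatures that are new or much noisier since the change (blocking signatures first, because a false positive there drops real traffic), counts the events the new drop rules actually stopped, and renders a plain-text report. Signature names, counts, window lengths, the drop list and the 3x noise factor are all constructed or assumed.

```python
"""Report the difference between a baseline alert window and the window
after a tuned rule set went live.

Added example, not from the presentation. Assumes per-signature alert
counters exported from the NIPS for two windows: a baseline taken with
the sensor alerting only, and a post-deployment window with the tuned
rule set and blocking enabled. Signature names, counts, window lengths
and the 3x noise factor are constructed/assumed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed baseline: 48 hours of alert-only operation before the change.
BASELINE_HOURS = 48
BASELINE_COUNTS: Dict[str, int] = {
    "web-php-scanner": 120,
    "web-sqli-uri": 30,
    "smb-share-enum": 4,
}

# Constructed post-deployment window: 24 hours with the tuned rule set live.
DEPLOYED_HOURS = 24
DEPLOYED_COUNTS: Dict[str, int] = {
    "web-php-scanner": 70,
    "web-sqli-uri": 32,
    "smb-share-enum": 90,   # assumed: a file server moved into the segment
    "ssh-bruteforce": 11,
}

# Signatures the tuned rule set sets to drop instead of alert (assumed).
DROP_SIGNATURES: Set[str] = {"web-sqli-uri", "ssh-bruteforce"}


@dataclass
class SignatureDelta:
    signature: str
    baseline_per_hour: float
    deployed_per_hour: float
    verdict: str     # "new", "noisier", "quieter" or "stable"
    blocking: bool   # True if the signature drops traffic in the new rule set


def compare_windows(baseline, baseline_hours, deployed, deployed_hours,
                    drop_signatures, noise_factor=3.0) -> List[SignatureDelta]:
    """Normalise both windows to events per hour (the windows are rarely the
    same length) and classify each signature relative to the baseline."""
    rows = []
    for sig in sorted(set(baseline) | set(deployed)):
        before = baseline.get(sig, 0) / baseline_hours
        after = deployed.get(sig, 0) / deployed_hours
        if before == 0 and after > 0:
            verdict = "new"
        elif after > before * noise_factor:
            verdict = "noisier"
        elif after < before / noise_factor:
            verdict = "quieter"
        else:
            verdict = "stable"
        rows.append(SignatureDelta(sig, round(before, 2), round(after, 2),
                                   verdict, sig in drop_signatures))
    return rows


def review_candidates(rows):
    """Signatures whose rate jumped after the change. Blocking ones come
    first: if they are false positives, they are dropping real traffic."""
    flagged = [r for r in rows if r.verdict in ("new", "noisier")]
    return sorted(flagged, key=lambda r: (not r.blocking, r.signature))


def attacks_mitigated(deployed, drop_signatures):
    """Number of events the new rule set actually dropped."""
    return sum(n for sig, n in deployed.items() if sig in drop_signatures)


def render_report(rows, deployed, drop_signatures):
    """Plain-text report readable without knowing the signature internals."""
    lines = ["signature           before/h  after/h  verdict  action"]
    for r in rows:
        action = "drop" if r.blocking else "alert"
        lines.append(f"{r.signature:<18} {r.baseline_per_hour:>8} "
                     f"{r.deployed_per_hour:>8}  {r.verdict:<8} {action}")
    lines.append("events dropped by the new rule set: "
                 f"{attacks_mitigated(deployed, drop_signatures)}")
    for r in review_candidates(rows):
        urgency = "URGENT (blocking)" if r.blocking else "review"
        lines.append(f"{urgency}: {r.signature} is {r.verdict} since deployment")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = compare_windows(BASELINE_COUNTS, BASELINE_HOURS,
                           DEPLOYED_COUNTS, DEPLOYED_HOURS, DROP_SIGNATURES)
    print(render_report(rows, DEPLOYED_COUNTS, DROP_SIGNATURES))
```

Run it after the monitoring period and again after each change to the service or network; the "noisier" and "new" rows are the ones to take to the application owners before deciding whether the signature stays in drop mode.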


Monitoring
       Don’t forget them!

       Some tips and guidelines
       > You need to create profiles/deploy rule sets that are useful
          – Many outsourced managed SOCs use statistical tools which I strongly doubt
          – You need to have a network diagram/maps of your networks and services!
          – You need to profile
              – the services you are protecting
              – the traffic of your networks
          – You then need to tailor your rule sets
          – There is no magic wand, no bayesian/behavioural/self-adapting etc. – this is
            marketing
          – You need correlation with other tools – antivirus, NIDS, network scanners…
          – You need personnel monitoring 24x7x365 who can also access and know how to
            use the NIPS!

       Again: remain focused on making them a useful tool!
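One way to put "profile the services you are protecting, then tailor your rule set" into practice, and to make the wide-versus-specific policy choice from the inner deployment slide concrete. This is an added example, not from the presentation and not any vendor's rule format: rules carry minimal assumed metadata (protocol, destination port, affected software), the segment inventory comes from the network map, and every SID, rule name and host is constructed.

```python
"""Tailor a rule set to the services actually exposed on a segment.

Added example, not from the presentation and not any vendor's rule
format. Assumes a service inventory taken from the network map and a
rule set whose entries carry minimal metadata (protocol, destination
port, affected software). Rules, SIDs and hosts are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    sid: int
    name: str
    proto: str                 # "tcp" or "udp"
    dport: Optional[int]       # None means the rule is port-agnostic
    software: FrozenSet[str]   # empty set means the rule is generic


@dataclass(frozen=True)
class Service:
    host: str
    proto: str
    port: int
    software: FrozenSet[str]   # what the network map says is listening


# Constructed rule set with the kind of metadata a vendor feed carries.
RULES = [
    Rule(1001, "PHP remote file include in URI", "tcp", 80, frozenset({"php"})),
    Rule(1002, "IIS WebDAV buffer overflow", "tcp", 80, frozenset({"iis"})),
    Rule(1003, "MySQL authentication bypass", "tcp", 3306, frozenset({"mysql"})),
    Rule(1004, "MSSQL resolution service overflow", "udp", 1434, frozenset({"mssql"})),
    Rule(1005, "TCP port sweep", "tcp", None, frozenset()),
    Rule(1006, "SMB share enumeration", "tcp", 445, frozenset({"windows"})),
]

# Constructed profile of one DMZ segment, taken from the network map.
SEGMENT = [
    Service("web01", "tcp", 80, frozenset({"nginx", "php"})),
    Service("web01", "tcp", 443, frozenset({"nginx", "php"})),
    Service("db01", "tcp", 3306, frozenset({"mysql"})),
]


def _exposed(rule: Rule, svc: Service) -> bool:
    """The rule's transport/port is reachable on this service."""
    return rule.proto == svc.proto and (rule.dport is None or rule.dport == svc.port)


def _applies(rule: Rule, svc: Service) -> bool:
    """The rule targets software the service actually runs; generic rules
    (no software metadata) always apply."""
    return not rule.software or bool(rule.software & svc.software)


def select_rules(rules: List[Rule], segment: List[Service], policy: str) -> List[int]:
    """policy "wide": enable every rule whose protocol/port is exposed on
    the segment ("detect everything attempted against me").
    policy "specific": additionally require a software match ("protect
    only against attacks that can hit me")."""
    if policy not in ("wide", "specific"):
        raise ValueError(f"unknown policy: {policy}")
    selected = []
    for rule in rules:
        reachable = [s for s in segment if _exposed(rule, s)]
        if not reachable:
            continue                       # nothing listens there: noise only
        if policy == "wide" or any(_applies(rule, s) for s in reachable):
            selected.append(rule.sid)
    return sorted(selected)


def pruned_by_specific(rules: List[Rule], segment: List[Service]) -> List[int]:
    """Rules the wide policy enables but the specific one drops: the
    signatures most likely to fire only as false positives here."""
    wide = set(select_rules(rules, segment, "wide"))
    specific = set(select_rules(rules, segment, "specific"))
    return sorted(wide - specific)


if __name__ == "__main__":
    for policy in ("wide", "specific"):
        print(policy, select_rules(RULES, SEGMENT, policy))
    print("pruned by specific policy:", pruned_by_specific(RULES, SEGMENT))
```

Note that a rule bound to a port that only carries TLS (443 in this inventory) would not help anyway, since the sensor cannot see inside the encrypted stream; the service list should reflect what the sensor can actually inspect, not only what is listening.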

Measure effectiveness
       Because you have to renew your contracts sooner or later

       Some tips and guidelines
       > How did they behave under attack?
          – Did they detect it at all?
          – Were they useful in mitigating it?
          – Were they manageable under attack?
       > Peer with other NIPS customers
          – Different companies, also from different market segments
       > Do not believe the vendors. Use basic math.
       > Be paranoid
       > Finally: create reports that are readable
          – Your management doesn’t understand a bunch of IP addresses and signature
            names

       Again: remain focused on making them a useful tool!

Correlation and SOC
       Effective security 24x7x365

       Some tips and guidelines
       > Do not import all of your events into your SEM/SIM tool
          – Often you just overwhelm it, even with NIPS events alone
          – Do not work “statistically” and blind to your architecture
       > The rule set you deployed has an impact on what you get!
          – Often you pay for the SEM/SIM or the outsourced SOC by number of events!
       > Does the SOC (either outsourced or in-sourced) have access to the NIPS?
          – Have you defined user management for the NIPS?
          – What about operational procedures?
          – What about the technical skills of the personnel?

       Again and again: remain focused on making them a useful tool!
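An added example of the event reduction this slide argues for, not from the presentation or any product: a per-environment suppression list drops signatures known to be noise here, and repeated identical (signature, action, source, destination) events within a short window are forwarded as one summarised event with a count, so the SEM/SIM (and the per-event bill) sees the incident rather than every packet. The event line format, the sample events, the suppression list and the 60-second window are all constructed or assumed.

```python
"""Filter and aggregate NIPS events before they reach the SEM/SIM.

Added example, not from the presentation or any product. Assumes a
simple key=value event line (constructed format), a per-environment
suppression list, and that repeated identical (signature, action, src,
dst) events within a short window are forwarded as one summarised event
carrying a count.
"""
import re
from datetime import datetime
from typing import Any, Dict, List, Tuple

# Constructed sample events in an invented syslog-like format.
SAMPLE_EVENTS = """\
2010-01-12T10:00:01 ACTION=alert SIG=web-php-scanner SRC=203.0.113.7 DST=192.0.2.10 DPT=80
2010-01-12T10:00:02 ACTION=alert SIG=web-php-scanner SRC=203.0.113.7 DST=192.0.2.10 DPT=80
2010-01-12T10:00:03 ACTION=alert SIG=web-php-scanner SRC=203.0.113.7 DST=192.0.2.10 DPT=80
2010-01-12T10:00:05 ACTION=alert SIG=icmp-echo-sweep SRC=198.51.100.5 DST=192.0.2.10 DPT=0
2010-01-12T10:00:30 ACTION=drop SIG=web-sqli-uri SRC=203.0.113.7 DST=192.0.2.10 DPT=80
2010-01-12T10:02:00 ACTION=alert SIG=web-php-scanner SRC=203.0.113.7 DST=192.0.2.10 DPT=80
2010-01-12T10:02:10 ACTION=drop SIG=ssh-bruteforce SRC=198.51.100.9 DST=192.0.2.20 DPT=22
2010-01-12T10:02:11 ACTION=drop SIG=ssh-bruteforce SRC=198.51.100.9 DST=192.0.2.20 DPT=22
"""

# Signatures known to be noise in this environment (assumed: the
# monitoring host's ICMP sweeps trip this one continuously).
SUPPRESS = {"icmp-echo-sweep"}

_LINE = re.compile(
    r"^(?P<ts>\S+) ACTION=(?P<action>\w+) SIG=(?P<sig>\S+) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_event(line: str) -> Dict[str, Any]:
    """Parse one event line of the constructed format into a dict."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev: Dict[str, Any] = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def reduce_events(text: str, suppress, window_seconds: int = 60
                  ) -> Tuple[List[Dict[str, Any]], Dict[str, Any]]:
    """Return (forwarded_events, stats). Suppressed signatures are counted
    but never forwarded; the rest are collapsed per
    (signature, action, src, dst) into one event per window."""
    open_groups: Dict[tuple, Dict[str, Any]] = {}
    forwarded: List[Dict[str, Any]] = []
    stats: Dict[str, Any] = {"input": 0, "suppressed": 0}

    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        stats["input"] += 1
        if ev["sig"] in suppress:
            stats["suppressed"] += 1
            continue
        key = (ev["sig"], ev["action"], ev["src"], ev["dst"])
        group = open_groups.get(key)
        if group is not None and (ev["ts"] - group["first"]).total_seconds() <= window_seconds:
            group["count"] += 1          # same incident, still inside the window
            group["last"] = ev["ts"]
            continue
        if group is not None:            # window expired: flush the old group
            forwarded.append(group)
        open_groups[key] = {"signature": ev["sig"], "action": ev["action"],
                            "src": ev["src"], "dst": ev["dst"], "dpt": ev["dpt"],
                            "first": ev["ts"], "last": ev["ts"], "count": 1}

    forwarded.extend(open_groups.values())   # flush whatever is still open
    forwarded.sort(key=lambda g: g["first"])
    stats["forwarded"] = len(forwarded)
    stats["reduction"] = (round(1 - stats["forwarded"] / stats["input"], 2)
                          if stats["input"] else 0.0)
    return forwarded, stats


if __name__ == "__main__":
    events, summary = reduce_events(SAMPLE_EVENTS, SUPPRESS)
    for g in events:
        print(f"{g['first']:%H:%M:%S} {g['action']:<5} {g['signature']:<16} "
              f"{g['src']} -> {g['dst']}:{g['dpt']} x{g['count']}")
    print(summary)
```

The suppressed count stays in the stats on purpose: a suppression that suddenly hides thousands of events per hour is itself something the SOC should notice, and the suppression list should be reviewed whenever the rule set or the network profile changes.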



Thank you




Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

Best practices in NIPS - Brighttalk - January 2010

  • 1. Best practices in Intrusion Prevention
    Marco Ermini
    Vodafone ICT Security
    12 January 2010
    (slide footer: Presentation title in footer / Confidentiality level on title master / January 3, 2013 / Department on title master / Version number on title master)
  • 2. What this is about
    …and what it is not about!
    This presentation is not about…
    > …explaining what NIPS are – but let's be clear about what you can expect
    > …choosing a vendor/brand – even if we may mention something briefly – heard about Gartner?
    > …discussing whether you need a NIPS or not, or which technology you need (maybe a short note…)
    > …"off the shelf" or "vendor provided" best practices
      – you can just Google for "best practices intrusion prevention" – it will do the job!
    > I assume you need and want NIPS, or you already have NIPS
      – You want to use them effectively
      – Maybe you are just sticking to the "default", "vendor suggested" rule sets
      – You want to avoid headaches managing them day by day
      – You want to have a metric to compare your performance
    What you are looking for are best practices to make your investment worthwhile
  • 3. Who is speaking?
    This is not a bio…
    Why are you listening to me? – 1
    > I am supposed to know what I am talking about
    > Yes, that's my daily job. No, I am not a trainer or something like that
    > No, this is not academia or pure science. There is hardly any of that here!
    > I know what the market offers. Everyone can download Snort. It's not about that
    > I have a realistic view of this technology
    > Yes, I have been under a real attack. And not just once!
    > I am a customer of NIPS. I don't sell them. I will not try to contact you and sell you anything 
    > Yes, this will be my personal, partial, questionable, but realistic point of view
    You are not drinking from the fountain of truth 
  • 4. Who is this for?
    Why do you care?
    Why are you listening to me? – 2
    > You are a security or network engineer, and need to…
      – get added value from the investment
      – think about / deploy NIPS into your networks
    > You are a security or network manager, and need to…
      – understand the true value of NIPS
    > You are just curious
      – a graduate student getting into the network and/or security job world
      – experienced security or network personnel trying to understand NIPS
    You are welcome to share your expectations, doubts, questions!
  • 5. What am I doing today with my NIPS?
    Let's assume you have NIPS already, or are going to install them
    What are the common mistakes with NIPS?
    > They are deployed in the wrong place in the network
    > They are deployed and then forgotten
    > They are running the "suggested" rule sets from the supplier
    > It is assumed they are invincible and protect against all 0-day attacks
    > They are confused with NIDS (detection)
    > There is no measurable improvement in the overall security
    > No one is around who can access and use them when you are under attack
    > They are not really enabled (left in detect-only mode) for fear of false positives
    > You are subject to (vendor-spread?) urban legends ("behavioural based"? "auto-learn"?)
    > You use them because they are cool, or your boss told you to, or "for compliance" (sic!!!)
      – and they add latency and false positives
    Behold the common mistakes of NIPS!! 
  • 6. What to really expect from NIPS?
    …or, "avoid being ripped off"
    How can NIPS help me?
    > Do not bother testing whether you can bypass them. That's futile: you can. Save your time.
      – Ever heard of "SSL", "event horizon" and "inspect the first 512 bytes only"?
    > You need to use them in conjunction with other instruments
      – Coordination between different departments of your organisation
    > You need to update and patch the NIPS
    > You need to continually follow and profile the design of your network, applications, business
    > They will not protect you against 0-days (despite what vendors say)
    > You cannot treat them as NIDS – they are a specific, in-line tool (you cannot afford false positives)
    > You need to establish a metric and evaluate the real improvement in the overall security
    > You need to have operational procedures to use NIPS on the network
    > You need to enable useful signatures and test them in production
    If you don't do those steps, you had better save your money!
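The "event horizon" and "first 512 bytes only" limits on slide 6 are easier to grasp with a toy sensor than with a slogan. The following Python is an added example, not part of the original deck or of any vendor's product: a signature matcher with the two limits real sensors also have, an inspection depth (only the first N bytes of a flow are examined) and stateless per-segment matching without stream reassembly. The HTTP traffic and the `/cgi-bin/evil.sh` pattern are constructed for the example; the pattern is hypothetical, not a real rule.

```python
"""Added example (not from the original deck): inspection depth and stream
reassembly decide whether the same payload is seen at all."""

SIGNATURE = b"/cgi-bin/evil.sh"   # hypothetical pattern the sensor should block


def inspect(segments, signature, depth=None, reassemble=True):
    """True if `signature` is found within the bytes the sensor actually inspects.

    segments   : list of bytes, the TCP segments of one direction of a flow
    depth      : how many leading bytes of the flow are examined (None = all)
    reassemble : True  -> match on the reassembled stream (stateful)
                 False -> match every segment on its own (stateless)
    """
    if reassemble:
        stream = b"".join(segments)
        return signature in (stream if depth is None else stream[:depth])
    seen = 0
    for seg in segments:
        if depth is not None:
            seg = seg[: max(depth - seen, 0)]   # bytes past the depth are invisible
        if signature in seg:
            return True
        seen += len(seg)
    return False


def http_post(body, cookie_padding=0):
    """Constructed HTTP request carrying `body`; `cookie_padding` harmless
    bytes in a Cookie header push the body deeper into the stream."""
    headers = [
        b"POST /upload HTTP/1.1",
        b"Host: www.example.com",
        b"Cookie: session=" + b"a" * cookie_padding,
        b"Content-Length: %d" % len(body),
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def split_inside(stream, needle, offset):
    """Two segments, cut `offset` bytes into the first occurrence of `needle`."""
    cut = stream.index(needle) + offset
    return [stream[:cut], stream[cut:]]


def bypass_cases():
    """The same payload, five ways; returns {case: detected}."""
    body = b"cmd=" + SIGNATURE
    early = http_post(body)                      # payload starts around byte 90
    deep = http_post(body, cookie_padding=600)   # payload starts past byte 512
    halves = split_inside(early, SIGNATURE, 6)   # "/cgi-b" | "in/evil.sh"
    return {
        "early, depth 512": inspect([early], SIGNATURE, depth=512),
        "padded past 512, depth 512": inspect([deep], SIGNATURE, depth=512),
        "padded past 512, full depth": inspect([deep], SIGNATURE),
        "split across segments, per segment": inspect(halves, SIGNATURE, reassemble=False),
        "split across segments, reassembled": inspect(halves, SIGNATURE),
    }


if __name__ == "__main__":
    for case, hit in bypass_cases().items():
        print(f"{case:40s} {'DETECTED' if hit else 'missed'}")
```

Running it shows the padded request and the split request sailing past the limited configurations while the full-depth, reassembling one catches both; wrap the same request in TLS and none of the cases would be seen, which is the "SSL" part of the slide. The check is only worth running once, in a lab, to learn what the sensor's depth and reassembly settings actually are, not as a recurring bypass test.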
  • 7. What do you want to do with your NIPS?
    What does my company need? I can use NIPS to…
    > Mitigate specific attacks. For the rest, I need to integrate with other tools
      – They will not protect against all web application attacks, DDoS, malware…
      – They will protect against many – but if you want a locked-down environment, you need to complement them
      – 100% protection is not realistic; 0-day protection is marketing
    > Use them as an effective tool for immediate reaction to threats
      – They are in-line
    > Enforce company policies
      – Security is a process. NIPS must be part of the processes
      – Many can do traffic shaping/policing
      – Some can communicate with NAC/NAP or firewalls
    > They can do tunnel inspection, stop exploits, detect anomalies and normalise traffic, detect scans…
    They can be an effective tool if used wisely
  • 8. Basic evaluation/purchasing recommendations
    This is not a shopping guide!!!
    Some very quick and rough tips and guidelines
    > They will not sustain the bandwidth they claim to
    > The real cost is per network interface
      – A NIPS may need from one to four network interfaces to protect a single network segment!
    > Asymmetric traffic paths – state table synchronisation
      – May use one or two network interfaces!
      – May confuse your NIPS – layer 4/7 reassembly needs to see both directions of a flow
    > VRRP may be problematic
    > Evaluate that the capabilities are what you need
    > Evaluate how effective the vendor itself is
      – Customer satisfaction track record – will it just sell and then forget you?
    > RTFM – do your research
    Use your brain!
  • 9. Border deployment
    Don't leave them alone
    Some tips and guidelines
    > Border edges of the Data Centre/border routers
    > They can apply traffic policing/shaping
    > They can be the first barrier against malware and attacks against publicly-exposed services
      – They cannot do miracles; they generally do not inspect TLS/SSL/encrypted protocols
      – They often cannot scan inside emails – mail servers today use SMTP over TLS
      – They will only detect what is within their event horizon
    > Better have them working in conjunction with other tools that work on the border routers/firewalls
      – Before or after routers/firewalls? Depends on your policies
    > You need to pre-emptively discuss with your ISP and establish a network security policy
    > Evaluate the impact on performance
    > Remain realistic: they will add latency and will be bypassed
    Remain focused on making them a useful tool!
  • 10. Inner deployment
    Protection of the service
    Some tips and guidelines
    > They can be deployed strategically in front of an important service
      – Achieving compliance? PCI-DSS? SOX?
    > They can sit around in the network
      – Enterprise office network – connected with NAC/NAP, to block rogue clients on the switch
      – Inside a DMZ/production segment – you need to create a profile
    > What is your policy?
      – I want to detect everything that is attempted against me – deploy a wide rule set
      – I want only to protect against attacks that can hit me – deploy a specific rule set
    > What is the default fall-back scenario?
      – Pass-through (fail-open) or drop (fail-closed)?
    Again: remain focused on making them a useful tool!
  • 11. Baseline rule set tuning and deployment
    Tune your rule set
    Some tips and guidelines
    > Establish your baseline for a specific environment
      – As described before
    > Test in a test environment
      – If it is possible!
    > Agree on a deployment window
      – Verify whether important things are going to happen… don't deploy before a new release gets into production!
      – Monitor for a couple of hours, and for a couple of days thereafter
    > Create a report on the differences from the baseline
    > If you prefer: a report about attacks mitigated
    Something changes in the service/network? Repeat the process!
  • 12. Monitoring
    Don't forget them!
    Some tips and guidelines
    > You need to create profiles/deploy rule sets that are useful
      – Many outsourced managed SOCs use statistical tools, which I strongly doubt
      – You need to have a network diagram/maps of your networks and services!
      – You need to profile
        – the services you are protecting
        – the traffic of your networks
      – You then need to tailor your rule sets
      – There is no magic wand, or bayesian-behavioural-self-adapting etc. – this is marketing
      – You need correlation with other tools – anti-virus, NIDS, network scanners…
      – You need to have personnel monitoring 24x7x365 who can also access and know how to use the NIPS!
    Again: remain focused on making them a useful tool!
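Slide 10's "wide versus specific rule set" and slide 12's "profile the services, then tailor the rule set" are the same decision made from the same input: an inventory of what the segment actually runs. The Python below is an added example, not from the original deck or any vendor's tooling. The signature catalogue, its metadata fields (`proto`, `affects`) and the DMZ inventory are hypothetical and constructed here; real catalogues carry comparable metadata under vendor-specific names.

```python
"""Added example (not from the original deck): derive a rule-set profile for
one segment from its service inventory, and find what the NIPS cannot cover."""

# Hypothetical signature catalogue.  `affects` is the software a signature is
# specific to; an empty set means "any server speaking that protocol".
CATALOG = [
    {"sid": 1, "proto": "http", "affects": {"apache httpd", "nginx"}, "name": "HTTP traversal attempt"},
    {"sid": 2, "proto": "http", "affects": {"iis"}, "name": "IIS-specific request anomaly"},
    {"sid": 3, "proto": "smtp", "affects": {"sendmail"}, "name": "SMTP command overflow attempt"},
    {"sid": 4, "proto": "ssh", "affects": {"openssh"}, "name": "SSH version probe"},
    {"sid": 5, "proto": "http", "affects": set(), "name": "HTTP generic shellcode pattern"},
    {"sid": 6, "proto": "smb", "affects": {"windows"}, "name": "SMB null session attempt"},
]

# Constructed inventory of a DMZ segment: host -> list of (protocol, software).
INVENTORY = {
    "192.0.2.10": [("http", "apache httpd"), ("ssh", "openssh")],
    "192.0.2.20": [("http", "nginx")],
    "192.0.2.30": [("postgres", "postgresql")],
}


def inventoried(inventory):
    """Protocols served on the segment, and software present on it."""
    protos = {p for svcs in inventory.values() for p, _ in svcs}
    software = {s for svcs in inventory.values() for _, s in svcs}
    return protos, software


def select_rules(catalog, inventory, policy):
    """Signature ids to enable on a segment under one of three policies.

    wide     : everything in the catalogue ("detect all attempts against me")
    protocol : only signatures for protocols actually served here
    specific : only signatures for software actually present here, plus the
               generic ones for served protocols ("attacks that can hit me")
    """
    protos, software = inventoried(inventory)
    chosen = []
    for rule in catalog:
        if policy == "wide":
            keep = True
        elif policy == "protocol":
            keep = rule["proto"] in protos
        elif policy == "specific":
            keep = rule["proto"] in protos and (
                not rule["affects"] or bool(rule["affects"] & software))
        else:
            raise ValueError(f"unknown policy {policy!r}")
        if keep:
            chosen.append(rule["sid"])
    return sorted(chosen)


def uncovered_services(catalog, inventory):
    """(protocol, software) pairs no signature addresses at all: the NIPS
    gives them nothing, so they need another control (patching, a WAF,
    host hardening).  This is the "complement with other tools" list."""
    gaps = set()
    for svcs in inventory.values():
        for proto, sw in svcs:
            covered = any(
                r["proto"] == proto and (not r["affects"] or sw in r["affects"])
                for r in catalog)
            if not covered:
                gaps.add((proto, sw))
    return sorted(gaps)


if __name__ == "__main__":
    for policy in ("wide", "protocol", "specific"):
        print(f"{policy:9s} -> sids {select_rules(CATALOG, INVENTORY, policy)}")
    print("no signature coverage:", uncovered_services(CATALOG, INVENTORY))
```

The "specific" profile drops the IIS, sendmail and SMB signatures that can only produce false positives here, and the coverage check reports the PostgreSQL service as something the rule set does not touch at all. Re-run both whenever the inventory changes, which is the "something changes? repeat the process" step of slide 11.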
  • 13. Measure effectiveness
    Because you have to renew your contracts sooner or later 
    Some tips and guidelines
    > How did they behave under attack?
      – Did they detect it at all?
      – Were they useful in mitigating it?
      – Were they manageable under attack?
    > Peer with other NIPS customers
      – Different companies, also from different market segments
    > Do not believe the vendors. Use basic math.
    > Be paranoid
    > Finally: create reports that are readable
      – Your management doesn't understand a bunch of IP addresses and signature names
    Again: remain focused on making them a useful tool!
  • 14. Correlation and SOC
    Effective security 24x7x365
    Some tips and guidelines
    > Do not import all of your events into your SEM/SIM tool
      – Often you just overwhelm it, even with NIPS
      – Do not work "statistically" and blindly about your architecture
    > The rule set you deployed has an impact on what you get!
      – Often you pay for the SEM/SIM or the outsourced SOC by number of events!
    > Does the SOC (either outsourced or in-sourced) have access to the NIPS?
      – Have you defined user management for the NIPS?
      – What about operational procedures?
      – What about the technical skills of the personnel?
    Again and again: remain focused on making them a useful tool!
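Two of the slides above ask for the same piece of tooling: slide 11 wants a report on the differences from the baseline after a rule-set change, and slide 14 wants fewer, better events reaching a SEM/SIM that is billed per event. The Python below is an added example, not from the original deck or any vendor: one small alert-log parser, a per-signature rate comparison against a baseline window, and an aggregation step that collapses repeats before forwarding. The key=value log format, the signature ids and names and all traffic are constructed for the example.

```python
"""Added example (not from the original deck): baseline comparison per
signature, and aggregation of repeated events before they reach a SEM/SIM."""

import re
from collections import Counter, defaultdict

# Hypothetical alert line format, not a vendor's:
#   2010-01-11T09:00:00 sid=1001 sig="..." src=A dst=B action=alert|drop
LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\d+) sig="(?P<sig>[^"]*)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>alert|drop)$'
)

# Hypothetical signature ids/names used by the constructed logs.
SIG_NAMES = {
    "1001": "WEB-MISC generic probe",
    "1002": "WEB-PHP remote file include attempt",
    "1003": "SCAN nmap TCP",
    "1004": "WEB-CGI command injection attempt",
}


def parse(lines):
    """Parse alert lines into dicts; malformed lines are skipped, not fatal."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in lines) if m]


def hourly_rate(events, window_hours):
    """Alerts per hour per signature, so windows of different length compare."""
    return {sid: n / window_hours for sid, n in Counter(e["sid"] for e in events).items()}


def compare(baseline, current, spike_factor=3.0):
    """Classify every signature seen in either window.
    new: fired only after the change (review for false positives);
    spike: rate grew by spike_factor or more; gone: silent now (disabled?
    coverage lost?); steady: everything else."""
    report = {"new": [], "spike": [], "gone": [], "steady": []}
    for sid in sorted(set(baseline) | set(current)):
        before, after = baseline.get(sid, 0.0), current.get(sid, 0.0)
        if before == 0:
            report["new"].append(sid)
        elif after == 0:
            report["gone"].append(sid)
        elif after >= spike_factor * before:
            report["spike"].append(sid)
        else:
            report["steady"].append(sid)
    return report


def aggregate_for_siem(events):
    """Collapse repeats of (sid, src, dst) into one summary with a count and a
    first/last timestamp: one event per attacker/target/signature instead of
    every hit, which is what a per-event-billed SEM/SIM should receive."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for e in events:
        s = summary[(e["sid"], e["src"], e["dst"])]
        s["count"] += 1
        s["first"] = min(filter(None, [s["first"], e["ts"]]))
        s["last"] = max(filter(None, [s["last"], e["ts"]]))
    return [{"sid": k[0], "sig": SIG_NAMES.get(k[0], "?"), "src": k[1], "dst": k[2], **v}
            for k, v in summary.items()]


def constructed_log(day, counts, sources=1):
    """Constructed sample traffic: `counts` maps sid -> number of alerts,
    rotating over `sources` attacker addresses (documentation ranges only)."""
    return [
        f'{day}T{i % 24:02d}:{i % 60:02d}:00 sid={sid} sig="{SIG_NAMES[sid]}" '
        f'src=203.0.113.{i % sources + 1} dst=192.0.2.10 action=alert'
        for sid, n in counts.items() for i in range(n)
    ]


def tuning_report():
    """24h baseline before the rule-set change vs. the first 2h after it."""
    baseline = parse(constructed_log("2010-01-11", {"1001": 24, "1002": 6, "1003": 2}))
    after = parse(constructed_log("2010-01-12", {"1001": 2, "1002": 3, "1004": 5})
                  + ["garbage line the parser must tolerate"])
    return compare(hourly_rate(baseline, 24), hourly_rate(after, 2))


def siem_feed():
    """(raw events, summaries forwarded, hits accounted for) for the 2h window."""
    raw = parse(constructed_log("2010-01-12", {"1001": 2, "1002": 3, "1004": 5}))
    summaries = aggregate_for_siem(raw)
    return len(raw), len(summaries), sum(s["count"] for s in summaries)


if __name__ == "__main__":
    for kind, sids in tuning_report().items():
        print(f"{kind:7s} {[f'{s} {SIG_NAMES[s]}' for s in sids]}")
    print("raw events, summaries, hits:", siem_feed())
```

In the constructed data the new signature 1004 and the tripled rate of 1002 are what the post-deployment watch of slide 11 should put in front of an engineer; the rate normalisation matters because a 2-hour window is being compared with a 24-hour one. The aggregation keeps the count, so nothing is lost for the SOC, but ten raw hits become three forwarded events. Printing signature names next to the ids is the cheapest step towards the readable reports slide 13 asks for.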
  • 15. Thank you