Best practices in Intrusion Prevention
                              Marco Ermini
                              Vodafone ICT Security

                              12 January 2010




1   Presentation title in footer                Confidentiality level on title master   January 3, 2013
    Department on title master                  Version number on title master
What this is about
    …and what it is not about!


    This presentation is not about…
    > …explaining what NIPS are – but let’s be clear about what you can expect
    > …choosing a vendor/brand – even if we may mention something briefly – heard
      about Gartner?
    > …discussing whether you need a NIPS or not, or which technology you need (maybe a
      short note…)
    > …“off-the-shelf” or “vendor-provided” best practices
       – you can just Google for “best practices intrusion prevention” - it will do the job!
    > I assume you need and want NIPS, or you already have NIPS
       – You want to use them effectively
       – Maybe you are just sticking to the “default”, “vendor-suggested” rule sets
       – You want to avoid headaches managing them day by day
       – You want a metric to compare your performance

    What you are looking for are best practices that make your investment worthwhile


Who is speaking?
    This is not a bio…



    Why are you listening to me? – 1
    > I am supposed to know what I am talking about
    > Yes, that’s my daily job. No, I am not a trainer or something like that
    > No, this is not academia or pure science. There is hardly any here!
    > I know what the market offers. Everyone can download Snort. It’s not about that
    > I have a realistic view about this technology
    > Yes, I have been under a real attack. And not just once!
    > I am a customer of NIPS. I don’t sell them. I will not try to contact you and sell you
      anything 
    > Yes, this will be my personal, partial, questionable, but realistic point of view



    You are not drinking from the fountain of truth 


Who is this for?
    Why do you care?



    Why are you listening to me? – 2
    > You are a security or network engineer, and…
       – need added value from the investment
       – are thinking of deploying, or need to deploy, NIPS in your networks
    > You are a security or network manager, and need to…
       – understand the true value of NIPS
    > You are just curious
       – a graduate student getting into the network and/or security job world
       – experienced security or network personnel trying to understand NIPS



    You are welcome to share your expectations, doubts, questions!




What am I doing today with my NIPS?
    Let’s assume you have NIPS already, or are going to install them

    What are the common mistakes with NIPS?
    > They are deployed in the wrong place in the network
    > They are deployed and then forgotten
    > They are running the “suggested” rule sets from the supplier
    > It is assumed they are invincible and protect against all 0-day attacks
    > They are confused with NIDS (detection only)
    > There is no measurable improvement in the overall security
    > No one is around who can access and use them when you are under attack
    > They are not really enabled, for fear of false positives
    > You are subject to (vendor-spread?) urban legends (“behaviour-based”? “auto-
      learn”?)
    > They are used because they are cool, or the boss said so, or “for compliance” (sic!!!)
       – They then only add latency and false positives

    Behold the common mistakes of NIPS!!


What to really expect from NIPS?
    …or, “avoid being ripped off”

    How can NIPS help me?
    > Do not waste time testing whether they can be bypassed. They can. Save your time.
       – Ever heard of “SSL” (encrypted traffic), the “event horizon” (they only see what
         passes through them) and “inspect the first 512 bytes only”?
    > You need to use them in conjunction with other instruments
       – Coordination between different departments of your organisation
    > You need to update and patch the NIPS
    > You need to continually follow and profile the design of your network, applications
      and business
    > They will not protect you against 0-days (despite what vendors say)
    > You cannot treat them as NIDS – they are a specific, in-line tool (it cannot afford false
      positives)
    > You need to establish a metric and evaluate the real improvement in the overall
      security
    > You need operational procedures to use NIPS on the network
    > You need to enable useful signatures and test them in production

    If you don’t do those steps, you had better save your money!
What do you want to do with your NIPS?
    What does my company need?

    I can use NIPS to…
    > Mitigate specific attacks. For the rest, I need to integrate with other tools
       – They will not protect against all web application attacks, DDoS, malware…
       – They will protect against many – but if you want a locked-down environment, you need
         to complement them
       – 100% protection is not realistic; 0-day protection is marketing
    > React immediately to threats – they are an effective tool for that
       – They are in-line
    > Enforce company policies
       – Security is a process. NIPS must be part of the processes
       – Many can do traffic shaping/policing
       – Some can communicate with NAC/NAP or firewalls
    > Do tunnel inspection, stop exploits, detect anomalies and normalise traffic,
      detect scans…

    They can be an effective tool if used wisely

Basic evaluation/purchasing recommendations
    This is not a shopping guide!!!

    Some very quick and rough tips and guidelines
    > They will not sustain the bandwidth they claim to
    > The real cost is per network interface
       – A NIPS may need from one to four network interfaces to protect a single network
         segment!
    > Asymmetric traffic paths – state table synchronisation
       – May use one or two network interfaces!
       – May confuse your NIPS – layer 4/7 reassembly and synchronisation
    > VRRP may be problematic
    > Evaluate whether the capabilities are what you need
    > Evaluate how effective the vendor itself is
       – Customer satisfaction track record – will it just sell and then forget you?
    > RTFM – do your research

    Use your brain!
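The asymmetric-path point above is the one that most often surprises people at purchase time, so here is a small added example of why it happens. It is not code from the original slides or from any vendor; the packet model, the state names, the two-entry signature list and the addresses are assumptions made for illustration. A stateful in-line engine tracks the TCP three-way handshake per flow and inspects payload only on flows it saw established; when the server-to-client half of the flow crosses a different device, the engine never sees the SYN-ACK and the payload arrives "midstream". The same toy also shows the earlier caveat of an engine that inspects only the first N bytes of payload.

```python
"""Toy model of a stateful in-line NIPS engine, showing two limitations:
asymmetric traffic paths (the engine sees only one direction of a flow) and
depth-limited inspection. Added illustration, not a vendor's engine."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str          # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    payload: bytes = b""


# Constructed signature list (pattern -> name); real rule sets are far richer.
SIGNATURES = {
    b"' OR 1=1": "WEB-SQLI-TAUTOLOGY",
    b"/etc/passwd": "WEB-LFI-PASSWD",
}


class StreamInspector:
    """Per-flow states: NEW -> SYN_SEEN -> SYNACK_SEEN -> ESTABLISHED.

    Payload is inspected only on ESTABLISHED flows. `on_midstream` is the
    fall-back for payload on a flow whose handshake was never seen complete:
    "pass" (fail-open, traffic flows uninspected) or "drop" (fail-closed,
    which also kills legitimate flows that merely took an asymmetric path).
    `inspect_depth` limits how many payload bytes are matched (None = all).
    """

    def __init__(self, on_midstream="pass", inspect_depth=None):
        self.on_midstream = on_midstream
        self.inspect_depth = inspect_depth
        self.flows = {}  # canonical (host, host) key -> state

    @staticmethod
    def _key(pkt):
        return tuple(sorted((pkt.src, pkt.dst)))  # same key for both directions

    def handle(self, pkt):
        """Return a (verdict, reason) tuple for one packet."""
        key = self._key(pkt)
        state = self.flows.get(key, "NEW")
        # Handshake tracking: every step must be observed on this device.
        if pkt.flags == "S" and state == "NEW":
            self.flows[key] = "SYN_SEEN"
            return ("pass", "handshake")
        if pkt.flags == "SA" and state == "SYN_SEEN":
            self.flows[key] = "SYNACK_SEEN"
            return ("pass", "handshake")
        if pkt.flags == "A" and state == "SYNACK_SEEN" and not pkt.payload:
            self.flows[key] = "ESTABLISHED"
            return ("pass", "handshake")
        if not pkt.payload:
            return ("pass", "no-payload")
        if state != "ESTABLISHED":
            # Never saw the full handshake: apply the fall-back, no inspection at all.
            return (self.on_midstream, "midstream-uninspected")
        data = pkt.payload if self.inspect_depth is None else pkt.payload[: self.inspect_depth]
        for pattern, name in SIGNATURES.items():
            if pattern in data:
                return ("drop", name)
        return ("pass", "inspected")


CLIENT, SERVER = "203.0.113.7", "192.0.2.10"  # constructed addresses
ATTACK = b"GET /login?user=admin' OR 1=1-- HTTP/1.1\r\n"
BENIGN = b"GET /index.html HTTP/1.1\r\n"
# Same attack string, pushed past byte 512 of the request by a long filler parameter.
PADDED = b"GET /index.html?pad=" + b"A" * 600 + b"&user=admin' OR 1=1-- HTTP/1.1\r\n"


def symmetric(payload):
    """Both directions cross the NIPS: the full handshake is visible."""
    return [Packet(CLIENT, SERVER, "S"), Packet(SERVER, CLIENT, "SA"),
            Packet(CLIENT, SERVER, "A"), Packet(CLIENT, SERVER, "A", payload)]


def asymmetric(payload):
    """Return path goes elsewhere: the SYN-ACK never crosses this NIPS."""
    return [Packet(CLIENT, SERVER, "S"), Packet(CLIENT, SERVER, "A"),
            Packet(CLIENT, SERVER, "A", payload)]


def final_verdict(packets, on_midstream="pass", inspect_depth=None):
    """Run a packet sequence through a fresh engine; return the verdict on the last packet."""
    engine = StreamInspector(on_midstream, inspect_depth)
    verdict = None
    for pkt in packets:
        verdict = engine.handle(pkt)
    return verdict


if __name__ == "__main__":
    print("symmetric, attack:        ", final_verdict(symmetric(ATTACK)))
    print("asymmetric, attack, pass: ", final_verdict(asymmetric(ATTACK)))
    print("asymmetric, benign, drop: ", final_verdict(asymmetric(BENIGN), "drop"))
    print("symmetric, padded, depth: ", final_verdict(symmetric(PADDED), inspect_depth=512))
```

The remedy the slide hints at is visible in the model: either force both halves of every flow through the same device, or use the vendor's state-table synchronisation between the devices on the two paths, which is where the extra interfaces mentioned above go. Whichever you choose, pick the midstream fall-back deliberately: "pass" silently reopens the gap the NIPS was bought to close, "drop" turns every routing asymmetry into an outage.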

Border deployment
    Don’t leave them alone

    Some tips and guidelines
    > Border edges of the Data Centre/border routers
    > They can apply traffic policing/shaping
    > They can be the first barrier against malware and attacks against publicly-exposed
      services
       – They cannot do miracles: generally they do not inspect TLS/SSL/encrypted protocols
       – Often they cannot scan inside emails – mail servers today use SMTP over TLS
       – They will only detect what is in their event horizon
    > Better to have them working in conjunction with other tools that work on the border
      routers/firewalls
       – Before or after the routers/firewalls? Depends on your policies
    > You need to pre-emptively discuss with your ISP and establish a network security
      policy
    > Evaluate the impact on performance
    > Remain realistic: they will add latency and they will be bypassed

    Remain focused on making them a useful tool!
Inner deployment
       Protection of the service


       Some tips and guidelines
       > They can be deployed strategically in front of an important service
          – Achieving compliance? PCI-DSS? SOX?
       > They can sit elsewhere in the network
          – Enterprise office network – connected with NAC/NAP to block the rogue clients
            at the switch
          – Inside a DMZ/production segment – you need to create a profile
       > What is your policy?
          – I want to detect everything that is attempted against me – deploy a wide rule set
          – I want only to protect against attacks that can hit me – deploy a specific rule set
       > What is the default fall-back scenario?
          – Pass-through (fail-open) or drop (fail-closed)?

       Again: remain focused on making them a useful tool!


Baseline rule set tuning and deployment
       Tune your rule set


       Some tips and guidelines
       > Establish your baseline for a specific environment
          – As described before
       > Test in a test environment
          – If possible!
       > Agree on a deployment window
          – Verify whether important things are about to happen… don’t deploy right before a new
            release goes into production!
          – Monitor for a couple of hours, and for a couple of days thereafter
       > Create a report on the differences from the baseline
       > If you prefer: a report on the attacks mitigated


       Something changes in the service/network? Repeat the process!


Monitoring
       Don’t forget them!


       Some tips and guidelines
       > You need to create profiles and deploy rule sets that are useful
          – Many outsourced managed SOCs use statistical tools that I strongly doubt
          – You need a network diagram/maps of your networks and services!
          – You need to profile
              – the services you are protecting
              – the traffic of your networks
          – You then need to tailor your rule sets
          – There is no magic wand, or Bayesian/behavioural/self-adapting etc. – this is
            marketing
          – You need correlation with other tools – anti-virus, NIDS, network scanners…
          – You need personnel monitoring 24x7x365 who can also access and know
            how to use the NIPS!

       Again: remain focused on making them a useful tool!

Measure effectiveness
       Because you have to renew your contracts sooner or later 


       Some tips and guidelines
       > How did they behave under attack?
          – Did they detect it at all?
          – Were they useful in mitigating it?
          – Were they manageable under attack?
       > Peer with other NIPS customers
          – Different companies, also from different market segments
       > Do not believe the vendors. Use basic math.
       > Be paranoid
       > Finally: create reports that are readable
          – Your management doesn’t understand a bunch of IP addresses and signature
            names


       Again: remain focused on making them a useful tool!

Correlation and SOC
       Effective security 24X7X365


       Some tips and guidelines
       > Do not import all of your events into your SEM/SIM tool
          – Often you just overwhelm it, even with NIPS alone
          – Do not work “statistically” and blindly, ignoring your architecture
       > The rule set you deployed has an impact on what you get!
          – Often you pay for the SEM/SIM or the outsourced SOC by number of events!
       > Does the SOC (either outsourced or in-sourced) have access to the NIPS?
          – Have you defined user management for the NIPS?
          – What about operational procedures?
          – What about the technical skills of the personnel?



       Again and again: remain focused on making them a useful tool!
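The report on the differences from the baseline (from the rule set tuning slide) and this slide's warning about event volume come down to the same data, so here is one added example that covers both. It is not code from the original slides; the log line format, the signature numbers and names, the addresses and the sample events are constructed for illustration, and real NIPS export formats differ per product. It normalises per-signature counts to an hourly rate so that a two-hour baseline can be compared with a four-hour monitoring window, flags signatures that are new, gone, up or down, and then collapses repeated events into summary records with a count before they go to the SEM/SIM, with an optional suppression list for a signature/source pair you have tuned out.

```python
"""Baseline-vs-deployment delta report and event reduction before SEM/SIM forwarding.
Added illustration; the log format below is a constructed, vendor-neutral one."""
from collections import Counter
from datetime import datetime

# Constructed sample logs (not real traffic). Baseline: 2 h before the new rule set.
BASELINE_LOG = """\
2010-01-11T10:00:01 sig=2001 name=WEB-SQLI-UNION src=203.0.113.7 dst=192.0.2.10 action=drop
2010-01-11T10:05:12 sig=2001 name=WEB-SQLI-UNION src=203.0.113.7 dst=192.0.2.10 action=drop
2010-01-11T10:20:45 sig=3100 name=SCAN-NMAP-SYN src=198.51.100.9 dst=192.0.2.10 action=alert
2010-01-11T11:30:02 sig=4200 name=SMTP-RELAY-TEST src=198.51.100.22 dst=192.0.2.25 action=alert
"""
# Constructed: first 4 h after the new rule set went live.
POST_DEPLOY_LOG = """\
2010-01-12T10:00:03 sig=2001 name=WEB-SQLI-UNION src=203.0.113.7 dst=192.0.2.10 action=drop
2010-01-12T10:00:04 sig=2001 name=WEB-SQLI-UNION src=203.0.113.7 dst=192.0.2.10 action=drop
2010-01-12T10:00:05 sig=2001 name=WEB-SQLI-UNION src=203.0.113.7 dst=192.0.2.10 action=drop
2010-01-12T10:00:06 sig=2001 name=WEB-SQLI-UNION src=203.0.113.7 dst=192.0.2.10 action=drop
2010-01-12T10:15:00 sig=5500 name=HTTP-BACKUP-JOB-POST src=10.20.0.4 dst=192.0.2.10 action=drop
2010-01-12T10:15:01 sig=5500 name=HTTP-BACKUP-JOB-POST src=10.20.0.4 dst=192.0.2.10 action=drop
2010-01-12T10:15:02 sig=5500 name=HTTP-BACKUP-JOB-POST src=10.20.0.4 dst=192.0.2.10 action=drop
2010-01-12T12:40:10 sig=3100 name=SCAN-NMAP-SYN src=198.51.100.9 dst=192.0.2.10 action=alert
"""


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def rate_per_hour(events, hours):
    """Per-signature hourly rate, so windows of different length are comparable."""
    return {sig: n / hours for sig, n in Counter(ev["sig"] for ev in events).items()}


def baseline_delta(baseline, baseline_hours, window, window_hours):
    """Compare the monitoring window with the baseline, signature by signature.
    Returns (sig, name, baseline_rate, window_rate, status) tuples."""
    names = {ev["sig"]: ev["name"] for ev in baseline + window}
    base = rate_per_hour(baseline, baseline_hours)
    win = rate_per_hour(window, window_hours)
    report = []
    for sig in sorted(set(base) | set(win)):
        b, w = base.get(sig, 0.0), win.get(sig, 0.0)
        if b == 0:
            status = "new"      # fires only since the change: candidate false positive
        elif w == 0:
            status = "gone"     # check the signature is still enabled, not just quiet
        elif w >= 2 * b:
            status = "up"
        elif w <= 0.5 * b:
            status = "down"
        else:
            status = "steady"
        report.append((sig, names[sig], b, w, status))
    return report


def aggregate_for_siem(events, window_seconds=60, suppress=()):
    """Collapse repeats of the same (sig, src, dst, action) within window_seconds into
    one record with a count, dropping tuned-out (sig, src) pairs, before forwarding."""
    open_buckets, summaries = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (ev["sig"], ev["src"]) in suppress:
            continue
        key = (ev["sig"], ev["src"], ev["dst"], ev["action"])
        bucket = open_buckets.get(key)
        if bucket and (ev["ts"] - bucket["last_seen"]).total_seconds() <= window_seconds:
            bucket["count"] += 1
            bucket["last_seen"] = ev["ts"]
            continue
        if bucket:
            summaries.append(bucket)   # gap exceeded the window: close the old record
        open_buckets[key] = {"sig": ev["sig"], "name": ev["name"], "src": ev["src"],
                             "dst": ev["dst"], "action": ev["action"], "count": 1,
                             "first_seen": ev["ts"], "last_seen": ev["ts"]}
    summaries.extend(open_buckets.values())
    return sorted(summaries, key=lambda s: s["first_seen"])


def run_report():
    """Delta report for the 2 h baseline vs the 4 h window, plus the reduced event list."""
    baseline, post = parse_events(BASELINE_LOG), parse_events(POST_DEPLOY_LOG)
    return baseline_delta(baseline, 2, post, 4), aggregate_for_siem(post)


if __name__ == "__main__":
    delta, summaries = run_report()
    for sig, name, b, w, status in delta:
        print(f"{sig} {name:<22} baseline {b:.2f}/h  window {w:.2f}/h  {status}")
    print(f"{len(parse_events(POST_DEPLOY_LOG))} raw events -> {len(summaries)} records for the SEM/SIM")
    for s in summaries:
        print(f"  {s['count']}x {s['name']} {s['src']} -> {s['dst']} ({s['action']})")
```

The status column is what a deployment report should lead with: the "new" signature here fires only from an internal host and was never seen in the baseline, which is the profile of a false positive to investigate before it is left blocking; a "gone" signature deserves a check that it is still enabled rather than merely quiet. On the SEM/SIM side the window collapses eight raw events into three records, and suppressing the tuned-out pair removes the noisy ones entirely; when the contract is priced per event, that difference is money.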



Thank you




Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Best practices in NIPS - Brighttalk - January 2010

  • 1. Best practices in Intrusion Prevention
    Marco Ermini, Vodafone ICT Security
    12 January 2010
  • 2. What this is about… and what it is not about!
    This presentation is not about…
    > …explaining what NIPS are – but let’s be clear about what you can expect
    > …choosing a vendor/brand – even if we may mention something briefly – heard about Gartner?
    > …discussing if you need a NIPS or not, or which technology you need (maybe a short note…)
    > …“off the shelf” or “vendor provided” best practices
      – you can just Google for “best practices intrusion prevention” – it will do the job!
    > I assume you need and want NIPS, or you already have NIPS
      – You want to use them effectively
      – Maybe you are just sticking to the “default”, “vendor suggested” rule-sets
      – You want to avoid headaches managing them day by day
      – You want to have a metric to compare your performance
    What you are looking for are best practices to make your investment worthwhile
  • 3. Who is speaking? This is not a bio…
    Why are you listening to me? – 1
    > I am supposed to know what I am talking about
    > Yes, that’s my daily job. No, I am not a trainer or something like that
    > No, this is not academia or pure science. There is hardly any here!
    > I know what the market offers. Everyone can download Snort. It’s not about that
    > I have a realistic view of this technology
    > Yes, I have been under a real attack. And not just once!
    > I am a customer of NIPS. I don’t sell them. I will not try to contact you and sell you anything
    > Yes, this will be my personal, partial, questionable, but realistic point of view
    You are not drinking from the fountain of truth
  • 4. Who is this for? Why do you care?
    Why are you listening to me? – 2
    > You are a security or network engineer, and need to…
      – get added value from the investment
      – are thinking about/need to deploy NIPS in your networks
    > You are a security or network manager, and need to…
      – understand the true value of NIPS
    > You are just curious
      – graduate student getting into the network and/or security job world
      – experienced security or network personnel trying to understand NIPS
    You are welcome to share your expectations, doubts, questions!
  • 5. What am I doing today with my NIPS?
    Let’s assume you have NIPS already, or are going to install them
    What are the common mistakes with NIPS?
    > They are deployed in the wrong place in the network
    > They are deployed and then forgotten
    > They are running the “suggested” rule sets from the supplier
    > It is assumed they are invincible and protect against all 0-day attacks
    > They are confused with NIDS (detection)
    > There is no measurable improvement in the overall security
    > No one is around who can access and use them when you are under attack
    > They are not really enabled for fear of false positives
    > You are subject to (vendor-diffused?) urban legends (“behavioural based”? “auto-learn”?)
    > You use them because they are cool, or your boss told you to, or “for compliance” (sic!!!)
      – They add latency and false positives
    Behold the common mistakes of NIPS!!
  • 6. What to really expect from NIPS? …or, “avoid being ripped off”
    How can NIPS help me?
    > Do not test to bypass them. That’s futile. You can do it. Save your time.
      – Ever heard of “SSL”, “event horizon” and “inspect the first 512 bytes only”?
    > You need to use them in conjunction with other instruments
      – Coordination between different departments of your organisation
    > You need to update and patch the NIPS
    > You need to continually follow and profile the design of your network, applications, business
    > They will not protect you against 0-days (despite what vendors say)
    > You cannot treat them as NIDS – they are a specific tool (you cannot afford false positives)
    > You need to establish a metric and evaluate the real improvements in the overall security
    > You need to have operational procedures to use NIPS on the network
    > You need to enable useful signatures and test them in production
    If you don’t do those steps, you had better save your money!
  • 7. What do you want to do with your NIPS?
    What does my company need? I can use NIPS to…
    > Mitigate specific attacks. For the rest, I need to integrate with other tools
      – They will not protect against all web application attacks, DDoS, malware…
      – They will protect against many – but if you want a locked-down environment, you need to complement them
      – 100% protection is not realistic; 0-day protection is marketing
    > Act as an effective tool for immediate reaction to threats
      – They are in-line
    > Enforce company policies
      – Security is a process. NIPS must be part of the processes
      – Many can do traffic shaping/policing
      – Some can communicate with NAC/NAP or firewalls
    > They can do tunnel inspection, stop exploits, detect anomalies and normalise traffic, detect scans…
    They can be an effective tool if used wisely
  • 8. Basic evaluation/purchasing recommendations
    This is not a shopping guide!!! Some very quick and rough tips and guidelines
    > They will not sustain the bandwidth they claim to
    > The real cost is per network interface
      – NIPS may need from one to four network interfaces to protect a single network segment!
    > Asymmetric traffic paths – state table synchronisation
      – May use one or two network interfaces!
      – May confuse your NIPS – layer 4/7 reassembly and synchronisation
    > VRRP may be problematic
    > Evaluate whether the capabilities are what you need
    > Evaluate how effective the vendor itself is
      – Customer satisfaction track record – will it just sell and then forget you?
    > RTFM – do your research
    Use your brain!
  • 9. Border deployment – Don’t leave them alone
    Some tips and guidelines
    > Border edges of the Data Centre/border routers
    > They can apply traffic policing/shaping
    > They can be the first barrier against malware and attacks against publicly exposed services
      – They cannot do miracles; generally they do not inspect TLS/SSL/encrypted protocols
      – Often they cannot scan inside emails – mail servers today use SMTP over TLS
      – They will only detect what is within their event horizon
    > Better to have them working in conjunction with other tools that work on the border routers/firewalls
      – Before or after routers/firewalls? Depends on your policies
    > You need to pre-emptively discuss with your ISP and establish a network security policy
    > Evaluate the impact on performance
    > Remain realistic: they will add latency and will be bypassed
    Remain focused on making them a useful tool!
  • 10. Inner deployment – Protection of the service
    Some tips and guidelines
    > They can be deployed strategically in front of an important service
      – Achieving compliance? PCI-DSS? SOX?
    > They can sit around in the network
      – Enterprise Office network – connected with NAC/NAP to block the rogue clients on the switch
      – Inside a DMZ/production segment – you need to create a profile
    > What is your policy?
      – I want to detect everything that is attempted against me – deploy a wide rule set
      – I only want to protect against attacks that can hit me – deploy a specific rule set
    > What is the default fall-back scenario?
      – Pass-through or drop?
    Again: remain focused on making them a useful tool!
  • 11. Baseline rule set tuning and deployment – Tune your rule set
    Some tips and guidelines
    > Establish your baseline for a specific environment
      – As described before
    > Test in a test environment
      – If it is possible!
    > Agree on a deployment window
      – Verify whether important things are going to happen… don’t deploy before a new release gets into production!
      – Monitor for a couple of hours, and for a couple of days thereafter
    > Create a report on the differences from the baseline
    > If you prefer: a report about attacks mitigated
    Something changes in the service/network? Repeat the process!
  • 12. Monitoring – Don’t forget them!
    Some tips and guidelines
    > You need to create profiles/deploy rule sets that are useful
      – Many outsourced managed SOCs use statistical tools about which I have strong doubts
      – You need to have a network diagram/maps of your networks and services!
      – You need to profile
        – the services you are protecting
        – the traffic of your networks
      – You then need to tailor your rule sets
      – There is no magic wand, or bayesian-behavioural-self-adapting etc. – this is marketing
      – You need correlation with other tools – antivirus, NIDS, network scanners…
      – You need to have personnel monitoring 24x7x365 who can also access and know how to use the NIPS!
    Again: remain focused on making them a useful tool!
  • 13. Measure effectiveness – Because you have to renew your contracts sooner or later
    Some tips and guidelines
    > How did they behave under attack?
      – Did they detect it at all?
      – Were they useful in mitigating it?
      – Were they manageable under attack?
    > Peer with other NIPS customers
      – Different companies, also from different market segments
    > Do not believe the vendors. Use basic math.
    > Be paranoid
    > Finally: create reports that are readable
      – Your management doesn’t understand a bunch of IP addresses and signature names
    Again: remain focused on making them a useful tool!
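    Slide 11 asks for a report on the differences from the baseline (or on attacks mitigated) and slide 13 for reports a manager can read. The following Python script is an added example, not part of the original deck: it runs on a constructed alert log (the CSV layout, signature names and severities are made up for the example), lists the signatures that are new, gone or spiking against the baseline, and counts blocked events per severity instead of listing IP addresses.

```python
from collections import Counter

# Constructed sample NIPS events (not real output): signature,severity,action
BASELINE_LOG = """\
HTTP_DIR_TRAVERSAL,high,pass
HTTP_DIR_TRAVERSAL,high,pass
SMB_NULL_SESSION,medium,pass
TCP_PORT_SCAN,low,pass
TCP_PORT_SCAN,low,pass"""

AFTER_LOG = """\
HTTP_DIR_TRAVERSAL,high,drop
HTTP_DIR_TRAVERSAL,high,drop
HTTP_DIR_TRAVERSAL,high,drop
SQLI_UNION_SELECT,high,drop
TCP_PORT_SCAN,low,pass
TCP_PORT_SCAN,low,pass
TCP_PORT_SCAN,low,pass
TCP_PORT_SCAN,low,pass
garbage line without the expected fields"""


def parse_alerts(text):
    """Parse the constructed CSV lines into (signature, severity, action),
    skipping malformed lines rather than aborting the whole report."""
    alerts = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3:
            alerts.append(tuple(parts))
    return alerts


def compare_to_baseline(baseline, after, spike_ratio=2.0):
    """Signatures that are new, that disappeared, and that fire at least
    spike_ratio times more often than in the baseline (a spike on a rule you
    did not touch points at a change in the service: repeat the tuning)."""
    base = Counter(sig for sig, _sev, _act in baseline)
    post = Counter(sig for sig, _sev, _act in after)
    spiked = [s for s in post if s in base and post[s] >= spike_ratio * base[s]]
    return {
        "new": sorted(set(post) - set(base)),
        "gone": sorted(set(base) - set(post)),
        "spiked": sorted(spiked),
    }


def mitigation_summary(alerts):
    """Dropped (actually blocked) events per severity: the number that answers
    'were they useful in mitigating it?' without a list of IP addresses."""
    return dict(Counter(sev for _sig, sev, act in alerts if act == "drop"))


def render_report(baseline, after):
    diff = compare_to_baseline(baseline, after)
    blocked = mitigation_summary(after)
    lines = ["Rule-set change report: baseline vs. monitoring window"]
    for key in ("new", "gone", "spiked"):
        lines.append(f"  {key:6}: {', '.join(diff[key]) or 'none'}")
    lines.append("  blocked by severity: "
                 + (", ".join(f"{k}={v}" for k, v in sorted(blocked.items())) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(parse_alerts(BASELINE_LOG), parse_alerts(AFTER_LOG)))
```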
  • 14. Correlation and SOC – Effective security 24x7x365
    Some tips and guidelines
    > Do not import all of your events into your SEM/SIM tool
      – Often you just overwhelm it, even with NIPS
      – Do not work “statistically” and blindly with respect to your architecture
    > The rule set you deployed has an impact on what you get!
      – Often you pay for the SEM/SIM or the outsourced SOC by number of events!
    > Does the SOC (either outsourced or in-sourced) have access to the NIPS?
      – Have you defined user management for the NIPS?
      – What about operational procedures?
      – What about the technical skills of the personnel?
    Again and again: remain focused on making them a useful tool!
  • 15. Thank you