In this section, we're going to talk about defensive tools for the modern enterprise. Primarily, we're going to be looking at five different types of tools. There are more tools and more types of tools that you will see depending on the scope of your enterprise or your organization, but these are the five types that you're going to primarily see and be dealing with every day working as a network defender. We're going to talk about intrusion detection software, which identifies possible malicious activity on the network or system; intrusion prevention software, which is similar but different in that it tends to block malicious activity from reaching the system; data loss prevention software and techniques, where the idea is preventing attackers or malicious users from stealing sensitive data from your organization, stopping them from emailing or sending data outside of the network; network traffic analysis, analyzing traffic and looking for potentially malicious patterns or anomalies; and event monitoring and logging, consolidating system logs and looking for potentially malicious activity. So we're going to spend a lot of time talking about each one of these: what they do, what the pitfalls of them are, and then we'll try and show some of them at least briefly. So let's start by talking about intrusion detection software. An intrusion detection system, or IDS, is a device or software application that monitors the network or system for malicious activity or policy violations. When such a problem is detected, an IDS alerts the administrator, but doesn't necessarily take any other action. There are two common types of IDS: network intrusion detection systems and host-based intrusion detection systems. The difference there is that network intrusion detection systems are going to sit at a network boundary or a switch or some sort of checkpoint in your network,
and they're going to look at the traffic that goes through that choke point. Host-based intrusion detection systems are a piece of software that sits on your local host or system, and it looks at traffic going in and out of that host, and it looks at things that may happen on the host: file writes or events. There are also two primary methods of detection, signature-based detection and anomaly-based detection. Signature-based detection is kind of your typical concept, like with antivirus, where all the bad stuff's already been predefined and it sits in a database. Whenever something happens on the system or on the network, the IDS checks its database of signatures. If the current event matches a signature that's in this database, it alerts. Whereas anomaly detection is where you kind of train your system to know normal. I'm going to keep repeating "know normal" because that's a very important concept in defender land: to know how the machine operates daily. So you teach your IDS, you kind of get it into the process of typical operating hours, how much traffic is typical, what kind of applications, logins, things of this nature. Every different type of event you can imagine and how often they happen; and once it learns what normal is, it locks that in, and then whenever there's something that's abnormal, it alerts on that. That's an important takeaway here: an IDS doesn't necessarily take any action, it just alerts an administrator. Intrusion prevention systems take action: they prevent the attack, they drop the packets, they block the system, whatever the case is. So IDS just alerts, IPS prevents or blocks. And then we have two different types of IDS, which are NIDS and HIDS, and anomaly-based and signature-based are the methods. There are other methods that you'll hear about: protocol methods, where it looks for insecure protocols like HTTP or HTTPS.
A lot of times, though, these protocol methods, or the reputation methods you'll also hear about, are not the main method used by an IDS. And to that end, most modern-day IDS systems are a combination of everything here. They're either a HIDS or a NIDS, because it's really hard to be both, but they usually use all of the methods of detection that they can: they'll use signature-based, anomaly-based, protocol-based, reputation-based, whatever they can use, they will. So HIDS versus NIDS. Network intrusion detection systems monitor packets moving into and out of a network or a subset of the network. Remember that choke point on your network, where maybe it's a switch, maybe it's a gateway; that's where your NIDS is going to sit. It could monitor all traffic or just a selection to catch security threats. And what we mean by that is it could automatically allow all internet HTTP web traffic to go through and not even look at it, it's not concerned about that; but if it sees something like SSH, for instance, it immediately stops and inspects it to make sure it's safe. That's one example. Generally speaking, depending on your capabilities and resources, what resources you have and what capabilities your organization has, the more things you can look at effectively, the better. Whereas HIDS is going to live on each system and it monitors a single host. It might monitor traffic, but it's also going to monitor activity on the computer. Now, the HIDS can alert immediately to the end user, and in the image here we show it pushing to a centralized control module. Sometimes that's the case, with tools like Tanium or Tripwire or something like this, where they look for events, they push them off to an event consolidator, and that event consolidator is what alerts your IDS, which alerts you.
But in the case of something like Windows Defender on your system, the HIDS alerts immediately. So not everything is going to push it off the host, but they do all look for events in the case of HIDS. Now, HIDS and NIDS can be used together to provide extra coverage, and this is the preferred approach for the most secure, defense-in-depth kind of protection. And the reason why is because they both have their benefits and their downsides. NIDS requires a lot of processing power. If you've got a large organization, it does a lot of traffic, and it's important you're able to capture that traffic and process it without impacting network flow, right? You don't want to slow down the network trying to inspect it for security. One of the biggest issues that security in general has is being an inhibitor, right? We always want to be something that enables the organization; we don't want to disable the organization. And with HIDS, one of the downsides there is that in order to effectively do HIDS, you have to have asset management under control. You have to know what hosts you have, you have to ensure that you have HIDS coverage on all of your hosts, and you have to be able to respond when there's an alert. So it's good to use both of them, especially because if we look at defense in depth, which is this assumption that things can fail at different points within your network or defense layers: if something bypasses your NIDS, you want it to be detected by your HIDS, and vice versa, so you have the extra step the attackers would have to bypass. And there are two main detection types, anomaly-based and signature-based. Signature-based IDS relies on a pre-programmed list of known attack behaviors. Signature-based IDS is extremely popular and it's effective, but only against its database of known signatures. And this is important because it's very easy and very common for an attacker to encode or modify their attacks to try and bypass signatures.
A lot of times they go out to a site like VirusTotal and they will check to see if the virus they've created, the piece of malware they've just created, alerts on anything within VirusTotal. If it does, then they keep refining it to try and bypass more and more things, which typically means stripping out maybe specific verbiage that's used, or encoding things more, until it doesn't get detected by anything on VirusTotal. And then once they know it's not being detected by any antivirus engine, they use it in an attack. So signature-based is very popular, it's very easy to use, but it can be bypassed by a determined enough attacker. And what do I mean by this when we talk about stripping out and modifying? If we have a piece of malware where the name of the malware is virus.exe, and the signature is: check if the exe's name is virus.exe, and if it is, then that's bad, alert. Well, if the attacker just changes it to notavirus.exe, doesn't that bypass the signature? That sounds very simple, and that is a very simple use case, but you can think about this in terms of library usage within an application or an exe, maybe some sort of binary the attacker is using. Do they rename all their libraries? This is what we call obfuscation. Do they obfuscate all their function calls and their libraries, so that you don't see malicious libraries being used, you just see some sort of gibberish that's being used, and you see some sort of gibberish function call and it doesn't specifically say what you're trying to do? So obfuscation is a really common technique to help bypass signature-based IDS. Anomaly-based IDS begins with a model of normal behavior on the network, then alerts any time it detects any deviation from that model of normal behavior. This can be more useful than signature-based because it's better at protecting against new and unrecognized attacks.
The benefit to this, right, is that if it's a zero-day, for instance, and it doesn't have a signature, anomaly-based detection can detect it, because it's not looking for specifics, it's just looking for heuristics. However, it can set off many false positives, and the reason for this is because, again, say anomaly-based gets tuned so that it only registers the following: the system has these ten applications that it runs, and the user logs in and works from 9:00 AM to 5:00 PM every day on these ten applications. Well, one day that user decides to work some overtime, or one day they come in early and they log in at 8 o'clock. And the anomaly-based IDS maybe sends an alert that says, hey, there's an irregular login, or this person forgot their password. That's going to send an alert that can create a lot of noise for your network defenders to have to sort through, and it's a false positive, because ultimately the network defender is going to look through it, they're going to reach out to the system owner to see if it's a legitimate issue or not, and they'll find out the person just came in to work early, or they forgot their password, or what have you. The other thing with anomaly-based is that the concept of a model of normal behavior can be very hard to obtain. In general, we call this putting it into a learning state. So you can imagine, when you roll out your anomaly-based IDS on the system, you have to basically just put it in a passive mode, so it just sits there and it sees what traffic looks like and it sees what event logs look like, what's normal for the environment. Again, that "know normal": it has to know what normal is before it can detect what is abnormal. The problem with this is that normal can be hard. If you have a security incident in the middle of your learning process for the IDS, well, now it's baked in that security incident as a potentially normal thing.
If you've already got attackers on your network when you roll out your IDS, it may bake in the attacker characteristics as normal traffic on the network. So it can be very difficult to get a good knowledge base for your anomaly-based IDS. On the right here, we've kind of got a flow chart for how the two IDS systems work. They start with your data source, and your data source is going to be your network or your host either way. Then, for signature-based detection, once a piece of data comes from your host to your IDS, it has to match the pattern; so here it has to get the file name of the exe, virus.exe. So then it goes through the security rules and sees if there's a matching pattern. Yes, virus.exe is in that database of known bad things, so it will then generate an alert. Whereas for anomaly-based, you have your data source, which generates an activity profile; that's the "know normal" time, that's that learning time. And once it has that learning time, data that comes from the data source runs through the learned profile, and if it's anomalous to what should be normal behavior on that system, it then generates an alert. For Security Onion, which we'll be doing a little bit later, we're using Suricata. Suricata is an open-source tool, and Suricata is actually an IDS and an IPS. It is a NIDS-based IDS and it uses all of the detection types, so it's going to use signature-based, anomaly-based, protocol-based, all of these things. So that's very common and typical in newer applications: they combine as many of those resources as possible so they can be a more full-coverage tool and be as effective as possible. Next up, we're going to talk about intrusion detection software.
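As an added example (not from the lecture, and not Suricata or any real IDS), here is a toy Python sketch of the two detection flows in the flow chart: a signature check on the exe's file name, and an anomaly profile built during a learning state. The events are constructed to reproduce the points made above: notavirus.exe slips past the name-based signature, alice's 8 o'clock login fires the false positive, and bob's baseline was learned while an attacker was already logging in at 03:00, so that activity is baked in as normal and never alerts.

```python
"""Toy signature-based vs anomaly-based detection. Added example with
constructed sample events; it models the lecture's flow chart, not a real IDS."""

# Signature database: known-bad file names (constructed, like the lecture's virus.exe).
SIGNATURES = {"virus.exe"}


def signature_detect(events):
    """Alert on any event whose file name exactly matches a known signature."""
    return [e for e in events if e.get("file") in SIGNATURES]


def learn_profile(training_events):
    """Learning state: record the login hours seen per user. Everything in the
    training window becomes 'normal', including any attacker activity in it."""
    profile = {}
    for e in training_events:
        if e["type"] == "login":
            profile.setdefault(e["user"], set()).add(e["hour"])
    return profile


def anomaly_detect(profile, events):
    """Alert on a login at an hour never seen for that user during learning."""
    return [e for e in events
            if e["type"] == "login" and e["hour"] not in profile.get(e["user"], set())]


# Constructed training data: alice works 09:00-17:00; bob's baseline was captured
# while an attacker was already logging in as bob at 03:00 (poisoned learning state).
TRAINING = ([{"type": "login", "user": "alice", "hour": h} for h in range(9, 18)]
            + [{"type": "login", "user": "bob", "hour": h} for h in (9, 3)])

# Constructed live events fed to both detectors.
LIVE = [
    {"type": "file", "file": "virus.exe"},            # matches the signature
    {"type": "file", "file": "notavirus.exe"},        # renamed: same malware, no signature hit
    {"type": "login", "user": "alice", "hour": 8},    # came in early: anomaly, a false positive
    {"type": "login", "user": "bob", "hour": 3},      # attacker login, baked in as normal
]


def run():
    """Return (signature alerts, anomaly alerts) for the constructed live events."""
    profile = learn_profile(TRAINING)
    sig = [e["file"] for e in signature_detect(LIVE)]
    anom = [(e["user"], e["hour"]) for e in anomaly_detect(profile, LIVE)]
    return sig, anom  # (['virus.exe'], [('alice', 8)])


if __name__ == "__main__":
    print(run())
```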