Pratum Blog

Intrusion Detection System

At one time, everyone considered intrusion detection (IDS) or prevention (IPS) systems critical to overall information security success. But in recent years, observers keep declaring IDS/IPS dead, only to see it keep hanging on. And while we’re still not ready to bury IDS/IPS today, we DO urge you to consider how you’re deploying these tools within your overall information security strategy. Without proper tuning and deployment, IDS/IPS solutions can't do their jobs properly. And the current landscape of cloud computing and dispersed workforces means protection tied to a firewall misses a lot of activity. Read on to learn how to properly leverage IDS/IPS in a modern environment.

How IDS/IPS Works

The goal of IDS is to detect cyberattacks by analyzing the signature of data packets as they traverse the network. When the system detects a suspicious packet, it generates an alert. IDS is a passive tool that simply detects and alerts. IPS goes a step farther by adding an active protection method of adapting to the threat and blocking the traffic from reaching the intended victim host. Most IDS/IPS solutions are now available as a bundle with your firewall subscription.


Weaknesses in IDS and IPS Systems

To effectively use IDS/IPS systems, you should be aware of a couple of inherent limitations:

  • They rely on signatures, which means they only watch for what you tell them to. These systems require constant tuning to keep up with changing attack vectors used by cybercriminals. Tuning signatures to eliminate false positives and alert fatigue is a full-time job. In fact, there’s an entire industry providing these services. Even if you purchase these feeds of updated signatures, you still need to test and tweak them to match each unique environment. This explains why most IT teams use IDS rather than IPS. They don’t have time to tune the system, so they just skip the protection tools rather than risk constant business interruptions caused by false positives.
  • They can see only traffic that passes by them. All too often, we see IDS/IPS implementations provide a false sense of security to an organization because of poor network design. Organizations frequently rely on a unified threat management (UTM) type of firewall to provide their IPS. In that setup, the IPS sees only the traffic that is routed through the firewall. Most of the time, this is only internet traffic to the DMZ servers (such as websites and email) and outbound traffic to the internet from the workstations on the local network.

    While a UTM setup is a start, it leaves major gaps in coverage. The setup typically lacks monitoring within security zones or between local workstations, servers and remote workforces. You may have compromised systems attempting to breach other internal systems, but you can’t see it because the IPS never sees the traffic on those network segments unless that traffic is routed through the IDS/IPS.

How to Use IDS/IPS Effectively

Follow these steps to ensure that these tools provide the protection you’re expecting:

  • Get a risk assessment. Many organizations implement IDS/IPS simply to fulfill a compliance checkbox. But you need a full information security risk assessment to get a true picture of your organizational risk. Plus, you may still be non-compliant with IDS/IPS in place because most compliance requirements such as HIPAA, PCI, FISMA, etc. require a risk assessment.
  • Ingest IDS/IPS data into your SIEM. Your SIEM provides a centralized log and alerting system for the entire environment. An IDS keeps its own logs, but how often are you looking at them? By ingesting the IDS/IPS data into your SIEM, you’ll have a clear look at what’s happening. This process will probably show you just how noisy most IDS/IPS solutions are in terms of alerts generated, which will probably motivate you to do some tuning.
  • Add EDR (endpoint detection and response). Protection tied to your firewall doesn’t account for today’s distributed workforces. Many of your users now work remotely, which means their activities never pass through your corporate firewall. The solution is EDR, which bundles active detection and response into each workstation. A full Managed Extended Detection and Response (XDR) system protects workstations, IoT devices, BYOD issues and more.
  • Leverage XDR to make IDS/IPS more effective. With the detailed information and correlation provided by XDR, you’ll be able to spot poorly tuned IDS/IPS, antivirus and other tools and make the right adjustments.

For help reviewing your security system’s architecture, contact us today.


Here’s the hard truth about monitoring solutions: Most companies haven’t properly configured their SIEM/XDR system. Logging millions of events per day may seem productive. But what good does it do if an IT team is overwhelmed with alert fatigue and learns to ignore most of the notifications they get?

“The basic rules in your SIEM may be functioning, but they often aren’t functioning well,” says Pratum Chief Technology Officer Steve Healey. Read on to learn how trained SOC analysts leverage SIEM/XDR tuning to turn out-of-the-box rules into meaningful tools for reducing noise and alert fatigue while stopping attacks before they gain a foothold.

The Problem with Out-of-the-Box SIEM Rules

All SIEM solutions come pre-loaded with a large number of rules. Alert fatigue happens because standard rules can’t possibly work equally well in every environment. “The idea behind those rules is solid, but they’re generic,” Steve says. “The execution will lead to an enormous number of false positives and alert fatigue. You’ll have to tune the rules with additional logic specific to your business to create exceptions without impeding the rule’s original intent.”

Beyond SIEM vendors, many other tech vendors regularly issue new detection rules to close gaps discovered in their own products. Many of those rules also generate a flood of false positives. Pratum’s SOC analysts (who have managed multi-tenant SIEM/XDR solutions for more than a decade) review each new rule’s goal and customize it for every customer’s environment. “We don’t just disable ineffective rules,” Steve says. “We take the core intent of the rule and build it out to get high-fidelity results.” With this kind of tuning, Pratum recently turned 266 million monthly security events in one client’s environment into just 41 alerts sent to the client’s IT team.

Reducing Alert Fatigue

The real art of creating SIEM/XDR rules lies in finding the sweet spot of writing rules sensitive enough to detect real threats but not so sensitive that they cause constant false positives. Nobody wants to get an alert every time someone logs in from a coffee shop using a different IP address. But if a legitimate user who normally uses an iPhone suddenly logs in through an Android device in a new geographic location, that’s worth an alert.

The solution is a team of SOC analysts trained to create models of normal activity. By identifying patterns of typical activity, analysts help the system recognize a scenario that checks all the boxes to be suspicious—but actually isn’t. “We can create threat models based on baseline behavior so we know what’s normal and only send an alert when the pattern changes,” Steve says. “Machine learning can figure that out over time.”
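The baseline-then-deviation logic described above, as an added illustration (not Pratum’s rule logic or any SIEM vendor’s code): a per-user profile of normal device types and countries is built from constructed sign-in history, and a new sign-in is scored so that a changed IP alone is ignored while a new device type in a new country raises an alert.

```python
from collections import defaultdict

# Constructed sample sign-in history for this example (not real data), oldest first.
HISTORY = [
    {"user": "alice", "device": "iPhone", "country": "US", "ip": "203.0.113.10"},
    {"user": "alice", "device": "iPhone", "country": "US", "ip": "203.0.113.11"},
    {"user": "alice", "device": "iPhone", "country": "US", "ip": "198.51.100.7"},
    {"user": "bob", "device": "Windows", "country": "US", "ip": "203.0.113.20"},
    {"user": "bob", "device": "Android", "country": "CA", "ip": "198.51.100.9"},
]


def build_baseline(events):
    """Record, per user, which device types and countries count as normal."""
    baseline = defaultdict(lambda: {"devices": set(), "countries": set()})
    for e in events:
        baseline[e["user"]]["devices"].add(e["device"])
        baseline[e["user"]]["countries"].add(e["country"])
    return baseline


def evaluate(event, baseline):
    """Classify a new sign-in as 'alert', 'review' or 'ignore'.

    A different IP on a known device in a known country is the coffee-shop
    case and is ignored. A new device type OR a new country alone is queued
    for review. Both at once is the pattern the text describes and alerts.
    """
    profile = baseline.get(event["user"])
    if profile is None:
        return "review"  # no baseline yet, so nothing to compare against
    new_device = event["device"] not in profile["devices"]
    new_country = event["country"] not in profile["countries"]
    if new_device and new_country:
        return "alert"
    if new_device or new_country:
        return "review"
    return "ignore"
```

In a real deployment the baseline would be rebuilt on a rolling window so that a user who legitimately switches phones stops generating review items after a few days.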

(This blog provides a summary of the logic used to eliminate false positives.)

The following real-world scenarios illustrate how SIEM tuning modified standard rules into more accurate reporting tools that stop the alert fatigue.

Use Case #1:

Fighting Business Email Compromise

Pratum recently revised one rule intended to deal with the growing threat of business email compromise (BEC) attacks. In these situations, hackers take over a legitimate user account. Then they often create email forwarding rules that let them intercept a user’s messages and conceal the fact that the account has been compromised. Many SIEM solutions now include a stock alert designed to watch for the creation of suspicious forwarding rules. But Pratum’s analysts recognized that the stock rule wasn’t catching the forwarding rule hackers are using most right now. So Pratum’s SOC team wrote a new rule, had the Pratum penetration testing team attempt an exploit to validate the rule, then rolled the rule out to Pratum’s entire client base. The new rule not only identifies the activity, but can also automatically orchestrate a response to contain the threat.
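The class of check such a forwarding-rule alert performs, as an added example that is not Pratum’s rule or any vendor’s stock rule: over constructed mailbox-audit style events, flag newly created inbox rules that forward mail to an address outside the organization’s own domains, or that forward and delete (which hides the messages from the mailbox owner). The event keys and the internal domain list are assumptions for this example.

```python
# Assumed internal domains of the constructed organization.
INTERNAL_DOMAINS = {"example.com"}

# Constructed inbox-rule creation events for this example (not real audit logs).
# Keys approximate what a mail platform records when a user creates a rule.
RULE_EVENTS = [
    {"user": "alice@example.com", "forward_to": [], "delete": False},
    {"user": "alice@example.com", "forward_to": ["cfo@example.com"], "delete": False},
    {"user": "bob@example.com", "forward_to": ["mail@evil-example.net"], "delete": True},
    {"user": "carol@example.com",
     "forward_to": ["carol@example.com", "p@attacker-example.org"], "delete": False},
]


def rule_findings(event, internal_domains):
    """Return the reasons a new inbox rule looks like BEC tradecraft.

    An empty list means the rule is benign under these two checks.
    """
    reasons = []
    external = [addr for addr in event["forward_to"]
                if addr.rsplit("@", 1)[-1].lower() not in internal_domains]
    if external:
        reasons.append("forwards to external address")
    if event["forward_to"] and event["delete"]:
        reasons.append("forwards and deletes (hides messages from owner)")
    return reasons


def triage(events, internal_domains=INTERNAL_DOMAINS):
    """Return (user, reasons) for every event that produced at least one finding."""
    results = []
    for e in events:
        reasons = rule_findings(e, internal_domains)
        if reasons:
            results.append((e["user"], reasons))
    return results
```

A production version would also correlate the rule creation with the sign-in that preceded it, since a rule created minutes after an anomalous login is far higher fidelity than either signal alone.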

Use Case #2:

Eliminating False Positives

“The intent of most rules is terrific. A lot of rules would be amazing if they were accurate 100% of the time. But they aren’t,” Steve says. Pratum’s SOC team noticed that one stock rule started generating 50 tickets a day for every organization Pratum manages. Less than 5% of the alerts were legitimate threats because the rule kept triggering when normal software operations took place.

The analysts disabled the rule to stop the flood of unactionable data, then rewrote it with complex logic that cut the false positives to almost zero. “Within 72 hours of enabling the new rule, it saved one of our customers from an intrusion that the stock rule missed,” Steve says.

Use Case #3:

Tailoring Rules for SMBs

SIEM developers rightfully talk a lot about their solutions’ machine learning capabilities. But the developers tend to focus their machine learning work on big customers, which means some of the tools don’t do much for small organizations generating a limited amount of monthly data. So Pratum’s analysts devote a lot of attention to modifying rule logic so that companies with, say, 30 employees benefit from the next-gen tools as much as companies with 1,000 employees.

For more information on how Pratum’s custom SIEM/XDR rules could make your organization more secure and efficient, contact us today.


Ransomware is rapidly becoming everyone’s problem. If all the recent headlines have provided the wake-up call you need, we have the tips to help you prevent ransomware. Here's what you can begin doing today:

1. Patch Your Systems

A lot of IT leaders focus their battle against ransomware around stopping zero-day threats. But digest this fact: One recent analysis showed that almost two-thirds of system vulnerabilities involve bugs that were identified two years ago. That literally means that the majority of your vulnerabilities are already solved if you just make the effort to use available patches. Hackers love to grab low-hanging fruit. Don’t let them find it on your system. Get a vulnerability scan and then address the gaps.

2. Use Proper Port Settings

Leaving certain port settings open unnecessarily gives hackers an easy gate into your system. CIS Controls 9 and 12 offer information on some common settings to check.

3. Actively Monitor Your Systems

If a ransomware actor does get a toehold in your system, spotting it immediately lets you shut down the breach before things get out of hand. IBM reports that it takes 280 days to identify the average breach. You can do a lot better. The latest defense is a Managed Extended Detection and Response solution that constantly monitors activity, uses artificial intelligence to recognize a series of separate actions as a brewing attack and actively steps in to shut down suspicious activity.

4. Segment Your Systems

By effectively isolating/air-gapping various parts of your system, you limit how far ransomware hackers can get if they penetrate one part of the network.

5. Limit Each User’s Access

Similar to the previous point, implementing a policy of least-privileged access and Identity and Access Management means you keep hackers from getting into your entire system if they compromise one user’s credentials.

6. Have a Robust Backup Strategy

Even if ransomware locks up your data, an effective backup of your data lets you quickly restore operations. Test the backup often to ensure it’s doing its job.

7. Plan Ahead

A detailed incident response plan helps everyone know what to do to limit the damage when you get a notice that you've been hit by ransomware. Breach costs are 38% lower for companies that have an IR plan in place before the breach.

8. Train Your Team—And Keep Training Them

Ransomware frequently gets onto a system when a user clicks a bogus e-mail link or falls for social engineering via text messages. Engaging every member of your team in cybersecurity, and in how it keeps the business running, will provide one of the best defenses. Provide regular training on the latest tricks in phishing and other social engineering tactics.

9. Get an Outside Opinion

An IT risk assessment, vulnerability scan and penetration testing all provide essential checks on your current cybersecurity posture and point to critical remediations you need to make.

Along with making your system more secure, these steps will almost certainly help you get a lower cyber insurance premium at a time when rates are rapidly increasing.

The Government's Response to Ransomware

The U.S. government is also stepping up its response. President Biden issued an executive order in May aimed at, among other actions, strengthening software security in federal agencies and creating a federal board to investigate major breaches. The administration says it intends to shift the focus from incident response to incident prevention.

Dozens of states are working on new regulations to step up cybersecurity across several industries. 

America continues to pressure Russia about its hacker-friendly climate since major attacks such as the JBS breach, the Colonial Pipeline attack and multiple others were almost immediately attributed to criminal organizations in Russia. But if you’re pinning your organization’s safety on the hope that Russia will crack down on hackers, you may also have a tendency to think vampires make excellent stewards of blood banks.

The fact is that the government can’t keep up. Hacking operations are well-run businesses employing some of the world’s best coders. They shift tactics constantly and engage in flexes like quoting your own cybersecurity policy back to you if you claim that you can’t afford the ransom they demand.

Contact Pratum to find out how we can help get you ready to stop ransomware attacks before they strike.
