This article can also be found in the Premium Editorial Download "Information Security magazine: Betting the house on network anomaly detection systems."
Download it now to read this article plus other related content.
|The Real Deal|
Network anomaly detection has been around for a few years, and the concept of anomaly detection in network defense even longer. The following debunks a few myths surrounding NAD:
Automated profiling/modeling/training eliminates tuning.
Automated response capabilities to enable containment, like
pushing ACLs to network infrastructure, can protect against threats.
NAD catches hard-to-detect insider misuse that cannot be addressed by firewalls and IPS.
NAD detects zero-day exploits.
NAD is the last line of defense.
It doesn't eliminate it; it changes the nature of the tuning from which signatures should be enabled to which anomalies you choose to highlight and address.
Automated response features are present, but — as was the case with early adopters of IPS products — most operators are reluctant to turn on automated response because of the high potential for false positives. While NAD produces interesting intelligence, the collected data is better suited for investigative rather than automated responses.
Technically, yes, but it's subject to the limitations of determining which anomalies are really important. NAD doesn't substantially affect the difficulty of detecting and addressing malicious insiders.
NAD detects infections and helps organizations contain them before they spread, which could be argued as the only really effective way to deal with zero-day attacks. There's no magic that understands zero-day exploits any better than any other technology.
This may be true. As a decision-support system, NAD helps organizations address the impacts of various attacks and behaviors on their network.
Not Really an IPS
To understand the value and limitations of NAD technology, it helps to understand the differences between it and a traditional IDS/IPS. NADS are more complementary than competitive solutions to the signature-based technologies. While the systems have the ability to trigger automated responses and/or blocking like IDS/IPS, they're used most frequently to create a presentation of the network traffic that allows a security manager with good contextual knowledge of his network to identify otherwise elusive behavior. They can be thought of as a last line of defense when preventive tools like firewalls and IPSes fail to stop real-time exploitation of vulnerabilities. And, they can be used to detect new applications, behavior and devices for investigation.
The most significant difference between NADS and IPS/IDS is the class of attacks each addresses. An IPS primarily detects (and possibly blocks) attacks that can be predefined. The size and comprehensiveness of the attacks that can be blocked is dependent on many factors, such as placement of the sensors and quality of the signatures.
Despite vendor claims to the contrary, NAD is primarily an investigative technology. While it has the potential to detect zero-day and other stealthy attacks, confidence in its results remains a problem in enabling automated response mechanisms. This isn't unlike the early versions of IDS/IPS products, which weren't reliable enough to enable automated responses. In this light, NAD is best used to detect, investigate and manually address suspected incidents and problems.
Herein lies its advantage and differentiation from IDS/IPS: NADS may not be able to automatically detect and block with the confidence of an IPS signature, but neither can an IDS/IPS help an organization if the enabled signature set misses something. This is where NAD shines.
One company reported installing a NAD product after Nimda hit its network, penetrated 70 percent of its servers and took four days to bring under control. With NAD firmly in place, the company was then hit by the MyTob virus. The system discovered MyTob on five PCs within a few minutes of the first infection, and sysadmins manually blocked ports to contain the virus. This is a typical success story with NADS, where they provide early warning and investigation to isolate the problem, but aren't used for automated response.
In addition to detecting ongoing attacks, NADS can work with policy compliance or vulnerability management applications to monitor and prevent incidents. For instance, NADS can detect machine-to-machine connections, unauthorized applications and processes, protocol and port usage, misconfigured systems, network traffic loads and bandwidth consumption.
This was first published in July 2005