Next-generation intrusion prevention: The post-attack period

Martin Roesch, lead developer of Snort IDS, explains the role of intrusion prevention during the post attack period of the attack timeline.

As with the pre-attack period, it is helpful to sub-divide the post-attack period, although this time the basis is function/purpose as opposed to time sequence.

The first sub-division deals with the extension of detection efforts beyond the time-zero period and is largely about correlation. For example, network behavior anomaly detectors (NBADs) use statistical correlation to establish rate-based thresholds for various types of events. However, security event/security information management systems provide an even clearer example. These products afford the opportunity to correlate events gathered by a wide variety of networked devices, potentially leading to the discovery of attacks that are being coordinated across multiple paths or over a relatively long time period.

The second sub-division is less technology centric and more process oriented. Overall it can be called incident response, which is intended to include forensic and remedial activities. Fundamentally, it is about dealing with a successful attack, and ideally it should also involve taking steps to prevent recurrence.

And with that, the attack timeline is fully defined. The final part in this series describes the vision of next-generation intrusion prevention, a system that integrates capabilities across this time continuum and aspires to provide a truly self-defending environment.


NEXT-GENERATION INTRUSION PREVENTION

  A continuum of capabilities
  The pre-attack period
  Time zero (during the attack)
  The post-attack period
  The power of an integrated system

ABOUT THE AUTHOR:
Martin Roesch founded Sourcefire in 2001 and serves as its Chief Technology Officer. A respected authority on intrusion detection technology and forensics, he is responsible for the technical direction and product development efforts. Martin, who has 17 years industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort Intrusion Detection System (www.snort.org) that forms the foundation for the Sourcefire 3D System.

This was first published in September 2005
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close