Extrusion Detection is the new black … Ok, perhaps I exaggerate a little, but it does seem to be one of the more fashionable things at the moment. The funny thing is, it isn’t really anything new – a few years back, in the Snort Cookbook, Angela Orebaugh, Jacob Babbin and I discussed all of the components required to build pretty much any form of network traffic monitoring you might like to imagine. The book has now been released on the O’Reilly Commons – a free resource where I am hoping to bring the book up to date to reflect the current iterations of Snort and correct any errors that have crept in over the last few years.
Extrusion detection, it seems to me, encompasses two distinct areas: (1) detecting attacks that emanate from inside your network (e.g. compromised hosts attempting further attacks – think botnets, viruses or worms) and (2) detecting the movement of your data out of your network to places it shouldn’t be going (e.g. your customers’ credit card details being posted to an external FTP or web server).
In this respect, it is clear that area (2) is of great interest to those seeking compliance, be it with PCI DSS, ISO 27001 or any other standard. As with many controls, there is no guarantee that this will detect or stop everything – people are infinitely inventive and stupid in equal measure, so nothing is certain – but it does give some level of assurance that things aren’t happening that shouldn’t be.
Crafting and tuning your IDS rules takes time and effort, and also requires a fundamental understanding of the data that exists within your company. One of the hardest parts of the work that Thinking Security does is ensuring that we identify our clients’ data down to the last detail, so that we can write policies, procedures and rules that _do_ meet the needs of the organisation.
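To make the two areas above concrete, here is a small, added example (my own illustration for this post, not code from the Snort Cookbook or from Snort itself) that runs both kinds of check over a handful of constructed flow records: a fan-out check that flags an internal host talking to an unusual number of distinct external hosts on one port (area 1), and an outbound payload check that flags card numbers leaving the network (area 2). The HOME_NET ranges, the port and threshold, and the sample flows are all assumptions made up for the example; the Luhn check is there precisely because of the tuning point just made – a bare 16-digit regex alerts on order numbers and timestamps, and the checksum removes most of that noise without removing the need to know what your own data actually looks like.

```python
"""Toy extrusion-detection pass over constructed flow records.

Added example for this post: not Snort code and not from the Snort Cookbook.
It mirrors the two areas described above: (1) an internal host behaving like a
compromised box (many outbound connections to distinct external hosts on one
port) and (2) data leaving the network (a Luhn-valid card number in an
outbound payload).
"""
import ipaddress
import re
from collections import defaultdict

# HOME_NET as a Snort operator would define it (assumed ranges for this example).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]

# Loose PAN pattern: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def is_internal(ip):
    """True if the address falls inside one of the HOME_NET ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def luhn_ok(digits):
    """Luhn checksum over a string of digits; all real card numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload):
    """Return Luhn-valid candidate card numbers found in a payload."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def outbound(flow):
    """Only HOME_NET -> non-HOME_NET traffic counts as leaving the network."""
    return is_internal(flow["src"]) and not is_internal(flow["dst"])


def detect_exfiltration(flows):
    """Area (2): card numbers in outbound payloads. PANs are masked in alerts."""
    alerts = []
    for f in flows:
        if outbound(f):
            for pan in find_pans(f.get("payload", "")):
                alerts.append((f["src"], f["dst"], f["dport"],
                               pan[:6] + "..." + pan[-4:]))
    return alerts


def detect_fan_out(flows, port, threshold):
    """Area (1): internal hosts reaching >= threshold distinct external hosts on port."""
    targets = defaultdict(set)
    for f in flows:
        if outbound(f) and f["dport"] == port:
            targets[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed sample flows (not captured traffic). 4111 1111 1111 1111 is the
# well-known Visa test number and passes Luhn; 1234 5678 9012 3456 does not.
SAMPLE_FLOWS = [
    {"src": "10.0.0.7", "dst": "203.0.113.10", "dport": 21,
     "payload": "STOR cards.csv\r\nJ Smith,4111 1111 1111 1111,12/14\r\n"},
    {"src": "10.0.0.7", "dst": "203.0.113.10", "dport": 80,
     "payload": "POST /upload HTTP/1.1\r\n\r\norder=1234 5678 9012 3456"},
    {"src": "198.51.100.4", "dst": "10.0.0.7", "dport": 443,
     "payload": "card=4111111111111111"},   # inbound: not an extrusion
] + [
    {"src": "10.0.0.5", "dst": "203.0.113.%d" % n, "dport": 445, "payload": ""}
    for n in range(20, 60)                   # one host scanning 40 external SMB targets
]

if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_FLOWS):
        print("EXFIL", alert)
    for src, count in detect_fan_out(SAMPLE_FLOWS, 445, 20).items():
        print("FAN-OUT", src, "->", count, "distinct hosts on tcp/445")
```

Run as is, the script reports one exfiltration alert (the FTP upload from 10.0.0.7; the HTTP POST fails the Luhn check and the inbound flow is ignored because the direction is wrong) and one fan-out alert for 10.0.0.5. In Snort terms the direction test is what `$HOME_NET any -> $EXTERNAL_NET` plus `flow:to_server,established` gives you, the payload test is a `pcre` match, and the fan-out threshold is the kind of thing you would express with a `threshold` or `detection_filter` option; the numbers in all three have to come from knowing your own network and data.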
I’m working on a White Paper at the moment on the use of Snort for Extrusion Detection and Policy Enforcement. I’ll announce it here when it is done, and you’ll be able to find it on the Thinking Security site. We are also working on some Snort training in association with O’Reilly and the UK Unix Users Groups for 2012. In the meantime, the Snort Cookbook is a great resource, and I’d be happy to chat about it more specifically if you want to drop me a line.