This month I'm going to explain how to fast track your success with intrusion detection in AlienVault USM. We’ll start with a brief description of acronyms and close with some tips for deciding when to use HIDS vs. NIDS. My hope is that you’ll walk away with a better understanding of how these technologies enhance your security posture.
Let's start with HIDS (Host-based Intrusion Detection System). Wikipedia defines it as follows: "A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system as well as (in some cases) the network packets on its network interfaces (just like a network-based intrusion detection system (NIDS) would do)."
Great! So what does that mean, and how do we use it in AlienVault USM?
AlienVault USM Appliance and AlienVault OSSIM implement HIDS with an OSSEC-based agent. The USM console can push the agent to Windows machines automatically (it needs administrative credentials for, and network reachability to, each target), while on Linux and UNIX hosts the agent is installed manually and registered with the sensor.
The agent then inspects local artifacts on the machine it is deployed to: log files, registry entries, running processes, file integrity, and so on (an important distinction I'll get back to later). It reports what it finds back to the AlienVault sensor, which normalizes the events and feeds them to the correlation engine. The agent can also act, not just observe: its "Active Response" feature runs commands on the host in response to certain triggers, for example blocking a source address after a burst of failed logins. Because those commands run with the agent's privileges (root or SYSTEM), test every response carefully and exempt your management hosts from it, or a noisy rule will lock you out of your own server. What the HIDS agent cannot do is look directly into network traffic: it sees only what is logged on the host where it is installed, and nothing about the hosts around it. That is where NIDS comes in.
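To make the host-side picture concrete, here is a small illustration, added for this post, of what a HIDS agent does with a local log and an active-response hook. It is not OSSEC or AlienVault agent code: the sshd log lines are constructed, the addresses are documentation ranges, the threshold and window are assumed values, and the "response" is returned as the firewall command the agent would run rather than executed.

```python
"""
Minimal HIDS-style log monitor with an active-response hook.

Added illustration, not OSSEC/AlienVault agent code. It does what a host
agent does with a local log: parse events, count failed SSH logins per
source address inside a time window, and fire an "active response" (here:
return the command it would run) once a threshold is reached. Management
hosts on the whitelist still raise an alert but are never blocked.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in classic syslog format (no year in the timestamp).
SAMPLE_AUTH_LOG = """\
Mar 14 10:02:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 10:02:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 14 10:02:04 web01 sshd[2215]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2
Mar 14 10:02:05 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 14 10:02:06 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 51044 ssh2
Mar 14 10:02:07 web01 sshd[2221]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar 14 10:02:09 web01 sshd[2223]: Failed password for root from 198.51.100.20 port 40120 ssh2
Mar 14 10:09:30 web01 sshd[2301]: Failed password for root from 203.0.113.9 port 51100 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

THRESHOLD = 5            # assumed: failures from one source before responding
WINDOW_SECONDS = 120     # assumed: sliding window the failures must fall in
WHITELIST = {"198.51.100.20"}   # assumed management host, never blocked


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def active_response(ip):
    """The command the agent would execute; returned, not run, here."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def monitor(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS,
            whitelist=WHITELIST):
    """Return (alerts, responses) produced by one pass over the log."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerted = set()
    alerts, responses = [], []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                      # successes and other daemons are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()                   # drop failures that aged out of the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "failures": len(q), "at": ts})
            if ip in whitelist:
                continue                  # alert, but never lock out management
            responses.append(active_response(ip))
    return alerts, responses


if __name__ == "__main__":
    found, actions = monitor(SAMPLE_AUTH_LOG)
    for a in found:
        print(f"ALERT {a['ip']}: {a['failures']} failures by {a['at']}")
    for cmd in actions:
        print("ACTIVE RESPONSE:", cmd)
```

On the sample log only 203.0.113.7 crosses the threshold inside the window, so it is the only address that gets a block command; the lone failure from the management host and the isolated one from 203.0.113.9 produce nothing. Run the same monitor with the brute-forcing address swapped for the whitelisted one and you still get the alert but no command, which is the behaviour you want from any response that can cut off your own access.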
Now for NIDS (Network Intrusion Detection System). Wikipedia's definition here is of the broader term: "An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations." A NIDS is the flavor that does this by watching packets on the wire rather than activity on a host.
The way AlienVault USM and AlienVault OSSIM implement NIDS requires some way for a network interface on the sensor to "see" all of the traffic you care about, ideally the traffic crossing an edge device such as a firewall. The appliances have no inline component, so the usual approach is to mirror (SPAN) the firewall's internal interface on the switch and cable that mirror port to a dedicated interface on the USM. That interface runs in promiscuous mode, meaning it accepts every frame the port delivers rather than only frames addressed to its own MAC; it typically carries no IP address, and management traffic stays on a separate interface. Two things are worth checking before you trust what you see: a SPAN of the firewall interface shows only north-south traffic, so anything moving between two hosts on the same internal segment never reaches the sensor unless you mirror those segments as well; and a SPAN port fed more traffic than its link speed silently drops packets, so compare the counters on the switch with those on the sensor interface rather than assuming you see everything.
Once AlienVault USM can see the traffic, then what? The NIDS engine decodes the packets and compares them against a set of signatures; each match is emitted as an alert event that the USM normalizes and hands to its correlation engine alongside the HIDS and syslog events. The same mirrored traffic is also summarized into flow records (NetFlow-style per-connection counts of packets and bytes), which feed the platform's behavioral analytics even for connections that match no signature. One caveat: content signatures need cleartext. For a TLS session the engine still records the flow and can match on what is visible (addresses, ports, the handshake), but not on the encrypted payload.
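The following is an added illustration of those two outputs, signature alerts and flow summaries, produced from one pass over mirrored packets. It is not Suricata or AlienVault engine code and does not use their rule syntax: the packets, the rules, their SIDs, and the addresses (documentation ranges) are all constructed, and the TLS packets carry made-up bytes to show that an encrypted connection still yields a flow record while matching no content rule.

```python
"""
Toy NIDS pass over mirrored packets: signature matching plus flow summaries.

Added illustration, not Suricata/AlienVault engine code or rule syntax.
Packets are the already-decoded form a NIDS would derive from a SPAN port;
rules match on protocol, optional destination port and payload content.
"""
from collections import defaultdict

# Constructed packets (addresses are documentation ranges).
PACKETS = [
    {"src": "203.0.113.7", "dst": "192.0.2.10", "sport": 51022, "dport": 80,
     "proto": "tcp",
     "payload": b"GET /login.php?user=admin' OR '1'='1 HTTP/1.1\r\nHost: shop\r\n\r\n"},
    {"src": "192.0.2.10", "dst": "203.0.113.7", "sport": 80, "dport": 51022,
     "proto": "tcp", "payload": b"HTTP/1.1 200 OK\r\n\r\n"},
    # Two records of one TLS connection: opaque to content rules, visible as a flow.
    {"src": "192.0.2.25", "dst": "198.51.100.5", "sport": 49152, "dport": 443,
     "proto": "tcp", "payload": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"},
    {"src": "192.0.2.25", "dst": "198.51.100.5", "sport": 49152, "dport": 443,
     "proto": "tcp", "payload": b"\x17\x03\x03\x00\x05\xde\xad\xbe\xef\x00"},
    {"src": "192.0.2.30", "dst": "198.51.100.9", "sport": 53412, "dport": 4444,
     "proto": "tcp", "payload": b"id\nuname -a\n"},
]

# Constructed rules: every 'content' byte string must appear in the payload;
# 'dport' None means any port. SIDs are assumed values, not real rule IDs.
RULES = [
    {"sid": 1000001, "proto": "tcp", "dport": 80, "content": [b"' OR '1'='1"],
     "msg": "SQL injection attempt in HTTP request"},
    {"sid": 1000002, "proto": "tcp", "dport": 4444, "content": [],
     "msg": "Connection to a port commonly used for reverse shells"},
    {"sid": 1000003, "proto": "tcp", "dport": None, "content": [b"uname -a"],
     "msg": "Shell command observed in cleartext session"},
]


def matches(rule, pkt):
    """True when protocol, destination port (if set) and all contents match."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return all(c in pkt["payload"] for c in rule["content"])


def inspect(packets, rules=RULES):
    """Return (alerts, flows): signature hits and per-5-tuple packet/byte counts."""
    alerts = []
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])
        flows[key]["packets"] += 1            # flow record grows whether or not
        flows[key]["bytes"] += len(pkt["payload"])   # any signature fires
        for rule in rules:
            if matches(rule, pkt):
                alerts.append({"sid": rule["sid"], "msg": rule["msg"],
                               "src": pkt["src"], "dst": pkt["dst"],
                               "dport": pkt["dport"]})
    return alerts, dict(flows)


if __name__ == "__main__":
    hits, summary = inspect(PACKETS)
    for a in hits:
        print(f"[{a['sid']}] {a['msg']}: {a['src']} -> {a['dst']}:{a['dport']}")
    for key, counters in summary.items():
        print("FLOW", key, counters)
```

The HTTP request trips the injection rule, and the cleartext session to port 4444 trips two rules at once (the port-only rule and the content rule), which is the normal case: one packet can satisfy several signatures and each becomes its own event for correlation. The TLS connection produces no alert but does produce a flow record with two packets and twenty bytes, which is exactly the visibility the behavioral side of the platform still has into encrypted traffic.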
Simply put, HIDS is your go-to for visibility into what is happening on the host, and NIDS is your go-to for visibility into what is traversing the network. AlienVault recommends installing the HIDS agent on hosts such as web servers, file servers, domain controllers, and other high-value targets. NIDS should be enabled wherever you can get a mirror of the traffic, especially at the ingress/egress points between your network and the Internet, so you can see what those hosts are communicating with.
These two technologies, together with syslog ingestion from the devices that cannot run an agent (switches, firewalls, and other appliances), give a holistic view of the security of your systems. Couple that with AlienVault's threat detection engine, cross-correlation, and alerting, and you have the tools you need for a successful security regimen.