Re: Tracking back internal incidents to users, not IPs
We went through this exact exercise 3 years ago. We implemented a
WAN-wide deployment of snort IDS servers, monitoring both DMZ and WAN
links. This rapidly proved to be more useful in monitoring and
responding to *internal* threats, as an internal alert is actually
something that can be FIXED - vs a remote attack where you end up
needing to contact some email address who is supposed to be a site
contact in some other company on the other side of the planet ;-)

Anyway, all an IDS has to initially go on is the source IP. So we had to
put some "glue" together to cross-reference that against more useful
information, to turn an IDS event into a concise, useful alert.

Our current alerts tell us what site and country the offending address
lives in, whether it is a RAS/VPDN or local network address, what its
(typically) NetBIOS name is, who its suspected owner is, and what their
email and phone number is. Quite a lot to go on :-)

In the past, tracking down such information typically was a manual
process - it involved talking to the network team (to find out what
site/country that address is from), the Windows server team (to find out
NetBIOS details/etc), and the Helpdesk team (to find owner/etc). Now,
it's automated and takes about 20 secs :-)

Still doesn't make me coffee tho' :-(

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
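The "glue" described in the post above, written out as an added example (this is not the poster's code, nor Trimble's): it parses a Snort fast-format alert line, does a longest-prefix match of the source IP against a subnet table to get site, country and RAS/VPDN-vs-local class, then joins through a NetBIOS name table and a helpdesk asset register to reach the suspected owner. Every table, the site names, the rule id and the sample alert line are constructed for the example; in practice the tables would be fed from IPAM, WINS/DNS and the helpdesk system.

```python
"""Added example, not from the original post: enrich a Snort fast-format
alert with site/country, address class, NetBIOS name and suspected owner.
All lookup tables and the sample alert line are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed IPAM table: prefix -> (site, country, address class).
# A more specific RAS/VPDN pool sits inside the site's larger block.
SUBNETS = {
    "10.10.0.0/16": ("SITE-A", "NZ", "local"),
    "10.10.200.0/24": ("SITE-A", "NZ", "RAS/VPDN"),
    "10.20.0.0/16": ("SITE-B", "US", "local"),
}

# Constructed WINS/NetBIOS snapshot: IP -> NetBIOS name.
NETBIOS = {
    "10.10.200.17": "LAPTOP-JSMITH",
    "10.20.5.42": "WS-ENG-042",
}

# Constructed helpdesk asset register: NetBIOS name -> (owner, email, phone).
OWNERS = {
    "LAPTOP-JSMITH": ("J. Smith", "jsmith@example.com", "+64 3 555 0101"),
    "WS-ENG-042": ("A. Lee", "alee@example.com", "+1 408 555 0199"),
}

# Snort "fast" alert layout:
# <ts> [**] [gid:sid:rev] <msg> [**] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)

# Constructed sample alert; sid 1000001 is in the local-rule range.
SAMPLE_ALERT = ("07/08-14:22:31.123456 [**] [1:1000001:1] CONSTRUCTED suspicious "
                "SMB probe [**] [Priority: 1] {TCP} 10.10.200.17:3456 -> 10.20.5.42:445")


@dataclass
class EnrichedAlert:
    sid: str
    msg: str
    src: str
    site: str = "unknown"
    country: str = "unknown"
    addr_class: str = "unknown"
    netbios: Optional[str] = None
    owner: Optional[str] = None
    email: Optional[str] = None
    phone: Optional[str] = None


def locate(ip: str) -> Optional[Tuple[str, str, str]]:
    """Longest-prefix match of ip against SUBNETS; None if unallocated."""
    addr = ipaddress.ip_address(ip)
    best_net, best_info = None, None
    for cidr, info in SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_info = net, info
    return best_info


def enrich(alert_line: str) -> Optional[EnrichedAlert]:
    """Turn one raw alert line into an owner-attributed alert, or None if unparseable."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return None
    e = EnrichedAlert(sid=m["sid"], msg=m["msg"], src=m["src"])
    loc = locate(e.src)
    if loc:
        e.site, e.country, e.addr_class = loc
    e.netbios = NETBIOS.get(e.src)          # may be None for an unregistered host
    if e.netbios in OWNERS:
        e.owner, e.email, e.phone = OWNERS[e.netbios]
    return e


def format_alert(e: EnrichedAlert) -> str:
    """One-line summary in the spirit of the post's alerts."""
    who = f"{e.owner} <{e.email}> {e.phone}" if e.owner else "owner unknown"
    return (f"[{e.sid}] {e.msg}: {e.src} ({e.netbios or 'no NetBIOS name'}) "
            f"{e.addr_class} address at {e.site}/{e.country}, {who}")


if __name__ == "__main__":
    print(format_alert(enrich(SAMPLE_ALERT)))
```

The longest-prefix match is what distinguishes the RAS/VPDN pool from the site block that contains it, and each join stage degrades gracefully (an unknown IP still yields a parseable alert, just with fewer fields), which matters when the WINS snapshot is stale.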

