Back to article
Network Intrusion Detection, Neighborhood Watch Style
Sophisticated New Methods
October 11, 2004
Keeping an eye on the valuables stored away in your network is a tough job these days. Thugs and criminals are trying to jimmy your ports. Terrorists are lurking around your network neighborhood. And stealthy email spy-ware may already be in employee mailboxes, just waiting to silently ship secrets out to the cyber underworld.
Conventional programs like Tripwire and Snort do a great job of looking for sneaky file timestamp changes and malicious code signatures. Unfortunately, these don't provide complete solutions.
Global DataGuard takes up where Tripwire and Snort leave off. You can put a Global DataGuard sensor on your network and, after a week or two, a unique profile of your network and server behaviors will develop. That profile will then serve as the starting baseline to watch for funny programs, strange access requests and outbound activity that might indicate some sinister force is at work. It will correlate those activities over time to identify trends that would be impossible to connect using normal attack signature review or log reading methods.
"With Snort, if it doesn't have a signature you can't see it," said Mike Stute, co-founder and Chief Technology Officer. "ESP (Empirical Surveillance Program) is behavioral based. It looks at traffic, hosts, types of protocols, the time of day, etc. and then makes predictions. If something is wrong, it goes to find out what's different," Stute continued. "Actually, ESP has a memory."
The Global DataGuard system is really a collection of components, consisting of Linux-based client site sensors, a MySQL database, a Linux cluster, and proprietary behavioral analysis software--all with web-based reporting and management programs.
The client site sensor (a one- or two-processor 1U Intel-based machine)passively sits on a client's network and grabs packet data on everything that goes by. "The best place is right before the firewall. It's a good place for a lot of different data," said Stute.
Scanning is done with Nessus. The sensor has a one-way VPN connection that sends the packet data back to GDG servers. Customers can take comfort in knowing that the heavily encrypted data only flows to the GDG servers without any remote external access back into the sensor appliance. Each sensor is equipped with an extensively developed self diagnostics suite, to keep itself healthy. It can even reboot itself, if needed.
As you might guess, a cluster of Linux machines are a necessity to process the volumes and volumes of packet data that can be collected on a 100 Mb/s or 1000 Mb/s Ethernet leg.
"Our cluster is a cluster in the sense that each component is virtual, meaning that one function is spread across multiple systems and each system can perform any job in the machine. For example, the packet analysis is a function that can be performed by one or more systems and will be farmed to the system with the most available resources. This is more like load balancing each individual component in a distributed system," Stute said.
Even with the processing power of multiple machines, developing a baseline profile can take a little time.
"It takes about 2 to 4 weeks for the system to be pretty well tuned," Stute said.
Over time, the Global DataGuard adapts to the client network's behavior, continuously updating the profile database to allow for recognition of new threats.
If something is amiss, operators in the Global DataGuard monitoring center are alerted. Since the reporting and management software are web based, a monitoring operator could be physically located anywhere.