APPENDIX E: MANAGING AND RESPONDING TO INTRUSION DETECTION EVENTS 133
Appendix E: Managing and Responding to Intrusion Detection Events
This appendix is intended to provide a little insight as to how Raritan goes about assessing the
traffic that the CC-NOC sees, determining what constitutes an event, and in turn, what that
event should mean to you.
How Intrusion Detection Works
The CC-NOC can act as a network-based intrusion detection system (NIDS), listening to
network traffic and indicating when certain behaviors are identified, traffic patterns appear, or
recognized character strings are passed. This provides an easy-to-deploy and technically sound
approach to analyzing your traffic for things that probably shouldn’t be there.
Raritan’s team of security experts is constantly monitoring security-related news sources, as well
as doing internal testing and analysis, ferreting out information related to the latest hacker threats
and system vulnerabilities. Once identified, these threats and vulnerabilities are distilled down to
their simplest form—the network traffic they generate. Armed with this information, our team
creates a series of “signatures” that uniquely, or as uniquely as possible, identify those threats that
could be encountered in your network. However, because it’s impossible to say that a specific
behavior, traffic pattern, or character string could be associated only with malicious traffic, there
are times that the CC-NOC will trigger an event not associated with an actual threat. These
situations are referred to as false positives, and are inevitable in the world of intrusion detection.
Raritan falls on the side of “better safe than sorry”, and would rather give you the information to
disprove than let a hacker have his way. And we’re not alone—this approach is considered by
many to be an industry best practice. But too many false positives is not good either, so Raritan
has taken great strides to help you reduce them in your environment by leveraging the
information you have about your IT infrastructure.
Reducing False Positives with the Signature Profiler
Because Raritan provides signature files for your CC-NOC as part of our Advanced
Administration options, you needn’t worry about keeping up to date on all of the latest threats –
we will do the investigation and make the new signatures available. But because no two networks
are alike, we must provide all of the available signatures to each of our CC-NOCs in the field.
This means that every CC-NOC has a copy of every signature that we distribute. And in many
cases, not all of these signatures are necessary for the environment in which the CC-NOC is
installed. For example, one of our signatures watches for traffic attempting to exploit the
ToolTalk database server on Sun Solaris platforms. And by default, if we see the traffic that
indicates this particular threat, we will notify you—even if you don’t have any Sun Solaris
platforms running the ToolTalk database server. This is specifically why we’ve built the
Signature Profiler.
The Signature Profiler is a way for you to deploy a CC-NOC with customizations for its
environment once, and our rules engine will maintain those customizations for you as new
signatures and features are rolled out. How does it work? Good question!
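As an added illustration (not Raritan's code), the following Python sketch models the two ideas above: a content-matching NIDS that raises an event when a signature's pattern appears in traffic, and a rules engine that enables only the signatures relevant to the platforms you said you run, so the ToolTalk signature stays quiet on a site without Solaris. All signature names, patterns and sample packets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One detection rule: a byte pattern to look for and the platforms it is relevant to.
    An empty platform set means the signature applies to every environment."""
    name: str
    pattern: bytes
    platforms: frozenset = frozenset()


# Constructed sample signatures; names and patterns are illustrative, not Raritan's.
SIGNATURES = [
    Signature("SOLARIS_TOOLTALK_EXPLOIT", b"ToolTalk", frozenset({"solaris"})),
    Signature("IIS_TRAVERSAL_PROBE", b"/scripts/..%c0%af", frozenset({"windows_iis"})),
    Signature("GENERIC_SHELL_STRING", b"/bin/sh", frozenset()),
]


def apply_profile(signatures, profile):
    """Rules engine: keep a signature only if the site runs a platform it targets.
    Re-running this over a newly shipped signature list preserves the profile choices."""
    return [s for s in signatures if not s.platforms or s.platforms & profile]


def detect(signatures, packets):
    """Minimal content-matching NIDS: return (signature name, packet index) for each hit."""
    events = []
    for i, payload in enumerate(packets):
        for s in signatures:
            if s.pattern in payload:
                events.append((s.name, i))
    return events


# Constructed sample traffic: packet 0 is a harmless request that happens to contain the
# ToolTalk pattern (a false positive on a non-Solaris site), packet 1 trips the generic
# signature, packet 2 is benign.
PACKETS = [
    b"GET /docs/ToolTalk HTTP/1.0\r\n",
    b"cmd=/bin/sh -c id",
    b"GET /index.html HTTP/1.0\r\n",
]


def events_for_site(profile):
    """Events the CC-NOC would raise for a site whose Profiler answers are `profile`."""
    return detect(apply_profile(SIGNATURES, set(profile)), PACKETS)


if __name__ == "__main__":
    print(events_for_site({"windows_iis"}))  # ToolTalk event suppressed by the profile
    print(events_for_site({"solaris"}))      # ToolTalk event kept
```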
Signature Profiler and the Rules Engine
The Signature Profiler provides an easy-to-use, web-based interface that asks simple questions:
Are you running this platform or that? What platforms do you use for email? Web services?
What kinds of routers do you use? By simply moving through the web page and checking or
unchecking the boxes that correspond to your configuration, you are building the rules necessary to
keep the CC-NOC up-to-date. Once complete, the Rules Engine makes decisions on your behalf