
Savvis IT Infrastructure

Security Services

SNORT®-Based Network Intrusion Detection Service

Overview

Cybercrime represents one of the most critical threats to businesses today. These attacks can cause downtime, create holes in system security that result in data breaches, and lead to financial losses, brand credibility problems, or even jail time in those extreme cases where corporate executives are perceived as negligent. Attacks are so vast and complex that it has become impossible to detect and protect against them manually. Businesses need an automated solution that can help them identify when an attack is underway and take proactive measures before critical systems or data are damaged, stolen, or destroyed. Working with Savvis to monitor and manage your intrusion detection systems delivers a positive return on investment, by cost-effectively augmenting your IT resources with experienced personnel and relieving employees from routine 24/7 alarm management and monitoring duties.

Key Features

· Alerts against unwanted internal or external network threats without degrading network performance
· Utilizes a NIDS infrastructure that leverages open source-based SNORT® technology
· Employs detection rules that are developed by Sourcefire's Vulnerability Research Team (VRT) and are rigorously tested by Savvis prior to their implementation
· Provides round-the-clock access to Savvis' Incident Response team (Note: Incident Response Service is sold separately)

SISD SNORT-Based Network Intrusion Detection Service

The Savvis Integrated Security Device (SISD) network intrusion detection service (NIDS) is the core technology in a full set of security detection tools that offer customers the ability to view security threats en route to a host. We install, configure, monitor, and maintain the NIDS sensors for your organization in our data centers, where they detect potential attacks against your network. In addition, detailed monitoring enables identification of malicious traffic, determines whether the traffic has passed through your firewall, and even helps estimate where an attacker's originating computer may be located (an estimate based on the source IP address, which can be spoofed or relayed through an intermediate host).

Service Highlights:

Savvis provisions a SNORT-based NIDS device and works with your organization to implement the device. In addition to defining your organization's event escalation process, the SISD NIDS implementation includes:
· Ongoing signature event-tuning for newly-released signatures
· Management of your dedicated SISD SNORT-based intrusion detection device on a 24/7 basis
· Review of your intrusion detection system (IDS) events on a 24/7 basis
· Routine updates of your IDS sensor leveraging Sourcefire-based signatures

SNORT® is a registered trademark of Sourcefire, Inc.


Detection Rules Developed by Sourcefire's Vulnerability Research Team

To provide you with a high level of protection against potential threats, our service utilizes rules that are developed by the Sourcefire Vulnerability Research Team (VRT), a group of leading intrusion detection specialists. Savvis' use of these rules provides your organization with the following benefits:
· Sourcefire's rule-based protection methodology aims to provide coverage for a vulnerability before a working exploit is released to the general public, thus reducing your potential "window of exposure."
· All rules are rigorously tested by Sourcefire and Savvis, with the goal of producing as few "false positive" results for your organization to review as possible.
· To maintain your network performance, rules are customized so that they are only triggered by certain communication states (for example, an established TCP session in a particular direction), network packet header fields, and application-layer message fields. The rules are further tested and verified by Sourcefire to confirm that they do not create performance issues when implemented.

Savvis' Security Operations Center Team

The NIDS is monitored on a 24/7 basis by Savvis' experienced and credentialed Security Operations Center (SOC) team for any potential threat activity. When an alert arrives, it is triaged by the team, who determine whether your organization's network and/or application host is under attack, or possibly breached. The SOC team will then notify you and implement the incident response and cyber-forensics plan that was created specifically for your organization. Savvis' NIDS Services are configured and installed based on your requirements, and may be reviewed with you on a semi-annual basis. Access to your alert reports, signatures, and device activity (for the previous 90 days) is provided via our SavvisStation Portal. Additional information regarding NIDS reporting is available in the Appendix that follows.

Appendix: SavvisStation NIDS Reporting

Reporting for Savvis' NIDS Services is currently available through our SavvisStation Portal, a secure Web-based reporting interface. To enhance your organization's overall security, access to the portal is available solely to individuals who have previously been identified as "security contacts" by your organization. Portal support is available to customers on a 24/7 basis via a phone call or an e-mail to the Savvis Support Center.

The portal provides functionality that allows your organization to search for specific signatures, IP addresses, time periods, and priorities among all the alerts generated by your NIDS sensors or host-based intrusion detection system (HIDS) instances. You also have the capability to e-mail yourself entire reports, generate graphs, and download small sections of your data to Excel files.

For a full explanation of SavvisStation portal functionality (including server performance reporting, network performance reporting, and billing invoice options), please contact your Savvis Account Executive.


The following screen depictions are for illustrative purposes only.

Total Number of IDS Sensor High-Priority Events: Weekly View

This screen shows the total number of high-priority IDS sensor events on a weekly basis over an eight-month period. If this graph depicted your organization's actual network activity, you would want to further research what prompted a large spike in events during the first and second weeks of January 2007.

Total Number of IDS Sensor Medium-Priority Events: Weekly View

This screen provides the total number of medium-priority IDS sensor events on a weekly basis over the same eight-month period. If this graph depicted your organization's actual activity, you would want to further research what prompted a large spike in events during March and April 2007.

Total Number of IDS Sensor Low-Priority Events: Weekly View

This screen provides the total number of low-priority IDS sensor events on a weekly basis over the same eight-month period. If this graph depicted your organization's actual activity, you would want to further research whatever prompted a large spike in events in late January 2007.


Top 10 IDS Sensor Events for Time Period (excluding Worm-Related Signatures)

Based on the IDS sensor activity that was presented in the first screenshot, this screen summarizes the top 10 sensor events, including the number of times that each event occurred. You can see that the primary event affecting the demo sensor is BitTorrent Client Activity. Also, it should be noted that worm-related signatures are not included in the summary that appears to the right.

Frequency of NIDS Event Activity (Daily View)

This screen summarizes NIDS events by date, allowing your organizational contact to track trends relating to potential intrusion. Based on the demo data above, intrusion events seem to peak in the first and the third weeks of the month. Also, dates that show high levels of event activity (such as July 2 through 4 and July 22 through 25) may need to be reviewed more closely by your security team. (Worm-related signatures are excluded from the data that appears to the right.)

NIDS "Day of the Week" Bar

This screen provides the total number of events by day of the week, allowing your organization to quickly determine which days resulted in the greatest number of non-worm-related IDS events. Considering the historical demo event data that appears to the right, weekends produce the most IDS events.

Summary of Source IP Addresses for IDS Events

This final screenshot provides the source IP addresses for each of the IDS events. When evaluating the demo data in the chart to the right, the most persistent threat is coming from IP address 64.70.59.70, which prompted more than 200,000 IDS events during the period. Events originating from that particular IP address comprised more than 50% of overall events for the period. A single address dominating the alert volume to this degree is also the first thing to check for a noisy or mis-tuned signature (or, as with the BitTorrent events above, an internal client rather than an external attacker) before it is escalated as a persistent threat.
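The aggregations behind the Top 10, daily, day-of-week and source-IP screens above can be reproduced directly from a sensor's alert log. The following Python is an added example written for this page, not Savvis or Sourcefire code: it parses Snort's standard alert_fast line format, maps Snort's numeric priority (1 = high, 2 = medium, 3 = low) onto the high/medium/low buckets the weekly views use, excludes worm signatures the way the reports do, and ranks signatures and source addresses. The sample alert lines, SIDs 900001-900004, the rule messages, the RFC 5737 addresses and the "worm appears in the message text" test are all constructed assumptions; the year is passed in because the default alert_fast format omits it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of Snort "alert_fast" output (one alert per line), made up
# for this example: SIDs 900001-900004, rule messages and the RFC 5737 test
# addresses are assumptions, not real sensor data. Snort priority numbers run
# 1 = high, 2 = medium, 3 = low.
SAMPLE_ALERTS = """\
01/06-02:14:07.123456  [**] [1:900001:3] BitTorrent Client Activity [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.0.2.10:51413 -> 203.0.113.7:6881
01/06-02:15:09.000001  [**] [1:900001:3] BitTorrent Client Activity [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.0.2.10:51413 -> 203.0.113.8:6881
01/07-11:02:44.500000  [**] [1:900002:1] WORM SMB propagation attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 198.51.100.4:4444 -> 192.0.2.20:445
01/07-11:03:01.000000  [**] [1:900003:2] WEB-MISC cross-site scripting attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.4:50211 -> 192.0.2.30:80
01/08-09:12:30.000000  [**] [1:900003:2] WEB-MISC cross-site scripting attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.4:50212 -> 192.0.2.30:80
01/08-09:12:31.250000  [**] [1:900003:2] WEB-MISC cross-site scripting attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.4:50213 -> 192.0.2.30:80
01/13-23:59:59.999999  [**] [1:900004:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:1 -> 192.0.2.30:22
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

PRIORITY_LABEL = {1: "high", 2: "medium", 3: "low"}


def parse_alerts(text, year=2007):
    """Parse alert_fast lines into dicts. The year is supplied by the caller
    because the default alert_fast timestamp omits it (2007 matches the period
    shown in the report screens)."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip blank or unparseable lines instead of aborting
        d = m.groupdict()
        when = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({
            "time": when, "sid": int(d["sid"]), "msg": d["msg"],
            "priority": int(d["prio"]), "src": d["src"], "dst": d["dst"],
        })
    return alerts


def is_worm(alert):
    # Assumption for this example: worm signatures carry "worm" in the rule message.
    return "worm" in alert["msg"].lower()


def non_worm(alerts):
    return [a for a in alerts if not is_worm(a)]


def count_by_priority(alerts):
    """High/medium/low totals; the weekly views on the page are these counts bucketed by week."""
    return dict(Counter(PRIORITY_LABEL.get(a["priority"], "other") for a in alerts))


def top_signatures(alerts, n=10):
    """Top-N rule messages by count, worm signatures excluded as in the Top 10 report."""
    counts = Counter(a["msg"] for a in non_worm(alerts))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def events_by_date(alerts):
    """Non-worm event count per calendar day (the daily view)."""
    counts = Counter(a["time"].date().isoformat() for a in non_worm(alerts))
    return dict(sorted(counts.items()))


def events_by_weekday(alerts):
    """Non-worm event count per day of the week (the day-of-week bar)."""
    return dict(Counter(a["time"].strftime("%A") for a in non_worm(alerts)))


def top_sources(alerts, n=10):
    """(source IP, count, percent of all non-worm events), most active first."""
    subset = non_worm(alerts)
    counts = Counter(a["src"] for a in subset)
    total = len(subset) or 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return [(ip, cnt, round(100.0 * cnt / total, 1)) for ip, cnt in ranked]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("by priority:", count_by_priority(alerts))
    print("top signatures:", top_signatures(alerts))
    print("by date:", events_by_date(alerts))
    print("by weekday:", events_by_weekday(alerts))
    print("top sources:", top_sources(alerts))
```

On the constructed sample, 198.51.100.4 accounts for half of the non-worm events, but `top_signatures` shows they are all one web signature against one host, which is the check to make before calling the address a persistent threat.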


For additional information regarding Savvis' SNORT-based NIDS Service or the SavvisStation Portal, please contact your Savvis Account Executive.

About SNORT®

In 1998, Martin Roesch wrote an open source technology called SNORT®, which he termed a "lightweight" intrusion detection technology in comparison to commercially available systems. Today that moniker doesn't even begin to describe the capabilities SNORT® brings to the table as the most widely deployed intrusion prevention technology worldwide. Over the years SNORT® has evolved into a mature, feature-rich technology that has become the de facto standard in intrusion detection and prevention. Recent advances in both the rules language and detection capabilities offer the most flexible and accurate threat detection available, making SNORT® the "heavyweight" champion of intrusion prevention. For additional information about SNORT®, please consult www.snort.org.

Savvis is a Certified SNORT® Integrator. Please refer to the following link for details: http://www.snort.org/community/integrators.html.

About Savvis

Savvis, Inc. (NASDAQ: SVVS) is an outsourcing provider of managed computing and network infrastructure for IT applications. By outsourcing to Savvis, enterprises can focus on their core business while Savvis ensures the quality of their IT infrastructure. Leading IT organizations around the world have selected Savvis to help them improve their service levels, reduce capital expense and deal with the rising costs of bandwidth, energy, real estate, staff and expertise. As a pioneer in utility computing, Savvis understands and harnesses the latest advances in technology like virtualization, cloud computing and support process automation.

For more information about Savvis, visit www.savvis.net or call 1.800.SAVVIS.1 (1.800.728.8471).

EMEA: Savvis UK Limited, Tel +44 (0)118 322 6000
Asia Pacific: Savvis Singapore Company Pte Ltd, Tel +65 6768 8000
Japan: Savvis Communications K.K., Tel +81.3.5214.0151

© 2009 Savvis, Inc. All rights reserved. Savvis® is the registered trademark of Savvis Communications Corporation. All other trademarks and service marks are the property of their respective owners.
