For example, we run SSL/TLS over SMTP (via STARTTLS) because we authenticate to our mail server before sending e-mail. IDP alerted on binary data where SMTP commands should have been: it didn't recognize the STARTTLS command, so once the session was upgraded to TLS, the encrypted stream looked like garbage inside an SMTP flow. We wrote a new signature that matched the STARTTLS command, created a rule that fired on it and then ignored the rest of that flow, and placed the rule at the top of the rule base so it would be evaluated first.
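To make the STARTTLS problem concrete, here is an added example (not code from the article or from either product) of a toy stream inspector: a plaintext-only SMTP check of the kind that fired on our TLS sessions, beside a state-aware version that stops inspecting once the server accepts STARTTLS, which is what our "detect STARTTLS, then ignore the rest of the flow" rule did. It also keeps inspecting when the server refuses STARTTLS (a 454 reply), since in that case the channel stays in the clear. All flows below are constructed sample traffic; the function and variable names are ours.

```python
# Added example: SMTP flow inspection with and without STARTTLS awareness.
# Flows are lists of (direction, payload) where "C" is client->server and
# "S" is server->client. Sample data is constructed, not captured.

SMTP_COMMANDS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "STARTTLS",
                 "AUTH", "QUIT", "NOOP", "RSET"}


def smtp_verb(line: bytes):
    """Return the SMTP verb of a client line, or None if it is not ASCII text
    that begins with a known command (what the naive rule calls 'binary')."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None
    verb = text.strip().split(" ", 1)[0].upper()
    return verb if verb in SMTP_COMMANDS else None


def inspect_naive(flow):
    """Rule as the article describes IDP's default behaviour: every client
    segment must look like an SMTP command, otherwise raise an alert."""
    alerts = []
    for direction, payload in flow:
        if direction == "C" and smtp_verb(payload) is None:
            alerts.append("binary data where SMTP command expected")
    return alerts


def inspect_starttls_aware(flow):
    """Same check, but the flow is abandoned once STARTTLS is accepted:
    everything after the server's 220 is ciphertext and cannot be parsed."""
    alerts = []
    awaiting_tls_reply = False
    for direction, payload in flow:
        if direction == "C":
            verb = smtp_verb(payload)
            if verb is None:
                alerts.append("binary data where SMTP command expected")
            elif verb == "STARTTLS":
                awaiting_tls_reply = True
        elif awaiting_tls_reply:
            awaiting_tls_reply = False
            if payload.startswith(b"220"):
                return alerts          # TLS handshake follows: stop inspecting
            # 454/5xx: server declined, session stays plaintext, keep inspecting
    return alerts


# Constructed session that upgrades to TLS; the bytes after the 220 reply are
# a TLS record header (0x16 = handshake) and application data (0x17).
TLS_FLOW = [
    ("C", b"EHLO client.example.net\r\n"),
    ("S", b"250-mail.example.net\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"),
    ("C", b"STARTTLS\r\n"),
    ("S", b"220 2.0.0 Ready to start TLS\r\n"),
    ("C", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("S", b"\x16\x03\x03\x00\x3d\x02\x00\x00\x39\x03\x03"),
    ("C", b"\x17\x03\x03\x00\x20" + bytes(range(32))),
]

# Constructed session where the server refuses STARTTLS, so later junk from
# the client is still on a plaintext channel and should still alert.
REFUSED_FLOW = [
    ("C", b"EHLO client.example.net\r\n"),
    ("S", b"250-mail.example.net\r\n250 STARTTLS\r\n"),
    ("C", b"STARTTLS\r\n"),
    ("S", b"454 4.7.0 TLS not available due to temporary reason\r\n"),
    ("C", b"MAIL FROM:<alice@example.net>\r\n"),
    ("C", b"\x00\x01\x02garbage"),
]

if __name__ == "__main__":
    print("naive, TLS session:   ", inspect_naive(TLS_FLOW))
    print("aware, TLS session:   ", inspect_starttls_aware(TLS_FLOW))
    print("aware, refused STARTTLS:", inspect_starttls_aware(REFUSED_FLOW))
```

The point of tracking the server's reply rather than the client's command alone is that a client cannot put itself beyond inspection just by typing STARTTLS; only a server that actually agrees to the upgrade ends the plaintext phase.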
Next, we had to deal with IDP thinking that our NTP server was UDP-scanning a remote host that was actually trying to synchronize its clock. We used WildPackets' EtherPeekNX to capture the traffic between the two hosts: it was ordinary NTP traffic, yet IDP was alerting us about a UDP port scan!
IntruShield had a few quirks, too. For example, it claimed that SNMP traps (UDP 162) sent to the broadcast address were overly long NetBIOS name queries, and that SNMP responses were another form of UDP port scanning. Once we had things tuned (a never-ending process, really), we were able to track all those pesky attackers actually trying to break in. False positives happen, so we strongly urge you to understand thoroughly why an alert is being generated before you decide to block that traffic.
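Both the NTP and the SNMP "port scan" alerts come from the same heuristic: one source sending to many distinct destination/port pairs. An added example (our own code, not the article's and not either product's detection logic) shows that heuristic beside a refinement that pairs replies with the requests that solicited them, so a server answering a client that varies its source port is no longer counted as a scanner, while a host probing many ports with no prior requests still is. The traffic below is constructed, and the threshold is an assumed tuning value.

```python
# Added example: a naive UDP port-scan heuristic and a request/reply-aware
# refinement. Packets are (src, sport, dst, dport) tuples; all constructed.
from collections import defaultdict

SCAN_THRESHOLD = 10   # distinct (dst, dport) targets from one source (assumed)


def naive_udp_scan(packets):
    """Flag any source that sends to SCAN_THRESHOLD or more distinct
    destination/port pairs, regardless of what solicited the packets."""
    targets = defaultdict(set)
    for src, sport, dst, dport in packets:
        targets[src].add((dst, dport))
    return sorted(src for src, t in targets.items() if len(t) >= SCAN_THRESHOLD)


def paired_udp_scan(packets):
    """Same threshold, but a packet that answers a request seen earlier in the
    opposite direction is a solicited reply and is not counted as a probe."""
    outstanding = set()             # (src, sport, dst, dport) awaiting a reply
    targets = defaultdict(set)
    for src, sport, dst, dport in packets:
        reply_to = (dst, dport, src, sport)
        if reply_to in outstanding:
            outstanding.discard(reply_to)
            continue                # reply to a known request: not a probe
        outstanding.add((src, sport, dst, dport))
        targets[src].add((dst, dport))
    return sorted(src for src, t in targets.items() if len(t) >= SCAN_THRESHOLD)


# Case 1: one remote client polls our NTP server from a fresh ephemeral port
# each time; the server's replies look like it is scanning the client.
NTP_TRAFFIC = []
for port in range(50000, 50012):
    NTP_TRAFFIC.append(("203.0.113.4", port, "10.0.0.5", 123))    # client poll
    NTP_TRAFFIC.append(("10.0.0.5", 123, "203.0.113.4", port))    # server reply

# Case 2: an SNMP manager queries one agent from varying source ports; the
# agent's GetResponses look like it is scanning the manager.
SNMP_TRAFFIC = []
for port in range(40000, 40015):
    SNMP_TRAFFIC.append(("10.0.0.8", port, "10.0.0.20", 161))     # GetRequest
    SNMP_TRAFFIC.append(("10.0.0.20", 161, "10.0.0.8", port))     # GetResponse

# Case 3: a genuine scanner probes twenty ports on one host; nothing it
# sends answers an earlier request, so both heuristics should flag it.
SCAN_TRAFFIC = [("198.51.100.9", 6000, "10.0.0.7", dport) for dport in range(1, 21)]

if __name__ == "__main__":
    for name, traffic in (("NTP", NTP_TRAFFIC), ("SNMP", SNMP_TRAFFIC), ("scan", SCAN_TRAFFIC)):
        print(f"{name:5} naive={naive_udp_scan(traffic)} paired={paired_udp_scan(traffic)}")
```

A production engine would bound the outstanding-request table and expire entries after a time window; as written, the table grows with every unanswered request, which is exactly the footprint a scanner leaves, so the size of that table is itself a useful signal.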
Something To Talk About
Before we decided to block traffic, we had to investigate the alerts and log entries we were seeing. In a deluge of events, information management is key, and IntruShield excelled here with simple but powerful tools for filtering alert views and drilling into specific areas. For example, IntruShield Manager let us drill down into the alerts through a variety of paths. We had more than 15,000 entries, but we could sort them by protocol, and only eight protocols carried alerts; that's a manageable starting point. After several weeks of monitoring, IntruShield had detected 33 distinct attacks, with most of the alert volume concentrated in the top 10 of those 33. Individual views could be sorted by any column, and packet capture was available and predefined for certain alerts. To read those captures you will need to install Ethereal or another protocol analyzer capable of opening pcap files.