Tapping IDS for automated incident response

By Sam Stover, Network World
October 17, 2005 12:04 AM ET

This month Guidance Software will release its Automated Incident Response Suite (AIRS), add-on software that runs on top of the company's EnCase Enterprise forensic product. AIRS monitors intrusion-detection system events and performs automated incident-response tasks based on the nature of those events.

We saw a demonstration of AIRS beta code and found that the automation will help a junior-level investigator who needs to be presented with just enough information to make an escalation decision. However, veteran IDS and incident-response folks may become frustrated with the limited view of information provided.

The base functionality, referred to as "taking a snapshot," is a subset of what can be accomplished with the Enterprise Sweep feature in EnCase Enterprise. Security administrators define thresholds and filters on IDS events that trigger AIRS to automatically take a snapshot of the target system. In its first iteration, AIRS will support Internet Security Systems' SiteProtector and the open source program Snort.

Because an AIRS snapshot gathers only a subset of what Enterprise Sweep gathers, the benefit of AIRS lies in its automation and Web presentation, not in the depth of data collected. When profiles are being built, EnCase Enterprise users will feel at home, as the screens look similar, but there are fewer snapshot modules from which to choose.

The administrator must specifically define what information will be collected via an AIRS snapshot before the snapshot is taken, as AIRS does not dynamically determine what to gather. Different profiles can be built for event severity levels defined by the IDS vendor. In addition, the administrator has the ability to configure the profile explicitly to the system and its configuration. For example, Windows-specific modules would not be enabled in the snapshot profile for a Linux system.

The work underlying this process is done by two EnScripts (scripted programs, in Guidance Software parlance). The first queries the IDS database via Open Database Connectivity (ODBC); MySQL, PostgreSQL and Microsoft SQL Server are supported today, with Oracle support on the company's road map. AIRS can use Secure Shell or SSL to encrypt the connection between itself and the IDS database. Once the IDS event data has been retrieved, the first EnScript populates a separate EnCase database on the AIRS server. The second EnScript monitors that database and triggers snapshots as needed. The snapshot results are then presented to the administrator via a Web-based interface.

Filtering is arguably the most important aspect of this tool, because many corporate IDS environments generate hundreds of thousands, if not millions, of IDS events each day. The trick is in setting up the AIRS filters. If they are not properly configured, AIRS could automatically query any number of systems on the EnCase-monitored network, creating a huge amount of network traffic and masses of snapshot data to sift through.
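To make the two-script flow and the filtering problem concrete, here is an added example. It is not Guidance Software code and is not written in EnScript; it is a Python re-creation of the same pipeline, with an in-memory SQLite table standing in for the MySQL, PostgreSQL or MS SQL alert database that AIRS reaches over ODBC. The Snort-style alerts, the asset inventory, the snapshot profiles, the module names and the thresholds are all constructed for illustration. It shows what the filter actually decides: a tight filter queues snapshots for two hosts, a loose one queues every host with an EnCase servlet, which is the flood the paragraph above warns about.

```python
"""Toy stand-in for the two AIRS EnScripts: load IDS alerts into a separate
table, apply threshold filters in SQL, and map triggered hosts to a per-OS,
per-severity snapshot profile. Added example; all names are hypothetical."""
import sqlite3
from dataclasses import dataclass

# Constructed Snort-style alerts: (src_ip, dst_ip, signature, priority).
# Snort priority 1 is the most severe.
SAMPLE_EVENTS = [
    ("10.0.0.5", "192.168.1.10", "SHELLCODE x86 NOOP", 1),
    ("10.0.0.5", "192.168.1.10", "NETBIOS SMB-DS IPC$ share access", 2),
    ("10.0.0.6", "192.168.1.20", "WEB-ATTACKS /bin/sh access", 1),
    ("10.0.0.6", "192.168.1.20", "WEB-MISC /etc/passwd access", 2),
    ("10.0.0.7", "192.168.1.20", "ICMP PING NMAP", 3),
    ("10.0.0.8", "192.168.1.30", "ICMP PING NMAP", 3),
    ("10.0.0.8", "192.168.1.30", "ICMP PING NMAP", 3),
    ("10.0.0.8", "192.168.1.30", "ICMP PING NMAP", 3),
    ("10.0.0.9", "192.168.1.40", "SHELLCODE x86 NOOP", 1),
    ("10.0.0.5", "192.168.1.50", "SHELLCODE x86 NOOP", 1),
    ("10.0.0.5", "192.168.1.50", "NETBIOS SMB-DS IPC$ share access", 2),
]

# Hypothetical inventory: only hosts with an EnCase servlet can be snapshotted.
HOST_OS = {"192.168.1.10": "windows", "192.168.1.20": "linux",
           "192.168.1.30": "windows", "192.168.1.40": "linux"}

# Hypothetical snapshot profiles, keyed by OS and then by the worst priority seen.
# Windows-only modules never appear in the Linux profile, as the article describes.
PROFILES = {
    "windows": {1: ["processes", "open_ports", "loaded_dlls", "registry_run_keys", "users"],
                2: ["processes", "open_ports"]},
    "linux":   {1: ["processes", "open_ports", "kernel_modules", "cron", "users"],
                2: ["processes", "open_ports"]},
}


@dataclass(frozen=True)
class AlertFilter:
    max_priority: int       # keep alerts whose priority is <= this value
    min_hits: int           # require this many kept alerts per destination host
    ignore_sigs: frozenset  # noisy signatures that never justify a snapshot


def load_events(conn, events):
    """First EnScript, in miniature: copy IDS rows into the separate AIRS table."""
    conn.execute("CREATE TABLE IF NOT EXISTS event "
                 "(src_ip TEXT, dst_ip TEXT, sig_name TEXT, priority INTEGER)")
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", events)
    conn.commit()


def select_targets(conn, flt):
    """Second EnScript, in miniature: apply the filter in SQL and return
    (dst_ip, hits, worst_priority) for every host that crosses the threshold."""
    sigs = sorted(flt.ignore_sigs)
    placeholders = ",".join("?" * len(sigs)) or "''"   # one '?' per ignored signature
    sql = ("SELECT dst_ip, COUNT(*) AS hits, MIN(priority) AS worst FROM event "
           f"WHERE priority <= ? AND sig_name NOT IN ({placeholders}) "
           "GROUP BY dst_ip HAVING COUNT(*) >= ? "
           "ORDER BY worst, hits DESC, dst_ip")
    return conn.execute(sql, [flt.max_priority, *sigs, flt.min_hits]).fetchall()


def build_snapshot_jobs(targets, host_os=HOST_OS, profiles=PROFILES):
    """Map each triggered host to the modules its profile allows. Hosts outside
    the EnCase inventory cannot be snapshotted, so they are reported separately
    rather than silently dropped."""
    jobs, unmonitored = {}, []
    for dst_ip, hits, worst in targets:
        os_name = host_os.get(dst_ip)
        if os_name is None:
            unmonitored.append(dst_ip)
            continue
        tier = 1 if worst == 1 else 2
        jobs[dst_ip] = {"os": os_name, "hits": hits, "worst_priority": worst,
                        "modules": profiles[os_name][tier]}
    return jobs, unmonitored


def run(events, flt):
    """End to end: ingest, filter, and build the snapshot queue."""
    conn = sqlite3.connect(":memory:")
    load_events(conn, events)
    return build_snapshot_jobs(select_targets(conn, flt))


if __name__ == "__main__":
    tight = AlertFilter(max_priority=2, min_hits=2,
                        ignore_sigs=frozenset({"ICMP PING NMAP"}))
    jobs, unmonitored = run(SAMPLE_EVENTS, tight)
    for ip, job in jobs.items():
        print(f"snapshot {ip} ({job['os']}, worst={job['worst_priority']}): {job['modules']}")
    print("triggered but not EnCase-monitored:", unmonitored)
```

Run it as is to see the tight filter queue 192.168.1.10 and 192.168.1.20; swap in `AlertFilter(max_priority=3, min_hits=1, ignore_sigs=frozenset())` and every inventoried host is queued, including the one whose only traffic was NMAP pings. The host at 192.168.1.50 trips the filter in both cases but is not in the inventory, so it is listed for the analyst instead of being lost.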
