Intrusion Detection/Prevention System Services

 

Welcome to our core business, we currently offer a wide range of services centred around IDS/IPS.

 

Security Operations Center/Centre (SOC) Development

Computer Network Defence has a solid background stretching back many years, building many Security Operations Centre's for our clients.  We have established extremely robust facilities, and where the client wishes to keep control in house, handed the facilities over to the customer with the option of us fulfilling a regular supporting role or manning the SOC's permanently for many years. The network sizes have varied considerably from less than 100 users to over 200,000. 

 

Independent SOC Assessment

If you already have a SOC in place, either in house, or as a managed service, we can provide an independent study of their capabilities both procedural and technical, identifying any weak areas from a fresh perspective. We can also exercise staff and policies by injecting benign events into the system. Escalating treat scenarios from initial reconnaissance to system compromise identifying any weaknesses in staff complacency or over zealous false positive tuning.

 

IDS/IPS Augmentation (temps)

We can provide IDS analysts at very short notice to fill a gap in your staffing levels, whether to tackle a crisis or to replace staff through sickness etc. We have in house analysts and also have a number of analysts from other organisations willing to step in on their days off. Currently all our temps are UK security cleared. Our staff can provide cover from a few hours to many months. With prior notice we will arrange for you to have a preferred Analyst who will work with you beforehand to familiarise themselves with your system and procedures. Our Clients have been blown away with both the speed of response and the quality of analyst, who are mostly consultants in their own right.

 

Vendor Agnostic IDS/IPS Selection - Security Architecture

Selecting the appropriate IDS/IPS for your network is essential and there are many factors to consider. From the ability of your staff to maintain and monitor the IDS/IPS to the nature of your network traffic and how your network operates.  Computer Network Defence IDS consultants will discuss these and many other factors, recommending various IDS/IPS products suitable to your infrastructure.  We understand that IDS/IPS forms a small part of your defence in depth security posture, we will identify gaps and recommend solutions these would also be considered as part of the criteria for vendor selection, thereby ensuring a fuly compatible security architecture.

 

IDS/IPS Evaluation

Post selection we will evaluate the selected IDS/IPS solution in situ, either in isolation or in a test situation alongside other products ensuring the compatibility with both the network and staff prior to purchase. The nature of the evaluation is focused on the operational capabilities of the IDS/IPS rather than it's technical architecture though the technical performance is covered.  Our experience has found that whilst many products are extremely fast they do not provide a great deal of value to the analyst to enable him/her to handle the incident effectively.  An analogy would be buying a Ferrari to take the family of 4 on a camping expedition.

 

IDS/IPS In-Sourcing

Managed security services are not ideal to many organisations for the monitoring of their security products, either for reasons of cost or quality of service.  Computer Network Defence Ltd will help you develop the capability either by introducing a brand new capability or in assisting the migration from managed service to in house, filling the capability gap. The level of our involvement is flexible according to your needs, we can perform the entire operation or provide supervision or guidance. The approach is modular allowing the customer to reduce our involvement as the organisation's staff become more proficient.

 

Recruitment of IDS Analysts

IDS analysts are 2 a penny,  good IDS analysts are not. From experience we have seen individuals with minimal IT experience call themselves an IDS analyst. We will help you through the onerous process of finding/selecting staff suitable for the task either from within your organisation, recruiting externally or a combination of the 2. We can source contractors, permanent staff or a hybrid mix depending on your circumstances.

 

Levels Of Analyst

  • IDS Manager - These maintain the IDS ensuring signature delivery and configuration control and optimum running of the IDS, they also carry out managerial control of the analysts.  In times of crisis they will fill the advanced analysis role.
  • Advanced Analyst/Incident Handler (Level 3) - These are practitioners that have been working on the operational front end of an IDS for many years, they are familiar with deep packet analysis as well as many operating systems, network architecture and are experienced in handling real incidents.
  • IDS Analyst (Level 2) - These are analysts that are trained and experienced in handling IDS, can work unsupervised and are capable of triaging incidents and events either in isolation or that have been passed by the IDS Operator.
  • IDS Operator (Level 1) - These are trained individuals that lack experience, they can triage events and pass events of significance to the IDS Analyst (supervisor)

 

Training IDS Analysts and Operators

We will help your organisation bring the IDS Analysts skills up to a level appropriate to the task, furthermore we can bring inexperienced but passionate IDS Operators up to the required standard through On The Job (OJT) and developing IDS training plans; selecting the best IDS and security courses from around the World to meet your budget.

 

IDS Analyst Operator Evaluation

Our experienced IDS consultants will work with you to establish the criteria against which to evaluate the Analysts/Operators.  This criteria should include  processes, product familiarity, technical competence, false positive identification, tuning, deep packet analysis and identifying pseudo attacks through their various stages.

 

IDS/IPS Tuning

Whether part of your SOC development or as an individual requirement, our staff will assist you in tuning the IDS/IPS to your environment. Once again the degree of tuning is your decision based on the investment you wish to make.  The first step is to create a signature policy where signatures are selected for inclusion, selection is based on your infrastructure, sensor positioning and security policy.  The objective is to achieve a healthy signal to noise ratio on your IDS consoles providing the analysts with sufficient low level traffic to feel for things as they start to develop whilst making high level events stand out.  At the same time the growth of the database is monitored to calculate it's size versus the data retention period required in policy.  As the signatures fire, the false positives are tuned out either within the global policy or through the development of sensor specific policies. Where the IDS/IPS permits, custom signatures are created for specific customer requirements.

 

IDS/IPS Thresholds

Some IDS have default thresholds which dictate what constitutes a particular attack.  Attackers, understanding these thresholds will try and stay below them, therefore we will reduce certain thresholds staying just above the normal network traffic level.

 

Tuning Audit

Tuning IDS/IPS is a continual process, occasionally mistakes occur resulting in events being missed through over zealous tuning or tuning to alleviate a rush of events caused through a temporary problem.  Identifying these errors retrospectively is extremely difficult.  We will perform an independent audit of the policy, verifying every omitted signature and ensuring any tuned signatures are appropriate.