The threat landscape continues to expand as both the frequency and the financial impact of cyber security incidents increase. As a result, traditional host-based security evolves to counter new attack vectors and types of infections. On rare occasions however, two separate, independently evolving technologies can come together in a way that benefits both – and so it is, with host-based intrusion detection systems (IDS) and the cloud.
Great applied technology typically needs enabling partner technology, and it will struggle to make headway until that partner appears. For decades, Intrusion Detection System (IDS) technology struggled to deliver efficient, high quality intrusion monitoring, and is only now experiencing success with the arrival of an unintentional enabling partner technology – cloud computing.
To truly appreciate why companies like Threat Stack point to the Cloud as a watershed event in their corner of the software industry, one must push past the hype and worn platitudes about “the Cloud with a capital C.” The reality is that it is the side effects that have caused such a large impact, like cost of operation as a function of scaled purchasing power and the forcing of software-only solutions.
This has certainly been felt in intrusion detection systems (IDS). They have traditionally been deployed as network hardware devices enabled by access to the network infrastructure, but are struggling to find relevance in a world where the traditional network boundary no longer exists.
Tuning your IDS ruleset to limit false positive alerts and silence non-applicable rules is a critical part of running any competent IDS security strategy. Despite that fact, we’ve always been surprised at how difficult distributing, maintaining, synchronizing, and tuning an efficient set of rules can be.
More mature security shops have had to solve this problem, so they’ve turned to many of the great community and paid tools that are out there. We have seen sophisticated teams leverage everything from popular configuration management tools such as Puppet or Chef, to relying on bash scripts that utilize rsync or SCP to synchronize rules files and configurations across sensors. At the end of the day, none of these solutions are ideal as they still require manual effort and create a system operations expertise barrier to rules tuning.