Cisco Secure Endpoint offers several protection engines which fight against threats like ransomware and zero-day.
Are you an admin looking for protection on a short to mid-term basis or beginning to roll out protection across your organisation? The best place to start is protecting your devices from attacks that are exploiting vulnerabilities of user applications and operating system, commonly known as file-less malware.
File-less malware threats are becoming more common as attackers have learned that traditional file-based malware can be easily detected. Ponemon Institute's 2017 State of Endpoint Security report said that about 77% of malware was file-less and they tend to be 10 times more successful than traditional file-based attacks.
Below are two protection engines you can use to help address these problems and protect your organization:
Malicious Activity Protection (MAP) | Enables on-disk run-time detection and blocking of abnormal behaviour on the endpoint by constantly checking for certain changes on the protected system to identify the processes that will be deemed as malicious if they demonstrate a certain set of behaviours or activities laid out in the ruleset. · Example: If the process reads, writes, and renames a set of files within a short span of time, then the rule can trigger to act on that process. However, the admin can choose that if the process reads and writes the content of a file to a different file and then deletes the original files, then the MAP engine can trigger to take a different action defined in the policy. Legitimate user applications demonstrate this behaviour such as archiving software so process exclusions (and optionally child process) to prevent Cisco Secure Endpoint from monitoring them. · Common ransomware which MAP can prevent are: SamSam, WannaCry, Jigsaw, Jaffe, Cerber, TeslaCrypt etc. · MAP also works offline so even when it is not connected to the internet, the connector will detect and respond to such threats. |
Here's a video walk through that shows how to enable MAP for your connectors:
Exploit Prevention | Defend your endpoints from memory injections attacks also commonly known as file-less attacks. · File-less attacks harness existing vulnerabilities lying in operating systems or apps. In an ideal case, you should be patching and updating these regularly but unfortunately, users typically tend to forgo these updates. · Examples of such attacks include Java exploits that use shellcode to run payload, malicious Adobe or MS Office files or any attacks on software vulnerabilities that have not been patched yet. |
Here’s where Malicious Activity Prevention and Exploit Prevention fall in the protection spectrum:
If you want to dig deeper, you can join a live Q&A session at the following Ask the Experts Sessions:
- Installation / Implementation Best Practices: Endpoint Protection
- Architecture Transformation Planning: Endpoint Protection
Review Schedule and Register
Comment on this post if you have any questions
Eric Conrad, ... Joshua Feldman, in
Eleventh Hour CISSP® (Third Edition), 2017 A network-based intrusion detection system (NIDS) detects malicious traffic on a network. NIDS usually require promiscuous
network access in order to analyze all traffic, including all unicast traffic. NIDS are passive devices that do not interfere with the traffic they monitor; Fig. 7.2 shows a typical NIDS architecture. The NIDS sniffs the internal interface of the firewall in read-only mode and sends alerts to a NIDS Management server via a different (ie, read/write) network interface.Domain 7
NIDS and NIPS
Fig. 7.2. NIDS architecture.
The difference between a NIDS and a NIPS is that the NIPS alters the flow of network traffic. There are two types of NIPS: active response and inline. Architecturally, an active response NIPS is like the NIDS in Fig. 7.2; the difference is that the monitoring interface is read/write. The active response NIPS may “shoot down” malicious traffic via a variety of methods, including forging TCP RST segments to source or destination (or both), or sending ICMP port, host, or network unreachable to source.
An inline NIPS is “in line” with traffic, acting as a Layer 3–7 firewall by passing or allowing traffic, as shown in Fig. 7.3.
Fig. 7.3. Inline NIPS architecture.
Note that a NIPS provides defense-in-depth protection in addition to a firewall; it is not typically used as a replacement. Also, a false positive by a NIPS is more damaging than one by a NIDS because legitimate traffic is denied, which may cause production problems. A NIPS usually has a smaller set of rules compared to a NIDS for this reason, and only the most trustworthy rules are used. A NIPS is not a replacement for a NIDS; many networks use both a NIDS and a NIPS.
Read full chapter
URL: //www.sciencedirect.com/science/article/pii/B9780128112489000073
Introduction to Intrusion Detection Systems
In Cisco Security Professional's Guide to Secure Intrusion Detection Systems, 2003
Network IDS
Network-based intrusion detection systems (NIDS) are devices intelligently distributed within networks that passively inspect traffic traversing the devices on which they sit. NIDS can be hardware or software-based systems and, depending on the manufacturer of the system, can attach to various network mediums such as Ethernet, FDDI, and others. Oftentimes, NIDS have two network interfaces. One is used for listening to network conversations in promiscuous mode and the other is used for control and reporting.
With the advent of switching, which isolates unicast conversations to ingress and egress switch ports, network infrastructure vendors have devised port-mirroring techniques to replicate all network traffic to the NIDS. There are other means of supplying traffic to the IDS such as network taps. Cisco uses Switched Port Analyzer (SPAN) functionality to facilitate this capability on their network devices and, in some network equipment, includes NIDS components directly within the switch. We’ll discuss Cisco’s IDS products in the next chapter.
While there are many NIDS vendors, all systems tend to function in one of two ways; NIDS are either signature-based or anomaly-based systems. Both are mechanisms that separate benign traffic from its malicious brethren. Potential issues with NIDS include high-speed network data overload, tuning difficulties, encryption, and signature development lag time. We’ll cover how IDS work and the difficulties involved with them later in this section.
Read full chapter
URL: //www.sciencedirect.com/science/article/pii/B9781932266696500215
Local Area Network Security
Pramod Pandya, in Computer and Information Security Handbook (Third Edition), 2013
10 Network Intrusion Detection System: Scope and Limitations
NIDS sensors scan network packets at the router or host level, auditing data packets and logging any suspicious packets to a log file. Fig. e16.2 is an example of an NIDS. The data packets are captured by a sniffer program, which is a part of the IDS software package. The node on which the IDS software is enabled runs in promiscuous mode. In promiscuous mode, the NIDS node captures all of the data packets on the network as defined by the configuration script. NIDSs have become a critical component of network security management because the number of nodes on the Internet has grown exponentially over the past few years. Some common malicious attacks on networks are:
Figure e16.2. An example of a network-based intrusion detection system (NIDS). LAN, local area network; NAT, Network Address Translation; OUT, external network.
•IP address spoofing
•media access control (MAC) address spoofing
Address Resolution Protocol (ARP) cache poisoning
•DNS name corruption
Read full chapter
URL: //www.sciencedirect.com/science/article/pii/B9780128038437000168
Locking Down Your XenApp Server
Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008
Network IDS
The NIDS derives its name from the fact that it monitors the entire network. More accurately, it monitors an entire network segment. Normally, a computer network interface card (NIC) operates in nonpromiscuous mode. In this mode of operation, only packets destined for the NICs specific media access control (MAC) address are forwarded up the stack for analysis. The NIDS must operate in promiscuous mode to monitor network traffic not destined for its own MAC address. In promiscuous mode, the NIDS can eavesdrop on all communications on the network segment. Operation in promiscuous mode is necessary to protect your network. However, in view of emerging privacy regulations, monitoring network communications is a responsibility that must be considered carefully.
In Figure 7.2, we see a network using three NIDS. The units have been placed on strategic network segments and can monitor network traffic for all devices on the segment. This configuration represents a standard perimeter security network topology where the screened subnets on the DMZ housing the public servers are protected by NIDS. When a public server is compromised on a screened subnet, the server can become a launching platform for additional exploits. Careful monitoring is necessary to prevent further damage.
Figure 7.2. NIDS Network
The internal host systems inside the firewall are protected by an additional NIDS to mitigate exposure to internal compromise. The use of multiple NIDS within a network is an example of a defense-in-depth security architecture.
Read full chapter
URL: //www.sciencedirect.com/science/article/pii/B978159749281200007X
Embedded security
J. Rosenberg, in Rugged Embedded Systems, 2017
2.3.1 Network intrusion-detection systems
NIDS are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. It performs an analysis of passing traffic on the entire subnet, and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator. An example of an NIDS would be installing it on the subnet where firewalls are located in order to see if someone is trying to break into the firewall. Ideally one would scan all inbound and outbound traffic, however doing so might create a bottleneck that would impair the overall speed of the network.
Read full chapter
URL: //www.sciencedirect.com/science/article/pii/B9780128024591000117
Guarding Against Network Intrusions
Thomas M. Chen, Patrick J. Walsh, in Network and System Security (Second Edition), 2014
Traffic Monitoring
Network-based IDSs typically monitor network packets for signs of reconnaissance, exploits, DoS attacks, and malware. They have strengths to complement host-based IDSs: Network-based IDSs can see traffic for a population of hosts; they can recognize patterns shared by multiple hosts; and they have the potential to see attacks before they reach the hosts.
IDSs are placed in various locations for different views, as shown in Figure 3.6. An IDS outside a firewall is useful for learning about malicious activities on the Internet. An IDS in the DMZ will see attacks originating from the Internet that are able to get through the outer firewall to public servers. Lastly, an IDS in the private network is necessary to detect any attacks that are able to successfully penetrate perimeter security.
Figure 3.6. IDSs monitoring various network zones.
Read full chapter
URL: //www.sciencedirect.com/science/article/pii/B9780124166899000034
Intrusion Prevention and Detection Systems
Christopher Day, in Computer and Information Security Handbook, 2009
11. Network-based Intrusion Prevention Systems
NIDS are designed to passively monitor traffic and raise alarms when suspicious traffic is detected, whereas network-based intrusion prevention systems (NIPS) are designed to go one step further and actually try to prevent the attack from succeeding. This is typically achieved by inserting the NIPS device inline with the traffic it is monitoring. Each network packet is inspected and only passed if it does not trigger some sort of alert based on a signature match or anomaly threshold. Suspicious packets are discarded and an alert is generated.
The ability to intervene and stop known attacks, in contrast to the passive monitoring of NIDS, is the greatest benefit of NIPS. However, NIPS suffers from the same drawbacks and limitations as discussed for NIDS, such as heavy reliance on static signatures, inability to examine encrypted traffic, and difficulties with very high network speeds. In addition, false alarms are much more significant due to the fact that the NIPS may discard that traffic even though it is not really malicious. If the destination system is business or mission critical, this action could have significant negative impact on the functioning of the system. Thus, great care must be taken to tune the NIPS during a training period where there is no packet discard before allowing it to begin blocking any detected, malicious traffic.
Read full chapter
URL: //www.sciencedirect.com/science/article/pii/B9780123743541000182