The 2017 Ponemon Cost of Data Breach Study from IBM recently reported that the average data breach costs organizations $3.62 million, approximately $141 per lost or stolen record. Their research indicates that the average size of a breach has increased by 1.8%, the equivalent of 24,000 records per breach.
That being said, malicious activity can be very serious for a number of reasons in addition to cost and should be investigated promptly. For those working in a larger organization, handling a lot of traffic, or those with a small security team, being constantly on the lookout for threats is simply not enough. That’s where an intrusion detection and prevention system such as Snort from Cisco comes in.
You can provide tremendous value to your organization by learning how to manage this technology and stop threats in their tracks. By doing so, you can prevent damage and optimize your security strategy for future threats.
What is an Intrusion Detection/Intrusion Prevention System (IDS/IPS)?
An IPS is an active system that sits on the network, intercepts and analyzes network traffic, and stops anything deemed malicious. An installed intrusion prevention system is able to actively block any intrusions it detects. For example, an IPS can drop malicious packets or block the traffic from an offending IP address. An IDS, by contrast, is a passive system; it doesn’t stop network traffic, but instead raises alerts and sends messages if something happens.
“Broadly speaking, an intrusion prevention system can be said to include any product or practice used to keep attackers from gaining access to your network, such as firewalls and anti-virus software.”
IPS and IDS appliances can be either behavior based or signature based, and either network based or host based. It’s good to have a combination of components for maximum network security.
What is Snort?
Created in 1998 by Martin Roesch, the founder of Sourcefire and chief security architect at Cisco, Snort is defined by Cisco as “an open-source, rule-based, intrusion detection and prevention system. It combines the benefits of signature-, protocol-, and anomaly-based inspection methods to deliver flexible protection from malware attacks.”
According to Cisco’s count, Snort has over 4 million downloads and over 500,000 registered users, making it the most widely deployed intrusion prevention system in the world.
What sets Snort apart?
Many will know Snort for its ability to detect threats at incredibly high speeds, a necessary function in today’s rapidly changing technology landscape, where threats can pop up at a moment’s notice.
Additionally, it is recognized for providing rapid response, offering greater accuracy, and being an adaptable system.
For more advanced options, you may choose to extend your Snort investment through a partnership with Cisco along one of three paths. These involve the Cisco Intrusion Agent, Cisco Intrusion Prevention System (IPS) solutions, and the next-generation intrusion prevention system (NGIPS).
What are some of the features of Snort?
Some of the most notable features of Snort include its ease of installation and use, quick detection, and cost effectiveness. Those who can customize their IDS will reap a number of benefits and gain insight into their networks like they’d never imagined.
“With Snort, rules are powerful, flexible and relatively easy to write, so new rules to detect the latest malware are often written by the Snort community within hours of an outbreak. Add one to your local or experimental rules file, restart Snort, and you're well on your way to detecting, containing and eliminating any infestation that makes it past your other layers of security.”
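As an added illustration (not part of the original post or of any Cisco rule set), here is what a pair of local rules might look like in Snort 2.x syntax: the first only alerts, as an IDS would, and the second drops the matching traffic when Snort runs inline as an IPS. The messages, SIDs, thresholds and the suppressed address are constructed for this example; `$EXTERNAL_NET` and `$HOME_NET` are the variables defined in `snort.conf`.

```snort
# local.rules (constructed example; SIDs of 1,000,000 and above are for local rules)

# IDS behaviour: raise an alert once a single source has sent more than five
# SSH client banners to the protected network within 60 seconds.
# The traffic itself is not interrupted.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL repeated inbound SSH connections"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:misc-activity; sid:1000001; rev:1;)

# IPS behaviour: the same match, but the packet is dropped and logged.
# This only takes effect when Snort runs inline (for example, started with -Q);
# in passive mode Snort cannot block anything.
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL repeated inbound SSH connections (blocked)"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:misc-activity; sid:1000002; rev:1;)

# threshold.conf (constructed example): stop alerting on a known-good source,
# such as an internal automation host, to cut false positives for rule 1000001.
# 192.0.2.10 is a documentation address used as a placeholder.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10
```

Running the alert-only rule first and reviewing what it matches before enabling the drop variant is the usual way to avoid blocking legitimate traffic.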
What is Snort used for?
Snort has three primary functions. First and foremost, it is used as a network intrusion detection and prevention system. It can also be used as a packet sniffer, a tool that intercepts data flowing in a network, and as a packet logger, a tool that makes copies of the packets transmitted in a network. The difference between a packet logger and a packet sniffer is that the logger only records the data, whereas the sniffer interprets it.
“These features allow for various types of useful security analysis to be performed, including closer examination of the contents of potential attacks, live traffic sampling or ongoing security events, and historical data on past network events.”
Why should I learn Snort?
For organizations that need an added layer of security, implementing an IDS/IPS may seem like a no-brainer, but properly utilizing these devices takes a good amount of customization to your specific network. Otherwise, the system will disrupt the flow of traffic and report a high number of false positives/negatives. That being said, there is also the question of which IDS/IPS to use in the first place. Familiarity with one of the more common IDS/IPS products provides you with a great advantage.
In addition to knowing the strengths and weaknesses of a product like Snort, knowing how to install, manage, and customize an IDS/IPS can provide a critical piece of the enterprise defense strategy. Imagine being the one responsible for this aspect at your organization.
Cybrary Resources for Learning IDS/IPS
Currently, Cybrary offers an IDS/IPS micro course that will help you learn ‘intrusion’ basics in under an hour. To earn your micro cert, take the exam at the end of the free course. Use code OBLOG50 for half off your exam.
If you want to work with Snort hands-on, check out the NEW Cyberscore Network Essentials Bundle, which features labs like ‘Using Snort and Wireshark to Analyze Traffic.’
Intrusion detection and prevention are major components of a layered security strategy. Learning to utilize this technology to enhance the corporate security environment in any capacity can provide a unique advantage as a security professional. Whether you’re hoping to enter a security role, or are interested in deploying Snort for your current company, you will find a thorough knowledge to be useful.