General Monitoring and Detection Guideline

UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information (MSSEI) for devices handling covered data.  The recommendations below are provided as additional guidance for meeting the Network Monitoring requirement in MSSEI section 9.1.1.

MSSEI Requirement 9.1.1

Summary: Units must ensure network monitoring is in place to detect signs of attack, compromise, or unauthorized access.  See the full requirement (linked above) for scope, details, and implementation information.

Description of Risk

Attackers can discover and compromise covered data on devices that are not secured against vulnerabilities.

Recommendations

Intrusion Detection Systems (IDS) are automated systems that monitor and analyze network traffic and generate "alerts" in response to activity that either matches known patterns of malicious behavior or is unusual. In some cases, alerts trigger further automated processes, such as recording the suspect activity and/or scanning the computer(s) involved for signs of compromise. An IDS allows resource proprietors and custodians to respond in a timely manner to covered devices that are compromised or in imminent danger of being compromised.

IDS can be either network or host-based.  A network-based IDS monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity. A host-based IDS (HIDS) monitors the characteristics of a single host and the events occurring within that host for suspicious activity.  For more discussion on HIDS, please see the relevant section in Additional Resources.

The Information Security Office (ISO) provides a centralized, MSSEI-compliant, network-based intrusion detection program that monitors systems on the campus network. By registering as directed in the MSSEI “Annual Registration” requirement, covered devices are enrolled in additional monitoring services.  ISO alerts from the IDS program on covered devices should be responded to in a timely fashion, as defined in your system’s Incident Response Plan (see MSSEI requirement 14.2).

Off-campus Networks

In cases where covered devices are hosted outside of campus networks, such as collaborating research labs and agencies, ensure non-campus networks also maintain equivalent intrusion detection controls that follow the recommended practices below:

  1. Use industry-standard network intrusion detection system (IDS) tools to analyze signatures and network behavior for signs of attack or compromise.  See Additional Resources for examples of common IDS tools.
  2. Secure IDS components appropriately. See the Additional Resources section for further guidance.
  3. Schedule regular automated updates of detection signatures so that new and emerging threats can be detected.
  4. Capture at least the packet headers of monitored traffic and retain them for at least 7 days, for use as forensic data in the event of a possible compromise.
  5. Develop processes to send alerts on suspicious activity to the appropriate resource custodians and proprietors.
  6. Integrate incident response procedures to investigate and escalate confirmed incidents detected by the IDS.
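Practices 4 and 5 above, worked through as an added example (this is illustrative code, not part of this guideline or of any ISO tooling). It assumes the IDS emits alerts as Suricata EVE JSON lines and that header-only packet captures are rotated into dated files; the subnet-to-custodian table, the contact addresses, the signature ids and the sample log records are all constructed for illustration.

```python
# Added example, not part of the guideline above or of any UC Berkeley tooling.
# It models recommended practices 4 and 5: routing IDS alerts to the custodians
# responsible for a covered device, and enforcing a 7-day retention window on
# packet-header captures.  Alerts are assumed to arrive as Suricata EVE JSON
# lines; the custodian table, contact addresses and sample records are all
# constructed for illustration.
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed: which covered-device subnets belong to which resource custodians.
CUSTODIANS = {
    "10.20.0.0/24": ["custodian-lab-a@example.edu"],
    "10.20.1.0/24": ["custodian-lab-b@example.edu"],
}
# Constructed fallback for alerts on addresses outside every registered subnet.
DEFAULT_CONTACT = ["security-office@example.edu"]

# Constructed EVE JSON records.  Suricata uses severity 1 for the most serious
# alerts; the signature ids here are deliberately outside any public rule set.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2024-05-01T12:00:00.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.7", "dest_ip": "10.20.0.15", "dest_port": 22,
                "alert": {"signature_id": 9000001,
                          "signature": "CONSTRUCTED brute-force attempt", "severity": 1}}),
    json.dumps({"timestamp": "2024-05-01T12:00:05.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.9", "dest_ip": "10.20.1.5", "dest_port": 80,
                "alert": {"signature_id": 9000002,
                          "signature": "CONSTRUCTED informational probe", "severity": 3}}),
    json.dumps({"timestamp": "2024-05-01T12:00:06.000000+0000", "event_type": "flow",
                "src_ip": "10.20.0.15", "dest_ip": "10.20.0.1"}),
    "this line is not JSON and must be skipped rather than stop the pipeline",
]


def parse_eve_alerts(lines):
    """Return only well-formed records whose event_type is 'alert'."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupted log line must not block alert delivery
        if isinstance(record, dict) and record.get("event_type") == "alert":
            alerts.append(record)
    return alerts


def custodians_for(ip):
    """Look up the custodians whose registered subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    contacts = []
    for cidr, people in CUSTODIANS.items():
        if addr in ipaddress.ip_network(cidr):
            contacts.extend(people)
    return contacts or list(DEFAULT_CONTACT)


def route_alerts(lines, max_severity=2):
    """Build one notification per alert at or above the severity threshold
    (lower number = more severe), addressed to the covered device's custodians."""
    notifications = []
    for rec in parse_eve_alerts(lines):
        sev = rec.get("alert", {}).get("severity", 3)
        if sev > max_severity:
            continue
        dest = rec["dest_ip"]
        summary = (f"[sev {sev}] {rec['alert']['signature']} "
                   f"{rec['src_ip']} -> {dest}:{rec.get('dest_port', '?')} "
                   f"at {rec['timestamp']}")
        notifications.append({"to": custodians_for(dest), "summary": summary})
    return notifications


def captures_to_prune(capture_files, now, retain_days=7):
    """Given (filename, last-modified time) pairs for rotated header-only capture
    files, return the names older than the retention window.  Files inside the
    window are kept so they remain available as forensic data."""
    cutoff = now - timedelta(days=retain_days)
    return [name for name, mtime in capture_files if mtime < cutoff]


if __name__ == "__main__":
    for note in route_alerts(SAMPLE_EVE_LINES):
        print(note["to"], note["summary"])
    now = datetime(2024, 5, 10, tzinfo=timezone.utc)
    files = [("hdr-20240501.pcap", datetime(2024, 5, 1, tzinfo=timezone.utc)),
             ("hdr-20240508.pcap", datetime(2024, 5, 8, tzinfo=timezone.utc))]
    print("prune:", captures_to_prune(files, now))
```

The retention helper only decides which files fall outside the window; the caller deletes them. A header-only capture of the kind practice 4 asks for can be produced with tcpdump's snaplen and rotation options (for example `-s 96` with `-G` and a dated `-w` filename), so that each rotated file carries a timestamp the helper can use. The pipeline never raises on a malformed log line, because an IDS whose alert delivery stalls on bad input is itself a monitoring gap.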

Additional Resources

Securing IDS

Securing IDS components is very important because IDSs are often targeted by attackers who want to prevent the IDSs from detecting attacks or want to gain access to sensitive information in the IDSs, such as host configurations and known vulnerabilities.  IDSs are composed of several types of components, including sensors or agents, management servers, database servers, user and administrator consoles, and management networks.  All components’ operating systems and applications should be kept fully up-to-date, and all software-based IDS components should be hardened against threats.  Specific protective actions of particular importance include

  • keeping operating systems and applications fully up-to-date with the latest versions from the software vendor
  • creating separate accounts for each IDS user and administrator
  • restricting network access to IDS components
  • ensuring that IDS management communications are protected appropriately, such as by encrypting them or transmitting them over a physically or logically separate network, and
  • backing up configuration settings periodically and before applying updates, to ensure that existing settings are not inadvertently lost.

Administrators should maintain the security of the IDS components on an ongoing basis, including verifying that the components are functioning as desired, monitoring the components for security issues, performing regular vulnerability assessments, responding appropriately to vulnerabilities in the IDS components, and testing and deploying IDS updates.  

Source: NIST Guide to Intrusion Detection and Prevention Systems

Common IDS Tools

  • Suricata - Suricata is an open-source network intrusion detection and prevention system (IDS/IPS). Combining the benefits of signature-, protocol-, and anomaly-based inspection, Suricata is one of the most widely deployed IDS/IPS technologies today.
  • Zeek - Zeek is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity. It detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome.