
Project 7: Create Anomaly Detection Capabilities

Signature-based technologies alone do not provide the level of detection that organizations require. When a signature is released for a particular malware program, it's similar to releasing a description of a criminal suspect.

All of the signature-based technologies (antivirus, etc.) are looking for a male with brown hair and brown eyes who is wearing a blue shirt. However, if a slightly different version of that malware program is introduced into the environment that doesn't exactly match the description, it will not be quarantined or reported.

In this case, the suspect could be a male with brown hair and brown eyes who is wearing a red shirt. The malware still has the same function; it has just slightly altered its appearance.

This is where anomaly detection comes into play. By looking for abnormal patterns in system, application, and network activity, it can detect malicious activity, and do so with a much smaller set of data.

It will catch the new malware (the man in the red shirt) because a large number of machines are attempting to send large amounts of data to a domain such as "www.yourhaxored.com". Some examples of anomaly detection systems are:

• Honeypots

• Security Information and Event Management (SIEM) solutions

• Threat management systems based upon anomaly analysis and behavioral testing
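The "man in the red shirt" case above (many machines pushing large amounts of data to one unfamiliar domain) is the kind of pattern a simple fan-in detector can surface without any signature. The following is an added example, not code from the original article; the log format, the host names, the domains other than www.yourhaxored.com, and the byte counts are all constructed, and the thresholds (`min_hosts`, `factor`) are assumptions to tune per environment.

```python
from collections import defaultdict
from statistics import median

# Constructed sample outbound-proxy log (not real traffic): timestamp, source host,
# destination domain, bytes sent. Six hosts each push ~5 MB to one unusual domain.
SAMPLE_LOG = """\
2024-01-01T09:00:01 host-01 www.example-mail.com 1200
2024-01-01T09:00:05 host-02 www.example-mail.com 1500
2024-01-01T09:01:10 host-03 cdn.example-updates.net 48000
2024-01-01T09:02:00 host-04 www.example-news.org 2200
2024-01-01T09:03:00 host-01 www.yourhaxored.com 5200000
2024-01-01T09:03:02 host-02 www.yourhaxored.com 4900000
2024-01-01T09:03:04 host-03 www.yourhaxored.com 5100000
2024-01-01T09:03:06 host-04 www.yourhaxored.com 5300000
2024-01-01T09:03:08 host-05 www.yourhaxored.com 5000000
2024-01-01T09:03:10 host-06 www.yourhaxored.com 5050000
"""

def parse_log(text):
    """Parse whitespace-separated lines into (src_host, dst_domain, bytes_out)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines rather than crash the detector
        _ts, src, dst, nbytes = fields
        records.append((src, dst, int(nbytes)))
    return records

def profile_destinations(records):
    """Per destination: number of distinct source hosts and total bytes sent."""
    hosts, total = defaultdict(set), defaultdict(int)
    for src, dst, nbytes in records:
        hosts[dst].add(src)
        total[dst] += nbytes
    return {dst: (len(hosts[dst]), total[dst]) for dst in hosts}

def find_fan_in_anomalies(records, min_hosts=5, factor=10.0):
    """Flag destinations many hosts contact that also get far more bytes/host than typical."""
    profile = profile_destinations(records)
    if not profile:
        return []
    per_host = {dst: total / n for dst, (n, total) in profile.items()}
    baseline = median(per_host.values())  # what "normal" looks like in this log
    anomalies = [{"dst": dst, "hosts": n, "bytes": total}
                 for dst, (n, total) in profile.items()
                 if n >= min_hosts and per_host[dst] >= factor * baseline]
    return sorted(anomalies, key=lambda a: a["bytes"], reverse=True)

if __name__ == "__main__":
    for a in find_fan_in_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ANOMALY {a['dst']}: {a['hosts']} hosts sent {a['bytes']} bytes")
```

Note that the baseline is computed from the same log window it inspects; in production you would build it from a longer history so that one busy day does not mask itself.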

Using anomaly-based technologies is one of the most effective ways to monitor your environment. These solutions can vary drastically in price and should be evaluated before purchase.

Don't forget to include funding for the security team to get training on installation, administration, and backups of the solution.
