Intrusion Detection System (IDS)

Accelerate Your Threat Detection and Response with a Complete Set of Security Technologies

AnchorPoint Integrated Threat Response for AWS

Intrusion Detection Systems for Any Environment

Get intrusion detection for your network that enables you to inspect traffic between devices, not just at the edge. As part of the AnchorPoint ITR service, our Security Engineers can also correlate events from your existing IDS/IPS into a single console for complete network visibility while preserving your investments.

Network Intrusion Detection System (NIDS)

Catch threats targeting your vulnerable systems with signature-based detection, anomaly detection, and protocol analysis. Identify the latest attacks, malware infections, system compromise techniques, policy violations, and other exposures.

Host-based Intrusion Detection System (HIDS) and File Integrity Monitoring (FIM)

Analyze system behavior and configuration status to track user access and activity. Detect potential security exposures such as system compromise, modification of critical configuration files (e.g. registry settings, /etc/passwd), common rootkits, and rogue processes.


Deploys in Less Than One Hour

Sign up and get started with AnchorPoint Integrated Threat Response quickly. Start seeing actionable alarms in less than one hour.

Integrated SIEM Correlation

More than 2,000 correlation directives (and growing) to alert you to the most important threats.

Always Vigilant

Our SOC automatically receives new IDS signatures and updates correlation directives for the latest threats.

Works with Other IDS

AnchorPoint’s Security Engineers will help you forward IDS and IPS event logs from your existing devices to the ITR Sensor for event correlation.

Quickly View Threats in the Dashboard

We utilize the Kill Chain Taxonomy to highlight the most important threats facing your network and the anomalies you should investigate. You can easily see the types of threats directed against your network and when known bad actors have triggered an alarm.

Attack Intent & Strategy

The Kill Chain Taxonomy breaks out threats into five categories, allowing you to understand the intent of the attacks and how they’re interacting with your network and assets:

  • System Compromise – Behavior indicating a compromised system.
  • Exploitation & Installation – Behavior indicating a successful exploit of a vulnerability or backdoor/RAT being installed on a system.
  • Delivery & Attack – Behavior indicating an attempted delivery of an exploit.
  • Reconnaissance & Probing – Behavior indicating an actor attempting to discover information about your network.
  • Environmental Awareness – Behavior indicating policy violations, vulnerable software, or suspicious communications.

External Known Bad Actors

Alarms and events associated with known Indicators of Compromise (IoCs) are highlighted throughout our reports. This allows you to prioritize security events that contain data linked to malicious activity.

Reduced Noise

Correlating IDS/IPS data with multiple security tools reduces false positives and increases accuracy of alarms.

Complete Threat Evidence

See attack type, number of events, duration, source and destination IP addresses, and more.

Automatic Notifications

AnchorPoint will set up email notifications and implement phone messaging services such as SMS.

Workflow Management

Our SOC will generate tickets for alarms based on our service-level agreement, or you can manage your own ticket delegation. You have access to our built-in ticketing system; if you prefer to use an external ticketing system, we will help with the integration.


Respond to Threats Faster

Accelerate your response work by reviewing consolidated threat details provided by the AnchorPoint SOC. Exclusively for AnchorPoint Integrated Threat Response (ITR) customers.

Event Details

We’ll show you the directive event, the individual event(s) that triggered the directive event, and the correlation level of the directive rule.

Here are examples of the visibility you get as an AnchorPoint ITR customer:

  • Normalized event
  • SIEM information
  • Reputation of source and destination IP addresses
  • Knowledge base about the event
  • Payload of the packet triggering the event

Leverage Our Powerful Analytics Capabilities to Uncover Threat and Vulnerability Details

We Search SIEM Events

The AnchorPoint Security Analysts also conduct their own ad hoc analysis. For example, we will search the SIEM database for events that came from the same host as the offending traffic that triggered an alarm.

  • We look at events stored in the database
  • We use filters to help us find more granular data
  • Our SOC Analysts can sort by event name, IP address, and more


We Check Assets and Vulnerabilities

AnchorPoint’s Security Analysts search your asset inventory for assets involved in an alarm. Integrated vulnerability assessment scans indicate whether an attack is relevant by identifying vulnerable operating systems, applications, and services on the targeted asset.

  • Our Security Analysts can show you all reported alarms and events by asset
  • We can modify your mitigation / remediation strategy based on presence of threats targeting vulnerable systems
  • With AnchorPoint ITR, reported vulnerabilities are correlated with malicious traffic so that attacks against vulnerable assets rise to the top
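The two ideas described above, a correlation directive that chains individual events into a directive event with a rising correlation level (the Event Details section), labels the result with a Kill Chain Taxonomy category, and then weights it by whether the targeted asset is actually vulnerable, can be shown in a few dozen lines. The block below is an added example, not AnchorPoint's correlation engine or its directive format; the event tuples, the directive definition, the asset inventory and the risk formula are all constructed for illustration.

```python
"""Added example (not AnchorPoint's own code): a minimal correlation
directive that chains constructed NIDS events from one source into a
directive alarm, raising the correlation level at each matched stage,
labels it with a kill-chain category, and adjusts the risk using a
constructed asset/vulnerability inventory."""
from dataclasses import dataclass, field
from typing import Dict

# Constructed NIDS events (not real sensor output). Shape is an assumption
# modelled on a normalized event: (timestamp_s, src, dst, signature_name).
EVENTS = [
    (100, "203.0.113.9", "10.0.0.5", "ET SCAN Nmap Scripting Engine"),
    (130, "203.0.113.9", "10.0.0.5", "ET WEB_SERVER Possible CVE-2014-6271 Attempt"),
    (145, "203.0.113.9", "10.0.0.5", "ET TROJAN Perl/Shellbot IRC Command"),
    (150, "198.51.100.7", "10.0.0.6", "ET SCAN Nmap Scripting Engine"),
]

# Constructed directive: stages are (keyword in signature, kill-chain category)
# and must be matched in order, from the same source, within `window` seconds.
DIRECTIVE = {
    "name": "Web exploit followed by C2 callback",
    "window": 600,
    "stages": [
        ("SCAN", "Reconnaissance & Probing"),
        ("CVE-", "Delivery & Attack"),
        ("TROJAN", "System Compromise"),
    ],
}

# Constructed asset inventory: dst IP -> CVE IDs a vulnerability scan reported there.
ASSET_VULNS = {"10.0.0.5": {"CVE-2014-6271"}, "10.0.0.6": set()}


@dataclass
class Alarm:
    directive: str
    src: str
    dst: str
    level: int                 # correlation level = number of stages matched so far
    category: str              # kill-chain category of the last matched stage
    events: list = field(default_factory=list)
    risk: int = 0


def correlate(events, directive, asset_vulns):
    """Return {src: Alarm} for every source that completes at least one stage."""
    alarms: Dict[str, Alarm] = {}
    for ts, src, dst, sig in sorted(events):
        alarm = alarms.get(src)
        next_stage = 0 if alarm is None else alarm.level
        if next_stage >= len(directive["stages"]):
            continue                      # directive already fully matched for this source
        keyword, category = directive["stages"][next_stage]
        if keyword not in sig:
            continue
        if alarm is not None and ts - alarm.events[0][0] > directive["window"]:
            continue                      # outside the correlation window: do not chain
        if alarm is None:
            alarm = Alarm(directive["name"], src, dst, 0, category)
            alarms[src] = alarm
        alarm.level += 1
        alarm.category = category
        alarm.events.append((ts, sig))
    for alarm in alarms.values():
        alarm.risk = score(alarm, asset_vulns)
    return alarms


def score(alarm, asset_vulns):
    """Constructed risk formula: base risk is the correlation level, doubled
    when a triggering signature names a CVE the scanner reported on the target."""
    cves = asset_vulns.get(alarm.dst, set())
    if any(cve in sig for _, sig in alarm.events for cve in cves):
        return alarm.level * 2
    return alarm.level


if __name__ == "__main__":
    for a in correlate(EVENTS, DIRECTIVE, ASSET_VULNS).values():
        print(f"{a.src} -> {a.dst}: level {a.level} ({a.category}), risk {a.risk}")
```

The scanner from 203.0.113.9 walks all three stages and ends at "System Compromise" with doubled risk because the target really is exposed to the CVE the exploit signature names; the second scanner only reaches level 1 against a host with no reported findings, which is the noise reduction the page describes.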


We Inspect Packet Captures

AnchorPoint’s SOC team uses integrated packet capture functionality to capture interesting traffic for offline analysis. Our analysts inspect packets with tshark, but you can download the capture as a PCAP file and view it with the tool of your choice.

  • We set a capture timeout
  • We select the number of packets to capture
  • We choose the source and destination IP addresses to capture


We Examine Raw Logs

Our team searches for any raw logs that are related to activity reported by an alarm. For example, we look for logs that are related to the source IP address that was reported in the alarm.

  • Raw logs are digitally signed for evidentiary purposes
  • We can filter by time range and search pattern
  • We can always export raw logs as a text file
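The three bullets above (signed raw logs, filtering by time range and pattern, text export) can be demonstrated together. The block below is an added example, not AnchorPoint's log store; it signs each constructed syslog-style line with an HMAC chained to the previous line's tag, refuses to search a log whose chain does not verify, and then filters by time range, IP and regex. The key, the line format and the chaining scheme are assumptions made for the example.

```python
"""Added example (not AnchorPoint's own code): raw log lines are stored with
an HMAC-SHA256 tag per line, chained to the previous tag so that edits,
deletions and reordering are detectable; a search then filters verified
lines by time range, IP address and regex, and exports matches as text."""
import hashlib, hmac, re
from datetime import datetime

KEY = b"demo-only-signing-key"   # assumption: held by the SOC, never on the monitored host

# Constructed syslog-style lines (not real logs).
RAW_LINES = [
    "2024-05-01T10:00:01Z sshd[811]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    "2024-05-01T10:00:04Z sshd[811]: Failed password for root from 203.0.113.9 port 51236 ssh2",
    "2024-05-01T10:05:30Z sshd[900]: Accepted publickey for ops from 10.0.0.20 port 40000 ssh2",
    "2024-05-01T11:30:00Z sshd[950]: Accepted password for root from 203.0.113.9 port 51300 ssh2",
]


def sign_lines(lines, key=KEY):
    """Return [(line, tag)] where tag = HMAC(key, previous_tag || line)."""
    out, prev = [], b""
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        out.append((line, tag))
        prev = tag.encode()
    return out


def verify_lines(signed, key=KEY):
    """True only if every tag is valid in sequence (no edits, drops or reorders)."""
    prev = b""
    for line, tag in signed:
        expect = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, tag):
            return False
        prev = tag.encode()
    return True


def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def search(signed, start, end, ip=None, pattern=None):
    """Filter signed lines by ISO-8601 time range, an exact IP, and a regex."""
    if not verify_lines(signed):
        raise ValueError("log signature chain invalid; do not treat as evidence")
    t0, t1 = _parse_ts(start), _parse_ts(end)
    hits = []
    for line, _ in signed:
        ts = _parse_ts(line.split(" ", 1)[0])
        if not (t0 <= ts <= t1):
            continue
        # word boundaries so 10.0.0.2 does not match 10.0.0.20
        if ip and not re.search(r"\b" + re.escape(ip) + r"\b", line):
            continue
        if pattern and not re.search(pattern, line):
            continue
        hits.append(line)
    return hits


def export_text(lines):
    """Export matches as plain text, one line each."""
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    signed = sign_lines(RAW_LINES)
    print(export_text(search(signed, "2024-05-01T10:00:00Z", "2024-05-01T12:00:00Z",
                             ip="203.0.113.9", pattern=r"Accepted")))
    tampered = [(ln.replace("root", "guest"), tag) for ln, tag in signed]
    print("tampered log verifies:", verify_lines(tampered))
```

Chaining each tag to its predecessor means a line cannot be altered, removed from the middle, or swapped with another without breaking every later tag; it does not by itself reveal that the newest lines were truncated, so a real evidentiary store also records the final tag (or a count) out of band.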


Getting Started with AnchorPoint ITR for Intrusion Detection

Network Intrusion Detection System

The network intrusion detection system (NIDS) component available in AnchorPoint’s Integrated Threat Response service is deployed and configured by our Security Engineers.

Some key benefits of NIDS are:

  • Does not require an agent on the host, so it has no impact on the performance of hosted applications
  • Because a NIDS sensor listens passively on a mirror port or tap and has no address on the monitored segment, an attacker cannot easily target the sensor itself (evading its detection logic, for example with encryption or fragmentation, is a separate concern)
  • A single NIDS sensor can monitor traffic from many devices when it is placed where their traffic passes, for example on a switch mirror port or a tap
  • Works in many different network architectures and can easily be moved to a different location

Host Intrusion Detection System

The host intrusion detection system (HIDS) component available with AnchorPoint’s Integrated Threat Response service is simple to set up.

Here’s what our Security Engineers will do:

1. Build an agent in our Security Operations Center (SOC).
2. Deploy the HIDS agent to the target system, either automatically from AnchorPoint’s back-end console, or by manually downloading and installing it.
3. Change the configuration file on the agent to specify the files, folders, and registry keys that you would like monitored.
4. Verify HIDS operations by looking at the HIDS events.
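Step 3 above (a configuration listing the files and folders to watch) and the file integrity monitoring described in the HIDS/FIM section earlier on this page come down to the same mechanism: record a baseline of each watched file's hash and mode, rescan, and report what changed. The block below is an added example of that mechanism, not the AnchorPoint agent or its configuration format; the config shape and the host tree it builds are constructed, and it assumes a Linux or macOS host, so registry keys are not covered.

```python
"""Added example (not AnchorPoint's HIDS agent): a file-integrity monitor
that baselines the paths listed in a small constructed config, then reports
files that were modified (content or permissions), added or deleted."""
import hashlib, os, tempfile
from pathlib import Path

# Assumed config shape: directories (recursive) and single files to watch, relative to a root.
CONFIG = {"directories": ["etc"], "files": ["app/config.ini"]}


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stat_tuple(p: Path):
    """Content hash plus permission bits and size, so a bare chmod is also caught."""
    st = p.stat()
    return (file_digest(p), oct(st.st_mode & 0o777), st.st_size)


def baseline(root: Path, config) -> dict:
    """Map relative path -> (sha256, mode, size) for every watched file."""
    entries = {}
    for d in config["directories"]:
        for p in (root / d).rglob("*"):
            if p.is_file():
                entries[str(p.relative_to(root))] = stat_tuple(p)
    for f in config["files"]:
        p = root / f
        if p.is_file():
            entries[str(p.relative_to(root))] = stat_tuple(p)
    return entries


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Build a constructed host tree, baseline it, tamper with it, and rescan."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "app").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "app" / "config.ini").write_text("[db]\npassword=secret\n")
    before = baseline(root, CONFIG)
    # Constructed tampering: extra uid-0 account, deleted file, new preload file, chmod only
    (root / "etc" / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
    (root / "etc" / "hosts").unlink()
    (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")
    os.chmod(root / "app" / "config.ini", 0o777)
    return compare(before, baseline(root, CONFIG))


if __name__ == "__main__":
    print(demo())
```

Recording the permission bits alongside the hash is what lets the scan flag config.ini even though its contents did not change; a real agent would also keep the baseline somewhere the monitored host cannot rewrite it, otherwise an attacker who gains root can simply re-baseline.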

Some key benefits of HIDS are:

  • Host-based IDS sensors tend to be easier to deploy, since installation usually involves only running an installer on the host.
  • Unlike network-based sensors, HIDS does not require mirroring traffic and has no impact on the network.
  • Host-based intrusion detection can log verbose application activity, providing security visibility at the application layer.
  • With HIDS, you can run file (and, on Windows, registry) integrity scans to spot tampering with sensitive or essential files.
  • Only a host-based sensor has the on-host visibility needed to detect rootkit and other malware installations directly on your servers and workstations; a NIDS can at best see their network traffic.