IDS mailing list archives
Re: Changes in IDS Companies?
From: scottw () cylant com
Date: Thu, 17 Oct 2002 18:58:16 -0700
Clint,

Excellent metaphor! The situation is actually worse. Every few days, a new door is put in the building. This door isn't authorized, doesn't go through the architects, doesn't get approved; it just shows up. And the alarm company isn't called out to install a sensor for it.

Reality is harsh.

Regards,
scottwimer

On Thu, Oct 17, 2002 at 06:16:57PM -0700, Clint Byrum wrote:
> On Thu, 2002-10-17 at 00:26, Eye Dius wrote:
> - snip -
> > IDS vendors have not been able to get false alarm/positive rates down to a level where organizations would trust an IDS alert to enforce network policy. Nothing I've seen or read from these new vendors gives me any reason to believe they have cured the cancer of IDS: false alarms/positives.
> >
> > What are some of the big reasons for false positives? What is preventing new or existing vendors from fixing this problem?
>
> This is a good question. I think we can look to other intrusion detection systems for the answer. By that, I mean conventional physical alarm systems.
>
> Typically, when you add an alarm system to your building, the installer finds all of the possibly vulnerable points of entry and protects those with peripheral sensors such as motion detectors or glass-break detectors. After that, the installer will consult with you on any other areas of great interest, such as accounting, the server rooms, or maybe areas with precious merchandise/raw materials. These are guarded with greater physical barriers, such as larger doors, chain-link fence, etc. Then the system is set up with schedules to allow for the expected behaviors of arrivals and departures, cleaning, etc. Finally, once the system is in place, the various classes of building tenants, from janitors to CEOs, are informed of any changes to their routines if necessary.
>
> Now, when NIDS is installed, similar things happen. Sensors are placed in vulnerable peripheral areas of the network, i.e. outside the firewall, on the DMZ, etc. And then more sensors, and maybe even the actual NIPS, are placed around critical machines such as authentication servers and ERP systems. Once this is done, the IDSes are tuned to allow for normal behavior, and possibly any previously unknown problems are fixed. This usually involves walking around and removing things like Kazaa and ICQ from people's machines. ;)
>
> So... wait... this sounds like we're doing things the same way, right? Well, we are. The problem is, the traditional security system is handling people moving through a building. People generally walk pretty slowly, and only so many can fit in the building at one time. These people also probably manage to trigger false alarms once or twice a year, depending on how many of them there are and how tight the system is. With NIDS and NIPS, it's like you're setting up a security system to monitor and control access to a building in which 10 million people work every day.
>
> Ok, so with that in mind, how do we make false positives go away? Some things we can specify as known bad, like virus signatures and such. Other things just look suspicious, and we have to make a judgement call as to whether or not we're going to alert, or even shut down a connection, based on that suspicion. Now, how to make that judgement call easy is anyone's guess. :-P
--
Scott M. Wimer, CTO
Cylant
www.cylant.com
121 Sweet Ave., Suite 123
Moscow, ID 83843
v. (208) 883-4892
c. (208) 850-4454
There is no Security without Control.