AusCERT 2012 Day 1 : IDS too noisy, too demanding: Stratsec

IDS is nearly as ubiquitous as the firewall, yet companies are still suffering intrusions because of failed implementations, according to Shane Biggins of Stratsec.


Intrusion detection systems’ “needy and noisy” behaviour, combined with a serious, ongoing skills shortage in IT security, is turning the IDS into a box that generates alerts which are largely ignored, he told delegates to AusCERT.

Too many IDS are installed with a “box drop” mentality, followed by the heavy lifting of learning the system and configuring its rules, after which the ongoing workload becomes so great that the final role of the IDS turns out to be collecting millions of alerts that nobody watches.

“IDS are needy – they do not work out-of-the-box, you have to make rules that are a reflection of your business, and they make too much noise,” he said.

Describing his own company’s research into tools for dealing with the huge amounts of data that a typical IDS generates, Biggins said that data mining techniques developed for analysing social networks are helping to slim down the bloated alert log an IDS produces.

Biggins also noted that there’s no point, in the longer term, in insisting that all IDS analysis be handled in real time. Instead, he said, Stratsec has learned that it’s safe to “let go” of a real-time mindset.

The solution is pre-processing the huge amount of alert data an IDS generates to prioritise it and discard trivial alerts; and then giving analysts the right tools to work through and respond to the important alerts.
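As an added illustration of that pre-processing step (example code written for this page, not from the article or from Stratsec; the alert lines, rule ids, addresses and the suppression list are constructed assumptions), the following Python script drops a signature the business has tuned out, collapses repeats into one row per signature and source host, and ranks what remains by severity and fan-out so the analyst's queue is short:

```python
"""Added example, not code from the article or from Stratsec: a small IDS
alert pre-processor that drops signatures the business has tuned out,
collapses repeated alerts into one row per (signature, source) and ranks the
rest so an analyst reads the important rows first. Alert lines, rule ids and
addresses are constructed sample data in a Snort-style fast-alert format."""
import re

# Constructed sample alert log (not real traffic). Priority 1 is most severe.
SAMPLE_ALERTS = """\
05/22-09:01:02.100 [**] [1:2100001:1] SNMP public access udp [**] [Priority: 3] {UDP} 10.0.0.5:161 -> 10.0.0.9:52011
05/22-09:01:03.200 [**] [1:2100001:1] SNMP public access udp [**] [Priority: 3] {UDP} 10.0.0.5:161 -> 10.0.0.9:52012
05/22-09:01:04.300 [**] [1:2100001:1] SNMP public access udp [**] [Priority: 3] {UDP} 10.0.0.5:161 -> 10.0.0.9:52013
05/22-09:02:10.000 [**] [1:2000005:2] ICMP PING NMAP [**] [Priority: 2] {ICMP} 203.0.113.7 -> 10.0.0.9
05/22-09:02:11.000 [**] [1:2000005:2] ICMP PING NMAP [**] [Priority: 2] {ICMP} 203.0.113.7 -> 10.0.0.10
05/22-09:02:12.000 [**] [1:2000005:2] ICMP PING NMAP [**] [Priority: 2] {ICMP} 203.0.113.7 -> 10.0.0.11
05/22-09:05:00.000 [**] [1:2010937:3] ET POLICY Outbound TFTP [**] [Priority: 1] {UDP} 10.0.0.9:40000 -> 198.51.100.4:69
05/22-09:05:01.000 [**] [1:2010937:3] ET POLICY Outbound TFTP [**] [Priority: 1] {UDP} 10.0.0.9:40001 -> 198.51.100.4:69
"""

# Business-specific tuning: (sid, source host) pairs that are expected and
# therefore noise. Assumption: 10.0.0.5 is the monitoring server whose SNMP
# polling trips the SNMP rule on every cycle.
SUPPRESSIONS = {("2100001", "10.0.0.5")}

# Fast-format line: timestamp, [gid:sid:rev], message, priority, proto, src -> dst.
# Ports are optional so ICMP lines parse too.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_alerts(text):
    """Parse fast-format alert lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["prio"] = int(a["prio"])
            alerts.append(a)
    return alerts


def suppress(alerts, suppressions):
    """Discard alerts the business has explicitly tuned out."""
    return [a for a in alerts if (a["sid"], a["src"]) not in suppressions]


def aggregate(alerts):
    """Collapse alerts into one row per (sid, source), keeping the set of
    targets so a sweep across many hosts shows up as one row with fan-out.
    Timestamps are compared as strings, which is fine for a single day's log."""
    rows = {}
    for a in alerts:
        key = (a["sid"], a["src"])
        row = rows.setdefault(key, {
            "sid": a["sid"], "msg": a["msg"], "src": a["src"], "prio": a["prio"],
            "count": 0, "targets": set(), "first_seen": a["ts"], "last_seen": a["ts"],
        })
        row["count"] += 1
        row["targets"].add(a["dst"])
        row["first_seen"] = min(row["first_seen"], a["ts"])
        row["last_seen"] = max(row["last_seen"], a["ts"])
    for row in rows.values():
        row["targets"] = sorted(row["targets"])
    return list(rows.values())


def rank(rows):
    """Most severe first; within a priority, the source touching the most
    distinct targets, then the most repeated, comes first."""
    return sorted(rows, key=lambda r: (r["prio"], -len(r["targets"]), -r["count"], r["src"]))


def triage(text, suppressions=SUPPRESSIONS):
    """Full pipeline: parse, suppress tuned-out noise, aggregate, rank."""
    return rank(aggregate(suppress(parse_alerts(text), suppressions)))


if __name__ == "__main__":
    raw = parse_alerts(SAMPLE_ALERTS)
    rows = triage(SAMPLE_ALERTS)
    print(f"{len(raw)} raw alerts -> {len(rows)} rows for review")
    for r in rows:
        print(f"P{r['prio']} sid={r['sid']} {r['msg']!r} from {r['src']} x{r['count']} "
              f"targets={len(r['targets'])} {r['first_seen']}..{r['last_seen']}")
```

On the sample data the eight raw alerts become two rows: the outbound TFTP from an internal host (priority 1, repeated) sits on top, the three-host ping sweep collapses to one row beneath it, and the monitoring server's SNMP noise never reaches the analyst. The suppression table is where the "rules that reflect your business" live; it is deliberately keyed on signature and source rather than signature alone, so the same rule still fires for an unexpected host.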

“You won’t stop it getting through the door. What’s important is reducing the ‘dwell time’ that the attacker is inside,” he said.


2 Comments

Databinding a GridView in C# with ADO.NET

1

I drop a comment each time I like an article on a site or I have something to add to the conversation.

Usually it's triggered by the fire displayed in the post I browsed. And on this article AusCERT 2012 Day 1 : IDS too noisy, too demanding: Stratsec - stratsec, intrusion detection systems, IDS - CSO | The Resource for Data Security Executives. I was excited enough to leave a response ;) I do have 2 questions for you if it's okay.

Could it be simply me or does it look like a few of these responses appear as if they are written by brain dead visitors? :-P And, if you are posting on other social sites, I'd like to keep up with everything new you have to post. Could you make a list of all your public pages like your Facebook page, twitter feed, or linkedin profile?


I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.