AusCERT 2012 Day 1: IDS too noisy, too demanding: Stratsec

IDS is nearly as ubiquitous as the firewall, yet companies are still suffering intrusions because of failed implementations, according to Shane Biggins of Stratsec.

Intrusion detection systems’ “needy and noisy” behaviour is aligning with a serious, ongoing skills shortage in IT security to turn the IDS into a box that generates alerts which are largely ignored, he told delegates to AusCERT.

Too many IDSs are installed with a “box drop” mentality, followed by the heavy lifting of learning the system and configuring its rules – after which the ongoing workload becomes so great that the final role of the IDS turns out to be collecting millions of alerts that nobody watches.

“IDS are needy – they do not work out-of-the-box, you have to make rules that are a reflection of your business, and they make too much noise,” he said.

Describing his own company’s research into tools to deal with the huge amounts of data that the typical IDS generates, Biggins said that data mining techniques developed for analysing social networks are helping to slim down the bloated alert log an IDS produces.

Biggins also noted that there’s no point, in the longer term, in insisting that all IDS analysis be handled in real time. Instead, he said, Stratsec has learned that it’s safe to “let go” of a real-time mindset.

The solution is to pre-process the huge volume of alert data an IDS generates so that it is prioritised and trivial alerts are discarded, and then to give analysts the right tools to work through and respond to the important alerts.
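As an added illustration of the pre-processing step described above (example code written for this page, not a tool from Stratsec or from the article): a small Python triage script that parses constructed Snort/Suricata-style “fast” format alert lines, collapses repeats by signature and source address, suppresses signatures the organisation has already classed as business-as-usual noise, and scores what remains so an analyst sees a short ranked list instead of the raw stream. The sample alert lines, the signature IDs (in the local 1000000+ range), the messages, the suppression list and the scoring weights are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort/Suricata "fast" format. Signature IDs,
# messages and addresses are made up for this example, not real captures.
SAMPLE_ALERTS = """\
05/16-10:21:33.100000  [**] [1:1000001:1] LOCAL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234
05/16-10:21:34.200000  [**] [1:1000001:1] LOCAL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51235
05/16-10:21:35.300000  [**] [1:1000002:1] LOCAL POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:44100 -> 203.0.113.9:80
05/16-10:21:36.400000  [**] [1:1000002:1] LOCAL POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:44101 -> 203.0.113.9:80
05/16-10:21:37.500000  [**] [1:1000002:1] LOCAL POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.21:44102 -> 203.0.113.9:80
05/16-10:21:38.600000  [**] [1:1000003:1] LOCAL SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51000 -> 192.168.1.10:22
05/16-10:21:38.700000  [**] [1:1000003:1] LOCAL SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51001 -> 192.168.1.11:22
05/16-10:21:38.800000  [**] [1:1000003:1] LOCAL SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51002 -> 192.168.1.12:22
05/16-10:21:39.000000  [**] [1:1000005:1] LOCAL INFO ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.40 -> 192.168.1.1
05/16-10:21:40.000000  [**] [1:1000004:1] LOCAL TROJAN Possible Malware Beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.30:49152 -> 198.51.100.200:443
"""

# One fast-format alert per line; ports are optional so ICMP alerts parse too.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Signatures the organisation has reviewed and accepted as routine noise.
# Assumed policy for the example; in practice this list is tuned per site.
SUPPRESSED_SIDS = {"1000002"}


def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines that do not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["pri"] = int(fields["pri"])
    return fields


def triage(text, suppressed=SUPPRESSED_SIDS, min_score=2):
    """Collapse raw alerts into a ranked list of work items.

    Alerts are grouped by (signature id, source address). Score starts at
    4 - priority, so Snort priority 1 scores 3 and priority 3 scores 1, and
    gains +1 when one source trips the rule against three or more distinct
    destinations (scan-like spread). Suppressed signatures and groups below
    min_score are discarded rather than shown to the analyst.
    """
    groups = defaultdict(lambda: {"count": 0, "dsts": set()})
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None or alert["sid"] in suppressed:
            continue
        g = groups[(alert["sid"], alert["src"])]
        g["count"] += 1
        g["dsts"].add(alert["dst"])
        g["msg"] = alert["msg"]
        g["pri"] = alert["pri"]

    items = []
    for (sid, src), g in groups.items():
        score = max(0, 4 - g["pri"])
        if len(g["dsts"]) >= 3:
            score += 1
        if score < min_score:
            continue
        items.append({"sid": sid, "src": src, "msg": g["msg"], "count": g["count"],
                      "targets": len(g["dsts"]), "score": score})
    # Highest score first; among equal scores, the noisiest source first.
    items.sort(key=lambda item: (-item["score"], -item["count"]))
    return items


if __name__ == "__main__":
    for item in triage(SAMPLE_ALERTS):
        print(f"score={item['score']} x{item['count']} targets={item['targets']} "
              f"{item['src']} {item['msg']} (sid {item['sid']})")
```

On the constructed sample, ten raw alerts become three work items: the SSH scan (one source against three hosts) and the priority-1 beacon at the top, the repeated attack-response alert below them, the accepted curl policy hits suppressed and the priority-3 ICMP alert dropped. The grouping and scoring are deliberately simple; the point is that the ranking and the suppression list are explicit, reviewable decisions rather than alerts silently piling up unread.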

“You won’t stop it getting through the door. What’s important is reducing the ‘dwell time’ that the attacker is inside,” he said.

Comments

Databinding a GridView in C# with ADO.NET

1

I drop a comment each time I like an article on a site or I have something to add to the conversation.

Usually it's triggered by the fire displayed in the post I browsed. And on this article, AusCERT 2012 Day 1 : IDS too noisy, too demanding: Stratsec - stratsec, intrusion detection systems, IDS - CSO | The Resource for Data Security Executives, I was excited enough to leave a response ;) I do have 2 questions for you if it's okay. Could it be simply me or does it look like a few of these responses appear as if they are written by brain dead visitors? :-P And, if you are posting on other social sites, I'd like to keep up with everything new you have to post. Could you make a list of every one of your public pages like your Facebook page, twitter feed, or linkedin profile?
