AusCERT 2012 Day 1 : IDS too noisy, too demanding: Stratsec
- — 16 May, 2012 18:14
IDS is nearly as ubiquitous as the firewall, yet companies are still suffering intrusions because of failed implementations, according to Shane Biggins of Stratsec.
Intrusion detection systems’ “needy and noisy” behaviour is aligning with a serious, ongoing skills shortage in IT security to turn the IDS into a box that generates alerts which are largely ignored, he told delegates to AusCERT.
Too many IDS’ are installed with a “box drop” mentality, followed by the heavy lifting of learning the system and configuring its rules – after which, the ongoing workload becomes so great that final role of the IDS turns out to be collecting millions of alerts that nobody watches.
“IDS are needy – they do not work out-of-the-box, you have to make rules that are a reflection of your business, and they make too much noise,” he said.
Describing his own company’s research into tools to try and deal with the huge amounts of data that the typical IDS will generate, Biggins said that the development of data mining techniques for analyzing social networks is helping to slim down the bloated alert log an IDS produces.
Biggins also noted that there’s no point, in the longer term, in insisting that all IDS analysis be handled in real time. Instead, he said, Stratsec has learned that it’s safe to “let go” of a real-time mindset.
The solution is pre-processing the huge amount of alert data an IDS generates to prioritise it and discard trivial alerts; and then giving analysts the right tools to work through and respond to the important alerts.
“You won’t stop it getting through the door. What’s importance is reducing the ‘dwell time’ that the attacker is inside,” he said.