AusCERT 2012 Day 1 : IDS too noisy, too demanding: Stratsec

IDS is nearly as ubiquitous as the firewall, yet companies are still suffering intrusions because of failed implementations, according to Shane Biggins of Stratsec.

The "needy and noisy" behaviour of intrusion detection systems, combined with a serious and ongoing skills shortage in IT security, is turning the IDS into a box that generates alerts which are largely ignored, he told delegates to AusCERT.

Too many IDSes are installed with a "box drop" mentality, followed by the heavy lifting of learning the system and configuring its rules. After that, the ongoing workload becomes so great that the final role of the IDS turns out to be collecting millions of alerts that nobody watches.

“IDS are needy – they do not work out-of-the-box, you have to make rules that are a reflection of your business, and they make too much noise,” he said.

Describing his own company's research into tools for dealing with the huge amount of data a typical IDS generates, Biggins said that data mining techniques developed for analysing social networks are helping to slim down the bloated alert log an IDS produces.

Biggins also noted that there’s no point, in the longer term, in insisting that all IDS analysis be handled in real time. Instead, he said, Stratsec has learned that it’s safe to “let go” of a real-time mindset.

The solution is to pre-process the huge volume of alert data an IDS generates, prioritising it and discarding trivial alerts, and then to give analysts the right tools to work through and respond to the important alerts.
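The pre-processing Biggins describes (dropping site-specific noise, collapsing repeats, and ranking what is left, with a simple "who talks to how many hosts" fan-out feature in the spirit of the social-network analysis he mentions) can be sketched in a few dozen lines. The script below is an added example and is not Stratsec's tool or code from the talk; the alert lines are constructed in Snort/Suricata "fast" format with made-up messages and SIDs from the local-rule range, and the suppression list, the internal network and the scoring weights are assumptions a real deployment would replace with its own tuning.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts in Snort/Suricata "fast" format. SIDs are in the
# local-rule range (>= 1000000) and the messages are invented for this example.
SAMPLE_ALERTS = """\
05/15-09:12:01.100000  [**] [1:1000001:1] LOCAL WEB attack response from internal server [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 203.0.113.9:51234
05/15-09:12:02.200000  [**] [1:1000002:1] LOCAL STREAM packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.20:443 -> 10.0.0.7:40001
05/15-09:12:02.300000  [**] [1:1000002:1] LOCAL STREAM packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.20:443 -> 10.0.0.7:40002
05/15-09:12:03.000000  [**] [1:1000003:1] LOCAL SCAN inbound to MSSQL port 1433 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:44444 -> 10.0.0.11:1433
05/15-09:12:03.100000  [**] [1:1000003:1] LOCAL SCAN inbound to MSSQL port 1433 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:44445 -> 10.0.0.12:1433
05/15-09:12:03.200000  [**] [1:1000003:1] LOCAL SCAN inbound to MSSQL port 1433 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:44446 -> 10.0.0.13:1433
05/15-09:12:04.000000  [**] [1:1000004:1] LOCAL MALWARE possible C2 check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 198.51.100.77:8080
this line is not an alert and is skipped by the parser
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Parse fast-format lines into dicts; lines that do not match are dropped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["sid"] = int(a["sid"])
        a["prio"] = int(a["prio"])
        alerts.append(a)
    return alerts


# Site tuning (assumed for the example): SIDs already judged benign on this
# network, and the address space that counts as "inside".
SUPPRESSED_SIDS = {1000002}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")


def triage(alerts, suppressed=SUPPRESSED_SIDS, internal=INTERNAL_NET):
    """Collapse alerts into (sid, source) groups and rank them for an analyst."""
    groups = defaultdict(lambda: {"count": 0, "dsts": set()})
    for a in alerts:
        if a["sid"] in suppressed:          # discard the trivial, site-tuned noise
            continue
        g = groups[(a["sid"], a["src"])]
        g["count"] += 1                     # repeats collapse into one queue item
        g["dsts"].add(a["dst"])
        g["msg"], g["prio"] = a["msg"], a["prio"]
        g.setdefault("first", a["ts"])
        g["last"] = a["ts"]

    ranked = []
    for (sid, src), g in groups.items():
        fanout = len(g["dsts"])             # distinct hosts this source touched
        internal_src = ipaddress.ip_address(src) in internal
        # Priority 1 is the most severe in Snort; weights are an assumed policy:
        # severity first, then breadth of contact, then "an inside host started it".
        score = max(0, 4 - g["prio"]) * 10 + min(fanout, 10) * 2 + (15 if internal_src else 0)
        ranked.append({"sid": sid, "src": src, "msg": g["msg"], "count": g["count"],
                       "fanout": fanout, "internal_src": internal_src, "score": score,
                       "first": g["first"], "last": g["last"]})
    ranked.sort(key=lambda r: (-r["score"], r["sid"]))
    return ranked


if __name__ == "__main__":
    raw = parse_alerts(SAMPLE_ALERTS)
    queue = triage(raw)
    print(f"{len(raw)} raw alerts -> {len(queue)} items for the analyst")
    for r in queue:
        print(f"score={r['score']:3d} sid={r['sid']} src={r['src']} x{r['count']} "
              f"fanout={r['fanout']} {r['msg']}")
```

Seven raw lines become three queue items: the internal host checking in to a suspected C2 server lands on top, the external scanner's three alerts fold into one entry with a fan-out of three, and the out-of-window stream alerts never reach the analyst at all. The scoring is deliberately crude; the point is that even a fixed policy like this turns an unread log into a short, ordered queue, which is the precondition for the "let go of real time" approach described above.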

“You won’t stop it getting through the door. What’s important is reducing the ‘dwell time’ that the attacker is inside,” he said.

2 Comments

Databinding a GridView in C# with ADO.NET

1

I drop a comment each time I like an article on a site or have something to add to the conversation.

Usually it's triggered by the fire displayed in the post I browsed. And on this article, AusCERT 2012 Day 1 : IDS too noisy, too demanding: Stratsec - stratsec, intrusion detection systems, IDS - CSO | The Resource for Data Security Executives, I was excited enough to leave a response ;) I do have 2 questions for you if it's okay.
Could it be simply me or does it look like a few of these responses appear as if they are written by brain dead visitors? :-P And, if you are posting on other social sites, I'd like to keep up with everything new you have to post. Could you make a list of every one of your public pages like your Facebook page, twitter feed, or linkedin profile?
