AusCERT 2012 Day 1 : IDS too noisy, too demanding: Stratsec

IDS is nearly as ubiquitous as the firewall, yet companies are still suffering intrusions because of failed implementations, according to Shane Biggins of Stratsec.

Intrusion detection systems' "needy and noisy" behaviour is combining with a serious, ongoing skills shortage in IT security to turn the IDS into a box that generates alerts which are largely ignored, he told delegates to AusCERT.

Too many IDSs are installed with a "box drop" mentality, followed by the heavy lifting of learning the system and configuring its rules; after that, the ongoing workload becomes so great that the final role of the IDS turns out to be collecting millions of alerts that nobody watches.

"IDS are needy – they do not work out-of-the-box, you have to make rules that are a reflection of your business, and they make too much noise," he said.

Describing his own company's research into tools for dealing with the huge amounts of data a typical IDS generates, Biggins said that data mining techniques developed for analyzing social networks are helping to slim down the bloated alert log an IDS produces.

Biggins also noted that there's no point, in the longer term, in insisting that all IDS analysis be handled in real time. Instead, he said, Stratsec has learned that it's safe to "let go" of a real-time mindset.

The solution is pre-processing the huge amount of alert data an IDS generates to prioritise it and discard trivial alerts; and then giving analysts the right tools to work through and respond to the important alerts.

"You won't stop it getting through the door. What's important is reducing the 'dwell time' that the attacker is inside," he said.
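The pre-processing step described above (discard the trivial alerts, prioritise the rest, track dwell time) as an added Python example; it is not Stratsec's tooling or code from the talk. It parses constructed Snort-style "fast" alert lines, drops suppressed and low-priority signatures, collapses repeats into one incident per signature and source, and ranks the incidents by severity, dwell time and volume. The signature IDs, addresses and the `suppressed_sids`/`min_priority` parameters are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed Snort-style "fast" alert lines (sample data, not from the talk).
SAMPLE_ALERTS = """\
05/21-09:00:01.000000  [**] [1:2000334:9] ET P2P BitTorrent peer sync [**] [Priority: 3] {TCP} 10.0.0.33:6881 -> 198.51.100.7:6881
05/21-09:00:02.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 203.0.113.9:40000 -> 10.0.0.20:22
05/21-09:00:03.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 203.0.113.9:40001 -> 10.0.0.21:22
05/21-09:00:04.000000  [**] [1:2000334:9] ET P2P BitTorrent peer sync [**] [Priority: 3] {TCP} 10.0.0.33:6881 -> 198.51.100.8:6881
05/21-09:05:00.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 10.0.0.20:80 -> 203.0.113.9:40100
05/21-11:30:00.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 10.0.0.20:80 -> 203.0.113.9:40200
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\S*\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d)\]\s+\{\w+\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)

def parse_alerts(text, year=2012):
    """Parse fast-format lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            a["ts"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S")
            a["prio"] = int(a["prio"])
            alerts.append(a)
    return alerts

def triage(alerts, suppressed_sids=frozenset(), min_priority=2):
    """Discard trivial alerts (suppressed signatures, or priority numerically worse
    than min_priority; Snort priority 1 is the most severe), collapse repeats into
    one incident per (signature, source) and rank by severity, dwell time, volume."""
    incidents = {}
    for a in alerts:
        if a["sid"] in suppressed_sids or a["prio"] > min_priority:
            continue  # known business noise or informational: never reaches an analyst
        inc = incidents.setdefault((a["sid"], a["src"]), {
            "sid": a["sid"], "msg": a["msg"], "prio": a["prio"], "src": a["src"],
            "count": 0, "targets": set(), "first": a["ts"], "last": a["ts"]})
        inc["count"] += 1
        inc["targets"].add(a["dst"])
        inc["first"], inc["last"] = min(inc["first"], a["ts"]), max(inc["last"], a["ts"])
    for inc in incidents.values():
        # Dwell time: how long this source has been tripping this signature, in minutes.
        inc["dwell_min"] = (inc["last"] - inc["first"]).total_seconds() / 60
    return sorted(incidents.values(), key=lambda i: (i["prio"], -i["dwell_min"], -i["count"]))
```

On the six sample lines the two informational P2P alerts are dropped and the rest collapse to two incidents, with the priority-1 source that has been active for 145 minutes ranked first.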


Copyright © 2012 IDG Communications, Inc.
