Focus on IDS
Re: Ideal IDS/IPS Jun 07 2011 01:45PM
krymson gmail com
I'll take a stab!

I would say there are two sorts of audiences for IDS/IPS: Those who care and those who want it to run on its own with as little care and feeding as possible. For those that care, I'm not actually all that concerned about false positives as I think a good analyst team should always go through the manual tuning process themselves so they learn what their environment feels like, but also determine for themselves the amount of noise they want to see. Sometimes a rise or lull in noise is an indication of something strange.

Signature visibility - Essentially if there is an alert, I want to know definitively why it triggered, whether a sig or statistics or whatever. I don't want to ever guess.

Traffic visibility - I don't want to call my IPS a full content capture tool, but I would like to see complete-enough traffic captures to match up why an alert came up. As a bonus, it might be nice to manually trigger a realtime capture just to see if a system is still spewing weird things or to possibly investigate a strange endpoint.

in-line fail open - as much as possible anyway. Nothing gets an IPS further behind in software than needing black-out windows for upgrades. Security via TCP resets is lame. Auto-changing device configs to implement blocks is lame and doesn't scale with size or change. The "self-defending" network is scary.

high degree of tuning ability - Some orgs only want to see clear attacks. Some orgs have a real SOC and analysts who want to see as much as they can spend time seeing. Tuning should accommodate both sets, and be detailed enough to ignore alert X that originates from system A to system B, but still alert on everything else.

report on tuning/exceptions - Not much sucks more in an IPS than losing track of what is tuned out. If an analyst makes a mistake and ignores half your network, it would be nice to have any chance at all to see that mistake if you regularly review your configs. A change like that in too many commercial tools will be utterly lost forever. An emailed change report on every change might help (and I'm not talking only a syslog entry you then have to handle with other tools).

clear, useful automated reporting - Customizable is fine.

relatively free of bloat - A tool or feature that one customer requests and thus gets put into the tool makes for bloat and confusion and being overwhelmed for everyone else. This, to me, is the main failing of commercial security tools: So many features to appeal to every customer whim that no single customer uses even 10% of the functionality. This results in almost always being lost in the tool or feeling overwhelmed with what you're clearly not using. The same difference between a scalpel and a 100-tool swiss knife.

One wish-list item would be some pretty realtime graphs or dashboards or something that show traffic patterns. I know there were some guys working on a sniffing tool called Eve (white-dust guys who are no longer around) some time back, which had really pretty 3D visualizations for network traffic. I know I'm bending the point of an IPS into a netflow type of device, but sometimes an analyst's eyes will cross too much with 1000's of lines of alerts and logs. Sometimes, having a visual to look at not only gives managers warm fuzzies, but can offer new insight into strange things.

<- snip ->

What would we like to have in an ideal IDS/IPS system? I am not restricting the list to existing approaches such as signature based, anomaly based, statistical or specification based IDS. Just trying to get the wish list sort of. Any feedback is much appreciated.

Low false negatives - maximize detection and prevention of intrusions, detect zero day attacks, detect variations

Low false positives - don't waste analyst time

Ease of use - installation and configuration

Low resource usage - minimize resource usage, degrade gracefully when resource usage exceeds limits

High Performance - good scalability with increasing network speeds

Stability, Robustness - no crashes, and resistance to attacks against IDS

Minimal ongoing maintenance - Run with minimal human supervision

Thanks
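The two tuning points above (ignore alert X only from system A to system B, and be able to see when someone has accidentally tuned out half the network) are easy to model. The following is an added example, not code from the post or from any IDS product; the monitored range, rule fields and sample alerts are all constructed for illustration.

```python
"""Fine-grained alert suppression plus an audit of over-broad exceptions.

Added example, not code from the original post. It models two wish-list items:
ignore signature X only from host A to host B while everything else still
alerts, and a review step that catches an exception silencing half the network.
"""
import ipaddress
from dataclasses import dataclass

MONITORED_NET = ipaddress.ip_network("10.0.0.0/16")  # constructed monitored scope


@dataclass(frozen=True)
class Suppression:
    sid: int      # signature id to ignore; 0 means any signature
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation
    reason: str   # analyst's justification, kept for the change report

    def matches(self, alert):
        """Covered only when signature, source and destination all match."""
        return ((self.sid == 0 or self.sid == alert["sid"])
                and ipaddress.ip_address(alert["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(alert["dst"]) in ipaddress.ip_network(self.dst))


def filter_alerts(alerts, rules):
    """Drop alerts covered by some suppression; anything else is still surfaced."""
    return [a for a in alerts if not any(r.matches(a) for r in rules)]


def audit_suppressions(rules, max_fraction=0.25):
    """Flag rules whose src or dst silences more than max_fraction of
    MONITORED_NET, and wildcard-signature rules, so broad mistakes stay visible."""
    findings = []
    for r in rules:
        for field in ("src", "dst"):
            net = ipaddress.ip_network(getattr(r, field))
            if not net.overlaps(MONITORED_NET):
                continue  # exception is about some other address space
            covered = (MONITORED_NET.num_addresses if net.supernet_of(MONITORED_NET)
                       else net.num_addresses)
            share = covered / MONITORED_NET.num_addresses
            if share > max_fraction:
                findings.append(f"sid {r.sid}: {field} {net} covers {share:.0%} of monitored space")
        if r.sid == 0:
            findings.append(f"{r.src} -> {r.dst}: every signature suppressed ({r.reason})")
    return findings
```

Running `audit_suppressions` on every configuration change, and mailing the findings, is one concrete form of the "report on tuning/exceptions" item.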


Copyright 2010, SecurityFocus