Enterprise Intrusion Analysis, Part One
Stephen Barish 2009-04-01

We all remember the early days of intrusion-detection systems — IDS was supposed to be the silver bullet that ensured the security of our enterprises against every conceivable attack. It was the same premise that the firewall industry and the giant antivirus conglomerates were built around: Buy our product and your worries are over.

Obviously this hasn’t proven to be the case. Even though intrusion-detection systems are readily available, many organizations still don’t use them effectively. Too often the IDS sits without maintenance or updates, poorly monitored, generating alerts that are completely irrelevant to the daily work of the security staff.

The key to realizing the benefits an IDS offers is to focus less on the technology, and more on how it will be used by a security analyst. This article explores the discipline of intrusion analysis, focusing primarily on techniques to extend IDS capabilities beyond simple alert data into a tool for attack indications and warning, policy enforcement, and network defense.

Emphasize the Analyst, not the IDS

By now pretty much everyone in the security industry understands the basic ideas behind an IDS: monitor observable behavior, conduct some kind of automated test to determine if it is potentially malicious, and alert the analyst as required. While the security industry and professionals continue to seek the "Best in Class" solution to all IDS needs, the reality is there is no solution that eliminates reliance on human decision-making as part of the analysis process. Too many companies forget this, investing heavily in the infrastructure without making a comparable investment in their analytical personnel. Even large companies make the mistake of relying on the machine rather than the analyst.

From a balance-sheet perspective, it makes a weird sort of sense. On one hand, you have a capital asset you can depreciate annually, while on the other, you have a recurring expense in training. Many companies simply stop right there. The reality, however, is that a sufficiently skilled analyst can analyze network or host data with even the most rudimentary of tools. In fact, that’s how the industry got started, with tools as simple as tcpdump, SHADOW, and the early versions of Snort.
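As an added example (this is not code from the original article), the script below shows what "rudimentary tools" means in practice: raw `tcpdump -n` text contains everything needed to spot a SYN sweep once the analyst decides what to count. The capture lines are constructed for the example, and the threshold of ten distinct ports within five seconds is an arbitrary assumption, not a recommendation from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the default IPv4/TCP line format printed by `tcpdump -n`.
# Only the fields needed here (timestamp, endpoints, TCP flags) are captured.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None for lines this example does not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["ts"] = datetime.strptime(pkt["ts"], "%H:%M:%S.%f")
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def find_port_scans(lines, min_ports=10, window=timedelta(seconds=5)):
    """Flag (src, dst) pairs where one source sends bare SYNs to at least
    `min_ports` distinct destination ports within `window`.

    Returns a sorted list of (src, dst, distinct_port_count) tuples.
    Threshold and window are assumptions chosen for this example."""
    syns = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        pkt = parse_line(line)
        # Bare SYN only: "S." is the server's SYN-ACK, "." is a plain ACK.
        if pkt is None or pkt["flags"] != "S":
            continue
        syns[(pkt["src"], pkt["dst"])].append((pkt["ts"], pkt["dport"]))

    findings = []
    for (src, dst), events in syns.items():
        events.sort()
        best, start = 0, 0
        # Sliding time window over the time-ordered SYNs for this pair.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({port for _, port in events[start:end + 1]}))
        if best >= min_ports:
            findings.append((src, dst, best))
    return sorted(findings)


# Constructed sample, not a real capture: a normal SSH handshake from 10.0.0.7,
# followed by 10.0.0.5 probing twelve well-known ports in under a second.
SAMPLE_LINES = [
    "12:00:00.100000 IP 10.0.0.7.51000 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0",
    "12:00:00.100500 IP 192.168.1.10.22 > 10.0.0.7.51000: Flags [S.], seq 2, ack 2, win 65160, length 0",
    "12:00:00.101000 IP 10.0.0.7.51000 > 192.168.1.10.22: Flags [.], ack 3, win 502, length 0",
] + [
    f"12:00:01.{i * 80000:06d} IP 10.0.0.5.{40000 + i} > 192.168.1.10.{port}: "
    f"Flags [S], seq 0, win 1024, length 0"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])
]

if __name__ == "__main__":
    for src, dst, count in find_port_scans(SAMPLE_LINES):
        print(f"possible port scan: {src} -> {dst}, {count} distinct ports")
```

The point is not the detector itself, which any IDS ships as a built-in rule, but that the decision of what constitutes "interesting" (bare SYNs, distinct ports, a time window, a threshold) is the analyst's, and the tool only has to count. Real captures add noise this example ignores, such as retransmitted SYNs to the same port or IPv6 lines, which is exactly where the analyst's judgment earns its keep.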

This is one of the classic mistakes in deploying IDS: over-reliance on the technology. Whether the solution is network or host-based, whether it works on a traffic analysis, signature matching, anomaly detection, or a hybrid model, ultimately all IDS does is present data of potential interest to a human analyst.

One good model for training IDS analysts can be found in the Department of Defense’s Information Assurance Workforce Improvement Program, documented in the DoD 8570.01-M manual. This program establishes a training plan for Computer Network Defense (CND) analysts that yields an extremely effective skill set for IDS analysis, regardless of the technology used in the enterprise. Using this standard, a workforce model might look like Table 1 below.

IDS Analyst Training Program

                          Entry Level               Journeyman                Senior                    Specialist
Education & Experience    0-2 yrs in security       2-4 yrs in security       4-8 yrs in security       8-10 yrs in security
                          background in IT          6-10 yrs in IT            bachelors in CS or        broad experience in
                          no degree required        bachelors in CS or        equivalent                multiple roles
                                                    equivalent
Certifications            Network+, Security+       SSCP, GISF                GCIA, CISSP               Multiple certifications
(in first year of hire)                                                                                 from GIAC and vendors

Table 1 - A model for a security-analyst workforce

Pre-Deployment Planning

Many times companies deploy IDS too early. Before investing heavily in an IDS solution, it is a good idea to have a security program and architecture for it to operate within.

Article continued on Page 2 

Copyright 2009, SecurityFocus