Re: Managed Security Providers (Who do IDS & Firewall Monitoring and Blocking)

From: Burak DAYIOGLU (dayioglu@metu.edu.tr)
Date: 01/31/02


Date: Thu, 31 Jan 2002 12:16:39 +0200
From: Burak DAYIOGLU <dayioglu@metu.edu.tr>
To: focus-ids@securityfocus.com

Misha wrote:

>>That's one of the key benefits of outsourcing security monitoring. Your
>>MSSP should be weeding out real alerts from false positives, and be able
>>to escalate the problem to you according to your security policy. Not
>>every problem needs to be escalated in real time, and there are ways to
>>tell whether an IDS alert is a false positive or not without having to
>>contact someone.
>>
And how can an MSSP distinguish between a real alert and a false positive?
It is a known fact that NIDSs generate voluminous false positives.
Furthermore, deciding whether the alert is real or a false positive
sometimes requires more than network packet trace analysis (e.g. host
configuration analysis, host software suites).

AFAIK, the only way to get a *real* MSS is that I have to hand all my
administrative access credentials to the provider, or I have to notify them
about every (even the smallest) configuration change.

-- 
Burak DAYIOGLU
Phone: +90 312 2103379      Fax: +90 312 2103333
http://www.dayioglu.net        ICQ UIN: 72276975
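The post above argues that a packet trace alone is often not enough to call an alert a false positive, and that the verdict depends on host configuration the monitoring provider may not have. The following is an added example (not code from the original post or from any MSSP) of the kind of correlation a monitoring service would have to do: it matches a NIDS alert's signature against an asset inventory for the target host and returns a verdict. Everything in it is constructed for illustration: the signature IDs, the signature-to-software mapping, the inventory records and the 30-day staleness threshold are assumptions, not real Snort SIDs or real hosts.

```python
"""Triage NIDS alerts against a host inventory.

Illustrative example with constructed data: signatures, hosts and the
staleness threshold are all assumptions made for this demonstration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    # Software the attack is only meaningful against; empty = not tied to
    # a specific product, so inventory cannot rule it out.
    affected_software: FrozenSet[str]
    affected_os: FrozenSet[str]


@dataclass(frozen=True)
class Host:
    ip: str
    os: str
    software: FrozenSet[str]
    inventory_age_days: int  # how old the last configuration snapshot is


@dataclass(frozen=True)
class Alert:
    sid: int
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed signature table (hypothetical IDs and names).
SIGNATURES: Dict[int, Signature] = {
    1001: Signature(1001, "WEB-IIS unicode directory traversal",
                    frozenset({"iis"}), frozenset({"windows"})),
    1002: Signature(1002, "SSH brute force attempt",
                    frozenset({"openssh"}), frozenset()),
    1003: Signature(1003, "EXPLOIT generic shellcode",
                    frozenset(), frozenset()),
}

# Constructed asset inventory (hypothetical hosts).
INVENTORY: Dict[str, Host] = {
    "10.0.0.5": Host("10.0.0.5", "linux", frozenset({"apache", "openssh"}), 2),
    "10.0.0.6": Host("10.0.0.6", "windows", frozenset({"iis"}), 40),
}


def triage(alert: Alert,
           inventory: Dict[str, Host] = INVENTORY,
           signatures: Dict[int, Signature] = SIGNATURES,
           max_age_days: int = 30) -> Tuple[str, str]:
    """Return (verdict, reason).

    Verdicts: "false_positive" (inventory rules the attack out),
    "escalate" (cannot be ruled out), "needs_host_review" (the inventory
    is missing or too stale to trust, so only the host owner can decide).
    """
    sig = signatures.get(alert.sid)
    if sig is None:
        return "escalate", "unknown signature id"

    host = inventory.get(alert.dst_ip)
    if host is None:
        return "needs_host_review", "no inventory record for target host"
    if host.inventory_age_days > max_age_days:
        # A config change since the last snapshot would invalidate any
        # verdict drawn from it, which is the point the post makes.
        return "needs_host_review", "inventory snapshot is stale"

    if not sig.affected_software and not sig.affected_os:
        return "escalate", "signature not tied to specific software"
    if sig.affected_os and host.os not in sig.affected_os:
        return "false_positive", f"target runs {host.os}, not {sorted(sig.affected_os)}"
    if sig.affected_software and not (sig.affected_software & host.software):
        return "false_positive", f"target does not run {sorted(sig.affected_software)}"
    return "escalate", "target runs the affected software"


if __name__ == "__main__":
    for a in (Alert(1001, "198.51.100.7", "10.0.0.5", 80),
              Alert(1002, "198.51.100.7", "10.0.0.5", 22),
              Alert(1001, "198.51.100.7", "10.0.0.6", 80),
              Alert(1003, "198.51.100.7", "10.0.0.5", 80),
              Alert(1001, "198.51.100.7", "10.0.0.9", 80)):
        print(a.sid, a.dst_ip, *triage(a))
```

The "needs_host_review" verdict is where the argument in the post lands: once the inventory is missing or older than the tolerated window, the service cannot honestly label the alert either way without either current administrative visibility into the host or a notification of every configuration change.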

