Re: Statistical Anomaly Analysis? (was: a bunch of things)

From: Andrew Plato (aplato@anitian.com)
Date: 03/18/02


Date: 18 Mar 2002 08:36:37 -0000
From: Andrew Plato <aplato@anitian.com>
To: focus-ids@securityfocus.com



In-Reply-To: <E80EEDF5-3A29-11D6-82D4-003065CC948C@well.com>

> The notion of disabling attacks just because they
> annoy someone is completely ridiculous. It's like
> poking your head in the sand and saying
> "no one can see me, since I can't see them!" If
> someone actually cares about the network they're
> protecting, this kind of approach to security
> should be unconscionable.

> Unfortunately, I see this attitude manifest itself
> every day when a network administrator gets a
> page, looks at the pager, then cradles it in
> the holster again and looks up, saying, "Just our
> IDS going off again..."

> And then said, "If you know your network really well
> then you can tune your IDS to look for things that
> shouldn't be happening."

Yes, in an ideal world, all IDSs would be tuned to only
detect and alert when something truly bad was
happening. And these alerts would be diligently
analyzed by a trained staff of administrators.

Unfortunately, most organizations are not running
under ideal conditions. The network is noisy, with a
lot of suspect traffic flying around. And the staff is
overworked and underskilled on the complexities of
handling IDSs.

One of the things I see is IDS systems that
become "bad software detectors." Within the first
few weeks of plugging in the IDS, the admins are
chasing down systems that are making an awful
racket on the network. For example, I have a client
that has spent the last few weeks clamoring to find all
the boxes that are sending out billions of SNMP
broadcasts. When we first plugged in the IDS, it lit up
like a Christmas tree with alerts from all over the
place.

Unfortunately, some IDS vendors and many resellers
do not stress or support the "post-IDS installation
environment." Once they get the sale and ship the
unit, you're on your own. If you call for help, they send
you through 2 or 3 levels of support twits.

Couple this with the abysmal state of most IDS
documentation and dearth of skilled IDS people...it's an
icky situation. And many network admins are already
terribly overworked. Adding another painfully complex
task to their already busy life - well, you get the idea.

From a consultant's perspective, it's tough as well.
When I help clients set up IDSs, I don't know all their
systems and what they do. And sometimes, they
won't tell you what they do. That makes it really hard
to know what is bad and what is okay. I have clients
that have a ceaseless amount of trojan scanning and
pinging on their networks. When I tell them this is bad
and should be stopped at the firewall, they shrug their
shoulders and note that they are not responsible for
the firewall so they can't stop that traffic. Okay
then...anything else I can do here? Should I scrub the
toilets on the way out?

And corporate budgets, as tight as they are, never
have room for extensive consulting help. Once the
unit is up and running and collecting alerts...the bean
counters want me out the door ASAP so I don't rack
up too much in consulting fees (and my rates are low
in comparison to my competitors).

Hopefully, as the IDS market matures, the tuning
process will get more brain-time from IDS developers
and more respect from budget planners. The way I
see it, if firms are even deploying an IDS, at least they
are moving in the right direction. Maybe it isn't tuned
just right and they are ignoring it, but at least they
have one. That is better than not having one.

Andrew Plato
President / Principal Consultant
Anitian Corporation
www.anitian.com
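Finding the boxes that are making "an awful racket" and then tuning their known-benign alerts out, while keeping everything else for analysis, is the triage the post describes. The following is an added Python example, not code from the original post or from any IDS product; it assumes Snort-style fast-alert lines, constructed here with local-range signature ids, and the hostnames, ids and threshold are illustrative.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort "fast" alert format (not from the original post).
SAMPLE_ALERTS = """\
03/18-08:36:37.100000  [**] [1:1000001:1] LOCAL SNMP broadcast [**] [Priority: 3] {UDP} 10.0.0.5:1026 -> 10.0.0.255:161
03/18-08:36:37.200000  [**] [1:1000001:1] LOCAL SNMP broadcast [**] [Priority: 3] {UDP} 10.0.0.5:1026 -> 10.0.0.255:161
03/18-08:36:37.300000  [**] [1:1000001:1] LOCAL SNMP broadcast [**] [Priority: 3] {UDP} 10.0.0.5:1026 -> 10.0.0.255:161
03/18-08:36:38.000000  [**] [1:1000001:1] LOCAL SNMP broadcast [**] [Priority: 3] {UDP} 10.0.0.5:1026 -> 10.0.0.255:161
03/18-08:36:39.000000  [**] [1:1000002:1] LOCAL trojan port probe [**] [Priority: 2] {TCP} 192.0.2.44:4321 -> 10.0.0.10:12345
03/18-08:36:40.000000  [**] [1:1000001:1] LOCAL SNMP broadcast [**] [Priority: 3] {UDP} 10.0.0.20:161 -> 10.0.0.255:161
"""

# Pulls generator id, signature id, message, protocol, source and destination out of one line.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

def parse_alerts(text):
    """Return a list of dicts, one per parseable alert line; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out

def noisy_sources(alerts, min_count=3):
    """Hosts firing the same signature at least min_count times: the
    'bad software' candidates to chase down before anything is tuned out."""
    counts = Counter((a["src"], a["sid"]) for a in alerts)
    return {k: n for k, n in counts.items() if n >= min_count}

def apply_suppressions(alerts, suppress):
    """suppress maps sid -> set of source IPs whose alerts were verified benign
    (the tuning step); every other alert is passed through for an analyst."""
    return [a for a in alerts if a["src"] not in suppress.get(a["sid"], set())]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(noisy_sources(alerts))   # {('10.0.0.5', '1000001'): 4}
    # Only the investigated host is suppressed; the second SNMP talker still surfaces.
    for a in apply_suppressions(alerts, {"1000001": {"10.0.0.5"}}):
        print(a["src"], "->", a["dst"], a["msg"])
```

Suppressing by signature and source rather than disabling the signature outright is what keeps the second SNMP talker (10.0.0.20) and the probe from 192.0.2.44 visible.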


