Re: Changes in IDS Companies?
From: scottw@cylant.com
Date: 10/18/02
- Previous message: Frank Knobbe: "Re: Changes in IDS Companies?"
- In reply to: Clint Byrum: "Re: Changes in IDS Companies?"
- Next in thread: tcleary2@csc.com.au: "RE: Changes in IDS Companies?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 17 Oct 2002 18:58:16 -0700
From: scottw@cylant.com
To: Clint Byrum <cbyrum@spamaps.org>
Clint,
Excellent metaphor! The situation is actually worse. Every few
days, a new door is put in the building. This door isn't
authorized, doesn't go through the architects, doesn't get
approved; it just shows up. And the alarm company isn't called
out to install a sensor for it.
Reality is harsh.
Regards,
scottwimer
On Thu, Oct 17, 2002 at 06:16:57PM -0700, Clint Byrum wrote:
> On Thu, 2002-10-17 at 00:26, Eye Dius wrote:
> > In-Reply-To: <003101c27594$5de8e970$01000001@SecurityConscious.com>
> >
> > - snip -
> >
> > >IDS vendors have not
> > >been able to get false alarm/postive rates down to a level where
> > >organizations would trust an IDS alert to enforce network policy.
> > >
> > >Nothing I've seen or read from these new vendors gives me any reason to
> > >believe they have cured the cancer of IDS - false alarms/positives.
> >
> > What are some of the big reasons for false positives? What is preventing
> > new or existing vendors from fixing this problem?
> >
>
> This is a good question. I think we can look to other intrusion
> detection systems for the answer. By that, I mean conventional physical
> alarm systems.
>
> Typically when you add an alarm system to your building, the installer
> finds all of the possibly vulnerable points of entry, and protects those
> with peripheral sensors such as motion detectors or glass break
> detectors.
>
> After that, the installer will consult with you on any other areas of
> great interest, such as accounting, the server rooms, or maybe areas
> with precious merchandise/raw materials. These are guarded with greater
> physical barriers, such as larger doors, chain link fence, etc.
>
> Then the system is setup with schedules, to allow for the expected
> behaviors of arrivals and departures, cleaning, etc.
>
> Finally, once the system is in place, the various classes of building
> tenants, from janitors to CEOs, are informed of any changes to their
> routines if necessary.
>
> Now, when NIDS is installed, similar things happen. Sensors are placed
> in vulnerable peripheral areas of the network, i.e. outside the
> firewall, on the DMZ.. etc. And then more sensors, and maybe even the
> actual NIPS are placed around critical machines such as authentication
> servers and ERP systems.
>
> Once this is done, the IDSs are tuned to allow for normal behavior, and
> possibly any previously unknown problems are fixed. This usually
> involves walking around and removing things like Kazaa and ICQ from
> people's machines. ;)
>
> So.. wait.. this sounds like we're doing things the same way.. right?
> Well, we are. The problem is, the traditional security system is
> handling people moving through a building. People generally walk pretty
> slow, and only so many can fit in the building at one time. These people
> also probably manage to trigger false alarms once or twice a year...
> depending on how many of them there are, and how tight the system is.
>
> With NIDS and NIPS, it's like you're setting up a security system to
> monitor and control access to a building in which 10 million people work
> every day.
>
> Ok, so with that in mind.. how do we make false positives go away? Some
> things we can specify as known bad... like virus signatures and such.
> Other things just look suspicious, and we have to make a judgement call
> as to whether or not we're going to alert, or even shut down a
> connection, based on that suspicion. Now.. how to make that judgement
> call easy is anyone's guess. :-P
--
Scott M. Wimer, CTO
Cylant
www.cylant.com
121 Sweet Ave. Suite 123
Moscow, ID 83843
v. (208) 883-4892
c. (208) 850-4454
There is no Security without Control.