[ISN] Network-based IDS are about to stop crying wolf

From: mea culpa (jerichoat_private)
Date: Fri Apr 09 1999 - 23:19:42 PDT


    Thursday, April 8, 1999, 4:33 PM ET.
    Security Mandate: Silence False Alarms

    Network-based intrusion detection systems are about to stop crying wolf.
    Often, these systems deliver such a high number of false positives--which
    classify an action as an intrusion when it may be legitimate--that
    computer operators ignore intrusion alarms altogether. Several network
    security vendors are responding with products that do a better job of
    filtering out false alarms from actual attacks.
    Network Associates Inc. (NAI) this week unveiled a real-time intrusion
    detection system that correlates network- and host-based events to give IT
    managers a comprehensive view of system activity. CyberCop Monitor is a
    core component of NAI's new Active Security product line. Meanwhile, Axent
    Technologies, Cisco and Internet Security Systems (ISS) plan to deliver
    improved event correlation and filtering by year's end.

    The improvements take intrusion detection to the next level, as more
    companies use the high-tech burglar alarms to identify attacks from
    outsiders as well as insiders.

    IT managers looking for ways to reduce false-positive alarms cited the
    need for better event correlation.

    Robert Kondilas, a security manager at carrier Qwest Communications, which
    uses ISS's RealSecure system, noted that a correlation engine lets IT
    administrators manage more end points in the network with fewer people.

    Alan Paller, director of The SANS Institute, a training and consulting
    firm, said, "The huge load of not-very-important alarms has caused a
    complete shift in the way people do network-based ID." He added that,
    initially, organizations think they can use intrusion detection tools to
    set off a beeper when an attack is under way, but they soon discover that
    the beeper goes off so often that they can't possibly respond to every
    The false-positive problem is generally confined to network-based
    intrusion detection systems that monitor network packets for IP spoofing
    and packet-flooding attacks, rather than the host-based systems that
    monitor PC, server and firewall logs for suspicious activity.

    For example, an intrusion detection system may confuse port scans from a
    network management tool such as Hewlett-Packard's OpenView--which employs
    SNMP-based polling and ICMP requests to discover network topology, status
    and configuration--with hacker attacks, if it is not properly tuned,
    experts said.

    Kondilas has seen his share of false positives. He recalled a recent
    incident where the intrusion detection system appeared to be picking up
    NetBus traffic. (NetBus is a Windows remote-control trojan that gives an
    attacker unauthorized access to the machine it is installed on.) Closer
    analysis of the data, however, revealed that a machine was transmitting
    legitimate data, according to Kondilas.

    To avoid being overwhelmed by false alarms, IT managers at Qwest are
    documenting each false positive. By recording exactly what is happening in
    the network at the time an alarm triggered, operators can determine if
    similar events in the future are false alarms, he said.
    Since network- and host-based systems each have strengths and weaknesses,
    some vendors are providing hybrid systems that deliver the best of both

    For example, NAI's CyberCop Monitor dredges data from Windows NT event
    logs or logs from other key applications, in addition to monitoring
    network traffic coming into a server with the more classic network
    signature technique, said Gene Hodges, vice president of security product
    management at NAI.

    If there is fragmentation of network traffic, organizations can determine
    if the cause is a hacker or a bad router, and they also can look into the
    event log to see if there is suspicious activity, Hodges said.
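    The two practices the article describes above, tuning out the documented
    false positives (the OpenView discovery traffic, Qwest's record of each
    false alarm) and then corroborating what remains against host event logs
    before anyone is paged (the CyberCop Monitor approach), fit together in
    one small triage pass. The Python below is an added example written for
    this page; it is not code from NAI, ISS, Axent, Cisco or Qwest. The
    signature names, addresses, host names, NT event IDs, the five-minute
    correlation window and the tuning entries are all constructed sample data.

```python
"""Added example: tune out documented false positives, then corroborate
what remains against host event logs before anyone is paged.
Everything here (signature names, addresses, hosts, log entries, the
correlation window) is constructed sample data, not vendor code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class NetAlert:
    ts: datetime
    sig: str   # signature name as the network sensor reports it
    src: str
    dst: str


@dataclass(frozen=True)
class HostEvent:
    ts: datetime
    host: str
    event_id: int   # NT 4.0 security log ID; 529 = logon failure, 539 = lockout
    detail: str


# Documented false positives, one narrow entry per (signature, src, dst)
# pattern with the reason recorded at the time, as Qwest does. Suppress only
# the signature the management station legitimately trips, never every
# alert from that source: a compromised NMS would otherwise go dark.
TUNING = [
    ("ICMP_SWEEP", "10.0.0.5", "10.0.1.*", "OpenView ICMP discovery from the NMS"),
    ("SNMP_SCAN",  "10.0.0.5", "10.0.1.*", "OpenView SNMP polling from the NMS"),
]
SUSPICIOUS_EVENTS = {529, 539}                       # assumed set; extend per site
ASSETS = {"10.0.1.9": "FS1", "10.0.1.10": "WEB1"}    # constructed inventory


def documented_fp(alert, tuning=TUNING):
    """Return the recorded reason if the alert matches a tuning entry, else None."""
    for sig, src, dst, reason in tuning:
        if (fnmatchcase(alert.sig, sig) and fnmatchcase(alert.src, src)
                and fnmatchcase(alert.dst, dst)):
            return reason
    return None


def host_evidence(alert, host_events, window=timedelta(minutes=5), assets=ASSETS):
    """Suspicious host-log events on the alert's target within +/- window."""
    host = assets.get(alert.dst)
    if host is None:            # no agent on that box: no evidence either way
        return []
    return [e for e in host_events
            if e.host == host and e.event_id in SUSPICIOUS_EVENTS
            and abs(e.ts - alert.ts) <= window]


def triage(alerts, host_events, tuning=TUNING):
    """Label each alert 'suppressed', 'corroborated' or 'uncorroborated'."""
    results = []
    for a in alerts:
        reason = documented_fp(a, tuning)
        if reason is not None:
            results.append((a, "suppressed", reason))
            continue
        evidence = host_evidence(a, host_events)
        results.append((a, "corroborated" if evidence else "uncorroborated", evidence))
    return results


T0 = datetime(1999, 4, 8, 16, 0)
ALERTS = [                                   # constructed sensor output
    NetAlert(T0, "ICMP_SWEEP", "10.0.0.5", "10.0.1.7"),
    NetAlert(T0 + timedelta(seconds=30), "SNMP_SCAN", "10.0.0.5", "10.0.1.9"),
    NetAlert(T0 + timedelta(minutes=2), "NETBUS_CONNECT", "192.0.2.44", "10.0.1.9"),
    NetAlert(T0 + timedelta(minutes=3), "IP_FRAG_OVERLAP", "198.51.100.3", "10.0.1.10"),
]
HOST_EVENTS = [                              # constructed NT event-log records
    HostEvent(T0 + timedelta(minutes=3), "FS1", 529, "Logon failure: Administrator"),
    HostEvent(T0 + timedelta(minutes=4), "FS1", 539, "Account locked out: Administrator"),
    HostEvent(T0 - timedelta(hours=2), "WEB1", 529, "Logon failure: bob"),   # too old
]


def verdicts(results):
    """Just the labels, in alert order."""
    return [v for _, v, _ in results]


if __name__ == "__main__":
    for a, verdict, evidence in triage(ALERTS, HOST_EVENTS):
        print(f"{a.ts:%H:%M:%S} {a.sig:16} {a.src:>13} -> {a.dst:<10} {verdict}")
        for e in (evidence if isinstance(evidence, list) else []):
            print(f"    host {e.host} event {e.event_id}: {e.detail}")
```

    Two caveats a practitioner would add: "uncorroborated" means only that
    the host agent saw nothing in the window, not that the traffic was benign
    (the fragmented traffic in the example might still be a bad router or a
    probe against a host with no agent), and every tuning entry should carry
    the reason and date it was added so it can be revisited, since the
    management station it exempts is itself a target.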
    Both Axent and ISS introduced hybrid systems last year. ISS RealSecure can
    pull information from multiple network sensors and systems agents to track
    activity across a range of devices and systems. But that information is
    being sent to management consoles. ISS wants to add even more intelligence
    to the network.

    The company plans to unveil a RealSecure fusion engine that can correlate
    events from multiple intrusion detection engines placed strategically
    throughout a network, said Mark Wood, an ISS product manager.

    Axent and Cisco are both working to fine-tune the ability to describe
    attack signatures.

    As in the case of antivirus software, network-based intrusion detection
    systems look for known attack patterns in packets sent across the network,
    matching them against signatures in a database.

    Axent plans to unveil a version of its NetProwler system that incorporates
    technology from ID-Trak, a tool the company obtained through its
    acquisition of Internet Tools earlier this year, said Scott Gordon,
    director of intrusion detection. ID-Trak lets users customize signatures
    to meet specific network requirements.

    The product also will benefit from tighter integration with the
    IntruderAlert engine, Axent's host-based system, he added.

    Fine-tuning attack signatures is a short-term solution for Cisco, which
    offers the NetRanger system, according to Joseph Sirrianni, a product
    marketing engineer.

    "We're constantly improving signatures because certain ones trigger false
    positives," he added. Cisco, however, declined to name which NetRanger
    signatures specifically trigger false alarms.

    "We're looking at ways of integrating certain correlation techniques," he
    said. The fruit of that labor should be incorporated in the product over
    the next six months, he added.
    However, some experts said false positives can be reduced if users get a
    better understanding of the intrusion detection systems.

    "It's more an issue of deployment," said Mike Hagger, vice president of
    network security and disaster recovery at investment company Oppenheimer
    "You have to know what you're trying to validate and track, and have the
    right people analyze the data," said Hagger, who uses ISS's RealSecure.

    Pete Cafarchio, technology program manager at the International Computer
    Security Association, recommends that users don't turn on alarming
    features until the intrusion detection system is up and running for 30
    days. By that time, they should have a better understanding of how the
    system works, he added.

    In the future, network-based intrusion detection systems also can benefit
    from a technique called anomaly detection, which is more common in
    host-based systems, according to Cafarchio.

    Anomaly detection helps IT managers establish a baseline of normal user
    activity so they can set up filters that trigger alerts if that activity
    changes. For instance, they might monitor a person accessing certain
    information at a certain time of the week. The problem with this technique
    is that people can deviate from normal activity, Cafarchio said.
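    Cafarchio's baseline-then-alert idea, and his objection that people
    legitimately deviate from their pattern, can be shown concretely. The
    Python below is an added example for this page, not code from ICSA or any
    vendor named above: it learns, per user, the (weekday, hour) slots and the
    resources seen during a learning period of the 30 days the article
    recommends, then scores later records. A single deviating feature (working
    late, covering for a colleague) is only noted; an alert needs two
    deviations at once. The user names, resources, dates and the two-feature
    threshold are constructed assumptions.

```python
"""Added example: per-user baseline of normal access, then scoring of new
records against it. Users, resources, dates and the two-feature threshold
are constructed assumptions, not anything from the article's vendors."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_baseline(records):
    """records: iterable of (ts, user, resource). Returns, per user, the set of
    (weekday, hour) slots and the set of resources seen in the learning period."""
    base = defaultdict(lambda: {"slots": set(), "resources": set()})
    for ts, user, resource in records:
        base[user]["slots"].add((ts.weekday(), ts.hour))
        base[user]["resources"].add(resource)
    return dict(base)


def score(record, baseline):
    """Count how many features of one record deviate from the user's baseline."""
    ts, user, resource = record
    profile = baseline.get(user)
    if profile is None:                  # never seen during learning: full deviation
        return 2, ["no baseline for user"]
    reasons = []
    if (ts.weekday(), ts.hour) not in profile["slots"]:
        reasons.append("unusual time of week")
    if resource not in profile["resources"]:
        reasons.append("resource never accessed before")
    return len(reasons), reasons


def evaluate(records, baseline, alert_at=2):
    """One deviating feature is only noted (people work late, or stand in for
    a colleague); an alert needs alert_at deviations in the same record."""
    out = []
    for r in records:
        n, reasons = score(r, baseline)
        verdict = "alert" if n >= alert_at else ("note" if n else "ok")
        out.append((r, verdict, reasons))
    return out


# Constructed learning set: alice works weekdays, 30 days from Mon 1999-03-08.
START = datetime(1999, 3, 8)
LEARNING = [
    (START + timedelta(days=d, hours=h), "alice", res)
    for d in range(30)
    if (START + timedelta(days=d)).weekday() < 5
    for h in (9, 11, 14, 16)
    for res in ("payroll", "hr-share")
]
# Constructed records from after the learning period.
NEW = [
    (datetime(1999, 4, 8, 11), "alice", "payroll"),      # Thursday, usual hour
    (datetime(1999, 4, 8, 19), "alice", "payroll"),      # working late: note only
    (datetime(1999, 4, 10, 2), "alice", "finance-db"),   # Sat 02:00 + new resource
    (datetime(1999, 4, 8, 11), "bob", "payroll"),        # nobody learned bob
]


def verdicts(results):
    """Just the labels, in record order."""
    return [v for _, v, _ in results]


if __name__ == "__main__":
    base = build_baseline(LEARNING)
    for (ts, user, res), verdict, reasons in evaluate(NEW, base):
        print(f"{ts:%a %H:%M} {user:6} {res:11} {verdict:5} {', '.join(reasons)}")
```

    The threshold is where Cafarchio's objection lives: set alert_at to 1 and
    every late evening becomes a page; leave it at 2 and an attacker who
    keeps to the victim's usual hours and usual shares is invisible to this
    check alone, which is why the article treats anomaly detection as a
    complement to signatures rather than a replacement.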

    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:22:07 PDT