http://www.internetwk.com/story/INW19990408S0009
Thursday, April 8, 1999, 4:33 PM ET

Security Mandate: Silence False Alarms
By RUTRELL YASIN

Network-based intrusion detection systems are about to stop crying wolf. Often, these systems deliver such a high number of false positives--which classify an action as an intrusion when it may be legitimate--that computer operators ignore intrusion alarms altogether.

Several network security vendors are responding with products that do a better job of filtering out false alarms from actual attacks. Network Associates Inc. (NAI) this week unveiled a real-time intrusion detection system that correlates network- and host-based events to give IT managers a comprehensive view of system activity. CyberCop Monitor is a core component of NAI's new Active Security product line. Meanwhile, Axent Technologies, Cisco and Internet Security Systems (ISS) plan to deliver improved event correlation and filtering by year's end.

The improvements take intrusion detection to the next level, as more companies use the high-tech burglar alarms to identify attacks from outsiders as well as insiders. IT managers looking for ways to reduce false-positive alarms cited the need for better event correlation. Robert Kondilas, a security manager at carrier Qwest Communications, which uses ISS's RealSecure system, noted that a correlation engine lets IT administrators manage more end points in the network with fewer people.

Alan Paller, director of The SANS Institute, a training and consulting firm, said, "The huge load of not-very-important alarms has caused a complete shift in the way people do network-based ID." He added that, initially, organizations think they can use intrusion detection tools to set off a beeper when an attack is under way, but they soon discover that the beeper goes off so often that they can't possibly respond to every alarm.
The false-positive problem is generally confined to network-based intrusion detection systems that monitor network packets for IP spoofing and packet-flooding attacks, rather than the host-based systems that monitor PC server and firewall logs for suspicious activity. For example, an intrusion detection system that is not properly tuned may confuse port scans from a network management tool such as Hewlett-Packard's OpenView--which employs SNMP-based polling and ICMP requests to discover network topology, status and configuration--with hacker attacks, experts said.

Kondilas has seen his share of false positives. He recalled a recent incident where the intrusion detection system appeared to be picking up NetBus traffic. (NetBus is a hacker program that can be used to gain unauthorized access to network servers.) Closer analysis of the data, however, revealed that a machine was transmitting legitimate data, according to Kondilas.

To avoid being overwhelmed by false alarms, IT managers at Qwest are documenting each false positive. By recording exactly what is happening in the network at the time an alarm triggered, operators can determine if similar events in the future are false alarms, he said.

Since network- and host-based systems each have strengths and weaknesses, some vendors are providing hybrid systems that deliver the best of both worlds. For example, NAI's CyberCop Monitor dredges data from Windows NT event logs or logs from other key applications, in addition to monitoring network traffic coming into a server with the more classic network signature technique, said Gene Hodges, vice president of security product management at NAI. "If there is fragmentation of network traffic, organizations can determine if the cause is a hacker or a bad router, and they also can look into the event log to see if there is suspicious activity," Hodges said. Both Axent and ISS introduced hybrid systems last year.
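The two practices described above, a knowledge base of documented false positives and correlation of network alerts with host event logs, can be sketched as a small triage routine. This is an added example, not code from the article or from any vendor product mentioned; the alerts, host events, hosts, signature names and the five-minute correlation window are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed knowledge base: (source host, signature) -> why it was benign.
# Here a management station runs an OpenView-style SNMP/ICMP discovery sweep.
DOCUMENTED_FALSE_POSITIVES = {
    ("10.1.1.5", "PORT_SCAN"): "network management station: SNMP/ICMP discovery",
}

# Constructed network sensor alerts: (time, source, destination, signature).
NETWORK_ALERTS = [
    ("1999-04-08 09:00:00", "10.1.1.5", "10.1.2.20", "PORT_SCAN"),
    ("1999-04-08 09:05:00", "192.0.2.44", "10.1.2.20", "NETBUS_CONNECT"),
    ("1999-04-08 09:30:00", "192.0.2.45", "10.1.2.21", "NETBUS_CONNECT"),
]

# Constructed host-side event log entries: (time, host, message).
HOST_EVENTS = [
    ("1999-04-08 09:05:30", "10.1.2.20", "new service installed: Patch"),
]

FMT = "%Y-%m-%d %H:%M:%S"


def triage(alerts, documented, host_events, window=timedelta(minutes=5)):
    """Return (alert, verdict) pairs: suppress documented false positives,
    mark alerts corroborated by a host event on the target within `window`,
    and leave everything else for an analyst to review."""
    verdicts = []
    for alert in alerts:
        when, src, dst, sig = alert
        reason = documented.get((src, sig))
        if reason:
            verdicts.append((alert, "suppressed: " + reason))
            continue
        t0 = datetime.strptime(when, FMT)
        hits = [msg for (t, host, msg) in host_events
                if host == dst and abs(datetime.strptime(t, FMT) - t0) <= window]
        if hits:
            verdicts.append((alert, "corroborated: " + "; ".join(hits)))
        else:
            verdicts.append((alert, "unconfirmed: review or document as benign"))
    return verdicts


def record_false_positive(documented, alert, reason):
    """The documentation step: once an analyst confirms an alert was benign,
    store it so identical future events are suppressed automatically."""
    _, src, _, sig = alert
    documented[(src, sig)] = reason
    return documented
```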
ISS RealSecure can pull information from multiple network sensors and systems agents to track activity across a range of devices and systems. But that information is being sent to management consoles. ISS wants to add even more intelligence to the network. The company plans to unveil a RealSecure fusion engine that can correlate events from multiple intrusion detection engines placed strategically throughout a network, said Mark Wood, an ISS product manager.

Axent and Cisco are both working to fine-tune the ability to describe attack signatures. As in the case of antivirus software, network-based intrusion detection systems look for abnormal patterns in packets sent across the network, matching them against signatures in a database. Axent plans to unveil a version of its NetProwler system that incorporates technology from ID-Trak, a tool the company obtained through its acquisition of Internet Tools earlier this year, said Scott Gordon, director of intrusion detection. ID-Trak lets users customize signatures to meet specific network requirements. The product also will benefit from tighter integration with the IntruderAlert engine, Axent's host-based system, he added.

Fine-tuning attack signatures is a short-term solution for Cisco, which offers the NetRanger system, according to Joseph Sirrianni, a product marketing engineer. "We're constantly improving signatures because certain ones trigger false positives," he added. Cisco, however, declined to name which NetRanger signatures specifically trigger false alarms. "We're looking at ways of integrating certain correlation techniques," he said. The fruit of that labor should be incorporated in the product over the next six months, he added.

However, some experts said false positives can be reduced if users get a better understanding of the intrusion detection systems. "It's more an issue of deployment," said Mike Hagger, vice president of network security and disaster recovery at investment company Oppenheimer Funds.
"You have to know what you're trying to validate and track, and have the right people analyze the data," said Hagger, who uses ISS's RealSecure. Pete Cafarchio, technology program manager at the International Computer Security Association, recommends that users don't turn on alarming features until the intrusion detection system has been up and running for 30 days. By that time, they should have a better understanding of how the system works, he added.

In the future, network-based intrusion detection systems also can benefit from a technique called anomaly detection, which is more common in host-based systems, according to Cafarchio. Anomaly detection helps IT managers establish a baseline of normal user activity so they can set up filters that trigger alerts if that activity changes. For instance, they might monitor a person accessing certain information at a certain time of the week. "The problem with this technique is that people can deviate from normal activity," Cafarchio said.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:22:07 PDT