Re: [ISN] ITL Bulletin for July 2003

From: InfoSec News (isnat_private)
Date: Wed Jul 23 2003 - 00:02:50 PDT

  • Next message: InfoSec News: "Re: [ISN] Calculating security ROI is tricky business"

    Forwarded from: Robert G. Ferrell <rgferrellat_private>
    
    At 02:19 AM 7/22/03 -0500, you wrote:
    
    > In government and industry, intrusion detection systems (IDSs) are
    > now standard equipment for large networks.
    
    It is all well and good to develop standardized evaluation and
    implementation for IDS.  However the purpose of an IDS is to generate
    data, which must then be correctly interpreted for the product to have
    any real value to the enterprise.  This is the point at which IDS in
    practice fails.  No matter how well designed and deployed the software
    is, it's nothing but overhead on the network if the analyst looking at
    the resulting data hasn't been properly trained to sort the wheat from
    the chaff, as it were.  Analyzing patterns of attack and looking for
    subtle clues indicating unusual activity is a skill that requires the
    patience and intuition of a detective, yet the vast majority of people
    whose job it is to monitor IDS data are dumped into that position with
    no training or even aptitude testing.  Even the most sophisticated
    pattern recognition algorithms fall far short of the human brain, at
    least when it's been clued in as to what to look for.
    
    I see job descriptions every day that require experience with this or
    that IDS.  What they mean by "experience," however, is they expect you
    to have seen the product in action and know how to configure it.  
    It's extremely rare that I see a company ask for someone who knows how
    to interpret IDS data.  This is a far more esoteric skill than systems
    administration, and one that takes years of daily contact with raw IDS
    output to master, yet few seem to realize that.
    
    Until we put a great deal more emphasis on data interpretation, even
    the most sophisticated IDS will remain little more than an expensive
    "feel good" toy for upper management: another largely superfluous
    check mark on their Enterprise Security Scorecard.
    
    Put another way (in the words of Bill Griffith), "What Good is Seeking
    if No One's Peeking?"
    
    Cheers,
    
    RGF
    
    Robert G. Ferrell
    rgferrellat_private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Jul 23 2003 - 02:46:31 PDT