Forwarded from: Robert G. Ferrell <rgferrellat_private> At 02:19 AM 7/22/03 -0500, you wrote: > In government and industry, intrusion detection systems (IDSs) are > now standard equipment for large networks. It is all well and good to develop standardized evaluation and implementation for IDS. However the purpose of an IDS is to generate data, which must then be correctly interpreted for the product to have any real value to the enterprise. This is the point at which IDS in practice fails. No matter how well designed and deployed the software is, it's nothing but overhead on the network if the analyst looking at the resulting data hasn't been properly trained to sort the wheat from the chaff, as it were. Analyzing patterns of attack and looking for subtle clues indicating unusual activity is a skill that requires the patience and intuition of a detective, yet the vast majority of people whose job it is to monitor IDS data are dumped into that position with no training or even aptitude testing. Even the most sophisticated pattern recognition algorithms fall far short of the human brain, at least when it's been clued in as to what to look for. I see job descriptions every day that require experience with this or that IDS. What they mean by "experience," however, is they expect you to have seen the product in action and know how to configure it. It's extremely rare that I see a company ask for someone who knows how to interpret IDS data. This is a far more esoteric skill than systems administration, and one that takes years of daily contact with raw IDS output to master, yet few seem to realize that. Until we put a great deal more emphasis on data interpretation, even the most sophisticated IDS will remain little more than an expensive "feel good" toy for upper management: another largely superfluous check mark on their Enterprise Security Scorecard. Put another way (in the words of Bill Griffith), "What Good is Seeking if No One's Peeking?" Cheers, RGF Robert G. Ferrell rgferrellat_private - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Jul 23 2003 - 02:46:31 PDT