Re: [ISN] ITL Bulletin for July 2003

From: InfoSec News (isnat_private)
Date: Wed Jul 23 2003 - 00:02:50 PDT


    Forwarded from: Robert G. Ferrell <rgferrellat_private>
    
    At 02:19 AM 7/22/03 -0500, you wrote:
    
    > In government and industry, intrusion detection systems (IDSs) are
    > now standard equipment for large networks.
    
    It is all well and good to develop standardized evaluation and
    implementation for IDS.  However, the purpose of an IDS is to generate
    data, which must then be correctly interpreted for the product to have
    any real value to the enterprise.  This is the point at which IDS in
    practice fails.  No matter how well designed and deployed the software
    is, it's nothing but overhead on the network if the analyst looking at
    the resulting data hasn't been properly trained to sort the wheat from
    the chaff, as it were.  Analyzing patterns of attack and looking for
    subtle clues indicating unusual activity is a skill that requires the
    patience and intuition of a detective, yet the vast majority of people
    whose job it is to monitor IDS data are dumped into that position with
    no training or even aptitude testing.  Even the most sophisticated
    pattern recognition algorithms fall far short of the human brain, at
    least when it's been clued in as to what to look for.
    
    I see job descriptions every day that require experience with this or
    that IDS.  What they mean by "experience," however, is they expect you
    to have seen the product in action and know how to configure it.  
    It's extremely rare that I see a company ask for someone who knows how
    to interpret IDS data.  This is a far more esoteric skill than systems
    administration, and one that takes years of daily contact with raw IDS
    output to master, yet few seem to realize that.
    
    Until we put a great deal more emphasis on data interpretation, even
    the most sophisticated IDS will remain little more than an expensive
    "feel good" toy for upper management: another largely superfluous
    check mark on their Enterprise Security Scorecard.
    
    Put another way (in the words of Bill Griffith), "What Good is Seeking
    if No One's Peeking?"
    
    Cheers,
    
    RGF
    
    Robert G. Ferrell
    rgferrellat_private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 06:46:04 PDT