Intrusion detection sensors must be tuned and tweaked to keep false positives to a minimum. In the field of information security, we usually prefer more information to less, and because judging an alert is somewhat subjective, most systems are configured to alert when in doubt. The vendors that make IDS sensors don't extensively preconfigure the sensors, but they do set sensitivity levels that might not make sense for your organization. Therefore, tuning your sensors is an important step in reducing false positives and enabling the sensors to look for the data that's truly important. You have a couple of ways to reduce the amount of time you spend chasing down red herrings.

Fine-tuning network IDS alerts. First, you can usually adjust the rating system within your network IDS software to a different level of alert. In systems such as the network IDS Snort, for example, a classification.config file sets up 13 levels of alert that range from "not suspicious traffic" to "Successful Administrator Privilege Gain." (For more information about this open-source network IDS, go to http://www.snort.org.) The alert levels are tied to specific alerts in individual rule files (e.g., exploit.rules) or in a concatenated configuration file. I don't recommend adjusting the alert classification levels unless you fully understand both the nature of an attack and the reason for the alert. However, if you feel sufficiently confident that what's being reported isn't useful to you and your organization, you can make changes.

Second, you can completely remove the logic that looks for a particular event. In most modern sensors, the logic (i.e., the set of "fingerprints" the sensor uses to identify potential attacks) is modular so that you can set your sensor to look for fewer potential attacks and thereby achieve better performance. Keep in mind that the sensor must look at every packet that passes it and must reassemble fragments to evaluate the entire packet. The sensor must be balanced for your network; otherwise, traffic can overload the sensor until the sensor drops packets without inspecting them. In Snort, the configuration files drive the types of events that the network IDS discovers. Out of the box, Snort identifies more than 900 events. In NFR Security's network IDS, a GUI lets you add and remove back ends (i.e., modules that categorize what the sensor will look for, such as SMTP attacks) from the distributed sensors to eliminate unnecessary analysis.
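As an added example (not from the article or the Snort project), the following Python script parses a constructed fragment in the format of Snort's classification.config and a few constructed alert rules, works out each rule's effective priority (a rule's own priority: option overrides its classtype default), and then applies both tuning approaches described above: a priority threshold for what you surface, and a list of sids whose logic you have removed. The sids, messages and contents are placeholders, and rules whose classtype is absent from the classification file are assumed to default to priority 3.

```python
import re

# Constructed fragment in the format of Snort's classification.config
# ("config classification: shortname,description,priority"; 1 = most severe).
CLASSIFICATION_CONFIG = """
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: attempted-recon,Attempted Information Leak,2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
"""

# Constructed rules in Snort rule syntax; the sids and contents are placeholders.
RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample cgi probe"; content:"/cgi-bin/"; classtype:attempted-recon; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sample overflow"; content:"|90 90 90 90|"; classtype:attempted-admin; sid:9000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP sample echo"; itype:8; classtype:not-suspicious; priority:4; sid:9000003; rev:1;)
"""

CLASS_RE = re.compile(r"^\s*config classification:\s*([^,]+),[^,]*,\s*(\d+)")
OPT_RE = re.compile(r"(\w+):\s*([^;]*);")  # one "keyword:value;" rule option

def parse_classifications(text):
    """Map each classtype short name to the default priority it assigns."""
    matches = (CLASS_RE.match(line) for line in text.splitlines())
    return {m.group(1).strip(): int(m.group(2)) for m in matches if m}

def parse_rules(text):
    """Return one dict per alert rule: sid, msg, classtype and any explicit priority."""
    rules = []
    for line in text.splitlines():
        if not line.lstrip().startswith("alert"):
            continue  # skip blanks, comments and non-alert rules
        opts = dict(OPT_RE.findall(line[line.index("(") + 1:]))
        rules.append({"sid": int(opts["sid"]), "msg": opts["msg"].strip('"'),
                      "classtype": opts.get("classtype", "unknown"),
                      "priority": int(opts["priority"]) if "priority" in opts else None})
    return rules

def effective_rules(rules, classes, max_priority, disabled_sids=()):
    """Apply both tuning steps from the text: keep rules whose effective priority
    is at most max_priority (1 = most severe) and drop explicitly disabled sids.
    A rule's own priority: option overrides its classtype's default; a classtype
    missing from classification.config is assumed (our choice) to default to 3."""
    kept = []
    for r in rules:
        prio = r["priority"] if r["priority"] is not None else classes.get(r["classtype"], 3)
        if r["sid"] not in disabled_sids and prio <= max_priority:
            kept.append((r["sid"], r["msg"], prio))
    return kept
```

Run against a real rule set, the same two functions let you see exactly which rules a lower threshold or a disabled rule file would silence before you commit the change on the sensor.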

In either case, you should run your sensors for a while to get a feel for what actually occurs on your network and come to recognize which alerts are more meaningful than others. You might see activity that at first looks harmless but later discover that this innocent-looking traffic preceded an attack. Having "forensic evidence" to examine is valuable. Take time to understand the details of your network and its traffic—what should be present on the network and what shouldn't; what you want to have trigger an alert and what you can safely ignore—then fine-tune the sensors. Don't make the mistake of turning anything off or reducing the alert sensitivity before you really have a complete grasp of what's happening.

Monitoring your network IDS. When you deploy a network IDS at your perimeter or within your internal networks, you must make a commitment to look at the information it gathers. As obvious as that sounds, it's worth saying. Don't underestimate the amount of work involved in managing a distributed sensor installation.

Because incidents don't occur during the workday only, you must monitor your sensors 24 x 7. However, you and your organization might not be prepared to do so. I know of organizations that monitor IDS alerts during workdays, review overnight alerts the morning after, and review weekend alerts on Monday. Although this approach still offers some protection, it leaves significant gaps in the monitoring process—and experienced attackers move in and out during precisely those time frames. Attackers know that evenings and weekends are the least well-staffed times, and they make their moves when they think no one's watching.

If a limited budget or staff availability keeps you from adding enough network IDS-knowledgeable members to the security group to provide coverage around the clock, you can find several excellent organizations, such as Counterpane Internet Security (http://www.counterpane.com) and Riptech (http://www.riptech.com), that can manage the monitoring process for you.

In-Depth Network Defense
For your network IDS to give you the best protection, you must deploy it effectively. After you place your sensors correctly in your organization's overall architecture, fine-tune them, and develop a good system to monitor the data they provide, your network IDS can contribute significantly to your organization's security depth.

Reader Comments

Fig. 1 on this article is a DOS window. It should be a network diagram.

maneesh_bisht