IDS mailing list archives

Re: RE: Tuning false positives - SIM is not the answer


From: rassel_k () hotmail com
Date: 29 Dec 2005 06:44:45 -0000

SIM systems are nice. They give great graphical views and good methods of drilling in to the info. However, they are not able to do anything about cutting down the number of false positives; tuning the IPS is still a must.
SIM systems have nothing to do with the fact that your IDS/IPS gets 300,000 alerts per day. It’ll just sum it up nicely for you so you don’t read them one at a time; however, if some of them are for real attacks and others from misconfigured network devices, you’re bound to miss the real attacks.
SIM will help you see trends, not find targeted attacks, and if you want your IPS to work, you have to make a choice: lots of alarms catching lots of false positives (sometimes 80%-90% of alerts), or fewer alarms, accepting you may be missing some of the more interesting attacks (either targeted, or just stuff that gets too many false alarms in your specific environment).
You should use a SIM, but don’t expect it to solve the problem of configuring and analyzing your alarms; this problem is as old as detection systems.

Just my $0.02
Rassel
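Added example, not part of Rassel's post or of any SIM/IDS product: a small Python sketch of the point above, using constructed alerts (the IPs, signature names and counts are made up). A SIM-style roll-up by signature count buries three alerts from one source among thousands of noise alerts; the noise only goes away once someone writes suppression rules for the known misconfigured devices, after which a per-source view of the remainder makes the probe visible.

```python
from collections import Counter, defaultdict

# Constructed sample alerts: (source_ip, dest_ip, signature). Not real data.
ALERTS = []
# A misconfigured switch tripping the same signature all day.
ALERTS += [("10.0.0.5", "10.0.0.1", "SNMP public community string")] * 3000
# Routine broadcast chatter from fifty LAN hosts.
ALERTS += [(f"10.0.1.{i}", "10.0.1.255", "NETBIOS name query") for i in range(50)] * 20
# Three alerts from one external host against one internal web server.
ALERTS += [("203.0.113.7", "10.0.2.10", "WEB-IIS cmd.exe access"),
           ("203.0.113.7", "10.0.2.10", "WEB-MISC directory traversal"),
           ("203.0.113.7", "10.0.2.10", "WEB-CGI phf access")]

# Tuning rules an analyst writes once a noisy source is confirmed benign:
# (source_ip or "*" for any source, signature). Hypothetical format.
SUPPRESS = [("10.0.0.5", "SNMP public community string"),
            ("*", "NETBIOS name query")]


def summarize_by_signature(alerts):
    """SIM-style roll-up: alert count per signature, highest first.
    The three real alerts end up at the bottom with a count of 1 each."""
    return Counter(sig for _, _, sig in alerts).most_common()


def apply_tuning(alerts, suppress):
    """Drop alerts matched by a suppression rule; this is the tuning step
    the SIM does not do for you."""
    def suppressed(src, sig):
        return any((s == "*" or s == src) and g == sig for s, g in suppress)
    return [a for a in alerts if not suppressed(a[0], a[2])]


def sources_by_distinct_signatures(alerts):
    """Per (source, target) pair, the set of distinct signatures seen.
    One source firing several different signatures at one host is what a
    targeted probe looks like, and a plain count per signature hides it."""
    sigs = defaultdict(set)
    for src, dst, sig in alerts:
        sigs[(src, dst)].add(sig)
    return sorted(sigs.items(), key=lambda kv: len(kv[1]), reverse=True)


if __name__ == "__main__":
    print("untuned top signature:", summarize_by_signature(ALERTS)[0])
    tuned = apply_tuning(ALERTS, SUPPRESS)
    print(f"{len(ALERTS)} alerts before tuning, {len(tuned)} after")
    for (src, dst), sigs in sources_by_distinct_signatures(tuned):
        print(f"{src} -> {dst}: {len(sigs)} distinct signatures")
```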
