Educause Security Discussion mailing list archives

Re: IPS signature update process


From: Michael Grinnell <grinnell () AMERICAN EDU>
Date: Mon, 17 Aug 2009 23:43:17 -0400

On 8/17/2009 11:15 PM, Fields, Kimberly wrote:
Hello All,

We are currently trying to formalize a process for updating our IPS signatures. I was looking to see what other people out there
are doing. Management would like to incorporate a review committee to help ensure legitimate traffic doesn't get blocked.
I'm struggling to come up with a model that would incorporate this.

Any feedback would be helpful.

_____________________________________________________________________

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended
recipient(s) and may include AMERIGROUP member(s) information that is legally privileged. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact
the sender by reply e-mail and destroy copies of the original message.
_____________________________________________________________________

Is this a big problem for you?  We've been running an IPS for 3 - 4
years now and had 2 cases of rules that blocked legitimate traffic.
Only one of those rules was on by default, and in both cases, it was the
result of poorly coded applications.  In general, I think IPS/IDS
signature updates, like AV updates, are too frequent and granular to
justify extensive change control and review.  I think you're better off
with regularly scheduled updates, a good record of the changes, and good
logs of any blocked traffic.  You can then refer to these artifacts if
an issue comes up and resolve it quickly.  SLAs, etc. may change the
equation a bit, but if your IPS is blocking legitimate traffic
frequently enough to warrant a review committee, I would start looking
for a replacement.

Regards,

Michael Grinnell
Senior Information Security Engineer
The American University
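
The reply above argues for scheduled updates plus a record of what each update changed and logs of what was blocked, so that a complaint can be traced back quickly. The script below is an added example of that record-keeping and is not code from the thread or from either poster. It assumes Snort/Suricata-style rule text (a `sid:` and `rev:` option per rule, a leading `#` marking a rule disabled) and Snort "fast" alert lines with a `[gid:sid:rev]` field; the rule sets, the update identifier and the alert line are constructed samples, not real signatures.

```python
"""Record what an IPS signature update changed, then trace a blocked-traffic
alert back to the update that introduced or enabled the rule that fired.

Added example for the thread above, not the posters' own tooling.
Assumptions: Snort/Suricata rule syntax (`sid:` / `rev:` options, `#` disables
a rule) and Snort fast-alert lines carrying `[gid:sid:rev]`.  Every rule and
log line below is a constructed sample."""
import re
from dataclasses import dataclass

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")  # [gid:sid:rev] in a fast alert


@dataclass
class Rule:
    sid: int
    rev: int
    enabled: bool
    text: str


def parse_ruleset(text):
    """Return {sid: Rule}.  A line starting with '#' that still carries a
    sid is a disabled rule; other comments and blank lines are skipped."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        m = SID_RE.search(body)
        if not m:
            continue
        r = REV_RE.search(body)
        sid = int(m.group(1))
        rules[sid] = Rule(sid, int(r.group(1)) if r else 1, enabled, body)
    return rules


def diff_rulesets(old, new):
    """Change record for one update: which sids were added, removed,
    switched on or off, or modified (rev bump or any text change)."""
    rec = {"added": [], "removed": [], "enabled": [], "disabled": [], "modified": []}
    for sid in sorted(set(old) | set(new)):
        o, n = old.get(sid), new.get(sid)
        if o is None:
            rec["added"].append(sid)
        elif n is None:
            rec["removed"].append(sid)
        else:
            if o.enabled != n.enabled:
                rec["enabled" if n.enabled else "disabled"].append(sid)
            if o.rev != n.rev or o.text != n.text:
                rec["modified"].append(sid)
    return rec


def alert_sid(line):
    """Pull the sid out of a fast-alert line, or None if it has no [gid:sid:rev]."""
    m = ALERT_RE.search(line)
    return int(m.group(2)) if m else None


def trace_alert(line, changelog):
    """Return (sid, update_id, kinds) for the most recent recorded update that
    touched the rule behind this alert; update_id is None if no update did."""
    sid = alert_sid(line)
    if sid is None:
        return None
    for update_id, rec in reversed(changelog):
        kinds = [k for k, sids in rec.items() if sid in sids]
        if kinds:
            return sid, update_id, kinds
    return sid, None, []


# --- constructed sample data (placeholder sids, not real signatures) --------
OLD_RULES = """
alert tcp any any -> $HOME_NET 80 (msg:"SAMPLE app probe"; content:"/probe"; sid:1000001; rev:1;)
# alert tcp $HOME_NET any -> any 443 (msg:"SAMPLE noisy rule off by default"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"SAMPLE retired rule"; sid:1000003; rev:2;)
"""
NEW_RULES = """
alert tcp any any -> $HOME_NET 80 (msg:"SAMPLE app probe"; content:"/probe/v2"; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> any 443 (msg:"SAMPLE noisy rule off by default"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 8080 (msg:"SAMPLE new rule"; sid:1000004; rev:1;)
"""
# One entry per scheduled update: (update identifier, change record).
CHANGELOG = [("update-2009-08-10", diff_rulesets(parse_ruleset(OLD_RULES), parse_ruleset(NEW_RULES)))]

# Constructed blocked-traffic alert, Snort fast format.
SAMPLE_ALERT = ("08/17-23:15:01.123456  [**] [1:1000002:1] SAMPLE noisy rule off by default [**] "
                "[Priority: 3] {TCP} 10.0.0.5:44321 -> 198.51.100.7:443")

if __name__ == "__main__":
    print(CHANGELOG[0])
    print(trace_alert(SAMPLE_ALERT, CHANGELOG))
```

Run after each scheduled update with the previous and new rule files, append the returned record to the change log with the update's date, and the "who turned this rule on" question from a blocked-traffic complaint becomes a lookup rather than a meeting. The `enabled`/`disabled` split is deliberate: in the reply's experience a rule that was off by default and then switched on is exactly the kind of change a reviewer wants to see on its own.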
