Educause Security Discussion mailing list archives

Re: IPS signature update process


From: "Bradley, Stephen W. Mr." <bradlesw () MUOHIO EDU>
Date: Tue, 18 Aug 2009 04:16:50 -0400

I agree with Michael.  We have been running our IPSs for over 5 years now and for the first few years we reviewed each 
individual signature and realized it was a lot of effort for very little return.  I can't remember a single instance of 
the default setting from the vendor blocking legitimate traffic.

Now we receive the updates and deploy them; then, at a later date, we review the classes to see if there are any that may 
need to be changed from allow to block or vice versa.


steve

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael 
Grinnell
Sent: Monday, August 17, 2009 11:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IPS signature update process

On 8/17/2009 11:15 PM, Fields, Kimberly wrote:
Hello All,

We are currently trying to formalize a process for updating our IPS signatures.  I was looking to see what other 
people out there are doing.  Management would like to incorporate a review committee to help ensure legitimate 
traffic doesn't get blocked.  I'm struggling to come up with a model that would incorporate this.

Any feedback would be helpful.


Is this a big problem for you?  We've been running an IPS for 3 - 4 
years now and had 2 cases of rules that blocked legitimate traffic. 
Only one of those rules was on by default, and in both cases, it was the 
result of poorly coded applications.  In general, I think IPS/IDS 
signature updates, like AV updates, are too frequent and granular to 
justify extensive change control and review.  I think you're better off 
with regularly scheduled updates, a good record of the changes, and good 
logs of any blocked traffic.  You can then refer to these artifacts if 
an issue comes up and resolve it quickly.  SLAs, etc. may change the 
equation a bit, but if your IPS is blocking legitimate traffic 
frequently enough to warrant a review committee, I would start looking 
for a replacement.

Regards,

Michael Grinnell
Senior Information Security Engineer
The American University
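Michael's recommendation of a record of each update plus good logs of blocked traffic, and Steve's later review of signature classes, as an added Python example (not from the thread or from any vendor's product): it records what an update changed and lists the newly blocking signatures that are actually generating blocks, so a report of blocked traffic can be traced to the update that caused it. The signature-set and log formats are constructed assumptions.

```python
"""Added example, not from the thread: record what an IPS signature update
changed and match it against the block log. Formats are constructed."""
from collections import Counter
import re

# Constructed signature sets, sid -> (class, action), before and after an update.
BEFORE = {"1001": ("web-attack", "block"), "1002": ("policy", "alert"),
          "1003": ("malware", "block")}
AFTER = {"1001": ("web-attack", "block"), "1002": ("policy", "block"),
         "1003": ("malware", "block"), "1004": ("web-attack", "block")}

# Constructed block-log lines in a syslog-like shape.
BLOCK_LOG = """\
Aug 18 08:01:02 ips: action=block sid=1004 src=10.0.5.7 dst=10.0.1.20
Aug 18 08:01:05 ips: action=block sid=1004 src=10.0.5.9 dst=10.0.1.20
Aug 18 08:02:11 ips: action=block sid=1002 src=10.0.7.3 dst=10.0.1.50
Aug 18 08:03:40 ips: action=alert sid=1003 src=10.0.5.7 dst=10.0.1.20
Aug 18 08:04:01 ips: action=block sid=1001 src=10.0.8.1 dst=10.0.1.20
"""
LOG_RE = re.compile(r"action=(?P<action>\w+) sid=(?P<sid>\d+)")


def diff_signatures(before, after):
    """Change record for one update: added, removed, and action-changed signatures."""
    added = {sid: after[sid] for sid in after.keys() - before.keys()}
    removed = {sid: before[sid] for sid in before.keys() - after.keys()}
    changed = {sid: (before[sid][1], after[sid][1])
               for sid in before.keys() & after.keys()
               if before[sid][1] != after[sid][1]}
    return {"added": added, "removed": removed, "changed": changed}


def blocks_per_signature(log_text):
    """Count block events per signature id; alert-only events are not counted."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("action") == "block":
            counts[m.group("sid")] += 1
    return counts


def review_candidates(changes, counts):
    """Signatures the update added or flipped to block that are now blocking traffic.
    These are the first place to look when someone reports blocked traffic."""
    new_blockers = set(changes["added"]) | {
        sid for sid, (_, new) in changes["changed"].items() if new == "block"}
    return {sid: counts[sid] for sid in new_blockers if counts[sid]}
```

Keeping the output of `diff_signatures` per update gives the change record Michael describes; the classes in `BEFORE`/`AFTER` are what Steve's later review would group on.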
