Educause Security Discussion mailing list archives

Re: IPS signature update process


From: Chris Green <cmgreen () UAB EDU>
Date: Wed, 19 Aug 2009 17:23:37 -0500

We first had a very paranoid "try it out on RESNET first" process. Once we got some trust in our chosen IPS vendor, we got it approved as a routine change with a security "accept the vendor recommendations as tested" and a "do we need to augment it" hall conversation (default allow -> default block).

The major issues we've recalled amounted to deadlock-style issues where we had "power fail" open but not deadlock open. More money could have engineered around some of the deadlock issues but not all. Get more insight into your vendor's signature process and leverage that to help make the decision of how much QA you should add on top of it. Microsoft -> does a very good job on patch process with partners IMO. Oracle (and just about everyone else) -> you'd better test everything they ship you completely. Having been on both sides of the vendor/customer relationship, I think the big thing at this point you are paying for is the rules + QA process for rules, and if people are not willing to talk about it, you probably have a bad IPS vendor (or sales droid).

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Grinnell
Sent: Monday, August 17, 2009 10:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IPS signature update process

On 8/17/2009 11:15 PM, Fields, Kimberly wrote:
Hello All,

We are currently trying to formalize a process for updating our IPS
signatures.  I was looking to see what other people out there are doing.
Management would like to incorporate a review committee to help ensure
legitimate traffic doesn't get blocked.  I'm struggling to come up with a
model that would incorporate this.

Any feedback would be helpful.


Is this a big problem for you?  We've been running an IPS for 3 - 4
years now and had 2 cases of rules that blocked legitimate traffic.
Only one of those rules was on by default, and in both cases, it was the
result of poorly coded applications.  In general, I think IPS/IDS
signature updates, like AV updates, are too frequent and granular to
justify extensive change control and review.  I think you're better off
with regularly scheduled updates, a good record of the changes, and good
logs of any blocked traffic.  You can then refer to these artifacts if
an issue comes up and resolve it quickly.  SLAs, etc. may change the
equation a bit, but if your IPS is blocking legitimate traffic
frequently enough to warrant a review committee, I would start looking
for a replacement.

Regards,

Michael Grinnell
Senior Information Security Engineer
The American University
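The "good record of the changes" and the "default allow -> default block" review both come down to knowing, per update, which signatures are new, which were revised, and which now block rather than alert. The script below is an added example written for this archive page, not something posted by either author; it diffs two Snort/Suricata-style rule files (the sample rules and SIDs are constructed) and produces that change record.

```python
import re
from collections import namedtuple

# Snort/Suricata-style rule: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r'^\s*(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<opts>.*)\)\s*$')
BLOCKING_ACTIONS = {"drop", "reject", "sdrop"}   # actions that block traffic inline

Rule = namedtuple("Rule", "sid rev action msg text")

def parse_rules(text):
    """Parse a ruleset into {sid: Rule}. Commented-out rules (disabled by default) are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = m.group("opts")
        sid = re.search(r'\bsid\s*:\s*(\d+)', opts)
        rev = re.search(r'\brev\s*:\s*(\d+)', opts)
        msg = re.search(r'\bmsg\s*:\s*"([^"]*)"', opts)
        if not sid:
            continue
        rules[int(sid.group(1))] = Rule(int(sid.group(1)), int(rev.group(1)) if rev else 0,
                                        m.group("action").lower(), msg.group(1) if msg else "", line)
    return rules

def review_update(old_text, new_text):
    """Change record for one signature update: added, removed and revised SIDs,
    plus the SIDs that block now but did not before (the allow -> block question)."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    record = {"added": [], "removed": [], "revised": [], "now_blocking": []}
    for sid in sorted(set(old) | set(new)):
        o, n = old.get(sid), new.get(sid)
        if o is None:
            record["added"].append(sid)
        elif n is None:
            record["removed"].append(sid)
        elif (o.rev, o.action, o.text) != (n.rev, n.action, n.text):
            record["revised"].append(sid)
        if n and n.action in BLOCKING_ACTIONS and (o is None or o.action not in BLOCKING_ACTIONS):
            record["now_blocking"].append(sid)   # needs the "do we need to augment it" look
    return record

# Constructed sample rulesets (hypothetical SIDs, not from any vendor feed).
OLD_RULES = """alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test pattern A"; content:"A"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH test pattern B"; content:"B"; sid:1000002; rev:1;)
# alert tcp any any -> $HOME_NET 25 (msg:"SMTP disabled by default"; sid:1000003; rev:1;)"""
NEW_RULES = """drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test pattern A"; content:"A"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH test pattern B"; content:"B"; sid:1000002; rev:1;)
# alert tcp any any -> $HOME_NET 25 (msg:"SMTP disabled by default"; sid:1000003; rev:1;)
drop udp any any -> $HOME_NET 53 (msg:"DNS test pattern C"; content:"C"; sid:1000004; rev:1;)"""

if __name__ == "__main__":
    print(review_update(OLD_RULES, NEW_RULES))
```

Keeping each update's record next to the IPS block logs gives exactly the artifacts Michael describes for resolving a false block quickly.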
