IDS mailing list archives

Re: IPS false negatives


From: "Thomas Choi" <tchoi () nortel com>
Date: Mon, 17 Apr 2006 18:01:30 -0400

Thomas Ptacek wrote:
above) for testing any given IDS.  I've applied my evaluation toolkit
against a number of commercial IDSs and have found this evaluation
approach to be extremely simple, efficient and effective.

So, what did you learn?

That commercial IDS vendors don't seem to understand what a knowledgeable security officer would expect from such a device. Specifically, they don't seem to understand that most security officers have very little time to analyze alarms and only care about attacks that are of importance to them. So flooding the officer with a huge volume of alarms that they don't care about will only cause them to eventually turn off the IDS.


Also, today's commercial IDSs come with so many extra features and gadgets that it requires several days of training just to learn how to do basic tasks such as analyzing and acting upon a specific event. IMO, an IDS alarm console should be very simple to use and navigate. Anything that's too complex to use, no matter how cool it is, will naturally turn people off. Security officers are busy people, so why not provide them with a product that's simple to use and at the same time does the job?

Finally, my tests reveal that today's IDS designs seem to be focused on specific exploits and not behavior-based attacks. IMO, if your IDS can't detect obvious malware propagation techniques then there's something very wrong with the design. Sure, your product might be able to detect the latest known exploit, but wouldn't it be embarrassing if you couldn't detect a new network-spreading worm that scanned and exploited an unknown vulnerability and infected your customer's entire class A or B network?
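The behavior-based detection the post argues for, as an added example that is not part of this thread: a small scan detector over constructed flow records (the IPs, thresholds and function names are assumptions) that flags a host reaching many distinct targets on one port within a time window, regardless of which exploit the worm carries, and links a second-hop scanner back to the host that contacted it first.

```python
from collections import defaultdict, deque


def make_sample_flows():
    """Constructed flow records (t_seconds, src_ip, dst_ip, dst_port); not real traffic."""
    flows = []
    # Worm-like host: 30 distinct neighbours on TCP/445 within 30 seconds.
    for i in range(1, 31):
        flows.append((i, "10.0.0.5", f"10.0.1.{i}", 445))
    # One of its targets starts scanning a minute later (second-hop propagation).
    for i in range(1, 31):
        flows.append((60 + i, "10.0.1.4", f"10.0.2.{i}", 445))
    # Benign host: a handful of web connections to two servers over the same period.
    for i, dst in enumerate(["10.0.3.1", "10.0.3.2", "10.0.3.1"]):
        flows.append((10 * i, "10.0.0.7", dst, 80))
    return flows


def detect_scanners(flows, window=60, min_targets=20):
    """Return {(src, dport): t_first_flagged} for sources that reach at least
    min_targets distinct hosts on one port inside any sliding window of `window` seconds.
    No payload or signature is inspected: only the fan-out behaviour."""
    recent = defaultdict(deque)  # (src, dport) -> deque of (t, dst), oldest first
    hits = {}
    for t, src, dst, dport in sorted(flows):
        q = recent[(src, dport)]
        q.append((t, dst))
        while q and t - q[0][0] > window:  # drop records that aged out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= min_targets and (src, dport) not in hits:
            hits[(src, dport)] = t  # record when the threshold was first crossed
    return hits


def propagation_chains(flows, scanners):
    """Link each scanner to an earlier scanner that contacted it on the same port,
    i.e. the evidence that the infection is spreading hop by hop."""
    chains = []
    for (victim, dport), t_flag in scanners.items():
        for t, s, d, p in sorted(flows):
            if d == victim and p == dport and s != victim and (s, p) in scanners and t < t_flag:
                chains.append((s, victim, dport))
                break
    return chains


if __name__ == "__main__":
    found = detect_scanners(make_sample_flows())
    print("scanners:", found)
    print("chains:", propagation_chains(make_sample_flows(), found))
```

The thresholds are the tunable part: too low and a busy mail or web server trips them, too high and a slow, polite worm stays under the radar.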