IDS mailing list archives

RE: RE: Tuning false positives - SIM is not the answer


From: "Andrew Plato" <andrew.plato () anitian com>
Date: Fri, 30 Dec 2005 09:40:58 -0800

 
Yes. A SIM will not tune out or alter the reporting events. You need to
actually log on to your IPS/IDS to do that. All a SIM does is manipulate
the data once it's been reported. 

For all the noise SIMs are getting in the market, the honest truth is -
I've never seen a SIM that has significantly improved the security of an
organization. They seem to be more about satisfying the need to have
reports than actually improving security. And most of the SIM
implementations I have seen strike me as a lot of good intentions that
will never be fulfilled. 

I understand the desire to have tangible reports that can point to an
improvement (or weakening) in security. And SIMs can provide such data
management capabilities. But, it seems those reports can be very
misleading. And the cost to not only procure a SIM technology but also
tune it is - significant. 

I think implementing your own SIM is usually more trouble than it's
worth. Moreover, what a SIM offers can be easily outsourced to a managed
security provider. It's a lot less expensive to have a managed security
provider (we resell Lurhq and ISS, but there are others) do data
collection and analysis than to try and build your own system. 

_____________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY

Your Expert Partner for Security & Networking

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

GPG public key available at: http://www.anitian.com/corp/keys.htm 



 

-----Original Message-----
From: rassel_k () hotmail com [mailto:rassel_k () hotmail com] 
Sent: Wednesday, December 28, 2005 10:45 PM
To: focus-ids () securityfocus com
Subject: Re: RE: Tuning false positives - SIM is not the answer

SIM systems are nice. They give great graphical views and good methods
of drilling into the info. However, they are not able to do anything
about cutting down the amount of false positives; tuning the IPS is
still a must.
SIM systems have nothing to do with the fact that your IDS/IPS gets 300,000
alerts per day. It'll just sum it up nicely for you so you don't read
them one at a time; however, if some of them are for real attacks and
others from misconfigured network devices, you're bound to miss the real
attacks.
SIM will help you see trends, not find targeted attacks, and if you want
your IPS to work, you have to make a choice: lots of alarms catching
lots of false positives (sometimes 80%-90% of alerts) or fewer alarms,
accepting you may be missing some of the more interesting attacks
(either targeted or just stuff that gets too many false alarms in your
specific environment).
You should use a SIM, but don't expect it to solve the problem of
configuring and analyzing your alarms; this problem is as old as
detection systems.

Just my $0.02
Rassel
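As an added illustration of the point both posters make (example code written for this archive page, not by either poster or by any SIM vendor): a SIM can only group and count what the sensor reports, while the noise itself has to be removed on the sensor. The alert lines below are constructed in a simplified Snort-style fast-alert layout (classification and priority fields omitted), the signature ids, messages and addresses are invented, and the suppression list is rendered in the syntax of Snort's threshold.conf `suppress` directive. The script first builds the per-signature summary a SIM dashboard would show, then applies sensor-side suppressions and shows what is left for an analyst.

```python
"""Aggregation (what a SIM does) versus sensor-side tuning (what cuts the noise).

Constructed example for the focus-ids thread "Tuning false positives - SIM
is not the answer". All alert data, signature ids and addresses are invented.
"""
import re
from collections import Counter

# Simplified Snort fast-alert line (assumption: no classification/priority
# fields). Ports are optional so ICMP alerts without ports also parse.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) \[\*\*\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Sensor-side suppressions: (gen_id, sig_id, source ip). These are the kind of
# entries you would add to the IDS's own threshold.conf, not to a SIM.
DEFAULT_SUPPRESSIONS = [
    (1, 1000001, "10.0.9.9"),   # misconfigured SNMP poller sweeping the subnet
    (1, 1000002, "10.0.5.10"),  # load balancer health checks
]


def build_sample_log():
    """Constructed alert log: 2,500 alerts of operational noise and exactly
    one alert (an external traversal attempt) that deserves a human's time."""
    lines = []
    for i in range(2000):
        lines.append(
            f"12/28-22:45:{i % 60:02d}.000000 [**] [1:1000001:1] SNMP request udp [**] "
            f"{{UDP}} 10.0.9.9:{40000 + i} -> 10.0.0.{i % 250 + 1}:161"
        )
    for i in range(500):
        lines.append(
            f"12/28-22:46:{i % 60:02d}.000000 [**] [1:1000002:1] ICMP PING [**] "
            f"{{ICMP}} 10.0.5.10 -> 10.0.0.{i % 250 + 1}"
        )
    lines.append(
        "12/28-22:47:10.000000 [**] [1:1000003:1] WEB-MISC directory traversal attempt [**] "
        "{TCP} 203.0.113.77:51234 -> 10.0.0.8:80"
    )
    return lines


def parse_alert(line):
    """Parse one fast-alert line into a dict; raise on anything unrecognised
    rather than silently dropping an alert."""
    m = ALERT_RE.match(line)
    if m is None:
        raise ValueError(f"unparsed alert line: {line!r}")
    d = m.groupdict()
    d["gid"] = int(d["gid"])
    d["sid"] = int(d["sid"])
    return d


def summarize_by_signature(alerts):
    """The SIM view: (sid, message, count) sorted by volume. Nothing is
    removed; the single real alert simply ends up at the bottom of the list."""
    counts = Counter((a["sid"], a["msg"]) for a in alerts)
    return sorted(((sid, msg, n) for (sid, msg), n in counts.items()),
                  key=lambda t: t[2], reverse=True)


def apply_suppressions(alerts, suppressions):
    """The sensor view after tuning: drop alerts matching a (gid, sid, src)
    suppression, which is what the IDS itself would do before reporting."""
    blocked = set(suppressions)
    return [a for a in alerts if (a["gid"], a["sid"], a["src"]) not in blocked]


def snort_suppress_lines(suppressions):
    """Render the suppressions in Snort threshold.conf syntax."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
            for gid, sid, ip in suppressions]


if __name__ == "__main__":
    alerts = [parse_alert(line) for line in build_sample_log()]
    print(f"{len(alerts)} alerts reported by the sensor\n")
    print("SIM-style summary (counts only, nothing tuned):")
    for sid, msg, n in summarize_by_signature(alerts):
        print(f"  {n:6d}  [1:{sid}]  {msg}")
    kept = apply_suppressions(alerts, DEFAULT_SUPPRESSIONS)
    print(f"\nAfter sensor-side suppression: {len(kept)} alert(s) left for review")
    for a in kept:
        print(f"  [1:{a['sid']}] {a['msg']}  {a['src']} -> {a['dst']}")
    print("\nthreshold.conf entries applied on the IDS:")
    print("\n".join(snort_suppress_lines(DEFAULT_SUPPRESSIONS)))
```

The summary step is all a SIM can do with this feed: the traversal attempt is still there, but as a count of 1 beneath 2,500 lines of noise. The suppression step has to live on the sensor, and it carries the trade-off Rassel describes: suppressing by source hides every future alert for that signature from that host, so each entry should name the host it covers and be reviewed when the device's role changes.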

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------



