IDS mailing list archives
RE: RE: Tuning false positives - SIM is not the answer
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Fri, 30 Dec 2005 09:40:58 -0800
Yes. A SIM will not tune out or alter the reporting events. You need to actually logon to your IPS/IDS to do that. All a SIM does is manipulate the data once it's been reported.

For all the noise SIMs are getting in the market, the honest truth is - I've never seen a SIM that has significantly improved the security of an organization. They seem to be more about satisfying the need to have reports than actually improving security. And most of the SIM implementations I have seen strike me as a lot of good intentions that will never be fulfilled.

I understand the desire to have tangible reports that can point to an improvement (or weakening) in security. And SIMs can provide such data management capabilities. But, it seems those reports can be very misleading. And the cost to not only procure a SIM technology but also tune it is - significant.

I think implementing your own SIM is usually more trouble than it's worth. Moreover, what a SIM offers can be easily outsourced to a managed security provider. It's a lot less expensive to have a managed security provider (we resell Lurhq and ISS, but there are others) do data collection and analysis than to try and build your own system.

_____________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
Your Expert Partner for Security & Networking
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
GPG public key available at: http://www.anitian.com/corp/keys.htm

-----Original Message-----
From: rassel_k () hotmail com [mailto:rassel_k () hotmail com]
Sent: Wednesday, December 28, 2005 10:45 PM
To: focus-ids () securityfocus com
Subject: Re: RE: Tuning false positives - SIM is not the answer

SIM systems are nice. They give great graphical views and good methods of drilling in to the info.

However they are not able to do anything about cutting down the amount of false positives; tuning the IPS is still a must. SIM systems have nothing to do with the fact your IDS/IPS gets 300,000 alerts per day. It'll just sum it up nicely for you so you don't read them one at a time; however, if some of them are for real attacks and others from misconfigured network devices you're bound to miss the real attacks.

SIM will help you see trends, not find targeted attacks, and if you want your IPS to work, you have to make a choice: lots of alarms catching lots of false positives (sometimes 80%-90% of alerts) or fewer alarms, accepting you may be missing some of the more interesting attacks (either targeted or just stuff that gets too many false alarms in your specific environment).

You should use a SIM, but don't expect it to solve the problem of configuring and analyzing your alarms; this problem is as old as detection systems.

Just my $0.02

Rassel
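Added example, not part of the thread above and not any vendor's product: a small Python script that separates the two things the thread keeps apart. The `sim_summary` function does what the posters say a SIM does (count, group and rank alerts without touching the stream), while `suggest_suppressions` and `sensor_suppress` model the tuning that has to happen at the sensor itself. The alert lines, signature IDs, hosts and thresholds are all constructed for illustration; the line layout loosely imitates a Snort "fast" alert, and `to_snort_suppress` emits the `suppress` directive syntax Snort uses in its threshold configuration.

```python
"""Contrast SIM-style aggregation with sensor-side suppression.

Constructed example: alert lines, SIDs, hosts and thresholds are made up.
"""
import re
from collections import Counter, defaultdict

# Constructed alerts. 10.0.0.5 plays the misconfigured network device that
# trips one noisy signature over and over; the rest are the interesting ones.
SAMPLE_ALERTS = [
    "12/28-22:45:01.000 [1:2001:3] MISCONFIG DEVICE chatter {UDP} 10.0.0.5:161 -> 10.0.1.2:161",
    "12/28-22:45:02.000 [1:2001:3] MISCONFIG DEVICE chatter {UDP} 10.0.0.5:161 -> 10.0.1.2:161",
    "12/28-22:45:03.000 [1:2001:3] MISCONFIG DEVICE chatter {UDP} 10.0.0.5:161 -> 10.0.1.2:161",
    "12/28-22:45:04.000 [1:2001:3] MISCONFIG DEVICE chatter {UDP} 10.0.0.5:161 -> 10.0.1.2:161",
    "12/28-22:45:05.000 [1:2001:3] MISCONFIG DEVICE chatter {UDP} 10.0.0.5:161 -> 10.0.1.2:161",
    "12/28-22:45:06.000 [1:2001:3] MISCONFIG DEVICE chatter {UDP} 10.0.0.5:161 -> 10.0.1.2:161",
    "12/28-22:45:07.000 [1:2001:3] MISCONFIG DEVICE chatter {UDP} 10.0.0.5:161 -> 10.0.1.2:161",
    "12/28-22:45:08.000 [1:2001:3] MISCONFIG DEVICE chatter {UDP} 10.0.0.5:161 -> 10.0.1.2:161",
    "12/28-22:46:10.000 [1:2001:3] MISCONFIG DEVICE chatter {UDP} 10.0.0.9:161 -> 10.0.1.2:161",
    "12/28-22:47:00.000 [1:3001:2] WEB-ATTACK SQL injection attempt {TCP} 203.0.113.7:51000 -> 10.0.1.10:80",
    "12/28-22:47:05.000 [1:3001:2] WEB-ATTACK SQL injection attempt {TCP} 203.0.113.7:51001 -> 10.0.1.10:80",
    "12/28-22:48:00.000 [1:4001:1] SCAN nmap-style probe {TCP} 198.51.100.3:40000 -> 10.0.1.10:22",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(lines):
    """Turn raw alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def sim_summary(alerts, top=3):
    """What a SIM does: count, group and rank. The underlying stream is unchanged."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return {
        "total": len(alerts),
        "top_signatures": by_sig.most_common(top),
        "top_sources": by_src.most_common(top),
    }


def suggest_suppressions(alerts, min_count=5, share=0.8):
    """Find (sid, src) pairs where one source dominates a signature's alerts.

    That pattern is the classic misconfigured-device false positive. The
    thresholds are constructed; pick them for your own environment.
    """
    per_sid = defaultdict(Counter)
    for a in alerts:
        per_sid[a["sid"]][a["src"]] += 1
    suggestions = []
    for sid, srcs in sorted(per_sid.items()):
        src, n = srcs.most_common(1)[0]
        if n >= min_count and n / sum(srcs.values()) >= share:
            suggestions.append((sid, src))
    return suggestions


def sensor_suppress(alerts, suppressions):
    """Sensor-side tuning: drop matching alerts before they are ever reported."""
    return [
        a for a in alerts
        if not any(a["sid"] == sid and a["src"] == src for sid, src in suppressions)
    ]


def to_snort_suppress(suppressions, gid=1):
    """Render suppressions as Snort threshold-config 'suppress' directives."""
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
        for sid, src in suppressions
    ]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("SIM view:", sim_summary(alerts))
    sup = suggest_suppressions(alerts)
    print("sensor rules:", *to_snort_suppress(sup), sep="\n  ")
    print("alerts left after tuning:", len(sensor_suppress(alerts, sup)))
```

Running it shows the distinction the thread is making: `sim_summary` still reports all twelve alerts, just ranked, while the single `suppress` rule removes eight of them at the sensor and leaves the SQL injection and scan alerts standing out on their own. Treat the suggested suppressions as candidates to review, not to apply blindly; a source that dominates a signature is not automatically benign.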