Information Security News mailing list archives

Re: ITL Bulletin for July 2003


From: InfoSec News <isn () c4i org>
Date: Wed, 23 Jul 2003 02:02:50 -0500 (CDT)

Forwarded from: Robert G. Ferrell <rgferrell () direcway com>

At 02:19 AM 7/22/03 -0500, you wrote:

> In government and industry, intrusion detection systems (IDSs) are
> now standard equipment for large networks.

It is all well and good to develop standardized evaluation and
implementation for IDS.  However, the purpose of an IDS is to generate
data, which must then be correctly interpreted for the product to have
any real value to the enterprise.  This is the point at which IDS in
practice fails.  No matter how well designed and deployed the software
is, it's nothing but overhead on the network if the analyst looking at
the resulting data hasn't been properly trained to sort the wheat from
the chaff, as it were.  Analyzing patterns of attack and looking for
subtle clues indicating unusual activity is a skill that requires the
patience and intuition of a detective, yet the vast majority of people
whose job it is to monitor IDS data are dumped into that position with
no training or even aptitude testing.  Even the most sophisticated
pattern recognition algorithms fall far short of the human brain, at
least when it's been clued in as to what to look for.

I see job descriptions every day that require experience with this or
that IDS.  What they mean by "experience," however, is they expect you
to have seen the product in action and know how to configure it.
It's extremely rare that I see a company ask for someone who knows how
to interpret IDS data.  This is a far more esoteric skill than systems
administration, and one that takes years of daily contact with raw IDS
output to master, yet few seem to realize that.

Until we put a great deal more emphasis on data interpretation, even
the most sophisticated IDS will remain little more than an expensive
"feel good" toy for upper management: another largely superfluous
check mark on their Enterprise Security Scorecard.

Put another way (in the words of Bill Griffith), "What Good is Seeking
if No One's Peeking?"

Cheers,

RGF

Robert G. Ferrell
rgferrell () direcway com



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
