Information Security News mailing list archives

Black Hat Researcher: Rethink And Refine Your IDS


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 16 Jul 2012 10:39:32 -0500 (CDT)

http://www.darkreading.com/security-monitoring/167901086/security/perimeter-security/240003734/black-hat-researcher-rethink-and-refine-your-ids.html

By Robert Lemos
Contributing Writer
Dark Reading
July 13, 2012

When a company finds out that an attacker has been in its network and stealing data, it's rare that its intrusion detection system (IDS) is the key to the discovery. More often, as shown by the 2012 Verizon Data Breach Investigations Report, data is stolen within hours, but the breach is found weeks or months later when the attackers use the data.

A large part of the problem is that IDSes have not kept up with attackers. But another part of the problem is that companies are not properly managing the systems, according to John "Four" Flynn, a security engineer with Facebook, who plans to make that argument in a presentation on IDS failures at Black Hat USA later this month. For example, breached companies were more likely to find intruders through manual log analysis than through alerts generated by their IDSes, according to the Verizon report.

"When you actually dive into the details of how these systems are working against the modern, targeted attack that a lot of the enterprises are dealing with today, you find that the efficacy of these systems leaves a lot wanting," Flynn says. "It is pretty appalling. We need kind of a reset here."

He's not alone in criticizing IDSes and how they are being used by companies. The systems inundate security teams with data, need constant tuning, and have not kept up with attacks, says Bryan Sartin, director of intelligence for Verizon's RISK group.

[...]

