
The right strategy will address potential drawbacks such
as false positives, says Richard Starnes
Intrusion detection systems have, according to industry
analysts, been in terminal decline for some years now, but they are
still refusing to lie down and die.
Four reasons are given for their predicted imminent demise:
- They produce too many false positives and negatives
- They increase the burden on IT organisations by requiring 24x7
monitoring
- They require a taxing incident response process
- They cannot handle high-bandwidth traffic.
To take the last complaint first: intrusion detection sensors have so far
kept pace with rising link speeds, so we can dispense with that supposed
weakness. Speed is not the issue it once was.
The remaining accusations, though, are worth a closer look,
particularly as they all seem to be true, if taken at face
value.
False positives
It is certainly true that intrusion detection systems produce a
higher than acceptable number of false positives and negatives. An
acceptable false positive rate would be 5% or less, and an
acceptable false negative rate would be less than 1%. Be explicit
about the denominator when quoting such figures: a rate measured
against the alerts raised says something different from one measured
against all the sessions inspected, and vendors do not always say
which they mean.
The systems I am familiar with do not come close to meeting either
of these standards.
But intrusion detection systems are still in the relatively early
stages of development, especially when compared to the more mature
anti-virus technology that fathered them.
Another factor affecting the performance of intrusion detection
systems is the manner in which they are deployed.
Take Cable & Wireless. Its managed security service used to
operate a two-tier system: filtering on the device and filtering on
the monitoring platform. But the company has now installed a
correlation database and a new monitoring platform. Intruder alerts
are now filtered at three points: on the sensors, in the correlation
database and on the monitoring platform.
As a result we have managed to reduce the number of false positive
alerts by a factor of 100, with no discernible rise in false
negatives. This is due to the company's refined deployment
strategy, the newly developed monitoring system and the
introduction of the correlation database.
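As an added illustration of that three-tier filtering (example code written for this page, not Cable & Wireless's system; every alert, address, sensor name, tuning rule and asset entry is constructed), the script below runs a batch of raw sensor alerts through a sensor-level suppression list, a correlation stage that checks the target against an asset inventory and folds repeats into one event, and a platform stage that escalates only what merits an analyst's attention. Each raw alert carries a ground-truth label so the result can be scored for both false positives and false negatives.

```python
"""Three-tier IDS alert reduction: sensor filter -> correlation -> monitoring platform.

Added illustration for this page, not Cable & Wireless code. All alerts, tuning
rules and the asset inventory below are constructed for the example.
"""
from collections import defaultdict

WINDOW = 60  # seconds: repeats of one (src, dst, signature) inside this are one event

# Hypothetical tuning data.
SENSOR_SUPPRESS = {("dmz-1", "10.0.0.5", "ICMP PING NMAP")}  # our own monitoring host
ASSETS = {  # hypothetical asset inventory: destination -> services it actually runs
    "10.0.1.10": {"apache"},
    "10.0.1.20": {"iis"},
    "10.0.1.30": {"snmp"},
    "10.0.1.31": {"snmp"},
}
SIG_REQUIRES = {  # signatures that only matter if the target runs the service
    "WEB-IIS cmd.exe access": "iis",
    "WEB-MISC apache chunked overflow": "apache",
}


def raw_alerts():
    """Constructed sensor output: (ts, sensor, src, dst, signature, severity, is_attack).
    is_attack is ground truth used only to score the pipeline; a sensor never knows it."""
    a = []
    # Monitoring host pinging the DMZ every minute: pure noise.
    a += [(t, "dmz-1", "10.0.0.5", "10.0.1.10", "ICMP PING NMAP", 1, False) for t in range(0, 600, 60)]
    # IIS exploit fired at an Apache host: not actionable.
    a += [(t, "dmz-1", "203.0.113.9", "10.0.1.10", "WEB-IIS cmd.exe access", 3, False) for t in (700, 701, 702)]
    # Same exploit at the real IIS host: a genuine attack, six repeats.
    a += [(t, "dmz-1", "203.0.113.9", "10.0.1.20", "WEB-IIS cmd.exe access", 3, True) for t in range(710, 716)]
    # Low-severity scan seen by two sensors.
    a += [(t, "dmz-1", "198.51.100.7", "10.0.1.10", "SCAN SYN FIN", 1, True) for t in range(800, 805)]
    a += [(t, "core-1", "198.51.100.7", "10.0.1.10", "SCAN SYN FIN", 1, True) for t in (801, 803)]
    # Internal management station polling SNMP: noise.
    a += [(900, "core-1", "10.0.0.22", "10.0.1.30", "SNMP public access", 1, False)]
    a += [(t, "core-1", "10.0.0.22", "10.0.1.31", "SNMP public access", 1, False) for t in (910, 915)]
    # Apache exploit at the Apache host: genuine.
    a += [(950, "dmz-1", "203.0.113.9", "10.0.1.10", "WEB-MISC apache chunked overflow", 3, True)]
    # A single low-severity SNMP probe from the scanner: genuine, but easy to lose.
    a += [(960, "core-1", "198.51.100.7", "10.0.1.30", "SNMP public access", 1, True)]
    return sorted(a)


def tier1_sensor_filter(alerts):
    """Tier 1, on the sensor: drop (sensor, src, signature) combinations tuned out as known noise."""
    return [a for a in alerts if (a[1], a[2], a[4]) not in SENSOR_SUPPRESS]


def tier2_correlate(alerts):
    """Tier 2, correlation database: discard signatures whose target does not run the
    attacked service, then fold repeats of one (src, dst, signature) within WINDOW
    into a single event that remembers its count and contributing sensors."""
    events, open_by_key = [], {}
    for a in alerts:
        ts, sensor, src, dst, sig, _sev, _label = a
        needed = SIG_REQUIRES.get(sig)
        if needed and needed not in ASSETS.get(dst, set()):
            continue
        key = (src, dst, sig)
        ev = open_by_key.get(key)
        if ev is None or ts - ev["start"] > WINDOW:
            ev = {"key": key, "start": ts, "alerts": [], "sensors": set()}
            open_by_key[key] = ev
            events.append(ev)
        ev["alerts"].append(a)
        ev["sensors"].add(sensor)
    return events


def tier3_platform(events):
    """Tier 3, monitoring platform: escalate only events worth an analyst's time."""
    out = []
    for ev in events:
        severity = max(a[5] for a in ev["alerts"])
        if severity >= 2 or len(ev["alerts"]) >= 5 or len(ev["sensors"]) >= 2:
            out.append(ev)
    return out


def score(raw, forwarded):
    """Compare what reaches the analyst with ground truth, including what was lost."""
    attacks = {(a[2], a[3], a[4]) for a in raw if a[6]}
    seen = {ev["key"] for ev in forwarded}
    return {
        "raw_alerts": len(raw),
        "raw_false_alerts": sum(1 for a in raw if not a[6]),
        "forwarded_events": len(forwarded),
        "forwarded_false_events": sum(1 for ev in forwarded if not any(a[6] for a in ev["alerts"])),
        "missed_attacks": len(attacks - seen),
    }


def run_pipeline():
    raw = raw_alerts()
    forwarded = tier3_platform(tier2_correlate(tier1_sensor_filter(raw)))
    return score(raw, forwarded)


if __name__ == "__main__":
    print(run_pipeline())
```

The constructed batch shrinks from 31 raw alerts, 16 of them noise, to three events with no false positives among them, but the score also shows one missed attack: the lone low-severity SNMP probe never clears the platform's escalation rules. That is the check to run after every tuning change; a reduction factor on its own says nothing about the false negatives the tuning introduced.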
Heavy monitoring burden
To the second charge - that intrusion detection systems place a
heavy 24x7 monitoring burden on IT departments - there can be no
rebuttal.
Intrusion detection systems need to be monitored around the clock
if they are to be effective. Otherwise, it is a bit like having a
burglar alarm that only works during certain predetermined hours of
the day.
Monitoring networks and systems 24 hours a day can be a costly
proposition, and too expensive for small and medium-sized
businesses.
Most large companies are already monitoring their networks on a
24x7 basis. However, staff with incident response and intrusion
detection systems monitoring skills are not usually on site around
the clock. This reinforces the case for outsourcing to a managed
security provider.
Taxing response process
The third point is that incident response processes are taxing. I
have been in IT for almost 20 years, four of them in incident
response management. In that time I have learned that you can make
a process as simple or as complicated as you want. So our incident
response process covers two pages and has been intentionally kept
simple.
The last thing an IT professional needs when their system is under
attack is an incident response process that looks like a 1980s Unix
manual. When writing a process I always keep a quote from Star
Trek's engineer in mind. "The more they over-think the plumbing,"
said Scotty, "the easier it is to stop up the drain."
The assertions of IT pundits are only partly correct. Intrusion
detection systems do produce too many false positives and
negatives. But the numbers can be brought down to a manageable
level with a properly implemented infrastructure, and the
round-the-clock monitoring requirement could be met through
outsourcing.
If your incident response process is overly complex, you should
rewrite it. Meanwhile, the bandwidth issues for intrusion detection
systems are no longer a primary concern.
Richard Starnes is director of incident response at Cable &
Wireless and president of the Information Systems Security
Association UK
How intrusion detection systems work
Networks are under constant threat from viruses, worms, hacking
attempts and denial of service attacks.
Unless these attacks are checked, a hacker could bring down the
company network. It is important to identify when an attack is
genuine, as stopping legitimate network use is disruptive to the
business.
Most intrusion detection systems match traffic against signatures
of known attacks and raise an alert on a match. Others build a
baseline of normal activity and flag deviations from it as possible
attacks.
Intrusion detection is very tricky. Too much analysis adds excessive
overhead and triggers false alarms; too little lets a genuine attack
through.