The right strategy will address potential drawbacks such as false positives, says Richard Starnes
Intrusion detection systems have, according to industry analysts, been in terminal decline for some years now, but they are still refusing to lie down and die.
Four reasons are given for their predicted imminent demise:
- They produce too many false positives and negatives
- They increase the burden on IT organisations by requiring 24x7 monitoring
- They require a taxing incident response process
- They cannot handle high-bandwidth traffic.
To take the last complaint first, intrusion detection systems have managed to cope thus far with high-bandwidth traffic, so we can dispense with that supposed weakness by saying that speed is not the issue it once was.
The remaining accusations, though, are worth a closer look, particularly as they all seem to be true, if taken at face value.
It is certainly true that intrusion detection systems produce a higher than acceptable number of false positives and negatives. An acceptable false positive rate would be 5% or less, and an acceptable false negative rate would be less than 1%.
The systems I am familiar with do not come close to meeting either of these standards.
But intrusion detection systems are still in the relatively early stages of development, especially when compared to the more mature anti-virus technology that fathered them.
Another factor affecting the performance of intrusion detection systems is the manner in which they are deployed.
Take Cable & Wireless. Its managed security service used to operate a two-tier system: filtering on the device and filtering on the monitoring platform. The company has since installed a correlation database and a new monitoring platform, so intruder alerts are now filtered at three points: on the sensors, at the correlation database and on the monitoring platform.
As a result we have managed to reduce the number of false positive alerts by a factor of 100, with no discernible rise in false negatives. The gain comes from the refined deployment strategy, the newly developed monitoring platform and the correlation database working together, rather than from any one of them alone.
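The three-tier arrangement described above, as an added worked example (this is illustrative code written for this page, not Cable & Wireless's platform or any product): alerts are suppressed on the sensor, collapsed into events by a correlation stage, and only events that pass an escalation rule reach the monitoring console. The sensor names, signature names, addresses (RFC 5737 documentation ranges), suppression list, 60-second correlation window and escalation thresholds are all assumptions, and the alert stream is constructed; the ground-truth `attack` flag exists only so the script can check that the reduction in alerts costs no true positives.

```python
"""Three-tier alert reduction: sensor filter -> correlation database -> monitoring platform."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    ts: int          # seconds (constructed clock)
    sensor: str
    src: str
    dst: str
    sig: str
    attack: bool     # ground truth for scoring only; a real sensor never knows this


@dataclass
class Event:
    src: str
    dst: str
    sig: str
    first: int
    last: int
    count: int = 0
    sensors: set = field(default_factory=set)
    attack: bool = False


# Assumed severity table for the constructed signature names.
SEVERITY = {"SHELLCODE x86 NOOP": "high", "WEB-ATTACKS /etc/passwd access": "low",
            "WEB-MISC robots.txt access": "low", "ICMP PING NMAP": "low"}

# Tier 1: (signature, source) pairs the sensor drops outright, e.g. an authorised internal scanner.
SENSOR_SUPPRESS = {("ICMP PING NMAP", "10.0.0.5")}


def sensor_filter(alerts):
    return [a for a in alerts if (a.sig, a.src) not in SENSOR_SUPPRESS]


def correlate(alerts, window=60):
    """Tier 2: merge repeats of (src, dst, sig) within `window` seconds into one event,
    remembering how many sensors reported it."""
    events, open_ev = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.sig)
        ev = open_ev.get(key)
        if ev is None or a.ts - ev.last > window:      # start a fresh event after a quiet gap
            ev = Event(a.src, a.dst, a.sig, a.ts, a.ts)
            events.append(ev)
            open_ev[key] = ev
        ev.last = a.ts
        ev.count += 1
        ev.sensors.add(a.sensor)
        ev.attack |= a.attack
    return events


def escalate(events, min_count=10):
    """Tier 3: the monitoring platform shows high-severity events, repeated events,
    and anything seen independently by two or more sensors."""
    return [e for e in events
            if SEVERITY.get(e.sig) == "high" or e.count >= min_count or len(e.sensors) >= 2]


def build_sample_alerts():
    """Constructed alert stream: mostly noise, with two genuine attacks buried in it."""
    alerts = []
    for i in range(1000):            # authorised scanner, seen by both sensors
        for s in ("dmz", "core"):
            alerts.append(Alert(i, s, "10.0.0.5", f"10.0.1.{i % 254 + 1}", "ICMP PING NMAP", False))
    for i in range(300):             # scattered crawler hits, one per source
        alerts.append(Alert(i * 10, "dmz", f"192.0.2.{i % 250 + 1}", "10.0.1.80",
                            "WEB-MISC robots.txt access", False))
    for i in range(5):               # real exploit attempt, seen by both sensors
        for s in ("dmz", "core"):
            alerts.append(Alert(5000 + i * 2, s, "203.0.113.9", "10.0.1.80", "SHELLCODE x86 NOOP", True))
    for i in range(20):              # repeated path traversal, one sensor only
        alerts.append(Alert(6000 + i * 3, "dmz", "198.51.100.7", "10.0.1.80",
                            "WEB-ATTACKS /etc/passwd access", True))
    return alerts


def fp_rate(items):
    return sum(1 for i in items if not i.attack) / len(items) if items else 0.0


def run_pipeline(alerts):
    tier1 = sensor_filter(alerts)
    tier2 = correlate(tier1)
    tier3 = escalate(tier2)
    attack_keys = {(a.src, a.dst, a.sig) for a in alerts if a.attack}
    escalated_keys = {(e.src, e.dst, e.sig) for e in tier3}
    return {"raw": len(alerts), "after_sensor": len(tier1), "events": len(tier2),
            "escalated": len(tier3), "raw_fp_rate": fp_rate(alerts),
            "escalated_fp_rate": fp_rate(tier3),
            "missed_attacks": len(attack_keys - escalated_keys),      # false negatives introduced
            "reduction_factor": len(alerts) / max(len(tier3), 1)}


if __name__ == "__main__":
    for k, v in run_pipeline(build_sample_alerts()).items():
        print(f"{k:>18}: {v}")
```

The check that matters is `missed_attacks`: a pipeline that halves the alert count by dropping half the true attacks has made things worse, so every suppression or threshold change should be scored against labelled traffic before it goes into production.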
Heavy monitoring burden
To the second charge - that intrusion detection systems place a heavy 24x7 monitoring burden on IT departments - there can be no rebuttal.
Intrusion detection systems need to be monitored around the clock if they are to be effective. Otherwise, it is a bit like having a burglar alarm that only works during certain predetermined hours of the day.
Monitoring networks and systems 24 hours a day can be a costly proposition, and too expensive for small and medium-sized businesses.
Most large companies are already monitoring their networks on a 24x7 basis. However, staff with incident response and intrusion detection systems monitoring skills are not usually on site around the clock. This reinforces the case for outsourcing to a managed security provider.
Taxing response process
The third point is that incident response processes are taxing. I have been in IT for almost 20 years, four of them in incident response management. In that time I have learned that you can make a process as simple or as complicated as you want. So our incident response process covers two pages and has been intentionally kept simple.
The last thing an IT professional needs when their system is under attack is an incident response process that looks like a 1980s Unix manual. When writing a process I always keep a quote from Star Trek's engineer in mind. "The more they over-think the plumbing," said Scotty, "the easier it is to stop up the drain."
The assertions of IT pundits are only partly correct. Intrusion detection systems do produce too many false positives and negatives. But the numbers can be brought down to a manageable level with a properly implemented infrastructure, and the round-the-clock monitoring requirement could be met through outsourcing.
If your incident response process is overly complex, you should rewrite it. Meanwhile, the bandwidth issues for intrusion detection systems are no longer a primary concern.
Richard Starnes is director of incident response at Cable & Wireless and president of the Information Systems Security Association UK
How intrusion detection systems work
Networks are under constant threat from viruses, worms, hacking attempts and denial of service attacks.
Unless these attacks are checked, a hacker could bring down the company network. It is important to identify when an attack is genuine, as stopping legitimate network use is disruptive to the business.
Most intrusion detection systems match traffic against signatures of known attacks and raise an alert on a hit. Others build a baseline of normal activity and treat deviations from it as indications of an attack.
Intrusion detection is a balancing act. Too much analysis adds overhead and, with thresholds set too tightly, triggers false alarms on legitimate activity. Too little analysis lets a genuine attack through unnoticed.
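Both approaches in the sidebar, as an added example written for this page (not code from any product or from the author): a signature detector that runs regular expressions over request paths, and a rate-based anomaly detector whose threshold is learned from a clean baseline. The log format, signature list, baseline figures, addresses (RFC 5737 documentation ranges) and the `k` multiplier are assumptions, and the log lines are constructed. Running it shows the sidebar's trade-off in both directions: skipping URL decoding (too little analysis) lets an encoded traversal past the signatures, while a tight anomaly threshold (`k=1`) flags a legitimate page load with several assets as an attack.

```python
"""Signature-based versus anomaly-based detection over constructed web-server log lines."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Combined-log-style line; only the fields used below are captured (assumed format).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')

# Assumed signature set: patterns for known attack strings in the request path.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "etc-passwd": re.compile(r"/etc/passwd"),
    "cmd-injection": re.compile(r"[;|`]\s*(cat|id|wget|curl)\b"),
}

# Constructed baseline: requests per source per minute observed during a quiet period.
BASELINE_REQUESTS_PER_MIN = [3, 4, 5, 4, 3, 6, 4, 5]


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_hits(path, normalise=True):
    """Signature detection. Decoding twice catches double-encoded paths (assumed policy);
    with normalise=False an encoded variant slips past every pattern."""
    target = unquote(unquote(path)) if normalise else path
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]


def rate_threshold(baseline, k):
    """Anomaly threshold: mean plus k population standard deviations of the baseline."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def rate_anomalies(records, threshold):
    return {src: n for src, n in Counter(r["src"] for r in records).items() if n > threshold}


def analyse(lines, k=3.0, normalise=True):
    records = [r for r in map(parse, lines) if r]
    sig_alerts = {}
    for r in records:
        hits = signature_hits(r["path"], normalise)
        if hits:
            sig_alerts.setdefault(r["src"], set()).update(hits)
    thr = rate_threshold(BASELINE_REQUESTS_PER_MIN, k)
    return {"threshold": thr, "sig_alerts": sig_alerts, "rate_alerts": rate_anomalies(records, thr)}


def constructed_log():
    """One minute of constructed traffic: three ordinary users, one legitimate burst,
    one plain-text attack and one encoded scanner burst."""
    def lines(src, paths):
        return [f'{src} - - [07/Dec/2004:10:{15 + i // 60}:{i % 60:02d} +0000] '
                f'"GET {p} HTTP/1.1" 200 512' for i, p in enumerate(paths)]
    out = []
    for n in (11, 12, 13):                                      # ordinary users, 4 requests each
        out += lines(f"192.0.2.{n}", ["/", "/news", "/news/1", "/contact"])
    out += lines("198.51.100.20", ["/", "/css/site.css", "/js/app.js", "/img/logo.png",
                                   "/news", "/news/1", "/contact"])   # legitimate burst of 7
    out += lines("192.0.2.77", ["/download?file=../../etc/passwd"])   # plain-text attack
    out += lines("203.0.113.9", [f"/scan{i}/%2e%2e%2f%2e%2e%2fetc%2fpasswd"
                                 for i in range(40)])                  # encoded scanner burst
    return out


if __name__ == "__main__":
    for k, norm in ((3.0, True), (1.0, True), (3.0, False)):
        res = analyse(constructed_log(), k=k, normalise=norm)
        print(f"k={k} normalise={norm} threshold={res['threshold']:.2f}")
        print("  signature alerts:", {s: sorted(v) for s, v in res["sig_alerts"].items()})
        print("  rate anomalies:  ", res["rate_alerts"])
```

With `k=3` and normalisation on, the two attackers are the only sources reported; drop normalisation and the scanner is only caught by the rate detector, tighten `k` to 1 and the legitimate seven-request page load becomes a false alarm. Neither detector alone is enough, which is why deployments combine both and then correlate the output.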
This was first published in December 2004