From: Jason Lewis (jlewis@JASONLEWIS.NET)
Date: Mon May 07 2001 - 18:53:07 CDT


    I think this turned into a management issue. If rules are being turned off,
    because they create too much "noise" then someone isn't using the IDS to its
    full potential. This becomes a matter of administration and management.

    What about fundamental rules for deployment? Is the following a true
    statement?

      As the importance of the data being watched increases, the sensitivity of
      the IDS sensors increases.

    Don't factor in who is managing it or what is being turned on or off. Can
    this statement be used as a general rule for IDS deployment? I think yes.

    Now, if we factor in the amount of time available to manage the IDS, I can
    see how sensitivity becomes a problem. I brought this up because I haven't
    found anything anywhere that said "The general rule for IDS deployment is
    more sensitivity when the data is the most important." I guess I was
    looking for someone to agree or disagree.

    I certainly have gotten a lot out of the discussion.

    Jason Lewis
    http://www.rivalpath.com
    "All you can do is manage the risks. There is no security."

    -----Original Message-----
    From: Jeff Nathan [mailto:jnathan@stake.com]
    Sent: Monday, May 07, 2001 4:46 PM
    To: jlewis@jasonlewis.net
    Cc: FOCUS-IDS@SECURITYFOCUS.COM
    Subject: Re: IDS settings

    For many deployments, IDS systems are tuned to reduce the level of false
    alarms. In tuning the systems, signatures are often disabled (and in
    some cases never re-enabled). Thus, the systems are desensitized. The
    argument that the more sensitive the data you're protecting the more
    sensitive the IDS must be certainly has merit. For a group of critical
    systems, I suggest IDS systems are deployed in discrete networks to
    protect groups of systems on a single switch. When deployed in this
    fashion, the switch should also be behind a firewall. If you properly
    configure the firewall to be appropriately restrictive, then there is
    value in a very sensitive or even over sensitive IDS.

    The disabling of signatures in the process of tuning an IDS is often done to
    accomplish two things. First, it is an attempt to avoid the administrative
    issues you mentioned (it often involves disabling poorly written
    signatures that are unwanted, false alarm too often or are deemed to be
    of little security risk). Second, it might be done to allow for the
    adding of custom rules specific to the environment in which the system
    is deployed and where such rules may overlap default rules.

    It would seem that some people just don't understand exactly what you've
    said. "...if sensitivity and false alarms are decreasing, then the IDS
    isn't doing its job." Tuning a system has advantages and
    disadvantages. In either case, it isn't something that happens once.
    IDS systems must be properly managed and in doing so their rule sets
    must be constantly re-evaluated as the network being monitored changes
    and as new signatures become available.

    -Jeff

    Jason Lewis wrote:
    >
    > Good points and I appreciate the response. I have a question about this
    > though.
    >
    > "The thinking that as false negatives decrease, sensitivity increases
    > isn't all that truthful. Rather, as people tune their IDS systems, both
    > sensitivity AND false alarms usually decrease. Further, measuring false
    > positives (accuracy) isn't all that difficult, but how do you measure
    > false negatives (completeness)?"
    >
    > Are people tuning their IDS to decrease false alarms and to avoid the
    > management nightmare that IDS is? It would seem to me that if sensitivity
    > and false alarms are decreasing, then the IDS isn't doing its job.
    >
    > I really think that regardless of what people are doing, the IDS must be
    > more sensitive the closer it sits to the data you are protecting. That may
    > not be what actually happens.
    >
    > Jason Lewis
    > http://www.rivalpath.com
    > "All you can do is manage the risks. There is no security."

    --
    http://jeff.wwti.com	 	(pgp key available)
    "Common sense is the collection of prejudices acquired by age eighteen."
    - Albert Einstein
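Jeff's point that tuning disables signatures which are then "never re-enabled", and that rule sets must be re-evaluated as the network changes, can be checked mechanically. The following is an added example, not code from either poster; it assumes a Snort-style rule file in which a disabled rule is the rule line commented out and a preceding `# disabled YYYY-MM-DD <reason>` note records when and why it was turned off (that note convention is an assumption, as is the constructed sample file).

```python
"""Audit an IDS rule file for tuning drift: report how many rules are live and
which disabled rules have gone too long without being re-evaluated."""
import re
from datetime import date, timedelta

# Constructed sample rule file (Snort-style syntax assumed; sids are made up).
SAMPLE_RULES = """\
alert tcp any any -> 10.0.0.0/8 445 (msg:"SMB probe"; sid:1000001; rev:1;)
# disabled 2001-01-15 too noisy on the print server
# alert tcp any any -> 10.0.0.0/8 515 (msg:"LPD overflow attempt"; sid:1000002; rev:1;)
# disabled 2001-04-30 reviewed; replaced by local rule 1000010
# alert tcp any any -> 10.0.0.0/8 80 (msg:"WEB-CGI probe"; sid:1000003; rev:1;)
alert tcp any any -> 10.0.0.0/8 80 (msg:"LOCAL web cgi probe"; sid:1000010; rev:1;)
# alert udp any any -> any 161 (msg:"SNMP public"; sid:1000004; rev:1;)
"""

# A rule line, optionally commented out ("off" group present => disabled).
RULE_RE = re.compile(r'^(?P<off>#\s*)?(?P<action>alert|log|pass)\s+.*sid:(?P<sid>\d+);')
# Assumed bookkeeping note placed on the line directly above a disabled rule.
NOTE_RE = re.compile(r'^#\s*disabled\s+(?P<date>\d{4}-\d{2}-\d{2})\s*(?P<why>.*)$')


def audit_rules(text, today_iso, max_age_days=90):
    """Return (enabled_count, stale) where stale lists (sid, detail) for every
    disabled rule that has no note or whose note is older than max_age_days."""
    today = date.fromisoformat(today_iso)
    enabled, stale, pending_note = 0, [], None
    for line in text.splitlines():
        m = NOTE_RE.match(line)
        if m:  # remember the note; it applies to the next rule line only
            pending_note = (date.fromisoformat(m['date']), m['why'].strip())
            continue
        m = RULE_RE.match(line)
        if m and not m['off']:
            enabled += 1
        elif m:  # commented-out rule: was it ever reviewed, and how long ago?
            if pending_note is None:
                stale.append((int(m['sid']), 'disabled with no note'))
            elif today - pending_note[0] > timedelta(days=max_age_days):
                stale.append((int(m['sid']), f'disabled {pending_note[0]}: {pending_note[1]}'))
        pending_note = None  # a note only covers the line right after it
    return enabled, stale


if __name__ == "__main__":
    live, overdue = audit_rules(SAMPLE_RULES, "2001-05-07")
    print(f"{live} rules enabled; {len(overdue)} disabled rules need review:")
    for sid, detail in overdue:
        print(f"  sid {sid}: {detail}")
```

Run against a sensor's real rule set with a review interval chosen per network tier, the stale list is the set of signatures that were tuned out and then forgotten.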